TERMS AND CONDITIONS
for the processing of personal data by
"MAGNETIC ND BG" Ltd.
I. SUBJECT. DEFINITIONS.
1.1. These General Terms and Conditions determine the order and rules for the protection of individuals, clients, and employees of "MAGNETIC ND BG" Ltd., UIC 203893847, regarding the processing of their personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to in these T&C as the "Regulation," concerning the initiation, execution, and termination of contractual relations of these individuals with "MAGNETIC ND BG" Ltd.
1.2. For the purposes of these General Terms and Conditions:
1.2.1. "Data subject" - a natural person who can be identified;
1.2.2. "Personal data" - any information related to an identified or identifiable natural person, such as an identifier: name, identification number, location data, online identifier, or by other attributes according to Article 4, item 1 of the Regulation;
1.2.3. "Processing" - any operation or set of operations performed with personal data or sets of personal data through automated or other means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making the data available, alignment or combination, restriction, erasure, or destruction;
1.2.4. "Restriction of processing" - marking stored personal data with the aim of limiting their processing in the future;
1.2.5. "Pseudonymization" - processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that personal data are not attributed to an identified or identifiable natural person;
1.2.6. "Profiling" - any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects related to a natural person, in particular, to analyze or predict aspects concerning that natural person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
1.2.7. "Personal data register" - any structured set of personal data accessible according to certain criteria, whether centralized, decentralized, or distributed on a functional or geographical basis;
1.2.8. "Controller" – a natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be established by Union or Member State law.
The controller of personal data according to these T&C is "MAGNETIC ND BG" Ltd., hereinafter referred to as the "Company," UIC 203893847, with its registered office and address: Plovdiv, "Raiko Daskalov" St. No. 73, represented by the manager Sotirios Ioannis Tsoukalas;
The Data Protection Officer of "MAGNETIC ND BG" Ltd. is Sotirios Ioannis Tsoukalas, with address: Plovdiv, "Rogoshko shose" St. No. 6.
1.2.9. "Processor" - a natural person appointed specifically to store and control the process of processing clients' personal data;
1.2.10. "Recipient" - a natural person, employee of the controller, to whom personal client data is disclosed;
1.2.11. "Third party" - a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or the processor, are authorized to process personal data;
1.2.12. "Consent of the data subject" - any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of personal data related to them;
1.2.13. "Personal data breach" - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
II. GENERAL RULES FOR PROCESSING PERSONAL DATA.
2.1. The provision of personal data by the data subject constitutes a mandatory condition for the conclusion of a contract between them and the Company. If the data subject is unwilling to provide their personal data to the Company, the Company has the right to refuse to conclude the contract.
2.2. The Company has the right to process the following personal data:
2.2.1. Basic categories of personal data:
a) Full name;
b) Permanent and current address, if different, address for correspondence;
c) Signature;
d) Contact telephone;
e) Email address.
2.2.2. Data arising from the subject of the contract concluded with the company:
a) Gender, age, nationality, profession/qualification, experience;
b) Banking, credit, commercial, bond, or other relations relevant to the training provided by the Company according to the contract concluded between the parties;
c) Special categories of personal data within the meaning of Article 9 of the Regulation - data on health status relevant to the training provided by the Company according to the contract concluded between the parties;
2.2.3. Additional data:
a) Video recording when visiting the Company's office network;
b) Correspondence, letters, complaints, applications, feedback, and other communication received from you;
c) Client number, code, or similar identifier.
Profiling
2.3. If the conclusion or parameters of a particular contract are determined solely based on automated processing of personal data, this fact must be disclosed immediately (within 24 hours) to the data subject so that they can understand the nature and logic of the algorithms used.
2.4. The processing of personal data is carried out by the Company to fulfill the obligations under the contracts concluded between the Company and the data subject.
2.5. The main legitimate interests for which the Company processes the personal data provided by the subject are as follows:
2.5.1. To execute in the best possible way the training entrusted to the Company according to the contract concluded with the subject, by preparing an individualized and adequate offer for the purchase, respectively sale of the relevant materials, acquisition of the relevant qualification;
2.5.2. In order to provide high-quality and timely service, the Company may share the personal data provided by the subject with other organizations—banks (for the execution of payment orders), lawyers, attorneys, notaries, distribution companies, and other companies providing similar training and qualifications;
2.5.3. For achieving certain internal administrative purposes, the Company may provide the subject's personal data to archiving companies, technology companies providing IT support, courier service providers, and other service providers who adhere to high standards of information security and confidentiality;
2.5.4. For exercising the right of protection when the rights and legitimate interests of the Company are infringed, including by taking enforcement actions.
2.6. When the processing of personal data is carried out for purposes other than those for which they were originally collected, additional consent from the subject is not required, provided that the controller has considered:
2.6.1. any link between the purposes for which the personal data were collected and the purposes of the intended further processing;
2.6.2. the context in which the personal data were collected, in particular regarding the relationship between the data subject and the controller;
2.6.3. the nature of the personal data;
2.6.4. the possible consequences of the intended further processing for data subjects;
2.6.5. the presence of appropriate safeguards, which may include encryption or pseudonymization.
2.7. The personal data within the meaning of these General Terms and Conditions should:
2.7.1. be processed lawfully, fairly, and in a transparent manner in relation to the data subject;
2.7.2. be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
2.7.3. be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
2.7.4. be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
2.7.5. be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
2.7.6. be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
2.8. The Company, as a personal data controller, has the right to provide personal data to the following entities:
2.8.1. Data Processors. Data processors are entities that the Company uses for the proper fulfillment of contractual and/or statutory obligations, most often including any actions related to the training, subject of the contracts concluded with the Company, for the acquisition of the qualifications requested by the client, according to the contract concluded between the parties, for the use, purchase, and return of the materials provided by the Company; as well as performing any actions and signing any documents, including but not limited to those listed, related to the activities of the Company; courier service providers; insurance agents; service providers for the implementation and/or maintenance of information systems, which sometimes need to access personal data processed in the respective systems for the purposes of providing a service by the Company; law firms, accounting firms, or other consultancy service providers; administrative authorities, etc.
2.8.2. Joint Data Controllers. This category includes: law firms and accounting firms, distribution companies, and others.
2.8.3. Competent state authorities. The following authorities have the power to conduct inspections and require the Company to provide documents and information, including personal data, in the performance of their functions: Consumer Protection Commission, Personal Data Protection Commission, National Revenue Agency, National Social Security Institute, judicial authorities, Ministry of Interior, and others.
III. PERIOD FOR PROCESSING PERSONAL DATA.
3.1. The provided personal data is stored during the term of the contract concluded between the parties, as well as 5 years after the termination of the contract. If there is a legal obligation to retain the collected personal data for a period longer than the one specified in the previous sentence, the Company has the right to retain the personal data for the respective statutory period.
3.2. If the Company decides to process the personal data for a purpose other than that for which it was collected, it is obliged to provide the data subject with information about this other purpose and any other necessary information in this regard before such further processing.
IV. FORM OF CONSENT FOR PERSONAL DATA PROCESSING. RIGHT TO WITHDRAW CONSENT.
4.1. The processing of personal data is carried out based on the consent of the data subject, given in the form of a written declaration (Appendix № 1).
Withdrawal of Consent
4.2. The data subject has the right to withdraw their consent at any time, without affecting the legality of the processing carried out before the withdrawal. The withdrawal is performed through a written statement (Appendix № 2), submitted personally by the data subject to the administrator. It may concern all or part of the provided personal data. In case of withdrawal, the administrator has the right to unilaterally terminate the contract concluded with the data subject, under which their personal data were processed.
V. RIGHTS AND OBLIGATIONS OF THE ADMINISTRATOR REGARDING THE PROCESSING OF PERSONAL DATA.
5.1. The personal data administrator takes the necessary technical and organizational measures to protect the data from accidental or unlawful destruction, accidental loss, unauthorized access, alteration, or dissemination, as well as from other illegal forms of processing. To this end, the administrator adopts internal rules of conduct and instructions regarding the receipt and processing of personal data, ensuring compliance with national and European legislation in this area. The administrator implements appropriate technical and organizational measures to ensure that only personal data necessary for each specific purpose are processed. This obligation relates to the volume of collected personal data, the degree of processing, the storage period, and their accessibility.
5.2. The administrator processes clients' personal data through specially appointed employee(s), thereby ensuring the application of appropriate technical and organizational measures to protect the rights of data subjects. The data processor, recipients, and any person acting under the authority of the administrator or data processor who has access to personal data, processes these data only according to the adopted internal rules of conduct and instructions mentioned above.
5.3. In the event of a personal data security breach, the administrator notifies the Personal Data Protection Commission of the breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
5.4. When the personal data security breach is likely to result in a high risk to the rights and freedoms of individuals, the administrator, without undue delay, informs the data subject about the breach. The notification to the data subject, written in clear and simple language, describes the nature of the personal data security breach and at least provides information and measures taken by the administrator.
5.5. Notification to the data subject is not required if any of the following conditions are met:
5.5.1. The administrator has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data security breach, in particular, measures that make the personal data unintelligible to any person who is not authorized to access them, such as encryption.
5.5.2. The administrator has taken subsequent measures ensuring that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
5.5.3. It would involve disproportionate effort. In such a case, a public announcement or a similar measure is made to ensure that the data subjects are informed in an equally effective manner.
VI. RIGHTS OF DATA SUBJECTS REGARDING THE PROCESSING OF THEIR PERSONAL DATA.
Right of Access
6.1. Every individual client or employee has the right to access personal data related to them. The right of access is exercised by submitting a written request to the personal data administrator. In cases where exercising the right of access may disclose personal data of a third party, the administrator must provide the respective individual access only to the part of the data relating to them. When exercising the right of access, the individual may request from the administrator at any time:
a) Confirmation of whether data related to them is being processed, information about the purposes of the processing, the categories of data, and the recipients or categories of recipients to whom the data is disclosed;
b) A comprehensible communication containing their processed personal data, as well as any available information about their source.
6.1.1. The personal data administrator provides the information free of charge. In the event of the individual's death, their rights are exercised by their heirs, with a certificate of inheritance attached to the request under item 7.1. The right can also be exercised by an authorized representative with a notarized power of attorney. The information can be provided in the form of an oral or written report or by reviewing the data by the individual or another person explicitly authorized by them. The individual may request that a copy of the processed personal data be provided on a preferred medium or electronically, except when prohibited by law.
6.1.2. The administrator refuses full or partial access to personal data if:
a) The data does not exist or its provision is prohibited by law;
b) This would pose a threat to defense or national security or the protection of classified information, as provided for in a special law;
c) This would hinder the prevention or detection of crimes, the conduct of criminal proceedings, or the execution of penalties;
d) This is necessary to protect national security, public order, and the individual to whom the data relates.
Right to Rectification
6.2. The data subject has the right to request the administrator to correct inaccurate personal data related to them without undue delay. Considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including through the addition of a declaration.
Erasure
6.3. The data subject has the right to request the administrator to erase related personal data without undue delay, and the administrator has the obligation to erase the personal data without undue delay when one of the following grounds applies:
6.3.1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
6.3.2. The data subject withdraws their consent on which the processing was based before the withdrawal of consent;
6.3.3. The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
6.3.4. The personal data has been unlawfully processed;
6.3.5. The personal data must be erased to comply with a legal obligation under international or national law.
6.3.6. Erasure cannot be requested to the extent that processing is necessary:
a) For exercising the right to freedom of expression and information;
b) For compliance with a legal obligation requiring processing under international or national law applicable to the administrator or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the administrator;
c) For reasons of public interest in the area of public health;
d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
e) For the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing
6.4. The data subject has the right to obtain from the administrator restriction of processing when:
6.4.1. The accuracy of the personal data is contested by the data subject, for a period enabling the administrator to verify the accuracy of the personal data;
6.4.2. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
6.4.3. The administrator no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims;
6.4.4. The data subject has objected to processing pending verification of whether the legitimate grounds of the administrator override those of the data subject.
6.4.5. When processing has been restricted under the above point, such data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural person or for reasons of important public interest.
6.4.6. Before lifting the restriction on processing, the administrator informs the data subject.
Right to Data Portability
6.5. The data subject has the right to receive the personal data concerning them, which they have provided to an administrator, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another administrator without hindrance from the administrator to whom the personal data has been provided.
6.6. When exercising their right to data portability, the data subject has the right to have the personal data transmitted directly from one administrator to another, where technically feasible.
Right to Complain to a Supervisory Authority
6.7. Every data subject has the right to file a complaint with the Personal Data Protection Commission (PDPC) and to bring an action before the court if the rules for processing and protecting personal data are violated. The PDPC exercises control over the lawful processing of personal data. Address of the PDPC: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.; Information and Contact Center of the PDPC – tel. 02/91-53-518; email: kzld@cpdp.bg; website: www.cpdp.bg.
VII. EXERCISING DATA SUBJECT RIGHTS
7.1. Exercising the Rights
7.1.1. The rights from Clauses 6.1 to 6.6 of these General Terms and Conditions are exercised through a written application (Appendix No. 3). When an application is submitted by an authorized person, a notarized power of attorney must also be attached to the application. The applications are recorded in a register by the administrator.
7.1.2. The data controller or the data processor expressly reviews the applications – Appendix No. 4 and issues a decision within 14 days from the date of submission. The deadline for reviewing an access request under Clause 6.1 may be extended by the data controller or the processor to 30 days in cases where a longer period is objectively required to collect all requested data and this seriously hinders the activities of the controller.
7.1.3. Within 14 days, the data controller or the data processor makes a decision either to provide full or partial information to the applicant or to refuse to provide it, stating the reasons for the refusal.
7.1.4. The data controller or the data processor notifies the applicant in writing of the decision or refusal within the respective period. The notification is made personally against signature or by registered mail with a return receipt. Lack of notification is considered a refusal.
Right to Object
7.2. The individual to whom the data relates has the right to:
7.2.1. Object to the data controller against the processing of their personal data if there is a legal basis for it. If the objection is justified, the personal data of the respective individual can no longer be processed;
7.2.2. Object to the processing of their personal data for direct marketing purposes;
7.2.3. Be notified before their personal data is disclosed for the first time to third parties or used on their behalf under these General Terms and Conditions, and be given the opportunity to object to such disclosure or use.
7.3. The controller's decision is inadmissible when:
7.3.1. There are legal or other significant adverse consequences for the individual, and
7.3.2. It is based solely on automated processing of personal data intended to evaluate personal characteristics of the individual.
7.4. A decision is not inadmissible if it is:
7.4.1. Made during the conclusion or execution of a contract, provided that the application for the conclusion or execution of the contract submitted by the respective individual has been satisfied or that there are appropriate measures guaranteeing their legitimate interests;
7.4.2. Provided for in law, which also provides measures to protect the legitimate interests of the individual.
7.5. The individual has the right to request that the controller reviews the decision when it is inadmissible under Clause 7.3 of these General Terms and Conditions.
VIII. APPEALING THE ACTIONS OF THE DATA CONTROLLER
8.1. In case of violation of their rights under these General Terms and Conditions, any individual has the right to refer to the Commission for Personal Data Protection within one year from becoming aware of the violation, but no later than five years from the occurrence of the violation.
8.2. In case of violation of their rights, any individual can appeal the actions and acts of the controller in court before the respective administrative court or the Supreme Administrative Court under the general rules of jurisdiction.
8.2.1. In the proceedings under the previous clause, any individual who has suffered property or non-property damages as a result of a violation of the General Terms and Conditions has the right to receive compensation from the data controller or data processor for the damages caused.
8.2.2. The data controller involved in the processing of personal data is liable for damages resulting from the processing that violates the General Terms and Conditions. The data processor is liable for damages resulting from processing only when it has failed to fulfill a legal obligation specifically directed at data processors, or when it has acted outside the instructions of the controller or in contradiction to them.
8.2.3. The data controller or data processor is exempt from liability if it proves that it is in no way responsible for the event causing the damage.
IX. FINAL PROVISIONS
9.1. The General Terms and Conditions apply to customers and employees - data subjects, from the moment of giving consent for the processing of personal data by completing and signing a declaration in Appendix No. 1.
9.2. In case of amendments and/or supplements to these General Terms and Conditions, the Company notifies the data subjects who have accepted them.
9.3. For unresolved issues in these General Terms and Conditions, the Regulation, the Personal Data Protection Act, and all other national and international legal acts in the field of personal data protection apply.
9.4. These General Terms and Conditions were adopted by Decision of 01.08.2018 of "MAGNETIC ND BG" Ltd.
PRIVACY AND PERSONAL DATA PROTECTION POLICY
“MAGNETIC ND BG” Ltd. respects the privacy of its customers and guarantees the maximum protection of their personal data. This Privacy and Personal Data Protection Policy is drawn up and based on the current Bulgarian and European legislation in the field of personal data protection. This Privacy Policy governs the processing of personal data of individuals or representatives of legal entities on our website: magneticnaildesign.bg (the "Site"), in connection with the services provided by “MAGNETIC ND BG” Ltd., including those provided through and accessible on the Site.
This Privacy Policy sets out the rules that “MAGNETIC ND BG” Ltd. will comply with when processing personal data that we collect from you or about you, or that you provide to us. This Privacy Policy does not affect, restrict, or cancel your rights arising from the Personal Data Protection Act (“PDPA”) or other applicable legislation.
What do these Privacy Rules regulate and on what legal basis
As of May 25, 2018, the General Data Protection Regulation (GDPR) applies in Bulgaria. It was adopted by the European Union and aims to harmonize the policies of the EU member states related to the collection and use of personal data. Another goal is to guarantee your right to privacy, protect your personal data, and provide more security against misuse of the personal information of each of us. The new regulation comes with a number of requirements that “MAGNETIC ND BG” Ltd. applies and which you can familiarize yourself with here. Among them are:
Inform you about what data we use;
Inform you why we use it;
Seek your consent to use it when providing additional services based on it;
Give you the opportunity to change your consent for different purposes through this site to give you more freedom;
Guarantee your right to request correction of your data, its deletion, and to "be forgotten." Additionally, we can provide you with the data for download or transfer if you notify us and identify yourself in the appropriate ways.
All data by which a user can be identified is considered personal data. These can include email, names, mobile phone, residential address, IP address.
1. Introduction
1.1 We are committed to protecting the personal data of our website visitors. In this statement, we explain how we will handle your personal information.
1.2 We will ask you to consent to the use of cookies in accordance with the terms of this policy when you first visit our website. By using our website and agreeing to our policy, you consent to our use of cookies in accordance with the terms of this policy.
2. Collection of Personal Information
2.1 We may collect, store, and use the following types of personal information:
Information about your computer and your visits to and use of this site (including your IP address, geographical location, browser type and version, operating system, length of visit, and pages viewed);
Information that you provide when registering on our site (including your email address);
Information that you provide when completing your profile on our site (including your name, address, phone);
Information related to any transactions or any other dealings (including your name, address, phone number, email address);
Information contained in or related to any communication made/sent through our website (including the content of the communication, metadata related to the communication);
Any other personal information you choose to send to us.
2.2 Before you disclose to us the personal information of another person (a third party), you must obtain that person's consent for both the disclosure and processing of their personal data in accordance with this policy.
3. Use of Your Personal Data
3.1 Personal information provided to us will be used for the purposes specified in this policy.
3.2 We may use your personal information for:
Administering our website and business;
Personalizing our website for you;
Enabling your use of the services available on our website;
Providing you with the services described on our site;
Sending you non-marketing commercial communications;
Sending you email notifications that you have requested or expect;
Sending you marketing communications related to our business (or the businesses of carefully selected third parties) that we think may be of interest to you, by post, email, or similar technology (you can inform us at any time if you no longer require marketing communication).
3.3 If you send us personal information for publication on our site, we will publish and use that information in accordance with the license you grant us.
3.4 We will not provide your personal information to third parties for any purposes without your explicit consent.
3.5 The storage of data continues as long as we have a basis for their retention.
4. Disclosure of Personal Information
4.1 We may disclose your personal information to any of our employees, insurers, professional advisers, agents, lawyers, suppliers, or subcontractors as reasonably necessary for the purposes set out in this policy.
4.2 We may disclose your personal information:
To the extent that we are required to do so by law;
In connection with any ongoing or prospective legal proceedings;
To establish, exercise, or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
To the buyer (or prospective buyer) of any business or asset that we are (or are contemplating) selling.
4.3 Except as provided in this policy, we will not provide your personal information to third parties.
5. International Data Transfers
5.1 The information we collect may be stored, processed, and transferred between any of the countries in which we operate to enable us to use the information in accordance with this policy.
5.2 Personal information that you publish on our website or submit for publication on our website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
5.4 You expressly agree to the transfers of personal information described in this section 5.
6. Retaining Personal Information
6.1 This section describes our data retention policies and procedures, designed to ensure that we comply with legal obligations regarding the retention and deletion of personal data of our users.
6.2 Personal information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6.3 Notwithstanding the other provisions of this section, we will retain documents (including electronic documents) containing personal data:
To the extent that we are required to do so by law;
If we believe that the documents may be relevant to any ongoing or prospective legal proceedings;
To establish, exercise, or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
7. Protection of Personal Information
7.1 We will take reasonable technical and organizational precautions to prevent the loss, misuse, or alteration of your personal information.
7.2 We will store all the personal information you provide on our secure (password- and firewall-protected) servers.
7.3 All electronic financial transactions entered through our website will be protected by encryption technology.
7.4 You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
8. Amendments
8.1 We may update this policy by posting a new version on our website.
8.2 We may notify you of changes to this policy by email or through a personal messaging system on our website.
9. Your Rights
9.1 You may request that we provide you with any personal information we hold about you.
9.2 We may withhold personal information that you request to the extent permitted by law.
9.3 You may inform us at any time not to use your personal data for marketing purposes.
9.4 By using our services and website, you agree that we may use your personal information for marketing purposes. We will provide you with the option to opt out of the use of your personal data for marketing purposes.
We have no control and do not take responsibility for the privacy policy and practices of third parties.
11. Updating Information
11.1 Please inform us if the personal information we hold about you needs to be corrected or updated.
12. Cookies
12.1 Our website uses cookies.
12.2 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
12.3 Cookies may be "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
12.4 Cookies typically do not contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
12.5 We use both session and persistent cookies on our website.
12.6 Most browsers allow you to refuse to accept cookies. You may block cookies at any time.
12.7 Blocking all cookies will have a negative impact upon the usability of many websites.
12.8 If you block cookies, you will not be able to use all the features on our website.
12.9 You can delete cookies already stored on your computer.
12.10 Deleting cookies will have a negative impact on the usability of many websites.
We process your personal data only in accordance with the purposes and terms set forth above.
13.1 When collecting personal data, we do so in a minimal amount and only for specific and clear purposes and storage periods. Access to the data is provided only to a limited number of individuals who have been trained and instructed on how to work with the data.
As a data subject, you have the right to receive confirmation and/or detailed information about the personal data processed about you (right of access).
14.1 Furthermore, you may object to the collection and further processing of your personal data, as well as request that it be corrected (updated) or deleted (right to be forgotten) when we do not have a valid legal basis to continue processing it.
14.2 It is important to know that you can withdraw your consent to the processing of personal data at any time: see our contact details.
14.3 If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Data Protection Commission, or to contact us immediately.
To ask questions about your rights or if you wish to exercise any of them, please contact us at the following email address: info@queens-coosmetic.com
INSTRUCTIONS
regarding the procedures for processing personal data and protecting it from unlawful forms of processing
of “MAGNETIC ND BG“ EOOD
I. LEGAL BASIS.
These instructions are issued in compliance with the obligations of the data processors under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Personal Data Protection Act.
II. OBJECTIVES OF THE INSTRUCTION.
These instructions constitute a form of personal protection concerning customer personal data and are accompanied by training on the regulatory framework. The instructions aim to provide familiarity with:
The mechanisms for maintaining, storing, and protecting the personal data provided in relation to the legal relationships of “MAGNETIC ND BG“ EOOD.
The obligations of the data processor(s) and/or the persons who have access to personal data and work under the direction of the data processor(s) (recipients), as well as their responsibility in case of non-fulfillment of these obligations.
The necessary technical and organizational measures to protect the personal data of the aforementioned persons from unlawful processing (accidental or unlawful destruction, accidental loss, unauthorized access, alteration or dissemination, as well as all other unlawful forms of processing personal data).
III. OBLIGATIONS OF PERSONAL DATA RECIPIENTS.
PROCEDURE FOR INITIAL COLLECTION AND STORAGE OF PERSONAL DATA.
Groups of Personal Data Subject to Collection and Storage.
The groups of personal data subject to collection and storage are specified in clause 2.2 of the General Terms and Conditions for the processing of personal data by “MAGNETIC ND BG“ EOOD.
Collecting Personal Data.
The recipients of personal data within the meaning of the General Terms and Conditions for the processing of personal data by “MAGNETIC ND BG“ EOOD are the employees responsible for processing and storing personal data, to whom the data subject initially discloses information for the purpose of concluding a contract or other transaction within the scope of the company's activities – the administrator, as well as persons employed under an employment or civil contract within the company. At this stage, the processing is carried out only by the recipient on their work computer, to which only they have access, guaranteed by the measures under clause 2.2.
At this stage, the recipient should take the following actions (for example):
Provide the General Terms and Conditions for the processing of personal data by “MAGNETIC ND BG“ EOOD and a Consent Declaration for their acceptance and the processing of personal data for review;
Once the General Terms and Conditions are accepted, provide a copy to the client for review; the administrator retains the Declaration;
Record the personal data on an electronic document, which is then saved as a file in a folder/directory on the work computer of “MAGNETIC ND BG“ EOOD;
Print the prepared electronic document in the required number of copies;
Collect signatures on the document and provide one copy to the data subject;
Store the collected personal data with the Declaration according to the methods listed below.
III. FORMS OF STORAGE.
3.1. Paper Storage.
The organization and storage of personal data is done in written (documentary) form, by storing it in folders (client files) for each client. The files are arranged in a special filing cabinet with a lock;
Each time files are placed in the respective cabinet, it must be locked;
The location of the filing cabinet is in a special room that is locked, with access only granted to persons authorized to process personal data;
The room must remain locked if there is no employee of the administrator inside;
The keys to this cabinet are kept by the personal data protection officers of “MAGNETIC ND BG“ EOOD;
Only data subjects, supervisory authorities for data protection, and state authorities with a legal basis have the right to request the files on paper;
In case of relocating a client file from the filing cabinet to another place, the recipient drafts a written protocol and informs the data processor(s).
3.2. Electronic Storage.
The method of collecting and storing personal data involves entering it onto a hard drive of an isolated work computer. The computer, with secure access to the personal data, is used only by the recipient of the personal data. Software products tailored to the specific needs of the data controller are used for data processing. Security measures include:
The computer is located in a room, which is also the workplace of the personal data recipient, who has access through a username and personal password;
The room must remain locked if there is no employee of the administrator inside;
The keys to this cabinet are kept by the personal data protection officers of “MAGNETIC ND BG“ EOOD;
Access to personal data and protection is controlled—only the recipient of the personal data has access to the operating system containing files for processing personal data, through a username and personal password;
Data processors and certain employees designated by “MAGNETIC ND BG“ EOOD have access to electronic files containing personal data to fulfill obligations arising from the Internal Rules and these Instructions;
Protection of electronic data from unauthorized access, damage, loss, or destruction is ensured through antivirus programs, periodic data backups, and maintaining information on paper.
IV. OBLIGATIONS OF THE DATA PROCESSOR(S).
4.1. Collecting, Processing, and Storing Personal Data.
Processing on behalf of the controller is carried out by specially appointed person(s) - data processor(s), who ensure the implementation of appropriate technical and organizational measures so that the processing complies with international and national legal requirements and ensures the protection of data subjects' rights.
The data processor performs their functions from an isolated room at the workplace;
In the room, the processor works on a work computer, which only they have access to through a username and personal password;
The data processor has shared access to the data stored on technical media mentioned in clause 3.2, from which they create copies on paper and electronic media;
The copies are stored in a specially designated locked cabinet, as well as on a computer, to which only the processor has access through a username and personal password;
When a copy of a document containing personal data is requested and delivered, the processor drafts a written protocol.
4.2. Ensuring Access to Personal Data.
Every natural person-client has the right to access their personal data. The right of access is exercised by submitting a written request to the data controller, which is reviewed by the data processor according to the General Terms and Conditions for the processing of personal data by “MAGNETIC ND BG“ EOOD. When exercising the right of access, if personal data concerning a third party may be disclosed, the processor is obliged to provide the data subject with access only to the part concerning them.
When exercising the right of access, the data subject has the right to request from the controller at any time:
Confirmation whether data concerning them is being processed, information on the purposes of the processing, the categories of data, and the recipients or categories of recipients to whom the data is disclosed;
A comprehensible message containing their personal data that is being processed, as well as any available information about their source;
The data controller provides the information free of charge. In the event of the data subject's death, their rights are exercised by their heirs, who must attach a certificate of heirs to the application. The right may also be exercised by an authorized representative with a notarized power of attorney.
The information may be provided in the form of an oral or written report, or through review of the data by the data subject or a person explicitly authorized by them. The data subject may request a copy of the processed personal data on a preferred medium or electronically, except when prohibited by law.
The controller refuses full or partial access to the personal data of the person to whom it relates when:
The data does not exist or its provision is prohibited by law;
There is a risk to defense or national security, or for the protection of classified information as stipulated by a special law;
It would interfere with the prevention or detection of crimes, the conduct of criminal proceedings, or the execution of penalties;
It is necessary for the protection of national security, public order, and the individual to whom the data relates.
In case of approved and provided access, the data processor drafts a written protocol.
4.3. Procedure for Destroying Personal Client Data.
The client has the right to request the deletion of their personal data by the controller through a written application, which is reviewed by the data processor according to the General Terms and Conditions for the processing of personal data by “MAGNETIC ND BG“ EOOD. The controller is obliged to delete the personal data without undue delay when one of the following grounds applies:
The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
The data subject withdraws their consent on which the processing is based;
The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
The personal data has been unlawfully processed;
The personal data must be deleted to comply with a legal obligation under international or national law;
Deletion cannot be requested to the extent that the processing is necessary:
For exercising the right of freedom of expression and information;
For compliance with a legal obligation requiring processing under international or national law applicable to the controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
For reasons of public interest in the area of public health;
For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
For the establishment, exercise, or defense of legal claims.
In case of approved deletion, the data processor requires the return of copies in paper and electronic form from the persons holding them. In the case of returning paper copies, the data recipient or another employee drafts a written protocol.
After collecting the personal data from all employees who hold it, the processor deletes it mechanically and electronically, for which they draft a protocol according to Appendix No. 4 of these instructions.
4.4. Procedure for Correcting Personal Data
The data subject has the right to request the controller to correct inaccurate personal data concerning him or her without undue delay. Considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of a supplementary declaration. The correction is carried out by submitting a written application to the controller, which is reviewed by the data processor in accordance with the General Conditions for the order and conditions for the processing of personal data by "MAGNETIC ND BG" EOOD.
For the correction to be made, the data processor prepares a protocol, which is sent to all employees who process the relevant personal data, so they can make the correction in their databases.
4.5. Procedure for Restricting the Processing of Personal Data
The data subject has the right to request the controller to restrict the processing when one of the following applies:
The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
The processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
The data subject has objected to processing pending verification of whether the legitimate grounds of the controller override those of the data subject.
When processing has been restricted according to the above point, such data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. Before lifting the restriction on processing, the controller shall inform the data subject of the lifting.
The restriction is carried out by submitting a written application to the controller, which is reviewed by the data processor in accordance with the General Conditions for the order and conditions for the processing of personal data by "MAGNETIC ND BG" EOOD.
4.6. Procedure for Transferring Personal Data
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
When exercising the right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The transfer is carried out by submitting a written application to the controller, which is reviewed by the data processor in accordance with the General Conditions for the order and conditions for the processing of personal data by "MAGNETIC ND BG" EOOD.
In case of approved transfer, the data processor requests the delivery of the data from the individuals who have copies on paper or electronic media. In the case of delivery on paper, the recipient of the personal data or another employee prepares a written protocol.
After collecting the personal data from all employees who store them, the data processor transfers them on paper and electronic media, for which a special protocol is prepared.
4.7. Data Protection Impact Assessment
When a type of processing, especially one using new technologies, is likely, considering the nature, scope, context, and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
The assessment shall include at least:
A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
An assessment of the risks to the rights and freedoms of data subjects; and
The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of the data subjects and other persons.
The controller shall consult the Data Protection Commission prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. When consulting, the controller shall provide the Commission with:
The respective responsibilities of the controller, joint controllers, and processors involved in the processing;
The purposes and means of the intended processing;
The measures and safeguards provided to protect the rights and freedoms of data subjects in accordance with this regulation;
Where applicable, the contact details of the data protection officer;
The data protection impact assessment as referred to above; and
Any other information requested by the Commission.
These Instructions are adopted by Decision of 01.08.2018 of "MAGNETIC ND BG" EOOD.
ACCEPTED BY: ......................................................................
/Sotirios Ioannis Tsoukalas – Manager of "MAGNETIC ND BG" EOOD/
I DECLARE:
I am aware that "MAGNETIC ND BG" EOOD, UIC 203893847, with headquarters and address of management: Plovdiv, 73 "Raiko Daskalov" Street, represented by manager Sotirios Ioannis Tsoukalas, is a data controller within the meaning of Art. 4, item 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) in connection with the contracts concluded by the company.
I am aware of and accept the General Conditions for the order and conditions for the processing of personal data by "MAGNETIC ND BG" EOOD in its capacity as a data controller, which General Conditions were provided to me for review and can also be found in paper form posted in the offices of "MAGNETIC ND BG" EOOD.
I am aware of and give my consent for "MAGNETIC ND BG" EOOD to process my personal data in connection with the purposes and grounds stated below:
Purpose | Legal Basis |
3.1. Performing any actions for conducting the client's training and assisting in acquiring the relevant qualification, as well as purchasing and selling the offered professional materials. | Legitimate interest of "MAGNETIC ND BG" EOOD in connection with the obligations of the data subject in the performance of their activity. |
3.2. Performing any actions and signing any documents, including those related to the Company's activities for the duration of the contract concluded between the parties. | Taking steps by the data subject to enter into a contract. |
3.3. Internal analyses and establishing a risk assessment and management system. | Legitimate interest of "MAGNETIC ND BG" EOOD in connection with reducing the level of risk when concluding and executing contracts. |
3.4. Conducting court or arbitration proceedings related to breaches of contractual obligations by data subjects who are parties to the contract, including the extent and nature of such breaches and payment ethics. | Legitimate interest of "MAGNETIC ND BG" EOOD in pursuing claims through legal/non-legal means. |
4. I give my consent for "MAGNETIC ND BG" EOOD to process the following personal data of mine for the purposes specified in item 3 of this declaration: full name; permanent and current address; signature; correspondence address; contact phone number; email address and email content, as well as other data under item 2.2 of the General Conditions for the order and conditions of personal data processing by "MAGNETIC ND BG" EOOD.
5. I give my consent for "MAGNETIC ND BG" EOOD to process the personal data described below for the following purposes:
Types of Personal Data | Purpose | Consent |
Permanent and current address and correspondence address | Performing any actions and signing any documents related to the activities of "MAGNETIC ND BG" EOOD for the duration of the contract. | |
Contact phone number | Performing any actions and signing any documents related to the activities of "MAGNETIC ND BG" EOOD for the duration of the contract. | |
Email address | Performing any actions and signing any documents related to the activities of "MAGNETIC ND BG" EOOD for the duration of the contract. | |
6. I understand that the processing of my personal data is bound to the duration of the contract concluded between me and "MAGNETIC ND BG" EOOD, as well as to the conditions of item 3.1 and item 3.2 of the General Conditions for the order and conditions of personal data processing by "MAGNETIC ND BG" EOOD.