POLICY FOR THE PROTECTION OF PERSONAL DATA OF “KOSTADINOV ENGINEERING” OOD

When you use our website, your personal data is processed by “KOSTADINOV ENGINEERING” OOD, with EIK 203248846, with registered office and management address: Bulgaria, Sofia region (capital), Stolichna municipality, Sofia 1345, Ilinden district, ul. Kukush No. 1.

We would like to inform you that we process your personal data on the following grounds:

Based on a contract – when you order some of our services or products;
Based on law – where we are required by law;
Based on your express consent – in all other cases.

Here below, you, our customers, partners and visitors to our site, will find information about our processing of your personal data depending on the basis on which we process it.

 

I.   WHEN YOU ORDER SOME OF OUR PRODUCTS

We process your personal data in order to fulfill our obligations to you under the contract concluded between us, as well as to be able to exercise our rights under the contract.

 

The purposes for which we process this personal data are the following:

– Establishing your identity;

– Management and fulfillment of your requests for services or products;

– Preparation of a proposal for concluding a contract, including electronically;

– Preparing and sending a bill/invoice for the products and/or services we provide you;

– Comprehensive service related to our products;

– Notification of everything related to the products and services we provide to you;

– Creating a user profile and maintaining the customer history;

– Keeping correspondence related to orders placed, processing requests, reporting complaints, problems, etc.

 

On this basis, we process the following data:

– Personal data for contacting you – contact address, telephone number and e-mail;

– Data for your identification – your three names, unified civil number or personal number of a foreigner, permanent address, passport data;

– Data about your orders and inquiries through your user profile;

– Email, letters, information about your requests to remedy claims, problems, appeals, requests, complaints and any other feedback we receive from you;

– Any other information that is necessary to provide you with the specific service and without which the service could not be provided;

– Customer number, code or other identifier created to identify users;

– Other personal data provided by you or a third party when concluding or during the validity of a contract with us, and more specifically: the three names, unified civil number or personal number of a foreigner, permanent address of a proxy, data specified in a document for authorization; social network profile data, contact data, contact person;

– Username and password (when registering on our website or another similar service).

 

Without the processing of your personal data, we would not be able to conclude the contract with you or fulfill it.

 

Provision of your data to third parties:

We provide your personal data to third parties in order to offer a comprehensive, high-quality service and to fulfill our obligations under the contract concluded with you.

We do not provide your personal data to third parties before making sure that all technical and organizational measures are taken to protect this data and we strive to implement strict controls to fulfill this purpose.

We provide personal data to the following categories of recipients (administrators of personal data):

– state administrative bodies;

– postal operators and couriers, with a view to sending products and documentation;

– persons employed on an employment or civil contract, assisting the processes of sales, logistics, delivery, etc.;

– banks for servicing payments;

– persons who, by assignment, maintain equipment, software and hardware used for processing personal data and necessary for the company’s activities;

– persons performing consulting services in various fields;

– providers of marketing/telemarketing services;

– service providers related to market research;

– IT service providers;

– other companies with whom we may develop joint programs for the provision of our services.

 

We delete the data collected on this basis 5 years after the fulfillment of our contractual obligations to you. The term is in accordance with the statutory 5-year statute of limitations for possible claims arising from the concluded contract.

 

II. WHEN WE FULFILL OUR LEGAL OBLIGATIONS

We may be required by law to process your personal data. In these cases, we are required to carry out the processing, such as:

– obligations under the Law on Anti-Money Laundering Measures;

– provision of information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;

– obligations stipulated in the Accounting Act and the Tax-Insurance Procedure Code and other related legal acts, in connection with the keeping of legal accounting;

– fulfillment of obligations in relation to distance selling, off-premises sales, provided for in the Consumer Protection Act;

– provision of information to the court and third parties, in the framework of proceedings before a court, in accordance with the requirements of the normative acts applicable to the proceedings;

 

We delete your data, collected pursuant to a statutory obligation, after the obligation to collect and store is fulfilled or ceases.

Provision of your data to third parties:

Where we are required to do so by law, we may provide personal data to the competent government authority, natural or legal person.

 

III. WHEN WE HAVE YOUR EXPRESS CONSENT

We process your personal data on this basis only after your express, unequivocal and voluntary consent. We do not foresee any adverse consequences for you if you refuse the processing of your personal data.

If you give us the relevant consent, then until it is withdrawn or until any contractual relationship with you is terminated, we will:

– prepare offers for products/services suitable for you;

– prepare proposals for you for products/services from the company’s partners, by processing your basic personal data.

 

Withdrawal of consent

Consents may be withdrawn at any time. If you withdraw your consent to the processing of personal data, we will not use your personal data and information for the purposes specified above.

To withdraw the consent you have given, you need to contact us using the contact details indicated.

Based on your consent, we process your email and other information for which you have expressly agreed.

We delete data collected on this basis upon your request or 2 years after initial collection.

 

Anonymization and pseudonymization

Your data can also be anonymized. Anonymization is an alternative to data deletion. When anonymized, all personally identifiable elements/identifying elements are irreversibly deleted. For anonymized data, there is no legal obligation to delete it, as it does not constitute personal data.

 

Protection of your personal data

To ensure adequate protection of the data of the company and our customers, we implement all necessary organizational and technical measures provided for in the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as the best practices from international standards.

The Company has adopted policies to prevent abuse and security breaches. In order to ensure maximum security when processing, transferring and storing your data, we may use additional protection mechanisms such as encryption, pseudonymisation and others. We only work with personal data processors that provide equivalent security standards.

 

Personal data we have received from third parties

In some cases, we have to process your personal data, which were not provided to us by you or were not collected by us, but received from third parties. These are the following data:

– Data from public registers;

– Data from our Partners – in fulfillment of contractual obligations or with express consent;

– Data from our Users – provision of data for parties to a contract, recommendations, etc.

 

Rights of Users

As users, you can exercise your rights through our site or by using the above contact details.

You have all the rights to personal data protection provided by Bulgarian legislation and the law of the European Union. Each User has the right to:

– Information (in connection with the processing of personal data by the administrator);

– Access to your own personal data;

– Correction (if the data is inaccurate);

– Deletion of personal data (right “to be forgotten”);

– Restriction of processing by the administrator or personal data processor;

– Portability of personal data between individual administrators;

– Objection to the processing of your personal data;

– Not be the subject of a decision based solely on automated processing, including profiling, which gives rise to legal consequences for you or similarly significantly affects you;

– Judicial or administrative protection in the event that your rights have been violated.

You can request deletion of your data if:

– The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

– You withdraw the consent on which the data processing is based and there is no other legal basis for the processing;

– You object to the processing and there are no overriding legal grounds for the processing;

– The personal data have been processed illegally;

– The personal data must be deleted in order to comply with a legal obligation established by law;

– The personal data were collected in connection with the provision of information society services to children and the consent was given by the holder of parental responsibility for the child.

You can restrict the processing of personal data by us when:

– You dispute the accuracy of the personal data;

– The processing is unlawful, but you do not want the personal data to be deleted and instead request a limitation of its use;

– We no longer need the personal data for the purposes of processing, but you require them for the establishment, exercise or defense of legal claims;

– You have objected to the processing, pending verification of whether our legitimate grounds for processing take precedence over your interests.

 

Right of portability

You have the right to receive, in electronic format, the personal data relating to you that you have provided to us, and to transfer this data to another administrator without hindrance from us, where the processing is based on consent or a contractual obligation and is carried out by automated means.

 

Right to object

You have the right to object to us processing your personal data. We will stop the processing unless we demonstrate that there are compelling legitimate grounds for the processing that override your interests as a data subject, or for the establishment, exercise or defense of legal claims. In case of objection to the processing of personal data for the purposes of direct marketing, the processing will be stopped immediately.

 

Maintaining a register

We maintain a register of the processing activities for which we are responsible. This register contains all the information below:

– our name and contact details;

– a description of the categories of data subjects and the categories of personal data we process;

– the categories of recipients to whom personal data are or will be disclosed, including recipients in third countries or international organizations;

– when possible, the deadlines for erasure of the various categories of data;

– where possible, a general description of the technical and organizational security measures.

 

Right to appeal to the supervisory authority for personal data protection in Bulgaria

You can file a complaint against illegal processing of your personal data to the Commission for the Protection of Personal Data, with headquarters and correspondence address: Sofia 1592, “Prof. Tsvetan Lazarov” No. 2, telephone 02 915 3 518, E-mail: kzld@cpdp.bg, Internet page: www.cpdp.bg or to the competent court.

 

This privacy policy is current as of 05/25/2018.

The company reserves the right to change and/or supplement this Policy at any time. Changes take effect immediately after they are published on the website, unless otherwise provided in the updated version of the Policy. The policy can be updated at any time without special notification to the users of the Site. The Company is not responsible if a user of the websites has not familiarized himself with the latest version of this Policy.

 

Affirmed:

Georgi Kostadinov – Manager

 

DECLARATION OF COMPLIANCE WITH GDPR

Introduction

The EU’s General Data Protection Regulation (GDPR) came into force in the European Union on 25 May 2018, bringing the most significant changes to data protection regulation in two decades. Based on the principle of protecting personal data by design and adopting a risk-based approach, GDPR has been developed to meet the demands of the digital age. The 21st century brings with it greater use of technology, new definitions of what constitutes personal data and a huge increase in cross-border processing. The new regulation aims to standardize data protection legislation and data processing across the EU by giving individuals stronger, more consistent rights to access and control their personal information.

 

Our commitment

We at “KOSTADINOV ENGINEERING” OOD, with EIK 203248846, with headquarters and address of management: Bulgaria, Sofia region (capital), Stolichna municipality, Sofia 1345, Ilinden district, Kukush street No. 1, are committed to guaranteeing the security and protection of the personal information we process and to providing a consistent approach to data protection. We have always had a robust and effective data protection policy that complies with the existing regulatory framework and with the data protection principles. We accept our obligations to update and expand this policy to meet the requirements of the GDPR and the amendments to the Personal Data Protection Act in view of the adopted and effective Regulation 2016/679.

The company is dedicated to the processes of personal information protection that are within our competence and to the activities of developing data protection mechanisms that are effective, fit for purpose and demonstrate understanding and compliance with the GDPR. Our preparation and goals for GDPR compliance are summarized in this statement and include the development and implementation of new roles, policies, procedures, controls and data protection measures to ensure maximum and ongoing compliance.

 

How we are preparing for GDPR

The company now has the same level of data protection and security across our organization, and the preparation we carried out included:

Information audit – conducting a comprehensive company information audit to identify and assess the personal information we hold, where it comes from, how and why it is processed, and if disclosed, to whom.
Policies and Procedures – the introduction of new data protection policies and procedures to meet the requirements and standards of GDPR and data protection legislation, including:

► Privacy – our main data protection policy and procedures document has been revised to meet GDPR standards and requirements. Accountability and governance measures are in place to ensure that we understand and adequately communicate and demonstrate our obligations and responsibilities, with particular attention to the principle of protecting personal data at the design stage and protecting the rights of individuals.

► Data Retention and Deletion – we have updated our data retention policy and schedule to ensure that we comply with the principles of “data minimization” and “retention limitation” and that personal information is stored, archived and destroyed in a compliant and ethical manner. We have dedicated erasure procedures in place to meet the new Right to Erasure obligation and are aware of when these and other data subject rights apply, along with any exceptions, response times and notification responsibilities.

► Data Breach – our data breach procedures ensure safeguards and measures are in place to identify, assess, investigate and report personal data breaches as early as possible. Procedures are robust and disseminated to all employees, informing them of reporting channels and steps to be followed.

► Data Transfer and Disclosure to Third Parties – where we store or transmit personal information, we have robust procedures and safeguards in place to protect, encrypt and maintain data integrity.

► Data access request – we have revised our data access procedures to implement the revised time periods for providing requested information and to ensure that this activity is carried out free of charge. Our new procedures detail how to verify the data subject, what steps are taken when processing an access request, what exceptions apply and a set of response templates to ensure that communications with data subjects are consistent and adequate.

Legal basis for processing personal data – we review all personal data processing processes and activities to identify the legal basis for processing and ensure that each basis is appropriate for the activity to which it relates. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 GDPR are met.
Our Privacy Policy aims to comply with the GDPR by ensuring that all individuals whose personal information we process have been informed about why we need their data, what their rights are, to whom this information is provided and what safeguards are in place to protect their data.
Obtaining consent – we have redesigned our consent mechanisms for receiving personal data to ensure that people understand what they are providing, why and how we use it, and to give clear and defined ways to obtain consent to receive certain information, as well as the basic rights and requests that each user can make to us.
We have developed strict procedures for documenting consent, so that we can demonstrate that we have confirmation of opt-in choices and of the receipt of certain data, together with time and date records, and that there is an easy-to-understand and accessible way to withdraw consent at any time.
We have also revised the wording and processes for direct marketing, including the introduction of a separate additional consent for the provision of direct marketing, as well as the introduction of clear mechanisms for opt-in to marketing subscriptions, clear notices and ways to opt out, and unsubscribe functions for all subsequent marketing materials and activities.
We carry out a Data Protection Impact Assessment where we process personal information that is considered to be of high risk. We have developed strict procedures and models for carrying out impact assessments that fully comply with the requirements of Art. 35 GDPR. We have implemented documented processes that account for each assessment, allow us to assess the risk posed by processing activities and implement mitigating measures to reduce the risk posed to data subjects.
In cases where we need to use third parties to process personal information on our behalf (e.g. TPMS, data collection, hosting, etc.), we have drawn up compliant personal data processor agreements and due diligence procedures to make sure they (and we) understand the GDPR obligations. These measures include initial and ongoing reviews of the services provided, the necessity of the processing activities, the technical and organizational measures in place and GDPR compliance.

Special categories of personal data – when we receive and process information from a special category of personal data, we do so in full compliance with the requirements of Art. 9 GDPR and we have high-level encryption and protection of all such data. Special categories of personal data are processed only if necessary and are processed only under the conditions that a legal basis is identified under Art. 9 para. 2 GDPR. Where we rely on consent to processing, this is express and confirmed by a signature, with the subject’s right to change or withdraw consent clearly indicated.

 

Rights of personal data subjects

In addition to the above rules and procedures, which ensure that individuals can exercise their rights to the protection of their personal data, we provide various request forms, both at our registered office and address of management and on our website.

 

All our customers/counterparts should know that at any time you can request information about:

What personal data we hold about you;
The purposes of the processing of personal data;
The categories of relevant personal data;
The recipients to whom the personal data is/will be disclosed;
How long we intend to keep the relevant personal data;
If we have not collected the data directly from you, information about the source;
The right to correct or complete incomplete or inaccurate data about you and the process for requesting it;
The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection legislation, as well as the ability to object to any direct marketing and to receive information about any automated decision-making that we use;
The right to file a complaint or seek legal redress, as well as competent contact persons in such cases.

 

Information Security and Technical and Organizational Measures

The Company takes the protection of personal information very seriously and takes all reasonable and precautionary measures to protect and secure the personal data we process.

We have robust information security policies and procedures in place to protect personal data from unauthorized access, alteration, disclosure or destruction and have multiple layers of security measures such as: (Insert measures such as SSL, access control, password policy, encryption, pseudonymization, practices, restrictions, IT authentication, etc.)

 

GDPR Roles and Employees

The company appointed Borislav Alexander Kanchelov as our responsible person and appointed a personal data protection team to develop and implement rules to comply with the new data protection regulation. The team is responsible for promoting GDPR across the organization, assessing our GDPR readiness, identifying any areas of non-compliance and implementing the new policies, procedures and measures.

Our employees are fully engaged in our plans to prepare for GDPR compliance, with relevant training programs in place at all levels of the organization.

If you have any questions about our preparation for GDPR, please contact Borislav Alexander Kanchelov – Data Protection Officer.

 

Affirmed:

Georgi Kostadinov – Manager

 

PRIVACY NOTICE/STATEMENT

Data of the administrator – WE:

“KOSTADINOV ENGINEERING” OOD, with EIK 203248846, with headquarters and address of management: Bulgaria, Sofia region (capital), Stolichna municipality, Sofia city 1345, Ilinden district, Kukush street No. 1, is a limited liability company whose main activity is: production of prototypes and components; commercial representation of Bulgarian and legal entities; freight forwarding; and other activities not prohibited by law.

 

Contact details for the Data Protection Officer:

The company cooperates and has chosen Mr. Borislav Aleksandrov Kanchelov as its personal data protection officer, and you can contact him through the electronic contact form on our website.

 

The personal data we collect and process from you are:

We present you with information about us and our activities. In order to provide you with additional information about our products, services and partners, and in general with information beyond that disclosed at the headquarters and address of management and on our website, to respond to your inquiries and comments and in general to communicate with you, it is necessary to collect your personal data so that we can identify you (if you wish) and respond to your needs, if and to the extent possible. To achieve the stated goals, we collect information about your names, e-mail, telephone, address and passport data, to the extent that you provide it to us. We guarantee that the information we collect and use is necessary for the stated purposes and is not intended to intrude on your personal space or to affect your personal interests and private life.

 

Special categories of data we process:

In view of the Company’s activity, we do not process sensitive personal data of our customers and partners.

 

Source:

We receive the above personal data from you personally or, in some cases, from our business partners and/or other third parties.

 

We declare that the personal data we collect will be used for the following purposes:

We need your personal data in order to maintain a relationship with you, to provide you with our products and services at the highest quality and on time, and to perform other statutory obligations.

 

The basis that entitles us to process your data is:

– Processing is based on your consent;

– The processing of your data is necessary for the performance of a contract with you or our intention to enter into a contract;

– Processing is necessary to comply with our legal obligation;

– Processing is necessary to protect your (vital) interests (or the interests of another person).

 

Consent:

By agreeing to accept this Notice, you are giving us permission to process your personal data only for the purposes we have specified. Where necessary, we will obtain your express, written and informed consent.

Consent is necessary for us to process both types (ordinary and special) of personal data, but it needs to be explicit.

You can withdraw your consent at any time by submitting a form to us, which you can obtain from us upon request, or you can write it in free text.

 

Transfer of personal data to a country outside the EU or to an international organization:

The company does not intend to transfer your personal data to third parties, except in the cases established by law.

We will not pass your data on to third parties, nor will we pass it on for the purpose of gaining any benefit. We may provide your personal data to persons who assist us in achieving the purposes described above – processors of personal data who act on the basis of a written contract, in accordance with our express instructions and in the application of appropriate technical and organizational measures to protect your personal data. Personal data will not be provided to third parties or shared outside the European Union or the European Economic Area. Recipients of your data can also be persons and authorities with authority, to whom we will provide them in fulfillment of specific and clear legal obligations. Where we intend to pass your specific personal data (if you have provided it to us) to a third party, we will only do so after obtaining your consent, unless we are required by law to do otherwise.

 

CONFIDENTIALITY of VISITORS’ data in the Company where VIDEO SURVEILLANCE is carried out

The personal data we collect and process: if you visit our company at its address, or a site managed by us, where there is video surveillance, your image and behavior data will be processed. This data gives information about your image and characteristic traits, insight into your behavior, habits and offenses, and other visible information.

The source of this data is: We receive the above personal data from you, personally.

We declare that the personal data we collect during video surveillance will be used only for legitimate purposes, such as protecting property, ensuring security, safety and order, protecting public health and preventing theft and other abuses.

The grounds that give us the right to process your image and behavior data are: our legitimate interest in providing protection and ensuring security, and the public interest. In addition, through this processing we can also provide the legally required assistance to competent public authorities within the framework of the powers granted to them.

Processing period: We store your data processed during video surveillance for up to 60 (sixty) days in accordance with the Law on Private Security Activities. Typically, this processing is limited to real-time monitoring of guarded locations and the storage of relevant records.

 

Total data retention period

The personal data of the company’s clients are stored for a period of up to 5 years from the conclusion of the relevant contract with the client. This term is consistent with the statute of limitations for making any claims arising from the contract.

The personal data of job applicants who are not approved for appointment to the Company are stored for the period determined according to the current regulations in the field of personal data protection, from the end of the procedure, after which they are returned to the person or destroyed. Personal data may be stored for a longer period for the purpose of making job offers only with the applicant’s written consent.

Personal data of the company’s employees are stored in accordance with Bulgarian legislation, until the expiration of the terms provided for this after the termination of the employment relationship.

The records of the video surveillance carried out in the company are stored for a period of up to 60 (sixty) days in accordance with the Law on Private Security Activities. Personal data that the company collects through video surveillance will only be used for legitimate purposes, such as security of property, ensuring security, safety and order in commercial establishments, protecting public health in the food trade and preventing theft and other abuses.

Personal data contained in accounting documents are stored according to the terms provided for this, according to the Accounting Act.

 

Method of storing and protecting your personal data that we process:

We will process your personal data while taking necessary and sufficient technical and organizational measures for their protection. Among other things, we have implemented the necessary internal policies and measures to protect your personal data at the design stage; the employees responsible for the data are well aware of the requirements regarding the protection of your personal data; the processing of your personal data is reduced to the minimum necessary to achieve the relevant goals; we have put in place the necessary security measures, such as security, restricted access, security systems, etc.; we have implemented measures to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services, as well as measures in the event of a physical or technical incident to promptly restore availability and access to personal data; an internal process has been established for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to guarantee the security of the processing; a procedure has been developed for storing and destroying the data. We will process (collect, store and use) the information you provide in a manner compatible with the requirements of the General Data Protection Regulation (GDPR). We will endeavor to keep the information accurate and up to date.

We do not perform automated decision-making (without human intervention) when processing your personal data for any of the above purposes.

 

Your rights as a subject of personal data are as follows:

At any time while we store or process your personal data, you (according to the legal terminology – data subject) have the following rights:

you have the right to request a copy of your personal data from the Company and the right to access your personal data at any time;
you have the right to request from the Company your personal data in a form convenient for transfer to another personal data controller, or to request that we do so without being hindered by us;
you have the right to ask the Company to correct, without undue delay, your inaccurate personal data, as well as data that is no longer current;
you have the right to ask the Company to delete your personal data without undue delay on any of the following grounds:

o    the personal data are no longer necessary for the purposes for which they were collected;

o when you have withdrawn your consent;

o when you have objected to the processing,

o when the processing is unlawful;

o    when the personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State that applies to us as a controller of personal data;

o when the personal data were collected in connection with the provision of information society services.

We may refuse to delete your personal data for the following reasons:

o in exercising the right to freedom of expression and the right to information;

o to comply with a legal obligation on our part or to carry out a task in the public interest,

o    for reasons of public interest in the field of public health;

o    for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes, to the extent that deletion is likely to make it impossible or seriously hinder the achievement of the purposes of this processing; or for the establishment, exercise or defense of legal claims.

you have the right to ask the Company to limit the processing of your personal data, in which case the data will only be stored, but not processed. Any refusal on our part to limit processing will be made expressly in writing, and we are obliged to justify it with a lawful reason;
you have the right to withdraw your consent to the processing of your personal data at any time with a separate request addressed to the administrator;
you have the right to object to certain types of processing, such as direct marketing (unsolicited advertising messages);
you have the right to object to automated processing, including profiling;
you have the right not to be subject to a decision based solely on automated processing involving profiling;
if we need to use your personal data for a new purpose that is not covered by this data protection statement, we will provide you with a new data protection notice and, when and where necessary, we will request your prior consent to the new processing.

All of the above requests will be forwarded if there is a third party (recipients including non-EU and international organizations) processing your personal data.

You have the right to appeal to the supervisory authority

You have the right to file a complaint directly with the supervisory authority, the competent authority being the Commission for the Protection of Personal Data, address: Sofia 1592, “Prof. Tsvetan Lazarov” No. 2 (www.cpdp.bg).

In the event that you wish to lodge a complaint regarding the processing of your personal data by the Company, you may do so using the Company’s contact details or directly with the Data Protection Officer at the above contact details.

Confirmed by:

Georgi Kostadinov – Manager