GENERAL PERSONAL DATA PROTECTION POLICY
(in force as of 24.05.2018)
I. SCOPE AND APPLICATION
Adventure Facility Concepts and Management OOD (“AFCM”, “we”, “our” or “us”), a limited liability company organized under the law of the Republic of Bulgaria, having its registered office at 111V Tsarigradsko Shosse, Sofia 1784, Bulgaria, UIC 202387264, as a personal data controller, realizes the importance of protecting your personal data.
The purpose of this General Personal Data Protection Policy (the “General Policy”) is to inform you regarding the following:
This General Personal Data Protection Policy applies every time when we process your personal data. Our special policies for protecting certain data categories apply in addition to this General Policy.
We may from time to time update this General Personal Data Protection Policy. When we do so, we will publish on our website a notification of the update, as well as the amended version of the policy.
Should you have any questions related to this General Policy, don’t hesitate to contact us through any of the methods described in the end of this document.
For the purposes of this General Policy:
“Personal Data” means any information related to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, mental, economic, cultural or social identity of that natural person
“Sensitive Personal Data” includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
We do not process sensitive personal data unless necessary to carry out our regulatory obligations, for example the obligations we have under the labour or anti-discrimination laws. Please do not send or otherwise provide us with any sensitive personal data related to you (or someone else) unless we have expressly asked you to do so in writing and after we have confirmed to you that we have the necessary consents and that all other legal requirements for data processing have been met.
“Personal Data” does not include data that can not be related to or associated with a particular natural person.
II. THE CATEGORIES OF PERSON DATA WE PROCESS
The Personal Data we process includes:
Basic information, such as your name (including title), the organization you represent or work for and your position in the same.
Contact information, such as postal address, email, telephone number, fax number, and Skype name.
Financial information, such as your credit/debit card number or your bank account in respect to particular transaction or series of related transactions.
Technical information, such as data generated as a result of your use of the website or an application embedded in the same (app, plug-in, etc.), as well as information regarding materials and communication received from you or sent to you electronically.
Information in connection to business meetings, such as any information you provide us regarding your participation in business seminars, conferences and other similar commercial events organized by us or some of the businesses associated with us.
Other personal data provided to us by you or on your behalf or generated in relation to the preparation or execution of an order you have placed with us, such as the history of the orders and payments.
III. SOURCES AND METHODS OF PERSONAL DATA COLLECTION
Part of the personal data we collect and process is provided by you directly (e.g. when you sign up or use some of the websites we operate or contact us via telephone or online to apply for a job or obtain information for the goods and services we provide or the status of execution of your order).
To specify, personal data that you provide directly to us include:
Identification data, such as your name, date of birth, permanent address, delivery address or correspondence address, telephone number, email address, password and user name when you create your own customer account in some of the websites we operate (as far as the respective website supports such a functionality);
In some cases, the personal data you provide may include age, gender, interests or membership in branch organization;
The personal data contained in the electronic communication you have sent us, such as the data in an email message addressed to us, our employee or sales representative;
Data created by you in the context of assigning and executing orders you have created via a website we operate or otherwise, such as the orders history, including data for the date of the assignment and/or acceptance of the orders and the status of their execution;
Financial information, such as your credit/debit card number or your bank account for the purpose of execution of a particular financial transaction or series of such transactions;
Personal data generated by you or related to your customer account in the respective website, such as data you input when you update your customer account or information of the products you have added to your cart or wish list;
Data you generate when you use certain social media plug-ins, such as Facebook’s “like” or “follow” plug-ins for the purpose of expressing your attitude toward certain material or content published on our websites or social media pages;
Other personal data you supply per our request when we are required or permitted by law to collect the subject data in order to identify you or confirm the information we already have.
In certain cases, when permitted by law, we collect data related to criminal convictions and offences. For example, when we are prohibited by law to hire on certain positions individuals who have been convicted of certain crimes, we will process the date provided by you only as long as necessary to comply with our legal obligation.
Part of the processed by us personal data is collected automatically when you sign up or use a website operated by us in order to contact us or place an order. This information is provided by the devices (such as your personal or work computer, smartphone, tablet, etc.) you use to access our websites, social media pages or the applications and other online services we offer and include you’re the ID of your device or the unique identifier related to the device or browser you use, location data, the type of the device or browser you use.
We do not use automated decision-making, including profiling as a result of automated personal data processing.
In addition to the personal data we collect directly from you or the device you use, we collect data from other sources. As an example, in some cases, if not prohibited by law, we collect information related to your credit history as well as other similar information provided by а credit bureau or licensed credit or financial institutions you have had or have financial or business relations with.
Personal data provided by third parties include data contained in your public profile in the social, to which we get access when you choose to sign in your customer account using your social media account, such as Facebook or G+. Note that most of the data published in your profiles in the social media, such as your public profile, location data, language, public posts and comments, are publicly available which leads to certain responsibilities and poses certain risks to the inviolability of your personal space. You control what data you share with us through the site settings of the respective social media, as well as the consents you give us in relation to the processing of your personal data contained on the social media sites.
IV. THE PURPOSES FOR PROCESSING YOUR PERSONAL DATA AND THE LEGAL BASIS FOR DOING SO
We collect, keep and otherwise process personal data as long as this complies with the law and our personal data protection policies. We process personal data for various business purposes and on various legal bases. In accordance with the applicable law, we must have a legal basis for processing your personal data. Depending on the basis on which we process your personal data, you have certain rights. You can find further information on your rights in Section IX.
In particular, we process the personal data we have collected on the legal bases listed below for one or more of the following purposes:
We process your personal data for the purposes of executing and performing a contract with you.
We can collect and process your personal data in order to execute and perform a contract with you and to take certain steps before the execution of the contract per your request. The main purposes for processing your personal data on this basis are as follows:
We process your personal data in order to perform the legal obligations we have under the law of the European Union and the EU member states.
Specifically, we process personal data when we perform the legal obligations we have due to the fact that we are simultaneously an employer and a seller/purchaser of goods and services. In this regard, we process personal data in order to carry out our specific obligations that originate from or are related to the following:
We can collect and process your personal data with your consent
In some cases, upon receipt of your consent to process your personal data for a specific purpose, we can use these data as follows:
You have the right to withdraw your consent for personal data processing at any time. Further information about this right can be find below.
We can process your personal data when we have legal (legitimate) interest to do so, such as for example, our legitimate interest to:
V. COLLECTING AND PROCESSING CHILDREN’S PERSONAL DATA
We understand the importance of taking additional measures for protecting the personal data of children who use our products and services, including the websites we operate. We do not collect personal data from children who are younger than 16 or data related to children younger than 16 without parental consent or, if applicable, without the consent of another individual who can legally consent to the processing of the personal data of the child (such as the guardian of the child).
We do not allow children younger than 16 to create their own customer accounts on the websites we operate or to otherwise provide us with their personal data.
If we find out that we have collected or processed personal data of a child without having the required by law parental consent, we will take measures for destroying such information without any undue delay.
VI. IN WHAT CASES WE TRANSFER YOUR PERSONAL DATA TO THIRD PARTIES
We may assign the processing of your personal data to third parties – subcontractors who assist us with the data processing. These third parties process your data on our behalf and in correspondence with our instructions for all or some of the purposes indicated in this General Policy. We do not allow third parties – subcontractors to use your personal data for their own purposes, including for direct marketing.
We require all third parties that process your personal data on our behalf to process the data in accordance with the applicable law and to guarantee the safety of the data, including by taking the necessary technical and organizational measures for personal data protection. The categories of recipients that process personal data on our behalf are:
In some cases, when this is necessary to protect our legitimate interests, we can disclose your personal data to third parties, such as:
VII. THE TERM FOR WHICH WE RETAIN YOUR PERSONAL DATA AND WHEN WE DELETE THE SAME
We retain your personal data for such period as required or allowed to fulfil the purposes for which we process the data. Upon fulfilment of these purposes or in case we no longer have legitimate interest or legal basis for data processing (for example, when the consent for processing has been withdrawn), we will erase your personal data without undue delay.
The criteria that serve as grounds for determination of the period of retention of your personal data include: (а) the period for which we maintain commercial relations with you and provide you with our services, (b) the periods for data retention set forth in the legal regulations that apply to us, and (c) the period for which are required to retain your data for in connection to our participation and the protection of our rights and legal interests in court and administrative proceedings and the expiration of the respective limitation periods.
We will retain the personal data, contained in our accounting books, for the periods set forth in the Accounting Act.
VIII. HOW IS YOUR PERSONAL INFORMATION PROTECTED
When processing your personal data, we take the necessary technical and organizational measures to protect such data from unauthorized access, amendment, or erasure. These measures include the following:
IX. YOUR RIGHTS IN RESPECT TO YOUR PERSONAL DATA PROCESSING
At all times during the period of processing of your personal data, you have certain rights that are listed below.
You can exercise your rights under this Policy and the General Data Protection Regulation by sending an email or a letter to our Data Protection Officer describing your specific request. If possible, your request shall be signed by hand or with a qualified electronic signature. If you are not able to sign your request in one of the aforesaid ways, we may ask you to provide additional information in order to establish your identity.
We will respond to your request free of charge and without undue delay. In the event we receive duplicated requests, we may decline to take action on the request or set a fee (based on the expenses on our part) that you will have to pay in order for us to provide you the information or communication or take the requested actions.
RIGHT OF ACCESS AND INFORMATION
You have the right to request and receive:
RIGHT OF RECTIFICATION AND COMPLETION
If you find out that the personal data we process are inaccurate and/or incomplete, you can ask us to rectify and/or complete them.
RIGHT OF OBJECTION
When we process your personal data based on our legitimate interest, you have the right to object to such processing. We will cease the processing of your data without undue delay and will erase the data unless we have compelling legitimate grounds to continue processing your data, which override your rights and legal interests or if the processing of your personal data is required for the establishment, exercise or defence of legal claims. Moreover, you have the right to object at any time to the processing of your personal data for marketing and advertising purposes. We will terminate the processing without undue delay, immediately upon receipt of your objection.
RIGHT TO RESTRICTION OF PROCESSING
You have the right to ask us to suspend the processing of your personal data in the future when:
RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)
You have the right to ask us to erase your personal data and we are obliged to erase the same without undue delay when:
In some cases, we will not be able to comply with your request, such as when the processing of your personal data is necessary for the following:
RIGHT TO WITHDRAW YOUR CONSENT
When we are relying on your consent in order to process your personal data, you have the right to withdraw your consent with immediate effect. In this case, we will stop any future processing of your personal data.
PORTABILITY OF YOUR DATA
When we process your personal data on the basis of your consent or in order to perform any contractual obligations we have to you, as long as this does not adversely affect the rights and freedoms of other people, you have the right to obtain the data that you have provided to us in structural, frequently used, machine-readable form or, if technically possible, to ask us to transfer the data to a third party.
RIGHT TO COMPLAIN
If you believe that we process your personal data in a way that does not comply with the applicable law, you have the right to file a complaint to the competent authority. You can contact the supervisory authority with jurisdiction at your place of residence or your country or the supervisory authority with jurisdiction at our domicile.
The competent authority in the Republic of Bulgaria is the Personal Data Protection Commission with address:
Sofia, 1592, 2, Prof. Tsvetan Lazarov Blvd., tel.: 02/915 – 3518, Email: email@example.com
X. HOW TO CONTACT US
On all matters related to the processing of your personal data or exercising your rights, you can contact our Data Protection Officer in one of the following ways:
Via email, by sending an electronic message to firstname.lastname@example.org, or Via mail, at postal address: Sofia 1784, 111V Tsarigradsko Shose Blvd., fl. 3