Mandatory information on the personal data protection rights of persons
Information about the company that processes your data:
Name: Mortaly Ltd.
UIC / BULSTAT: BG200409547
Headquarters and management address: 13 Bacho Kiro Str., Dryanovo 5370, Gabrovo region
Correspondence address: 1-9 Maxim Raykovich Str., Dryanovo 5370, Gabrovo region
Phone: 0899887293
Email: ma@bebetech.net; ta@bebetech.net
Website: www.bebetech.net
Information on the competent data protection supervisory authority
Title: Commission for Personal Data Protection
Headquarters and management address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Correspondence address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Website: www.cpdp.bg.
……………. (hereinafter referred to as “Administrator” or “Company”) operates in accordance with the Personal Data Protection Act and Regulation (EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with this processing.
PURPOSE of collecting, processing and storing your personal data
Art. 1. The administrator shall collect and process your personal data in connection with the use of the e-shop www.bebetech.net and the conclusion of contracts with the Company on the grounds of art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:
- explicit consent received from you as a customer;
- fulfillment of the obligations of the Administrator under a contract with you;
- compliance with a legal obligation that applies to the Administrator;
- for the purposes of the legitimate interests of the Administrator or a third party.
Goals and principles in collecting, processing and storing your personal data.
Art. 2. (1) We collect and process the personal data that you provide to us in connection with the use of the e-shop and conclusion of contracts with the Company, including for the following:
- creating a profile and providing full functionality of the online store;
- concluding and executing a distance contract;
- identifying parties of the contract;
- accounting purposes;
- statistical purposes;
- protecting information security;
- ensuring the implementation of the contract and provision of the respective service;
- sending you our information bulletins upon your request.
(2) We observe the following principles when processing your personal data:
- lawfulness, fairness and transparency;
- purpose restriction;
- data minimisation and relevance;
- accuracy and actuality of data;
- storage restriction;
- integrity and confidentiality, ensuring appropriate level of security of personal data.
(3) In the processing and storage of personal data, the Administrator may process and store personal data in order to protect the following legitimate interests: fulfillment of obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal bodies.
What types of personal data our company collects, processes and stores
Art. 3. (1) The company performs the following operations with the personal data provided by you for the following purposes:
Registration of a user in the e-shop and execution of a contract for distance purchase – the aim of this operation is to create a profile for using the e-shop to purchase goods and provide contact information for the delivery of purchased goods. Registering and creating an account to use the online store is not a mandatory step for providing the service and the service is to a large extent available without creating an account.
Impact assessment conclusion: based on the impact assessment, the operation “User registration in the e-shop and execution of a distance sales contract” is admissible and provides sufficient guarantee for protecting the rights and legitimate interests of the data subjects in accordance with the requirements of the GDPR.
Concluding a contract and executing a business deal with a customer or partner – the purpose of this operation is the conclusion, execution and administration of a contract with a commercial partner or a customer. Given the limited scope of the personal data collected and the fact that some data is collected from publicly available sources, it is not required to carry out an impact assessment of this operation.
Sending a newsletter – the purpose of this operation is to administer the process of sending newsletters to customers who have explicitly requested receiving them. Given the limited scope of the personal data collected, an impact assessment is not required to carry out the operation.
Exercising the right to refusal or complaints – the purpose of this operation is to administer the process of exercising the customers’right to refuse or complain. Given the limited scope of the personal data collected, an impact assessment is not required to carry out the operation.
(2) The administrator shall process the following categories of personal data and information for the following purposes and on the following grounds:
Your personal data (e-mail, name, etc.)
Purpose of data collecting: 1) To contact users and send information to them, 2) to register users on the online store, and 3) to send newsletters.
Grounds for processing your personal data – By accepting the general conditions and by registering on the e-shop or by placing an order without registration, or by concluding a written contract, a contractual relationship is created between the Administrator and you, on the grounds of which we process your personal data – Art. 6, para. 1, p. (b) GDPR. Your data for receiving a newsletter is processed with your explicit consent – Art. 6, para. 1, p. (a) GDPR.
Delivery details (names, phone, address, etc.)
Purpose of data collecting: Fulfillment of obligations of the administrator under a purchase and sale contract and delivery of purchased goods.
Grounds for processing your personal data – By accepting the general conditions and by registering with the e-shop or by placing an order without registration, or by concluding a written contract, a contractual relationship is created between the Administrator and you, on the grounds of which we process your personal data – Art. 6, para. 1, p. (b) GDPR.
Additional data provided by you – in case you want to complete your profile, you are required to provide data related to your name, surname, phone number.
Purpose of data collecting: adding information about users in their accounts to complete user profiles.
Grounds for data processing: You have given your explicit consent for your personal data to be processed for one or more specific purposes – 6, para. 1, p. (a) the GDPR at the time of registration with the online store. Providing such data is not necessary for registering with the online store.
(3) The administrator shall not collect or process personal data, which refers to the following:
– reveal racial or ethnic origin;
– reveal political, religious or philosophical beliefs, or trade union membership;
– reveal genetic and biometric data, health data or data on sexual life or sexual orientation.
(4) The personal data is collected by the Administrator from the persons to whom they refer.
(5) The company shall not perform automated decision-making.
Art. 4. (1) The company performs the following operations with the personal data provided by you, as legal representatives or proxies of legal entities – trading partners, for the following purposes:
Concluding and executing a commercial transaction: to conclude and execute a commercial transaction with a commercial company, we process only the three names of the legal representative of the person authorized by the company. Conclusion from the impact assessment: Given the small volume of individuals whose data is processed and given the limited amount of personal data collected, impact assessment is not necessary for this operation.
(2) The personal data has been collected by the Administrator from the persons to whom they refer, also by the Commercial Register to the Registry Agency.
(3) The company does not perform automated decision making.
Art. 5. The administrator can use the so-called “cookies” for the purposes of providing full functionality of the website, improving the user experience and easy access, for statistical purposes, etc., which you agree with by using our website. You can control and / or delete cookies at any time through the settings of your browser. Cookies do not constitute personal data and are not used to identify visitors and users of the e-shop.
Data retention – period of storage of your personal data
Art. 6. (1) The administrator shall store your personal data for a period not longer than the existence of your account in our online store. After deleting your account, the Administrator shall take the necessary measures to delete and destroy all your data without any undue delay or to anonymize your data (i.e. to transform it in a way your identity is not revealed).
(2) The administrator shall process your personal data, which you provided when placing an order without registration in the e-shop, until the completion of this order, unless you have given your explicit consent, when processing your order, for processing your data for the purpose of improving our service, of providing recommended content for you, or individual offers and promotions, as well as for statistical purposes.
(3) The Administrator shall store your personal data, provided with your online orders for a period of 5 years for the purposes of protecting the legal interests of the Administrator in court or in case of any administrative disputes with users of the online store.
(4) The Administrator shall notify you in case the period for data storage needs to be extended in view of fulfillment of a legal obligation or in view of legitimate interests of the Administrator or anything else.
(5) The administrator shall store the personal data, which is to be kept by virtue of the applicable legislation for the respective envisaged period, which may exceed the period of existence of your account in the e-shop or until the completion of the order.
Art. 7. The Administrator shall keep the personal data of the legal representatives of its business partners for the term of the contract, in order to observe the legitimate rights and obligations of the Administrator, this period may exceed the term of the contract concluded.
Transfer of your personal data for processing
Art. 8. (1) The controller may at his or her discretion transfer part or all of your personal data to personal data processors for the fulfillment of the processing purposes with which you have agreed, in compliance with the requirements of Regulation (EU) 2016/679 (GDPR) .
(2) The administrator shall notify you in case of any intention to transfer part or all of your personal data to third countries or international organizations.
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent for the processing of your personal data
Art. 9. (1) If you do not want the personal data provided by you to be processed for marketing purposes or if you do not want to receive a newsletter, you can at any time withdraw your consent for processing by filling in the withdrawal form in Annex № 1 or by a request drafted in your own words and send to us by email.
(2) After we have received your request, we will send you a letter to the e-mail you have provided for receiving newsletters and commercial messages, with detailed instructions on your verification as a recipient of newsletters and as a personal data subject for whom withdrawal of consent has been requested.
(3) The withdrawal of consent shall not affect the legality of the processing of personal data, which the Administrator has already performed.
Right of access
Art. 10. (1) You shall have the right to request and receive a confirmation from the Administrator of whether any personal data related to you is processed, by e-mailing a request, drafted in your own words.
(2) You shall have the right to access the data related to you, as well as the information related to the collection, processing and storage of your personal data.
(3) Upon receipt of your request, we shall send you a message to the email you used to register or place orders to the e-shop, with detailed instructions on your verification as a subject of personal data to which access has been requested.
(4) After performing the verification process, according to par. 3, the administrator will provide you, upon request, with a copy of the processed personal data related to you, in electronic or in any other suitable format.
(5) The provision of access to the data is free of charge, but the Administrator shall have the right to impose an administrative fee in case of repeated or of too many requests.
Right to rectification
Art. 11. (1) You shall be able at any time to correct or complete the inaccurate or incomplete personal data related to you through the option “Edit account”.
(2) You shall have the right to correct or complete inaccurate or incomplete personal data related to you directly through your account on the website or by making a request to the Administrator by email, using the form in Appendix № 4 or by request drafted in your own words.
Right to erasure (‘right to be forgotten’)
Art. 12. (1) You shall have the right to request from the Administrator to erase part or all of the personal data related to you, and the Administrator shall have the obligation to erase the data without any undue delay, on any of the following grounds:
- personal data is no longer needed for the purposes for which it has been collected or otherwise processed;
- you have withdrawn your consent on which the data processing is based and there is no other legal grounds for the processing;
- you have objected to the processing of the personal data related to you, including for the purposes of direct marketing, and there are no other prevailing legal grounds for the processing;
- personal data has been unlawfully processed;
- personal data must be erased in order to comply with a legal obligation under the EU law or the law of a Member State that applies to the Administrator;
- personal data has been collected in connection with provision of services of the information society.
(2) The administrator shall not be obliged to erase the personal data if he/she stores and processes the data:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation requiring processing, provided for in the EU law or a member state law, applicable to the Administrator or to perform a task in the public interest or to exercise any official powers conferred on him;
- for reasons of public interest in the field of public health;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defence of legal claims.
(3) In order to exercise your right to be forgotten, it is necessary to send a request by e-mail for erasure of your personal data, by filling in the form in Appendix № 2 or by a request drafted in your own words, which the Administrator shall process, the Administrator shall send to the e-mail you used to register or place orders to the e-shop, a letter with detailed instructions on your verification as a user of the store and a subject of personal data for which a request for data erasure has been requested.
(4) After certifying the identity of the person who has submitted the request and the person to whom the data relates in accordance with the instructions sent to you, we will erase all data that we are processing about you, in accordance with para. 3.
(5) If there is an order made by you, which is being processed, the earliest time you can request “to be forgotten” is when the order has been successfully completed.
Right to restriction
Art. 13. You shall have the right to ask the Administrator to restrict the processing of data related to you by emailing a request drafted in your own words when:
- you dispute the accuracy of your personal data for a period that allows the Administrator to verify the accuracy of your data;
- the processing is illegal, but you do not want your personal data to be erased, only their use to be restricted;
- the administrator no longer needs your personal data for the purposes of processing, but you require the data for the establishment, exercise or protection of your legal claims;
- you have objected to the processing, pending verification whether the legal grounds of the administrator take precedence over your interests.
(2) After receiving your request, we shall send you to the email you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a user of the store and a subject of personal data for which the request for restriction has been submitted.
(3) After performing the verification according to par. 2, the Company shall stop processing your data, but shall not remove the publications you have published on the online store, if any.
Right to data portability
Art. 14. (1) If you have given consent for the processing of your personal data or the processing is necessary for the performance of the contract with the Administrator, or if your data are processed in an automated manner, you shall have the right to:
- ask the Administrator to provide you with your personal data in a readable format so that you are able to transfer your data to another Administrator;
- ask the Administrator to directly transfer your personal data to another administrator specified by you, when this is technically feasible.
(2) You can exercise your right to portability by emailing us a completed form according to Annex № 3 or a request drafted in your own words, after which the Administrator will send a letter to the e-mail you used to register or place orders to the e-shop with detailed instructions on your verification as a store user and a subject of personal data, for which a portability request has been submitted.
(3) After performing the verification according to par. 2, the Company shall send to the e-mail specified by you the data processed for you in XML format.
Right to information
Art. 15. You may request the Administrator to inform you of all the recipients to whom the personal data for which correction, erasure or restriction of processing has been requested have been disclosed. The administrator may refuse to provide this information if this would be impossible or would require a disproportionate effort.
Right to object
Art. 16. You shall have the right to object at any time to the processing of your personal data by the Administrator relating to him, including if they are processed for profiling or direct marketing purposes.
Вие можете да възразите по всяко време срещу обработването на лични данни от Администратора, които се отнасят до него, включително ако се обработват за целите на профилиране или директен маркетинг.
Your rights in the event of a breach of the security of your personal data
Art. 17. (1) If the Administrator finds out a violation of your personal data security, which may put your rights and freedoms at high risk, he shall notify you without any undue delay of the violation, as well as of the measures that have been taken or are to be taken.
(2) The Administrator is not obliged to notify you if:
- he has taken all appropriate technical and organizational protection measures with regard to the data affected by the security breach;
- he has subsequently taken steps to ensure that the breach does not put your rights at high risk;
- notification would require a disproportionate effort.
Persons to whom your personal data is provided
Art. 18. (1) For the purposes of processing your personal data and providing our service in its full function, and in view of your interests, the Administrator may provide your data to the following persons, who are data processors:
Personal data processor | Purpose of personal data processing
|
……………………………………………………… | ………………………………………………………….. |
……………………………………………………… | ………………………………………………………….. |
……………………………………………………… | ………………………………………………………….. |
(2) The personal data processors shall comply with all the requirements for legality and security of processing and storage of your personal data.
Art. 19. The administrator shall not transfer your data to third countries.
Art. 20. In case of violation of your rights under the above or any other applicable legislation on personal data protection, you shall have the right to file a complaint to the Commission for Personal Data Protection as follows:
Title: Commission for Personal Data Protection
Headquarters: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Correspondence address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ” № 2
Phone: 02 915 3 518
Website: www.cpdp.bg
Art. 21. You can exercise all your rights regarding your personal data protection through the forms attached hereto. Understandably, these forms are optional and you can submit your requests in any form as soon as they contain a statement to that effect and identify you as the data holder.
Art. 22. If the consent relates to a transfer, the controller shall describe the possible risks for the transfer of data to third countries in the absence of a decision on adequate protection measures and of appropriate means of data protection.
Appendix № 1
Consent withdrawal form for processing purposes
Your Name*: …………………….
Your email used with the e-shop *: …………………….
Feedback data (e-mail) *: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and management address: …………………….
Mailing address: …………………….
Phone: …………………….
Email: …………………….
Website: www.bebetech.net
I hereby withdraw my consent to the processing of personal data provided by me for the purposes of receiving a newsletter, commercial messages or any other marketing materials. I am aware of the consent withdrawal conditions in accordance with the Mandatory Information on the Rights of Persons related to the personal data protection policy of the e-shop.
In the event of a breach of your rights under the above or any other applicable data protection legislation, you shall have the right to lodge a complaint with the Data Protection Commission as follows:
Title: Commission for Personal Data Protection
Headquarters: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Correspondence address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Website: www.cpdp.bg.
Appendix № 2
“To be forgotten” Request – erasure of personal data related to me
Your Name*: …………………….
Your registration email or the email used to place orders to the e-shop *: …………………….
Feedback data (e-mail) *: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and management address: …………………….
Mailing address: …………………….
Phone: …………………….
Email: …………………….
Website: www.bebetech.net
I request that all personal data, provided by me or by third parties related to me, which you collect, process and store, and in relation to the identification specified, be erased from your database.
I do hereby declare that I am aware that some or all of my personal data may continue to be processed and stored by the controller for the purpose of fulfilling his/her legal obligations.
In the event of a breach of your rights under the above or any other applicable data protection legislation, you shall have the right to lodge a complaint with the Data Protection Commission as follows:
Title: Commission for Personal Data Protection
Headquarters: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Correspondence address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Website: www.cpdp.bg.
Appendix № 3
Request for portability of personal data
Your Name*: …………………….
Your registration email or the email used to order to the e-shop *: …………………….
Feedback data (e-mail) *: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and management address: …………………….
Mailing address: …………………….
Phone: …………………….
Email: …………………….
Website: www.bebetech.net
I request that all personal data related to me that is collected, processed and stored on your database be sent in XML format to:
e-mail: …………………….
Administrator – receiving the data: …………………….
Name: …………………….
Identification number (UIC, BULSTAT, registration number in the CPDP): …………………….
Email: …………………….
In the event of a breach of your rights under the above or any other applicable data protection legislation, you shall have the right to lodge a complaint with the Data Protection Commission as follows:
Title: Commission for Personal Data Protection.
Headquarters and management address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Correspondence address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Website: www.cpdp.bg.
Appendix № 4
Request for data rectification
Your Name*: …………………….
Your registration email or the email you used to order to the e-shop *: …………………….
Feedback data (e-mail) *: …………………….
To
Name: …………………….
UIC / BULSTAT: …………………….
Headquarters and management address: …………………….
Mailing address: …………………….
Phone: …………………….
Email: …………………….
Website: www.bebetech.net
Please, rectify the following personal data that you collect, process and store and which is provided by me or by third parties who are related to me as follows:
Data to be rectified:
…………………………………………..
Please rectify as follows:
…………………………………………..
In the event of a breach of your rights under the above or applicable data protection legislation, you shall have the right to lodge a complaint with the Data Protection Commission as follows:
Title: Commission for Personal Data Protection
Headquarters and management address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Correspondence address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Phone: 02 915 3 518
Website: www.cpdp.bg.