PRIVACY AND PERSONAL DATA PROTECTION POLICY ON THE WEBSITE www.plovdivwines.bg

 

This document outlines the Privacy and Personal Data Protection Policy for data collected from users of the website at www.plovdivwines.bg.

This Privacy Policy aims to inform you about how the website owner processes your personal data as a data controller, and how you can control your preferences and settings related to this processing. Please read this Privacy and Personal Data Protection Policy carefully before accessing the website and its services. If you do not agree with any of the terms, you should not visit the website or use our services and products in any way.

This Privacy Policy constitutes an integral part of the General Terms and Conditions for Website Use. All definitions provided in the General Terms and Conditions are also applicable to this Privacy Policy.

This Policy is effective from October 1, 2023, and complies with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

PRINCIPLES FOR THE COLLECTION AND PROCESSING OF PERSONAL DATA

When processing personal data, the Controller adheres to the following principles:

1) collects personal data only when there is a legal basis, processes it fairly and transparently in relation to the data subject – principle of lawfulness, fairness, and transparency;

2) collects personal data for specific, explicit, and legitimate purposes and does not process this personal data in a manner incompatible with the initial purposes – principle of purpose limitation;

3) processes only such volume and type of personal data that are relevant and limited to what is necessary in relation to the purposes for which they are processed – principle of data minimization;

4) keeps personal data accurate and up-to-date – principle of accuracy;

5) stores personal data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed – principle of storage limitation;

6) adheres to the principles of data protection by design and data protection by default, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, and implements appropriate measures for the protection of personal data and compliance with Regulation (EU) 2016/679;

7) ensures an appropriate level of security for personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures – principle of integrity and confidentiality.

 

LEGAL BASIS FOR COLLECTING PERSONAL DATA

The Controller collects and processes your personal data based on the following grounds:

  • Explicit consent received from you as a client/user. The consent obtained for personal data processing is voluntary and is provided for each specific case. Your provided consent for personal data processing can be withdrawn at any time by submitting a free-text request for withdrawal of consent via email to the Controller. Withdrawn consent is effective for the future and does not affect the lawfulness of the processing of your personal data provided before the submission of the withdrawal request;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the Company is subject;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

 

WHAT DATA WE COLLECT FROM OUR USERS

  1. The Controller does not collect or store “sensitive” categories of personal data such as political opinions, ethnic origin, sexual orientation, data concerning the data subject’s health, religious or philosophical beliefs, etc. If the Controller receives “sensitive data,” it undertakes to delete it immediately. Please do not send such data to the Controller.
  2. Personal data collected from the data subject when individuals contact the Controller via the website’s contact form.

When an individual sends a message to the Controller using email, the Controller collects and stores the individual’s name, email address, and the information provided in the message.

Purpose for which data is collected: The Controller collects and stores the aforementioned information for the purpose of communication with the individual.

 

  3. Personal data collected automatically.

Automatically collected data may include information such as your device’s Internet Protocol (IP) address, browser type, browser version, the pages of our service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

On our website, we collect data for all visitors, namely:

  • Browser identifier;
  • History of visited pages, to determine your preferences for certain types of content;
  • History of your searches on our pages;
  • Device data. We collect device data, such as information about your computer, phone, tablet, or other device you use to access the website. Depending on the device used, this data may include information such as your IP address or proxy server, device and application identification numbers, location, browser type, hardware model, internet service provider and/or mobile carrier, operating system, and system configuration information.

We may also collect information that your browser sends when you visit our Service or when you access the Service by or through a mobile device.

Purpose for which data is collected: Improving the security of services provided by the Provider and preventing misuse of the user account by third parties.

  4. Personal data collected from users when ordering a Program/product and when registering a profile on the website:
  • first and last name;
  • email;
  • phone number;
  • Payment data such as IBAN, SWIFT code, user’s bank account number and similar, Date of payment, Payment amount; Place of payment; Method of payment (by bank transfer), etc.

Purpose for which data is collected: for the fulfillment of contractual obligations for ordering a Program/product, as well as for tax and accounting purposes.

  5. Personal data collected upon registration for receiving a newsletter with the user’s expressed consent:

  • name;
  • email.

 

COOKIES

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our sites. You can find more information about how the Administrator uses cookies by reviewing the Cookie Policy.

 

PURPOSES FOR PROCESSING PERSONAL DATA

The Controller collects and processes the personal data of individuals that are provided directly by them or collected automatically only for the following purposes:

  • For the normal functioning of all services on the Website;
  • For contacting the individual;
  • For providing services offered on the Site;
  • For fulfilling the rights and obligations of the parties under the concluded agreement;
  • For improving the efficiency and functionality of the Site;
  • For accounting purposes;
  • For statistical purposes and analyses to improve our services;
  • For information security protection;
  • For sending newsletters upon your expressed desire;
  • To ensure our clients are genuine and to prevent fraud.

We also use your data:

  • To send you administrative information (for business purposes, legal reasons, and/or potentially contractual purposes). We may use your personal information to send you information about products, services, new features, and/or information about changes to our terms and policies.
  • For feedback purposes (for our business purposes and/or with your consent). We may use your information to request feedback and to contact you about your use of our site.
  • For other business purposes. We may use your information for other business purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns, and evaluating and improving our sites, products, services, marketing, and your experience.

If there is a change in purposes, we will inform you and request your explicit consent for processing your personal data in accordance with the new purposes.

 

HOW LONG WE STORE INFORMATION

We will not store your data for longer than necessary to achieve the purposes for which we process them. If the basis for storing your personal data ceases to exist (for example, if we no longer have a legitimate interest in storing your personal data, if the legally determined period for storing your personal data has expired, or if you have withdrawn your consent to store your personal data), we will delete or securely destroy them.

Data storage continues as long as we have grounds for their retention.

We apply the following retention periods for different types of personal data according to their purpose, namely:

  1. Regarding personal data of individuals who have made inquiries through the Site’s contact form:

– up to 12 months from sending the inquiry if the user has not become a client of the Administrator.

  2. Regarding personal data collected during newsletter subscription registration:

– Until you request your registration to be deleted or until the site ceases operations.

  3. Regarding data related to contractual relationships between the Administrator and the Site User, they are stored for a five-year period from the moment the contractual relationship begins, unless mandatory legal provisions require the Provider to keep data about its partners for a longer period (e.g., for categories of documents that we are obliged to keep according to the Accounting Act and/or Tax Insurance Procedure Code).

 

WHERE WE STORE YOUR PERSONAL DATA

Your personal data that we collect is stored on servers located in the Republic of Bulgaria.

We store your personal data for a period no longer than necessary to achieve the above-described purposes, or until the discontinuation of services and/or the website.

 

SECURITY MEASURES

The Administrator has implemented a wide range of technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. If you wish to receive detailed information regarding technical and organizational measures, please do not hesitate to contact us.

Access to personal data is restricted to individually authorized and instructed personnel. We will keep you informed of changes to our privacy protection processes and data security, including practices and policies, by keeping the information in this section up to date. You can request information at any time about where and how your data is stored, protected, and used.

If your data is compromised, we will notify you and the competent supervisory authority within 72 hours via email with information about the extent of the breach, the affected data, any impact on the service, and an action plan for measures to limit any possible harmful effects on data subjects.

“Personal data breach” means a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed in connection with the provision of the Service.

MINORS AND JUVENILES

If we receive information that we have collected personal data from/about a person under 18 years of age, we will immediately delete it unless we are legally obligated to retain this data.

Please contact us if you believe we have mistakenly or unknowingly collected information from/about a person under 18 years of age.

 

WITH WHOM WE SHARE AND DISCLOSE YOUR PERSONAL DATA

Sometimes we record some of the information on our servers or send it to third parties. This is necessary to give you the best experience when using our services and, in some cases, simply to ensure the availability and accessibility of the service you use.

Your personal data will not be transferred to third parties unless:

  • you provide your explicit, informed, and freely given consent;
  • the third parties provide us with support under contract for the purpose of providing our products or services;
  • it is required by law or by an authoritative act of a public authority;
  • there is a justified need to protect the rights, property, or security of website users or other protectable public interest;
  • it is necessary in connection with the sale of business, our company, or its assets that are subject to confidentiality.

Our employees and partners are duly informed about the importance of their confidentiality obligation and are responsible for fulfilling this obligation.

For any other purposes not explicitly mentioned in this policy, we will request your explicit consent, identifying our partners as well as the purposes for data transfer and sharing.

By court order or authoritative act of a public authority, we may be obliged to disclose a User’s identity, especially in cases of investigating violations of third-party rights or unlawful acquisition of personal data. In case of disclosure of personal data of a user to a public authority in connection with an investigation or proceedings against them, we are not obliged to notify the user in question.

 

LINKS, TOOLS, AND CONTENT FROM OTHER COMPANIES

The website contains buttons, tools, or content that connect to other companies, such as Facebook and Viber. The Administrator assumes no responsibility for damages and losses resulting from the use of these platforms. Individuals bear their own responsibility when using these sites and should familiarize themselves with their Privacy Policies.

 

RIGHTS OF DATA SUBJECTS UNDER GDPR

Right to access your personal data. You have the right to request and receive confirmation from the Administrator whether personal data concerning you is being processed by sending a request in free text via email.

Right to rectification of personal data: if you find that the personal data we process about you is inaccurate, you have the right to make us correct this personal data. You can correct or complete inaccurate or incomplete personal data related to you at any time by submitting a request to the Administrator via email in free text.

Right to erasure of personal data (the right to be “forgotten”)

You have the right to request from the Administrator the deletion of some or all personal data related to you, and the Administrator has the obligation to delete it without undue delay when one of the following grounds exists:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

  • You withdraw your consent on which the data processing is based and there is no other legal basis for processing;
  • You object to the processing of personal data relating to you and there are no legitimate grounds for processing that take precedence;
  • the personal data has been processed unlawfully;
  • the personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State that applies to the Controller.

The Controller is not obliged to delete personal data if it stores and processes it:

  • for exercising the right to freedom of expression and the right to information;
  • for compliance with a legal obligation that requires processing provided for in EU law or the law of the Member State that applies to the Controller or for the performance of a task carried out in the public interest or in the exercise of official authority vested in it;
  • for reasons of public interest in the area of public health;
  • for the purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes;
  • for the establishment, exercise or defense of legal claims.

To exercise your right to be forgotten, you need to send an email request for deletion of your personal data that the Controller processes, through a free text request.

Right to restriction of processing: under certain circumstances, such as if you doubt the accuracy of your personal data or have objected to our legitimate purpose for processing your personal data, you have the right to request that we restrict the processing of your personal data until a solution is found. You have the right to request that the Controller restrict the processing of data relating to you by sending us a free text request by email when:

  • you contest the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;
  • the processing is unlawful, but you do not want the personal data to be deleted, but only its use to be restricted;
  • the Controller no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise or defense of your legal claims;
  • You have objected to processing pending verification whether the Controller’s legitimate grounds override your interests.

Right to data portability. If you have given consent for the processing of your personal data or processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, you may:

  • request that the Controller provide you with your personal data in a readable format and transfer it to another Controller;
  • request that the Controller directly transfer your personal data to a controller specified by you, when this is technically feasible.

Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint regarding the processing of your personal data by us with the relevant supervisory authority. For more information, please contact your local data protection authority.

The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects them to a significant degree.

Right to judicial or administrative protection, in case the rights of the data subject have been violated.

Right to opt out, at any time, of marketing communications we send you. You can exercise this right by clicking on the “unsubscribe” or “opt out” link in the marketing emails we send you. To opt out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details

You can exercise all rights by contacting us via email: office@plovdivwines.bg. We will contact you and inform you in detail about the procedure for exercising your rights.

Appendix No. 1

Form for withdrawal of consent for processing purposes

Your name*: …………………….

Your email that you used on the Site*: …………………….

Feedback data (e-mail)*: …………………….

To

Name: ……….. EOOD

UIC/BULSTAT: …………………….

Registered office and management address:

Phone:

E-mail:

Website:

I hereby withdraw my consent for the processing of personal data provided by me for the purposes of receiving newsletters, advertising messages or other marketing materials, being familiar with the conditions for withdrawal of consent in accordance with the Mandatory Information on the Rights of Persons for Personal Data Protection on the Site.

In case of violation of your rights according to the above or applicable personal data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission, as follows:

Name: Personal Data Protection Commission.

Registered office and management address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Correspondence address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Phone: 02 915 3 518

Website: www.cpdp.bg

Appendix No. 2

Request “to be forgotten” – for deletion of personal data related to me

Your name*: …………………….

Your email with which you registered or used for orders on the Site*: …………………….

Feedback data (e-mail)*: …………………….

To

Name: ……….. EOOD

UIC/BULSTAT: …………………….

Registered office and management address:

Phone:

E-mail:

Website:

Please delete all personal data that you collect, process and store, provided by me or by third parties that are related to me, according to the specified identification, from your databases.

I declare that I am aware that some or all of my personal data may continue to be processed and stored by the Controller for the purposes of fulfilling its legal obligations.

In case of violation of your rights according to the above or applicable personal data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission, as follows:

Name: Personal Data Protection Commission.

Registered office and management address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Correspondence address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Phone: 02 915 3 518

Website: www.cpdp.bg

Appendix No. 3

Request for personal data portability

Your name*: …………………….

Your email with which you registered or used on the Site *: …………………….

Feedback data (e-mail)*: …………………….

To

Name: ……….. EOOD

UIC/BULSTAT: …………………….

Registered office and management address:

Phone:

E-mail:

Website:

Please send all personal data related to me that is collected, processed and stored in your databases in XML format to:

e-mail: …………………….

Controller – receiving data: …………………….

Name: …………………….

Identification number (UIC, BULSTAT, reg. number in KZLD): …………………….

E-mail: …………………….

In case of violation of your rights according to the above or applicable personal data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission, as follows:

Name: Personal Data Protection Commission.

Registered office and management address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Correspondence address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Phone: 02 915 3 518

Website: www.cpdp.bg


Appendix No. 4

Request for data correction

Your name*: …………………….

Your email with which you registered or used on the Site*: …………………….

Feedback data (e-mail)*: …………………….

To

Name: ……….. EOOD

UIC/BULSTAT: …………………….

Registered office and management address:

Phone:

E-mail:

Website:

Please correct the following personal data that you collect, process and store, provided by me or by third parties that are related to me, as follows:

Data subject to correction:

…………………………………………..

Please correct them in the following manner:

…………………………………………..

In case of violation of your rights according to the above or applicable personal data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission, as follows:

Name: Personal Data Protection Commission.

Registered office and management address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Correspondence address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Phone: 02 915 3 518

Website: www.cpdp.bg