Privacy policy
1. General Personal Data Protection Regulation
The European Union has adopted a normative act called the General Data Protection Regulation (EU) 2016/679, which we will refer to as the “Regulation”, in order to protect the use of your personal data. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that personal data is not processed without their knowledge and, where possible, is processed with their consent.
2. Scope outlined by the General Data Protection Regulation
Material scope – The General Regulation applies to processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which forms part of a personal data register or is intended to form part of a personal data register.
Territorial scope – the rules of the General Regulation will apply to all personal data controllers established in the EU which process personal data of natural persons in the context of their activity.
It will also apply to non-EU controllers which process personal data for the purpose of offering goods and services or if they monitor the behavior of data subjects who reside in the EU.
At Salex Exclusive EOOD, we keep all your information in accordance with the highest standards. Over time, we have built strict procedures and rules to protect your personal data. You can read the description of all of them here.
Burgas 8000, 21 Mara Gidik Str., 1st floor, tel./fax: (+359 56) 84 56 94
Declaration on Personal Data Protection Policy
1. The management of Salex Exclusive EOOD is committed to ensuring compliance with the legislation of the EU and the member states regarding the processing of personal data and the protection of the “rights and freedoms” of the persons whose personal data we collect and process in accordance with the General Data Protection Regulation. We undertake to ensure the compliance of all activities we carry out in terms of collection and processing of personal data with the requirements of the GDPR.
2. In accordance with the General Regulation, other relevant documents as well as related processes and procedures are described to this policy.
3. This policy applies to all personal data processing activities, including those carried out regarding personal data of customers, employees, suppliers and partners and any other personal data which the Salex Exclusive EOOD organization processes from various sources.
4. This policy applies to all employees/workers (and interested parties) of Salex Exclusive EOOD, as well as to processors and the members of their personnel. Any violation of the General Regulation will be considered a violation of labor discipline, and if there is a suspicion that a crime has been committed, the matter will be submitted as soon as possible to the relevant state authorities so that criminal liability can be pursued.
6. Third parties which work with or for Salex Exclusive EOOD, including partners, external suppliers, customers, etc., as well as those which have or may have access to the personal data we process, shall get familiar and comply with our policy. We undertake to enter into a data confidentiality agreement with any third party to which we grant access to the personal data processed by it, which entitles us to carry out checks on the compliance with the obligations imposed by the agreement, unless the processing is required by the EU law or by the law of a member state.
Obligations and responsibilities under Regulation (EU) 2016/679
1. Salex Exclusive EOOD is a data controller according to Regulation (EU) 2016/679 and bears all responsibility and risks of possible non-compliance with GDPR requirements and is responsible for developing and promoting good practices in the field of personal data processing.
2. A personal data processor is any person outside the controller’s organization that directly processes personal data on behalf of the controller – stores, digitizes, catalogues, etc. the whole information.
3. Compliance with data protection legislation is the responsibility of all employees of Salex Exclusive EOOD who process personal data, depending on their duties and job descriptions.
4. The training policy of Salex Exclusive EOOD defines the specific requirements for training and awareness in relation to the specific roles of the employees/workers of Salex Exclusive EOOD.
HOW DO WE USE THE PERSONAL DATA OF OUR CUSTOMERS AND EMPLOYEES
1. Salex Exclusive EOOD collects and uses your personal information so that we can fulfill our obligations to you as users of our services, as well as employees/workers of Salex Exclusive EOOD. Here are some examples of how we do it:
• By virtue of the contract between us
We use your personal data to fulfill our contractual obligations to you. We need the data to be able to keep active communication with you, in order to fulfill our contractual relationship.
In order to make sure that you can use the website of Salex Exclusive EOOD, we keep accurate contact and registration details, provide comprehensive user support, offer you services and functions which are of interest to you.
• Protection of your identity
We take care of the security of your information stored with us. When you interact with us, we commit to taking reasonable steps to verify your identity, such as username and password, before giving you access to your personal data.
• Advertising
We provide you with promotional offers in accordance with your interests for services offered by Salex Exclusive EOOD. This may be related to automated data collection tools. We may share some information about you with providers of marketing services and digital marketing networks in order to show you advertisements which are of interest to you.
WHAT PERSONAL DATA DO WE PROCESS/COLLECT
The personal data we collect depends on the services you use and may include the following:
• Information you provide directly
• Your contact information (for example, name, address, telephone number, email address and other similar contact details).
• Data needed to process payments and prevent fraud.
• Preferences – we collect information about your preferences and interests in relation to our services (from what you share with us and from the inferences we draw based on the facts provided) and your preferences for receiving communications from us in order to improve the service we provide you.
• Other unique identifying information – for example, data you provide to us in person, online, by phone or mail or other customer service channels, responses to questions from user surveys or contests, and additional information we collect to facilitate the provision of our services and to respond to your enquiries.
• for the purposes of personnel and our accounting activity: name, telephone, e-mail, permanent address, ID card number, Personal Number
Remember that you do not have to share your personal data we request, although in some cases, if you choose not to share such information, we will not be able to provide you with our services, certain specialized features or respond effectively to your enquiries.
• Information we collect automatically when you use our services
• information about your visit and activity on our website, including the content you view and use. Some of this information is collected through our automated data collection tools, which include cookies and web beacons.
• anonymous responses to survey questions or summarized information about how our services are used. In the course of our work, we apply a process of de-identification or pseudonymization of the data to minimize the likelihood for you to be identified by using such data with the available technologies.
How do we protect your data
At Salex Exclusive EOOD, we have implemented reasonable technical and administrative measures to protect the personal data we process, to ensure that unauthorized persons do not have access to it and to prevent its leakage, as well as to ensure its proper use in accordance with the law and for a period within which we legitimately need such data.
How do we share your data
We only share your personal data in the following manner:
• Compliance with the law
We may share your personal data if we are required to: (a) respond to duly authorized requests for information from law enforcement authorities and comply with national security requirements and other requirements of law enforcement authorities; (b) comply with any law, regulation, subpoena or court order; (c) investigate and help prevent security threats, fraud or other criminal or malicious activity; or (d) protect the rights or personal safety of our employees and third parties under the applicable law.
How can you receive additional information from us
• Telephone: 056/85 30 30
• E-mail: sales.burgas@salex.bg
Data Protection Principles
All processing of personal data shall be carried out in accordance with the data protection principles set out in the Regulation. The policies and procedures of Salex Exclusive EOOD are intended to ensure compliance with such principles.
1. Your personal data will be processed in a lawful, fair and transparent manner. The information will be communicated to you in an understandable form, using clear and understandable language, i.e. the confidentiality declarations you sign will be detailed and specific, understandable and accessible.
The rules for notification by Salex Exclusive EOOD are defined in the Procedure for transparency of processing of personal data.
The specific information that will be provided to you will include at a minimum:
• data which identifies us as well as our contact details;
• the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
• the period for which the personal data will be stored;
• the existence of the following rights – to request access to the data, rectification, erasure (“right to be forgotten”), restriction of processing, as well as the right to object to the conditions (or lack thereof) in connection with the exercise of such rights;
• personal data categories;
• the recipients or categories of recipients of personal data, where applicable;
• where applicable, whether we intend to transfer the personal data to a recipient in a third country and the level of data protection;
• any additional information necessary to ensure fair processing.
2. Your personal data will only be collected for specific, explicitly stated and lawful purposes. Data received for specific purposes will be collected and processed only for such purposes which correspond to the processing activities of Salex Exclusive EOOD. A procedure for transparency of processing of personal data defines the relevant rules.
3. The personal data we collect will be limited to what is necessary for the relevant processing purpose
• All data collection forms (electronic or paper), including the requirements for data collection in the new information systems, will include a declaration of good faith processing or a link to Notice of confidential treatment of personal data and will be approved by a manager of Salex Exclusive EOOD
• Salex Exclusive EOOD has the obligation to carry out periodic checks every 6 months to ensure that the collected data continues to be adequate, relevant and not excessive
4. Your personal data will be accurate and up-to-date at all times, and every effort will be made to enable immediate (within possible technical solutions) erasure or rectification.
• The data we store will be reviewed and updated as necessary. No data will be stored in cases where it is likely for it to be inaccurate.
• Also, it is your obligation to declare that the data you submit to be stored by Salex Exclusive EOOD is accurate and up-to-date. The completion of a form by the subject of the data intended for Salex Exclusive EOOD will include a statement that the data contained therein is accurate as of the date of submission.
• We will require employees / workers (customers / others) to notify us of any changes in circumstances so that personal data records can be updated. It is the responsibility of Salex Exclusive EOOD to ensure that any notice of change of circumstances is recorded and actions are taken.
• Once a year, the data protection officer will review the retention periods of all personal data processed by Salex Exclusive EOOD, referring to the data inventory and will identify any data which is no longer required in the context of the stated purpose. Such data will be securely destroyed in accordance with the controller’s procedures and rules.
• The data protection officer ensures that requests for data rectification are answered within one month. This deadline may be extended by another two months for complex requests.
If Salex Exclusive EOOD decides not to comply with the request, the data protection officer shall respond to the data subject to explain the reasons for the refusal and inform them of their right to file a complaint with the supervisory authority and seek legal protection.
• The data protection officer shall inform all third parties to which inaccurate or outdated personal data has been provided that the information is inaccurate or outdated and shall not be used to make decisions about data subjects, and forward any rectification of personal data to the third parties, where necessary.
5. We will store your personal data in a form that allows you to be identified for the period necessary for processing.
• Where personal data is retained beyond the processing period, it will be stored in an appropriate manner (minimized, encrypted, pseudonymized) to protect your identity in the event of data breach.
• Personal data will be kept in accordance with Data Retention and Destruction Procedure and once the retention period has passed, it shall be securely destroyed as instructed in this procedure.
• The data protection officer shall specifically approve any data retention which exceeds the retention period defined in the Data Retention and Destruction Procedure and shall ensure that the rationale is clearly defined and in accordance with the requirements of data protection legislation. Such approval shall be in writing.
6. Your personal data will be processed in a way that ensures adequate security.
The data protection officer will carry out an initial impact assessment, when necessary, taking into account all circumstances related to the data processing operations of Salex Exclusive EOOD. Ensuring the security of personal data is also related to taking appropriate technical measures, which Salex Exclusive EOOD will monitor and which may include at a minimum:
• Password protection;
• Automatic locking of idle workstations on the network;
• Removal of access rights for USB and other portable storage media (there may be an exception if mandatory virus checking and data transfer logging are provided);
• Antivirus software and firewalls;
• Role-based access rights, including those of temporary staff;
• The protection of devices which leave the premises of the organization, such as laptops or others;
• Security of local and wide area networks;
• Privacy-enhancing technologies such as pseudonymization and anonymization;
• Identification of relevant international security standards suitable for Salex Exclusive EOOD.
For the assessment of the appropriate organizational measures, Salex Exclusive EOOD will take into consideration the following:
• The levels of appropriate training in Salex Exclusive EOOD;
• The measures which take into account the trustworthiness of the employees (for example, attestation ratings, recommendations, etc.);
• The inclusion of data protection in employment contracts;
• Identification of disciplinary measures for violations regarding data processing;
• Regular inspection of personnel for compliance with the relevant security standards;
• Control of the physical access to electronic and paper-based records;
• The adoption of a “clean workplace” policy;
• Storage of database on paper in lockable wall cabinets;
• Limiting the use of portable electronic devices outside the workplace;
• Limiting the use of personal devices by the employees at the workplace;
• The adoption of clear rules for passwords creation and use;
• Regular creation of backup copies of personal data and physical storage of media with copies outside the office;
• Imposing contractual obligations on counterparty organizations to take appropriate security measures when transferring data outside the EU.
The assessment of appropriate measures takes into consideration the identified risks to personal data, as well as the possibility of causing damage to the persons whose data is processed.
7. Compliance with the accountability principle.
Regulation (EU) 2016/679 includes provisions which promote accountability and manageability and complement transparency requirements. The accountability principle requires Salex Exclusive EOOD to prove that it complies with the other principles in the GDPR and explicitly states that this is its responsibility.
Salex Exclusive EOOD will demonstrate compliance with data protection principles by applying data protection policies, implementing appropriate technical and organizational measures, as well as by adopting data protection techniques at the design stage and data protection by default, personal data protection impact assessment, personal data breach notification procedure, etc.
I. Rights of data subjects
1. According to the GDPR, you have the following rights regarding the processing of your personal data:
• To receive information about the personal data related to you, which is processed by Salex Exclusive EOOD, and about the purpose for which it is processed, including to obtain access to the data, as well as information on who the recipients of this data are and the third parties to which data is submitted;
• To request a copy of your personal data from Salex Exclusive EOOD;
• To ask us to rectify personal data when it is inaccurate, as well as when it is no longer current;
• To demand from Salex Exclusive EOOD erasure of personal data (right “to be forgotten”);
• To ask Salex Exclusive EOOD to limit the processing of personal data and in this case, the data will only be stored, but not processed;
• To object to the processing of your personal data;
• To file a complaint with a supervisory authority if you believe that any of the provisions of the GDPR is violated;
• To request and be provided with the personal data in a structured, widely used and machine-readable format;
• To withdraw your consent to the processing of personal data at any time with a separate request addressed to the controller;
• To not be the subject of automated decisions which affect you to a significant extent, without the possibility of human intervention;
• To object to automated profiling that occurs without your consent.
2. Salex Exclusive EOOD provides conditions which guarantee the exercise of such rights by the data subject:
• Data subjects may make data access requests as described in the Procedure for Subject Request Management; this procedure also describes how Salex Exclusive EOOD will ensure that the response to the data subject’s request meets the requirements of the General Regulation.
• Where a data subject’s requests are manifestly unfounded or excessive, in particular due to their repetition, Salex Exclusive EOOD may either impose a reasonable fee, taking into account the administrative costs of providing the information, communication or taking the requested actions, or refuse to act on the request.
• Data subjects have the right to submit objections to Salex Exclusive EOOD related to the processing of their personal data. The processing of a request from the data subject and the submission of objections by the data subject is carried out in accordance with Procedure on the manners of communication for complaints and requests from the data subject. Complaints may be submitted directly to the supervisory authority, the competent authority on that matter in Bulgaria being the Commission for Personal Data Protection, address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd (www.cpdp.bg).
II. Consent
1. By “consent”, we, Salex Exclusive EOOD, understand any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or a clear confirming action, which expresses their consent to the processing of the personal data related to them. The data subject may withdraw their consent at any time. Consent of the personal data subject is required whenever there is no alternative legal basis for the processing.
2. By “consent”, Salex Exclusive EOOD understands only the cases in which the data subject was fully informed about the planned processing and expressed their consent without any pressure being exerted on them. Consent obtained under duress or based on misleading information will not be a valid basis for personal data processing.
3. Consent will not be inferred from the absence of a response to a message to you. There shall be active communication between Salex Exclusive EOOD and you for consent to exist. We will be able to prove that consent has been obtained for the processing activities.
4. Consent to the processing of personal data will be given based on the relevant consent document provided by you to Salex Exclusive EOOD for each specific purpose of processing. When the subject signs a contract, consent is not necessary because their data is collected on a different legal basis.
III. Data security
1. The employees of Salex Exclusive EOOD, who, according to their job characteristics, have the obligation to process certain personal data on behalf of Salex Exclusive EOOD, are obliged to ensure the security of the processing and storage of the data on their part, including guaranteeing that they will not disclose the data to third parties, unless Salex Exclusive EOOD has given such rights to such third party to access the data.
2. Personal data or part of it shall be accessible only to those who have an obligation to process / store it. All personal data will be stored:
• in a separate room with controlled access;
and / or
• if it is computerized, password protected in accordance with the internal requirements specified in the organizational and technical measures to control the access to information
and / or
• stored on portable computer media which are protected in accordance with the organizational and technical measures to control the access to information.
3. Salex Exclusive EOOD will establish an organization to ensure that the computer screens and terminals cannot be viewed by anyone other than the authorized employees / workers of the company. All employees / workers are required to be trained and accept the relevant contractual clauses / declaration of compliance with the organizational and technical measures for access, as well as the rules for workstation locking, before they are granted access to information of any kind.
4. Paper records shall not be left where they can be accessed by unauthorized persons and may not be removed from the designated office premises without express permission. As soon as paper documents are no longer required for the current customer support work, they shall be destroyed in accordance with established procedure/rules and relevant protocol.
5. Personal data may be erased or destroyed only in accordance with the Data Retention and Destruction Procedure. Paper records with expired retention period will be shredded and destroyed as “confidential waste”. The data on the hard drives of redundant personal computers will be erased or the drives destroyed according to established rules/procedures.
6. Processing of personal data “outside the office” poses a potentially greater risk of loss, theft or breach of personal data. Personnel shall be specifically authorized to process the data outside of the controller’s premises.
IV. Disclosure of data
1. Salex Exclusive EOOD will provide conditions under which personal data is not disclosed to unauthorized third parties, which includes family members, friends, state authorities, even investigative ones, if there is reasonable doubt that it is not required according to the established order. All employees/workers shall exercise caution when asked to disclose stored personal data on another person to a third party. It is important to consider whether or not the disclosure of the information is related to the needs of the activity carried out by the organization. It is necessary to provide employees with special training and periodic briefings in order to avoid the risk of such violation.
2. Any requests by third parties for provision of data shall be supported by appropriate documentation and all such data disclosures will be coordinated by the Data Protection Officer who will provide a statement.
3. Personal data will be provided to the competent public authorities during and on the occasion of the exercise of their official powers.
V. Storage and destruction of data
1. Salex Exclusive EOOD will not store personal data in a form that allows the identification of subjects for a longer period than necessary in relation to the purposes for which the data was collected.
2. Salex Exclusive EOOD may store data for longer periods only if the personal data will be processed for archiving purposes, for purposes of public interest, scientific or historical research and for statistical purposes, and only when implementing appropriate technical and organizational measures to guarantee the rights and freedoms of the data subject.
3. The retention period for each category of personal data is specified in the Data Retention and Destruction Procedure, as well as the criteria used to determine such period, including any legal obligations requiring Salex Exclusive EOOD to retain the data.
4. Data Retention and Destruction Procedure in Salex Exclusive EOOD will be applied in all cases.
5. Personal data will be destroyed in accordance with the principle of ensuring an appropriate level of security – including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures (“integrity and confidentiality”).
VI. Data processing register (data inventory)
1. Salex Exclusive EOOD has established a data inventory process as part of its approach to addressing the risks and opportunities in the process of observing the Regulation compliance policy. The following is established during the data inventory in Salex Exclusive EOOD and in the workflow of data:
• business processes which use personal data;
• the sources of personal data;
• the number of data subjects;
• description of the categories of personal data and the elements of each category;
• processing activities;
• the purposes of the processing for which the personal data is intended;
• the legal basis for the processing;
• the recipients or categories of personal data recipients;
• the main systems and storage locations;
• all personal data subject to transfers outside the EU;
• retention and deletion periods.
2. Salex Exclusive EOOD is aware of the risks associated with the processing of certain types of personal data.
3. Salex Exclusive EOOD assesses the level of risk for persons related to the processing of their personal data. When mandatory, data protection impact assessments are carried out in connection with the processing of personal data by Salex Exclusive EOOD and in connection with the processing undertaken by other organizations on behalf of Salex Exclusive EOOD.
4. Salex Exclusive EOOD manages all risks identified by the impact assessment in order to reduce the probability of non-compliance with the rules set out during the preparation of the assessment.
5. If the data protection officer has serious concerns either about the potential harm or danger, or about the amount of the relevant data, they should refer the matter to the supervisory authority.