1.1. This Personal Data Protection Policy (hereinafter referred to as the “Policy”) regulates the personal data processing activities of Beauty Profi EOOD, UIC 204794460, with registered office and address of management: Burgas, Zornitsa bl.77 (hereinafter referred to as the “Company”), in order to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as “the Regulation”), as well as all other applicable data protection legislation. This Policy applies to personal data protection issues for which no other internal act of the Company provides a regulation.
1.2. The policy aims to regulate and cover in particular the following issues:
personal data processing activities, the categories of data subjects to which the Policy applies, the principles and responsibilities in relation to the processing;
the obligations of the persons acting under the direction of the Company in the processing of personal data and their liability in case of non-compliance;
rights of data subjects and procedure for their exercise;
procedure for processing personal data based on the consent of the data subjects;
rules for responding to breaches of personal data security;
the applied technical and organizational measures for personal data protection.
1.3. Information about the Company
Beauty Profi EOOD
Entered in the Commercial Register with UIC 204794460
Headquarters and address of management Burgas, Zornitsa bl.77, ent.1, fl.6
Contact address: Burgas, Zornitsa bl.77, ent.1, pk 53
Subject of activity: import, export, re-export, wholesale and retail trade and distribution of goods; catering, shops, aperitifs, confectioneries, manufacture, wholesale and retail of all kinds of goods, purchase of goods and other items for resale in their original, processed or reworked form, including wholesale and retail, sale of goods of own production, commissions, construction, construction-repair and installation works, import-export transactions, forwarding and transport transactions, hotel, tourist, tour operator and travel agency, advertising, car rental, information, programming, impresario or other services, commercial representation and mediation (including real estate), purchase, construction or furnishing of real estate for sale, intellectual property transactions, marketing, engineering, investment, warehousing, leasing, innovation services, consulting services, as well as any other activities, services and transactions not prohibited by law.
Contact email: email@example.com/stag
2. Terms and abbreviations used
All terms and abbreviations that are not explicitly defined in the Policy have the meaning defined in the Regulation.
3. Personal data processing activities
3.1. Principles of personal data processing
The processing of personal data by the Company is subject to the principles of lawfulness, fairness and transparency and of data minimisation. The personal data processed are limited to what is necessary in relation to the purposes for which they are processed. Personal data is collected for specific, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes. Personal data is accurate and, if necessary, kept up to date. Personal data shall be stored in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which the personal data are processed. Personal data shall be processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, disclosure, destruction or damage, applying appropriate technical or organizational measures, in compliance with the principles of ongoing confidentiality, integrity, availability and resilience of processing systems and services.
3.2. Categories of data subjects. Categories of personal data and purposes of processing.
3.2.1. The company has the right to process personal data about its customers, employees and other data subjects as follows:
clients (individuals) of the Company in its main activity of offering and trading in cosmetic products, in respect of which personal data may be processed such as IP address, e-mail address, telephone number, MAC address, address (postal and delivery), invoicing information and information on acceptance of bank payments, etc. Processing purposes for this category of subjects include: (i). acceptance, processing and execution of orders for the products and / or services offered by the Company, including through the use of the Company’s website; (ii). keeping tax and accounting records; (iii). fulfillment of legislative requirements; (iv). purposes related to the legitimate interests of the Company; (v). purposes for which the data subject has consented to the processing of his data;
potential, current and / or former employees of the Company, and individuals who are or have been in a contractual relationship with the Company under civil contracts; candidates for work or for concluding a civil contract as external contractors – individuals who are not in employment or contractual relations with the Company, but wish to enter into such. In respect of these persons the following personal data can be processed: full name (three names), PIN / LNC / Official number, date of birth; address, data on previous work or professional experience, education and qualification, disciplinary liability exercised; information on bank accounts (IBAN, when paying by bank transfer); contact details: phone number, e-mail address; other data required by the applicable legislation for the conclusion and execution of an employment or civil contract; data directly related to the execution of the contracts concluded with these persons (e.g. data from logs or activity of the persons in the systems maintained by the Company, such as order entry systems, with a view to performing the functions assigned to the persons), IP address, etc. The processing purposes in respect of this category of subjects include: (i). examination of the possibility for, and conclusion and execution of, an employment or civil contract with the data subjects; (ii). keeping tax and accounting records; (iii). fulfillment of legislative requirements; (iv). purposes related to the legitimate interests of the Company; (v). purposes for which the data subject has consented to the processing of his data;
co-contractors and partners – individuals, under contracts for advertising and promotion of the products offered by the Company, for which the Company may collect personal data in the form of photographic images. The processing purposes for this category of subjects include: (i). fulfillment of contracts for advertising or promotion; (ii). purposes related to the legitimate interests of the Company; (iii). purposes for which the data subject has consented to the processing of his data;
other natural persons and natural persons-representatives or contact persons of legal entities that have contact with the Company (including, but not limited to suppliers, business contacts, subcontractors, business partners, etc.) for the purposes of implementation and / or management of the activity of the Company;
other natural persons, representatives by law or power of attorney, of natural persons – clients of the Company.
3.2.2. The Company retains personal data for the longer of the period necessary for the purposes of the processing, the period required to comply with applicable laws and regulations, or another period according to the requirements applicable to the commercial activity of the Company or to its activity as an employer or assignor under civil contracts. The processing of personal data is based on the principle of data minimisation, depending on and for the purposes of providing the services used by the respective client.
4. Categories of data recipients
The company may disclose personal data of the following persons:
service providers – consultants, lawyers, accountants, IT specialists, etc., in connection with the conclusion of contracts for the main activity of the Company, compliance with legal requirements, technical support, etc.;
subcontractors – when providing services on behalf of the Company (distributors, etc.), in connection with the conclusion and execution of contracts for trade with the products offered by the Company;
persons providing services for the provision and maintenance of equipment, software and hardware used for processing (including storage) of personal data, for reporting payments, etc.;
banks, to service payments by data subjects;
public and / or judicial bodies, in and to the extent permitted and / or required by law.
5. Obligations of the Company
The company has the following obligations:
determines the policies and procedures for protection of the processed personal data according to the applicable legislation;
introduces appropriate technical and organizational measures with a view to the effective application of data protection principles and to ensure that, by default, only personal data which are necessary for the relevant purpose of the processing are processed;
ensures the exercise of the rights of the subjects for personal data protection;
updates the maintained databases and monitors compliance with the requirements for protection, establishes circumstances related to the breach of protection and takes measures for their elimination;
maintains personal data in a form that allows the identification of the relevant subjects for a period not longer than necessary for the purposes for which such data are processed;
assists in the implementation of the control functions of the Commission for Personal Data Protection (hereinafter referred to as “CPDP”);
determines the rights of employees for access to personal data in the information systems according to the purposes of processing;
uses personal data processors that provide sufficient guarantees through the application of appropriate technical and organizational protection measures;
observes certain rules in case of breach of personal data security;
documents breaches of personal data security in accordance with applicable law;
carries out a risk assessment in accordance with the requirements of the Regulation, and, respectively, a data protection impact assessment, if the conditions for this under the Regulation are met.
6. Obligations of the employees of the Company. Responsibility. Confidentiality
6.1. The employees of the Company start processing personal data after getting acquainted with:
the legislation in the field of personal data protection;
The policy and other internal acts of the Company related to the protection of personal data;
the dangers for the personal data processed by the Company.
The employees of the Company are obliged to:
to comply with the requirements of the Regulation, other applicable legislation in the field of personal data protection, the Policy and other internal acts of the Company related to the protection of personal data;
to process personal data only in the presence of a condition for lawful processing, namely: legal basis for processing; or grounds for processing which derive from the contractual relationship with the person or are necessary for the possible conclusion of a contractual relationship with the person; or grounds for processing which result from the express consent of the person; or grounds for processing arising from the legitimate interest of the Company or a third party in accordance with the requirements of the Regulation;
to use personal data in accordance with the purposes for which they are collected and not to further process them in a manner incompatible with those purposes;
not to use the personal data to which they have access in their capacity as employees of the Company, for any personal purposes;
to comply with the rule of avoiding any possibility of unregulated access to personal data, and not to leave personal data accessible and unattended at the respective workplace. In premises to which outsiders have access, the employees concerned are obliged to take measures so that outsiders do not have any unauthorized access to documents containing personal data, including being able to view, copy or photograph them with a technical device;
where the performance of the relevant activity allows, to limit the use of personal data to the maximum extent;
to ensure and guarantee the observance of the rights of the subjects in connection with the processing of personal data;
not to allow, assist or create conditions for security breaches in the processing of personal data;
not to share or provide to each other or to third parties information essential for data security (their usernames, passwords for access to the systems, etc.);
not to copy files with corporate information containing personal data on removable media in unencrypted (or in password-free) form;
not to send by e-mail to e-mail addresses outside the Company information containing significant volumes of personal data, or any special categories of personal data or other personal data, unauthorized access to which may pose a high risk to the rights and interests of the data subjects to which they relate, in password-free files or in unencrypted or otherwise non-pseudonymised form;
not to publish personal data about clients or employees of the Company in public sites, etc., without having an adequate legal basis for this;
6.2. Responsibility of employees
6.2.1. All actions that lead or may lead to unauthorized deletion, destruction or modification of personal data received by the Company in electronic form or on paper, as well as unauthorized sharing / disclosure of personal data by employees of the Company, are prohibited and may lead to the respective employee being held liable (disciplinary, administrative-penal and / or criminal, and / or civil liability).
6.3. The company:
ensures the signing of a declaration of confidentiality and non-disclosure of personal data by all employees who process personal data on its behalf;
informs the employees who process personal data of their obligations related to this processing.
7. Maintaining a Register of personal data processing activities as an administrator
According to the requirements of art. 30, para. 1 of the Regulation, the Company keeps a Register of processing activities as an administrator, which contains the name and contact details of the Company. The register includes a detailed description of all activities for processing personal data according to Art. 30, para. 1 of the Regulation, including the following characteristics: name of the activity (business process, function) for processing; processing purposes; the categories of natural persons for whom personal data are processed; the categories of personal data that are processed in the respective activity; third parties who receive or otherwise participate in the processing of personal data in the activity concerned; where applicable, the transfer of personal data to a third country outside the EU; the envisaged time limits for storage and deletion of the different categories of personal data, where possible; a general description of the technical and organizational security measures, where possible.
8. Maintaining a Register of personal data processing activities as a processor
In case, in view of the activities of the Company, the need arises for it to maintain a Register of the activities for processing personal data as a processor within the meaning of Art. 30, para. 2 of the Regulation, the Company will create and maintain such a Register in the required by the applicable legislation type, volume and content.
9. Data protection officer
The Company will designate a Data Protection Officer (hereinafter referred to as the DPO) in the event that such appointment is or becomes necessary in accordance with the applicable legal requirements for personal data protection.
10. Rights of data subjects
The company ensures the exercise of the following rights of data subjects:
right to information when collecting personal data from the data subject;
right of access – (i). confirmation whether the personal data of the data subject are processed by the Company; (ii). providing access to the data through a copy of the data that are being processed, as well as information about the purposes of the processing; the categories of personal data; the recipients or categories of recipients to whom the personal data are or will be disclosed; the terms for storage of personal data; the existence of a right to rectify or delete personal data or to restrict the processing of personal data, or to object to the processing; the right to lodge a complaint with the CPDP; the sources of the personal data; the existence of automated decision-making, including profiling;
right of correction – to request the correction or completion of his personal data, if they are inaccurate or incomplete;
the right to delete personal data when the grounds provided for in the Regulation are present;
right to limit processing;
right to data portability;
right to object;
the right of the data subject not to be the subject of a decision based solely on automated processing, including profiling, which gives rise to legal consequences or otherwise significantly affects him;
giving, changing or withdrawing consent for the processing of personal data, when the basis for the processing is the consent of the data subject.
Data subjects may exercise their rights by submitting a written application to the Company in one of the following ways:
by e-mail to the above-mentioned e-mail address of the Company, signed with a qualified electronic signature (hereinafter “QES”) in accordance with the Electronic Document and Electronic Certification Services Act;
by mail to the contact address of the Company, by sending a notarized application to ensure identification of the applicant; in cases where the application is submitted by a legal representative of the applicant, or by a representative authorized with a notarized power of attorney, the application should also contain the notarized signature of the signatory.
Applications shall be considered without undue delay. Within one month from the submission of the application, the Company notifies the data subject of the actions taken on the application, respectively of the reasons for not taking action and of the possibility to file a complaint to a supervisory body and seek protection in court. If action is taken on the application, the period for notifying the data subject of such action may be extended to a total of three months, taking into account the complexity and number of applications. In this case, the Company notifies the data subject of the extension within the initial one-month period.
The information (which may vary depending on which right of the data subject is exercised) is provided on paper personally to the data subject or to his legal or authorized representative with an explicit notarized power of attorney. If the application is submitted by e-mail, the information is also provided by e-mail to the e-mail address from which the submitted application originates, in password-protected files.
11. Consent of the data subject as a basis for processing
11.1. The basis
In cases where the basis for the processing of personal data is consent within the meaning of the Regulation, consent should be given in person by written declaration, in electronic form or by another means specified by the Company to ensure that consent is freely given, specific, informed and unambiguous.
11.2. Data subjects
The Company may collect consents for all categories of data subjects for which personal data is processed, including customers, employees and persons with whom the Company has entered into civil contracts for the provision of services or orders, etc.
11.3. The Company provides an opportunity for data subjects to easily change or withdraw their consent, without causing adverse legal consequences for them, when objectively there is a possibility to do so. Changes or withdrawal of consent are carried out by the data subjects in the same manner in which the consent was collected. In case of partial or complete withdrawal of consent, when the processing of personal data is carried out on this basis, the Company may be unable to provide the service requested by the customer or to perform the activity for which the relevant provision of personal data was required. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the given consent up to the moment of its withdrawal.
11.4. Collecting consents
Consents are collected in one of the following ways:
personally, in the contact office – for clients of the Company;
by e-mail – for current employees;
through a licensed postal operator with notarization of the statement of consent; or
signed with QES statement of consent sent by e-mail.
11.5. Giving and withdrawing consents online
In cases where obtaining the consent to the processing of personal data by the Company is required in view of the services provided by the Company, and those services are requested or provided online, this consent is obtained (and, respectively, withdrawn) also online.
The consents for personal data processing are registered and stored by the Company, in the form and volume possible for such storage, respectively.
12. Processing of personal data by the Company through personal data processor
For the performance of its activity the Company may use third parties (subcontractors, distributors, courier service providers, etc.), which are processors of personal data within the meaning of Art. 4, item 8 of the Regulation. Such processors may be:
natural persons employed on civil contracts.
When assigning the processing of personal data to a processor, the Company complies with the following requirements:
processors shall be selected who provide sufficient guarantees for the application of appropriate technical and organizational measures for the protection of personal data;
the conditions for personal data protection are settled in writing between the Company and the processor.
The contracts / agreements that the Company concludes with the processors of personal data determine and regulate: the subject and the term of validity, the purposes and the nature of the processing; the categories of data subjects whose personal data are processed; the type of personal data that the processor will process on behalf of the Company; the rights and obligations of the Company and the processor; the requirements to the technical and organizational protection measures that the processor should apply (no deviation from the one provided for in this Policy is allowed to the processor); obligation for the processor for assistance according to art. 31-36 of the Regulation; an obligation for the processor to notify the Company without undue delay after learning of a security breach; requirements to the processor and other obligatory conditions, according to art. 28, item 3 of the Regulation.
13. Rules for response in case of breach of personal data security
13.1. Detection of a security breach by an employee
In case of a security breach discovered by an employee of the Company, the employee shall immediately notify the management of the Company or the DPO, if one has been designated, in writing (and if possible also orally), providing the information available about the breach – its nature, the estimated time of its occurrence / commission, etc.
13.2. Security breach investigation and measures
Without undue delay, the Company should investigate the facts, analyze and assess the gravity of the breach, in view of the risk to the rights and freedoms of data subjects, the number of affected data subjects, etc., and propose appropriate remedial measures, or, where remediation is not possible, measures to minimize the identified risks and possible adverse effects.
13.3. Notification of the CPDP
In case of a security breach, the Company notifies the CPDP within 72 hours of becoming aware of it, unless the security breach is unlikely to result in a risk to the rights and freedoms of natural persons.
13.4. Notification of data subjects
When the security breach may lead to a high risk to the rights and freedoms of natural persons, the Company shall notify the affected data subjects of the personal data breach without undue delay. The notice shall describe the nature of the security breach and shall indicate at least: the name and contact details of the Company; a description of the likely consequences of the breach; a description of the measures taken or proposed by the Company to address the breach.
The Company has the right not to inform the affected data subjects about the breach if:
(i). it has taken appropriate technical and organizational security measures in advance and these measures have been applied to the affected data (e.g. encryption); and / or
(ii). it has subsequently taken measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; and / or
(iii). such communication would involve disproportionate effort. In this case, the Company makes a public announcement about the breach on its website and / or through the media in an appropriate manner.
The signals for breaches of personal data security are registered and stored by the Company.
14. Technical and organizational measures for personal data protection
14.1. Technical and organizational measures of the Company as an administrator
The Company’s activities provide the necessary technical and organizational measures to protect personal data from accidental or illegal destruction or accidental loss, from unauthorized access, alteration or distribution, as well as from other illegal forms of processing. The types of protection are physical, personal, documentary, protection of automated information systems and / or networks, cryptographic protection. The technical and organizational measures applied by the Company are listed in detail in Appendix 1 to this Policy, as it may be subject to periodic updates.
14.2. Technical and organizational measures of the Company as a processor
In case the Company processes personal data as a processor for other administrators, the specific technical and organizational measures applied by the Company as a processor shall be determined in individual agreements with the respective administrator. In the absence of such determination, the Company will adhere to the technical and organizational measures it applies as an administrator.
15. Transfer of personal data outside the European Economic Area (EEA)
The Company may carry out international transfers of personal data originating in the European Economic Area (EEA) when the European Commission has recognized a non-EEA country as providing an adequate level of data protection. For transfers to non-EEA countries whose level of protection is not recognized by the European Commission, the Company will either invoke a specific derogation applicable to the situation under the Regulation or apply one of the safeguards provided by the applicable legislation. In other cases, the transfer of personal data outside the EEA shall be carried out on the basis of the data subject’s explicit consent to the proposed data transfer, obtained in compliance with the requirements of the Regulation.