PERSONAL DATA POLICY
This PERSONAL DATA POLICY is an integral part of the GENERAL TERMS OF USE of the site https://investsofia.com (the Site) that is administered by the SOFIA MUNICIPAL PRIVATIZATION & INVESTMENT AGENCY (SMPIA), hereinafter referred to as the Agency. The policy describes how we collect and process the personal data of end user data subjects. It also describes how you can contact us if you need to do so.
- What information is collected by the Site?
The site needs some personal information in order to provide its services for your use, and that information can be used to directly or indirectly identify you.
- Information provided voluntarily by the User:
1.1. If it is necessary for a specific service provided by the site, we may request the following categories of personal data from you:
- name and family name
- valid e-mail address
- telephone
- physical correspondence address
- additional data (user content) that is input by the user
1.2. It is possible for the abovementioned categories of personal data also to be requested in a potential query by us to you in connection with the exercising of your rights described below.
- Information that the Site collects from the User
2.1. To enable certain functionalities of our site and the services you are accessing through the site, we automatically collect information about you from your computer. This is how the following additional categories of personal data can also be collected:
- IP address
- your web browser
- your recommended language settings
- device type
2.2. Voluntary sharing of publicly accessible information:
You may choose to share your opinion on SMPIA’s Facebook page. This might be publicly accessible through other websites, and your publications there may be seen by third persons. The collection, storage, safeguarding and processing of such data is subject to the terms and conditions of the site www.facebook.com.
- How do we treat personal data of children?
The services provided by the site are not aimed at persons under 18 years of age. SMPIA does not aim or wish to collect personal data of children in connection with the services provided through the site. If the Agency still receives information about an underage person in connection with the services of the Site, we will not process it and will delete it unless we are obligated by law to process such information in a prescribed manner.
- From whom do we collect information?
In connection with the goals stated below, the Site collects information from its visitors, including end user data subjects.
III. How is the information being collected?
The personal information processed through the site can be collected in any and all of the following manners:
- By being provided personally and voluntarily by the visitor;
- Automatic collection from and through the site via cookies for optimization of the site’s performance and optimal presentation (serving) of site content on user devices.
- Why are data being processed, what are the legal grounds for that and what is the processing period?
SMPIA uses the information described above for various purposes on specific legal grounds, namely:
Data category:
- user names
- current e-mail address
- additional data provided by the user
Purpose of the processing
In order to provide the service, to enable the functionality of the site and to allow personal communication
Legal grounds under GDPR
Art. 6, Para. 1 a) – the data subject has given consent
Method of collection
Through the service for alerting of the SMPIA (if such service exists on the site)
Storage period
Until the service is rendered
Data category:
- IP address
browser used
- language settings
- type of device used
5, operating system type
Purpose of the processing
In order to provide the full functionality of the Site
Legal grounds under GDPR
Art. 6, Para. 1 b) – the processing is necessary for the performance of a contract
Method of collection
When the site is loaded on a user device
Storage period
Until the end of the current user session
Data category:
- personal names
telephone and/or e-mail
- 3. Physical correspondence address
Purpose of the processing
Official, legal and/or system warnings, legal purposes
Legal grounds under GDPR
Art. 6, Para. 1 c) – for compliance with a legal obligation to which the controller is subject
Method of collection
When the user of site services exercises their rights
Storage period
Until fulfilment of the controller’s obligation
- Measures to guarantee lawful and fair processing. What measures have we taken to protect your data?
In accordance with the European legislation, the SMPIA maintains the appropriate and necessary technical and organizational measures to protect user data, including to prevent unauthorized access to or improper use of such data. The Agency uses business systems, procedures, and information technology that adequately protect your personal data and ensure their safety. Only authorized employees have access to the personal data in our information systems.
- How do we guarantee security?
The data collected by users of the Site are organized in encryption-protected registers. The data registers are stored on hard drives in computer systems with technical and physical access limited only to qualified and trained personnel.
VII. With whom do we share your information?
The SMPIA does not share personal data of Site users with third parties.
There are some exceptions when it is possible for us to share your personal information with a third party:
Subject of the sharing and grounds in accordance with the General Data Protection Regulation (GDPR)
A special state authority – administrative, judicial, and/or an executive body
Grounds under the General Data Protection Regulation (GDPR)
Art. 6, Para. 1, It. c
Description
1. In the event of a need and obligation to disclose trade secrets;
- In connection with resolution of legal disputes before a competent court and/or arbitration;
- Sharing of information with law enforcement authorities and financial institutions when this is required by law or is vitally important for the prevention, investigation, or prosecution of criminal activities or fraud.
VIII. User rights in connection with personal data
Please find below the rights of all end user data subjects that are guaranteed by the European legislation for the protection of personal data:
Type of right | Description | Relevant to the Site |
Right of information | When providing their personal data or before the data are collected by the controller for processing, the User has the right to be informed of the following main circumstances: 1. Who is the controller; 2. What are the purposes of the processing; 3. What are the legal grounds and/or legal interests; 4. Who may receive the data; 5. What is the data storage period; 6. What are the rights of the users; 7. Are there any automated decision algorithms, including profiling. | Yes |
Right of access | The user has a right of access to their personal data that are processed by the Site. This includes the data from the Right of Information section, as well as the source of the personal data and the categories of data that are being processed. If the personal data are not directly collected from the User, the User shall also be informed on the method of collection, the type of processing, and the legal grounds. | Yes |
Right of correction | The user is entitled to request from the controller to correct without undue delay any incorrect personal data related to the user who is the personal data subject. | Yes |
Right of deletion | The user is entitled to request from the controller to delete the personal data related to the user without undue delay. | Yes |
Right “to be forgotten” | If the controller has made the personal data publicly accessible and is obligated to delete such data, the controller shall take reasonable measures to notify the other controllers who are processing the data that the data subject has requested the deletion by such controllers of all links, copies, or reproductions of such personal data. | No |
Right of restriction ofthe processing of personal data | The user is entitled to request from the controller to restrict the processing if any of the following circumstances is present: 1. The user has disputed the accuracy of the data; 2. The processing is unlawful but the User does not wish for the data to be deleted; 3. The controller no longer needs the personal data for the purposes of the processing but the User needs the data in connection with the exercising or protection of their legal rights; 4. The user has objected to the processing of the data and the check by the controller is pending to finish. The controller may still store the data during the processing restriction period. | No |
Right of data transmission | The user is entitled to receive from the controller the personal data relevant to the user and which the User has provided to the administrator if: 1. The processing is automated; and 2. The processing is consent-based or is in performance of a contractual obligation. This right also includes an obligation of the controller to transfer to another controller personal data specified by the User. | Yes |
Right of objection against the processing of personal data | The user is entitled to object against the processing of their personal information that has been provided to the controller in connection with the performance of a task carried out in the public interest, is necessary in connection with the controller’s legitimate interest, or is needed in connection with profiling or direct marketing. When exercising that right, the user’s personal data may be deleted from the controller’s devices. | Yes |
Right to not be a subject of processing, including for profiling | The user has the right to not be the subject of decisions based on fully automated processing, including profiling. | No |
Right to file a complaint | The user is entitled to file a complaint at a regulatory authority (the Commission for Personal Data Protection) if they think the processing of personal data related to the user is in violation of the GDPR or the Personal Data Protection Act in terms of data protection. The data subject may exercise that right in the Member-State of their usual residence, place of work, or where the suspected violation has occurred. | Yes |
If you wish to learn more about the rights granted to you, the manner and procedures for the exercising of such rights, you may visit the information website of the European Data Protection Supervisor or the supervisory authority of the Republic of Bulgaria – the Commission for Personal Data Protection.
- How can you exercise your rights?
The user can exercise their rights always and at any time. To allow us to be of maximum use in this process, please send us a query by physical mail or e-mail at the addresses stated below.
You can use our query forms to facilitate the process – Annexes No 1 to 4 below.
- Who is responsible for the personal data processing?
In connection with the processing of personal data through the Site, the SMPIA acts in its capacity as a personal data controller and Site administrator.
Contact details of the data controller | |
Name | SOFIA MUNICIPAL PRIVATIZATION & INVESTMENT AGENCY (SMPIA) |
Address | 6 Slaveykov Sq., Fl. 1, 1000 Sofia |
Bulstat code | 0006963272031 |
Representative | Dr. Maria Alexandrova Popova-Hristova, Senior Executive Director |
Telephone | +359 2 9804255 |
contact@investsofia.com | |
Contact details of the supervisory body for the protection of personal data | |
Name | Commission for Personal Data Protection |
address | 2 Prof. Tsvetan Lazarov Blvd., Bulgaria, 1592 Sofia |
kzld@cpdp.bg | |
Telephone for contacts | + 359 2 9153518 |
If you have any questions or comments about this personal data policy, you may send your question to us by mail or e-mail it to the following electronic address: contact@investsofia.com.
This PERSONAL DATA POLICY has been adopted and approved by the representative of the SMPIA, Maria Popova-Hristova, Senior Executive Director, on 12 November 2020 and is in compliance with the effective legislation at the time of its adoption, as well as with the general European and national legal framework in the area of personal data protection. Date of publication: 12 November 2020 |