PERSONAL DATA POLICY

This PERSONAL DATA POLICY is an integral part of the GENERAL TERMS OF USE of the site https://investsofia.com (the Site) that is administered by the SOFIA MUNICIPAL PRIVATIZATION & INVESTMENT AGENCY (SMPIA), hereinafter referred to as the Agency. The policy describes how we collect and process the personal data of end user data subjects. It also describes how you can contact us if you need to do so.

  1. What information is collected by the Site?

The site needs some personal information in order to provide its services for your use, and that information can be used to directly or indirectly identify you.

  1. Information provided voluntarily by the User:

1.1. If it is necessary for a specific service provided by the site, we may request the following categories of personal data from you:

  • name and family name
  • valid e-mail address
  • telephone
  • physical correspondence address
  • additional data (user content) that is input by the user

1.2. It is possible for the abovementioned categories of personal data also to be requested in a potential query by us to you in connection with the exercising of your rights described below.

  1. Information that the Site collects from the User

2.1. To enable certain functionalities of our site and the services you are accessing through the site, we automatically collect information about you from your computer. This is how the following additional categories of personal data can also be collected:

  • IP address
  • your web browser
  • your recommended language settings
  • device type

2.2. Voluntary sharing of publicly accessible information:

You may choose to share your opinion on SMPIA’s Facebook page. This might be publicly accessible through other websites, and your publications there may be seen by third persons. The collection, storage, safeguarding and processing of such data is subject to the terms and conditions of the site www.facebook.com.

  1. How do we treat personal data of children?

The services provided by the site are not aimed at persons under 18 years of age. SMPIA does not aim or wish to collect personal data of children in connection with the services provided through the site. If the Agency still receives information about an underage person in connection with the services of the Site, we will not process it and will delete it unless we are obligated by law to process such information in a prescribed manner.

  1. From whom do we collect information?

In connection with the goals stated below, the Site collects information from its visitors, including end user data subjects.

III. How is the information being collected?

The personal information processed through the site can be collected in any and all of the following manners:

  1. By being provided personally and voluntarily by the visitor;
  2. Automatic collection from and through the site via cookies for optimization of the site’s performance and optimal presentation (serving) of site content on user devices.
  1. Why are data being processed, what are the legal grounds for that and what is the processing period?

SMPIA uses the information described above for various purposes on specific legal grounds, namely:

Data category:

  1. user names
  2. current e-mail address
  3. additional data provided by the user

Purpose of the processing

In order to provide the service, to enable the functionality of the site and to allow personal communication

Legal grounds under GDPR

Art. 6, Para. 1 a) – the data subject has given consent

Method of collection

Through the service for alerting of the SMPIA (if such service exists on the site)

Storage period

Until the service is rendered

Data category:

  1. IP address

browser used

  1. language settings
  2. type of device used

5, operating system type

Purpose of the processing

In order to provide the full functionality of the Site

Legal grounds under GDPR

Art. 6, Para. 1 b) – the processing is necessary for the performance of a contract

Method of collection

When the site is loaded on a user device

Storage period

Until the end of the current user session

Data category:

  1. personal names

telephone and/or e-mail

  1. 3. Physical correspondence address

Purpose of the processing

Official, legal and/or system warnings, legal purposes

Legal grounds under GDPR

Art. 6, Para. 1 c) – for compliance with a legal obligation to which the controller is subject

Method of collection

When the user of site services exercises their rights

Storage period

Until fulfilment of the controller’s obligation

  1. Measures to guarantee lawful and fair processing. What measures have we taken to protect your data?

In accordance with the European legislation, the SMPIA maintains the appropriate and necessary technical and organizational measures to protect user data, including to prevent unauthorized access to or improper use of such data. The Agency uses business systems, procedures, and information technology that adequately protect your personal data and ensure their safety. Only authorized employees have access to the personal data in our information systems.

  1. How do we guarantee security?

The data collected by users of the Site are organized in encryption-protected registers. The data registers are stored on hard drives in computer systems with technical and physical access limited only to qualified and trained personnel.

VII. With whom do we share your information?

The SMPIA does not share personal data of Site users with third parties.

There are some exceptions when it is possible for us to share your personal information with a third party:

Subject of the sharing and grounds in accordance with the General Data Protection Regulation (GDPR)

A special state authority – administrative, judicial, and/or an executive body

Grounds under the General Data Protection Regulation (GDPR)

Art. 6, Para. 1, It. c

Description

1. In the event of a need and obligation to disclose trade secrets;

  1. In connection with resolution of legal disputes before a competent court and/or arbitration;
  2. Sharing of information with law enforcement authorities and financial institutions when this is required by law or is vitally important for the prevention, investigation, or prosecution of criminal activities or fraud.

VIII. User rights in connection with personal data

Please find below the rights of all end user data subjects that are guaranteed by the European legislation for the protection of personal data:

Type of right Description Relevant to the Site
Right of information When providing their personal data or before the data are collected by the controller for processing, the User has the right to be informed of the following main circumstances: 1. Who is the controller; 2. What are the purposes of the processing; 3. What are the legal grounds and/or legal interests; 4. Who may receive the data; 5. What is the data storage period; 6. What are the rights of the users; 7. Are there any automated decision algorithms, including profiling.   Yes
Right of access The user has a right of access to their personal data that are processed by the Site. This includes the data from the Right of Information section, as well as the source of the personal data and the categories of data that are being processed. If the personal data are not directly collected from the User, the User shall also be informed on the method of collection, the type of processing, and the legal grounds.   Yes
Right of correction The user is entitled to request from the controller to correct without undue delay any incorrect personal data related to the user who is the personal data subject.   Yes
Right of deletion The user is entitled to request from the controller to delete the personal data related to the user without undue delay.   Yes
Right “to be forgotten” If the controller has made the personal data publicly accessible and is obligated to delete such data, the controller shall take reasonable measures to notify the other controllers who are processing the data that the data subject has requested the deletion by such controllers of all links, copies, or reproductions of such personal data.   No
Right of restriction ofthe processing of personal data The user is entitled to request from the controller to restrict the processing if any of the following circumstances is present: 1. The user has disputed the accuracy of the data; 2. The processing is unlawful but the User does not wish for the data to be deleted; 3. The controller no longer needs the personal data for the purposes of the processing but the User needs the data in connection with the exercising or protection of their legal rights; 4. The user has objected to the processing of the data and the check by the controller is pending to finish. The controller may still store the data during the processing restriction period.   No
Right of data transmission The user is entitled to receive from the controller the personal data relevant to the user and which the User has provided to the administrator if: 1. The processing is automated; and 2. The processing is consent-based or is in performance of a contractual obligation. This right also includes an obligation of the controller to transfer to another controller personal data specified by the User.   Yes
Right of objection against the processing of personal data The user is entitled to object against the processing of their personal information that has been provided to the controller in connection with the performance of a task carried out in the public interest, is necessary in connection with the controller’s legitimate interest, or is needed in connection with profiling or direct marketing. When exercising that right, the user’s personal data may be deleted from the controller’s devices.   Yes
Right to not be a subject of processing, including for profiling The user has the right to not be the subject of decisions based on fully automated processing, including profiling.   No
Right to file a complaint The user is entitled to file a complaint at a regulatory authority (the Commission for Personal Data Protection) if they think the processing of personal data related to the user is in violation of the GDPR or the Personal Data Protection Act in terms of data protection. The data subject may exercise that right in the Member-State of their usual residence, place of work, or where the suspected violation has occurred.   Yes

If you wish to learn more about the rights granted to you, the manner and procedures for the exercising of such rights, you may visit the information website of the European Data Protection Supervisor or the supervisory authority of the Republic of Bulgaria – the Commission for Personal Data Protection.

  1. How can you exercise your rights?

The user can exercise their rights always and at any time. To allow us to be of maximum use in this process, please send us a query by physical mail or e-mail at the addresses stated below.

You can use our query forms to facilitate the process – Annexes No 1 to 4 below.

  1. Who is responsible for the personal data processing?

In connection with the processing of personal data through the Site, the SMPIA acts in its capacity as a personal data controller and Site administrator.

Contact details of the data controller
Name SOFIA MUNICIPAL PRIVATIZATION & INVESTMENT AGENCY (SMPIA)
Address 6 Slaveykov Sq., Fl. 1, 1000 Sofia
Bulstat code 0006963272031
Representative Dr. Maria Alexandrova Popova-Hristova, Senior Executive Director
Telephone +359 2 9804255
E-mail contact@investsofia.com
Contact details of the supervisory body for the protection of personal data
Name Commission for Personal Data Protection
address 2 Prof. Tsvetan Lazarov Blvd., Bulgaria, 1592 Sofia
e-mail kzld@cpdp.bg
Telephone for contacts + 359 2 9153518

If you have any questions or comments about this personal data policy, you may send your question to us by mail or e-mail it to the following electronic address: contact@investsofia.com.

This PERSONAL DATA POLICY has been adopted and approved by the representative of the SMPIA, Maria Popova-Hristova, Senior Executive Director, on 12 November 2020 and is in compliance with the effective legislation at the time of its adoption, as well as with the general European and national legal framework in the area of personal data protection. Date of publication: 12 November 2020

Application for access to process personal data

Download

Application for the use or supplementation of personal data

Download

Application for data portability

Download

Objection to the processing of personal data

Download
X