This PERSONAL DATA POLICY is an integral part of the GENERAL TERMS OF USE of the site https://investsofia.com (the Site) that is administered by the SOFIA MUNICIPAL PRIVATIZATION & INVESTMENT AGENCY (SMPIA), hereinafter referred to as the Agency. The policy describes how we collect and process the personal data of end user data subjects. It also describes how you can contact us if you need to do so.
I. What information is collected by the Site?
The site needs some personal information in order to provide its services for your use, and that information can be used to directly or indirectly identify you.
The services provided by the site are not aimed at persons under 18 years of age. SMPIA does not aim or wish to collect personal data of children in connection with the services provided through the site. If the Agency still receives information about an underage person in connection with the services of the Site, we will not process it and will delete it unless we are obligated by law to process such information in a prescribed manner.
II. From whom do we collect information?
In connection with the goals stated below, the Site collects information from its visitors, including end user data subjects.
III. How is the information being collected?
The personal information processed through the site can be collected in any and all of the following manners:
IV. Why are data being processed?
SMPIA uses the information described above for various purposes on specific legal grounds, namely:
Data: User names, current e-mail address, additional data provided by the user
Purpose: To provide the service, to enable the functionality of the site and to allow personal communication
Legal grounds: Art. 6, Para. 1 a) GDPR – the data subject has given consent
Method: Through the service for alerting of the SMPIA
Period: Until the service is rendered
Data: IP address, browser used, language settings, type of device used, operating system type
Purpose: To provide the full functionality of the Site
Legal grounds: Art. 6, Para. 1 b) GDPR – processing is necessary for the performance of a contract
Method: When the site is loaded on a user device
Period: Until the end of the current user session
Data: Personal names, telephone and/or e-mail, physical correspondence address
Purpose: Official, legal and/or system warnings, legal purposes
Legal grounds: Art. 6, Para. 1 c) GDPR – for compliance with a legal obligation
Method: When the user of site services exercises their rights
Period: Until fulfilment of the controller’s obligation
V. Measures to guarantee lawful and fair processing
In accordance with the European legislation, the SMPIA maintains the appropriate and necessary technical and organizational measures to protect user data, including to prevent unauthorized access to or improper use of such data. The Agency uses business systems, procedures, and information technology that adequately protect your personal data and ensure their safety. Only authorized employees have access to the personal data in our information systems.
VI. How do we guarantee security?
The data collected by users of the Site are organized in encryption-protected registers. The data registers are stored on hard drives in computer systems with technical and physical access limited only to qualified and trained personnel.
VII. With whom do we share your information?
The SMPIA does not share personal data of Site users with third parties.
There are some exceptions when it is possible for us to share your personal information with a third party:
Subject: A special state authority – administrative, judicial, and/or an executive body
Grounds under GDPR: Art. 6, Para. 1, It. c
VIII. User rights in connection with personal data
Please find below the rights of all end user data subjects that are guaranteed by the European legislation for the protection of personal data:
When providing their personal data or before the data are collected by the controller for processing, the User has the right to be informed of: 1) Who is the controller; 2) What are the purposes of the processing; 3) What are the legal grounds; 4) Who may receive the data; 5) What is the storage period; 6) What are the rights of the users; 7) Are there any automated decision algorithms, including profiling.
The user has a right of access to their personal data processed by the Site. This includes the data from the Right of Information section, as well as the source of the personal data and the categories of data being processed.
The user is entitled to request from the controller to correct without undue delay any incorrect personal data related to the user who is the personal data subject.
The user is entitled to request from the controller to delete the personal data related to the user without undue delay.
If the controller has made the personal data publicly accessible and is obligated to delete such data, the controller shall take reasonable measures to notify the other controllers who are processing the data that the data subject has requested the deletion by such controllers of all links, copies, or reproductions of such personal data.
The user is entitled to request from the controller to restrict the processing if: 1) The user has disputed the accuracy of the data; 2) The processing is unlawful but the User does not wish deletion; 3) The controller no longer needs the data but the User needs them for legal rights; 4) The user has objected and the check is pending. The controller may still store the data during the restriction period.
The user is entitled to receive from the controller their personal data if: 1) The processing is automated; and 2) The processing is consent-based or in performance of a contractual obligation. This includes an obligation of the controller to transfer to another controller personal data specified by the User.
The user is entitled to object against the processing of their personal information provided to the controller in connection with public interest tasks, the controller’s legitimate interest, profiling or direct marketing. When exercising that right, the user’s personal data may be deleted from the controller’s devices.
The user has the right to not be the subject of decisions based on fully automated processing, including profiling.
The user is entitled to file a complaint at a regulatory authority (the Commission for Personal Data Protection) if they think the processing of personal data is in violation of the GDPR or the Personal Data Protection Act. The data subject may exercise that right in the Member-State of their usual residence, place of work, or where the suspected violation has occurred.
If you wish to learn more about the rights granted to you, you may visit the information website of the European Data Protection Supervisor or the supervisory authority of the Republic of Bulgaria – the Commission for Personal Data Protection.
IX. How can you exercise your rights?
The user can exercise their rights always and at any time. To allow us to be of maximum use in this process, please send us a query by physical mail or e-mail at the addresses stated below.
You can use our query forms to facilitate the process – Annexes No 1 to 4 below.
X. Who is responsible for the personal data processing?
In connection with the processing of personal data through the Site, the SMPIA acts in its capacity as a personal data controller and Site administrator.
Bulstat code: 0006963272031
Representative: Dr. Maria Alexandrova Popova-Hristova, Senior Executive Director
Telephone: +359 2 9804255
E-mail: contact@investsofia.com
E-mail: kzld@cpdp.bg
Telephone: +359 2 9153518
If you have any questions or comments about this personal data policy, you may send your question to us by mail or e-mail it to: contact@investsofia.com.
This PERSONAL DATA POLICY has been adopted and approved by the representative of the SMPIA, Maria Popova-Hristova, Senior Executive Director, on 12 November 2020 and is in compliance with the effective legislation at the time of its adoption, as well as with the general European and national legal framework in the area of personal data protection.
Date of publication: 12 November 2020
