Personal data and privacy

PRIVACY POLICY AND PERSONAL DATA PROTECTION
OF CREDITREFORM BULGARIA EOOD

I.  Objectives and scope of the Policy
With the present Policy Creditreform Bulgaria Ltd takes into account the privacy rights of the individuals and in full compliance with the current legislation and good practices, the company applies the necessary technical and organizational measures to protect the personal data of the individuals.
Тhe present Policy is in accordance with the Bulgarian Personal Data Protection Act (LPPD), Regulation (EU) 2016/679 – General Data Protection Regulation and the Internal Policies and procedures of the Company. This Policy aims to inform individuals about: the categories of personal data and the purposes of their processing in the Company; categories recipients to whom the personal data may be disclosed; technical and organizational measures for data protection and security; information about the rights of the data subjects.

II.  Information on the Company
Creditreform Bulgaria Ltd is a company registered in the Commercial Register of the Bulgarian Registry Agency with UIC: 831030580, with headquarters in: Sofia, 1606, 10 Sandor Petyöfi str. The Company is one of the founding members of the Receivables Management Association in Bulgaria and is registered as a Controller of personal data with № 50075 in the Register of the Controllers in the Commission for Personal Data Protection.
Contacts: Tel: +35929293993; +35929282611, fax: +35929200994, e-mail: office@creditreform.bg, Website: www.creditreform.bg

III. Principles related to the processing of personal data
The Company is processing personal data for a specific and legitimate purposes in full compliance with the current Bulgarian and EU legislation, observing the Bona fide principles, in accordance with legal requirements and in transparent manner. Creditreform aims to process personal data, considering their accuracy, integrity, necessary scope, categories and classification. Such processing does not exceed the time limits for the relevant lawful purposes, with exception for the cases where there is a specific legal requirements or rights to preserve certain information for a longer period.
All the necessary technical and organizational measures have been implemented in order to protect Your personal data of any accidental or unlawful destruction, accidental loss, unauthorized access,
alteration or dissemination, and any other unlawful forms of processing.

IV. Personal data processing grounds
Creditreform Bulgaria processes Your personal data legally, in good faith and transparently, on the basis of Art.6 of Regulation (EU) 2016/679 and the Personal Data Protection Act on any of the following grounds:
-    Consent – in cases where your specific consent is required and in compliance with Art.6, §1, “а“, the same should be freely, voluntarily, unambiguously expressed and informed. When the processing of Your personal data for a certain purpose is connected to such consent,You have the right to withdraw Your consent at any time, which should not concern the lawfulness of the processing prior to its withdraw;
-    Contract – in cases where data processing is necessary for the performance of a contract to which you are party or to take steps on your request for a contract, Creditreform Bulgaria Ltd may process your personal data according to the requirements of Art. 6, §1 "b" from
Regulation (EU) 2016/679. Failure to provide personal data may result in inability for the
Company to provide certain services or actions.
-    Legal obligation – in cases where the processing is necessary for compliance with a legal obligation of the Company, provided  in a legal act (for example: Ministry of Interior Act, Accountancy Act, Civil Procedure Code, Criminal Procedure Code, AML Law, Labour Code, Tax-Insurance Procedure Code, VAT Law, Law for Obligations and Contracts, Commercial Law, the accounting, health insurance and the legislation in force in Bulgaria and in the European Union), the Company may process your personal data in accordance with the requirements of Art.6, §1 "c"  from Regulation (EU) 2016/679.
-    Legitimate interests – in cases where there is a legitimate interest for the Company or for a Third party, The Company may process your personal data in accordance with Art.6, §1 "f" from Regulation (EU) 2016/679.  

V. Purposes for processing of personal data
The Company is processing your personal data for one or more of the following purposes:   
(a) Legal or contractual obligations regarding labour relationships, assimilated to them and civil relationships concerning personal data of employees, workers, attorneys and proxies of the Company and with respect to the company’s internal rules and instructions;   
(b) Collection of overdue receivables which the Company has acquired against debtors – natural persons, on the basis of stipulated Cession contracts or individual legal relationships with the data subject, including the relevant court proceedings;
(c) Collection of overdue receivables on the basis of a contract with another data Controller, which are
due by individuals to the respective Controller /as a creditor/;
(d) Collection of receivables, establishment of pre-contractual and contractual relations, inquiries,
correspondence and all other legal relationships and contacts in which the customer / contractor / inquirer is a natural person, individuals - merchants, incl. individuals representing companies, NGO-s etc.;
(е) Processing and preparing of credit reports on legal entities or  trader individuals where the respective natural person agrees – his/her personal data, beyond the public information in public, to be provided to current or potential partners;

VI. Processed categories of personal data
With respect to the abovementioned purposes and grounds Creditreform Bulgaria may process the following categories of personal data (separately or combined):
(a) information concerning the identity of the data subject: names, PIN / Personal number of а foreigner or date of birth, addresses, phone numbers, e-mail, and in cases of transferred receivables, labour, civil or equal legal relationships with the company – information from ID; identification data for representative/ proxy/ parent/ custodian/ guardian (legal representative) related to the data subject with the abovementioned volume;
(b) information regarding contractual or delict relationships and the related data and in cases of transferred receivables – economic/property status information as well - for the purposes of establishment, exercise or protection of the company’s rights before the court/regulatory entity, according to Art.6,§1 "f" of GDPR.

(c) phonograms of calls, made by and to the Company - aimed and improving the services;
(d) videotapes of unidentified subjects concerning the security regime for the purposes of prevention, control and protection from unauthorized access to the building and to the work premises;
(e) in cases of received: letters, complaints, claims, requests and other correspondence between the company and data subjects, regulatory entities, court institutions and others – the information (incl. personal data) from the mentioned sources.

VII. Categories of recipients of personal data
As a Data Controller, Creditreform Bulgaria is processing personal data or by engaging another Controller or Data Processor. According to the requirements of the Personal Data Protection Act and Regulation (EU) 2016/679, personal data may be transmitted to the following categories of recipients:
(a) Authorities and competent regulatory representatives who are entitled by the Law with the right to request from Creditreform Bulgaria to disclose information (including personal data) or for protection of legal rights and interests of the Company, data may be provided to : courts, investigating authorities and prosecution, police, bailiffs, authorized lawyers of the company, supervisory and regulatory authorities, etc.
(b) Partners involved in the company’s activities or on behalf of the company are processing data, such as: postal and courier companies for the purpose of sending letters, shipments, contracts, agreements, etc. The company only cooperates with partners able to provide sufficient guarantees for the application of appropriate technical and organizational measures in compliance with Regulation (EU) 2016/679.

VIII. Transfer of personal data in EU and in Third countries
Usually the Company does not transfer personal data outside the Republic of Bulgaria. In case there is a need to transmit personal data processed by Creditreform Bulgaria Ltd to a country within the EU or to third countries or international organizations, the provisions of Regulation (EU) 2016/679 shall be respected, including in cases of subsequent transfer of personal data by the third country or organization to another third country or organization.

IX. Processing terms
The processing and storage of personal data shall take place for a period which is sufficient and necessary for the fulfilment of the data processing purposes mentioned it this Policy. The processing period depends on specific and explicitly defined purposes and in full compliance with: A) The legislative requirements (for example: for accounting or tax reporting – 10 yrs. period; Documentation for tax control – 5 years; Salary records – 50 yrs.; for the respective limitation periods – up to 10 yrs. or until the expiration of a specific term, related to a certain legitimate interest, etc. B) The Company internal Policies and procedures (for example: storage of video recordings – for a 30-days period; phonograms/call recordings – up to 180 days term). C) Occurrence of contractually defined terms or until the completion of a contractual assignment, when the data processing is related to such legal ground.
After expiration of the relevant processing period or the legal grounds of processing no more exists, including upon completion of pending judicial, administrative or other disputed proceedings, the personal data shall be deleted/returned or destroyed.

Х. How we are assuring the protection of Your personal data
To ensure adequate data protection, the Company applies all the necessary organizational and technical measures mentioned in the Personal Data Protection Act, Regulation (EU) 2016/679, including the best practices of the international standard for information and system security which is implemented in the Company - ISO 27001: 2013. The Company has established internal rules and procedures for prevention of security abuses and breakthroughs in accordance with the modern technological developments and has appointed a Data Protection Officer to supervise the data processing and protection processes, ensuring the data privacy and security.

XI. Your rights in relation to the processing of your personal data
(a) Right to information and access – At any time You have the right to request and receive information in understandable form – if the data you are referring to is a subject of processing and for what purposes and scope, the estimated storage period; information about possible recipients or categories of recipients to whom the data may be disclosed, incl. in third countries or organizations (if applicable); information about the provider of Your data; the applicable privacy and security guarantees and what is the processing period or at least – the criteria for determining this period;
(b) Right to rectification – in case Your personal data is inaccurate (incomplete, incorrect or wrong), You have the right, at any time, to request your personal data, the processing of which is not according to the respective legal requirements to be: deleted, completed, corrected or blocked, except when this is impossible or is associated with actions not corresponding to the legitimate rights and interests of the Company.
(c) Right to object – At any time and in case there is a specific legal ground, you are entitled to object against the processing of your personal data. When such objection is justified and there are no legal grounds for processing Your personal data, the Company must suspend the processing.
(d) Right to erasure (“right to be forgotten”) – At any time You have the right to ask the Company to delete Your personal data without unnecessary delay when the processing is unlawful or when the data are not a subject of processing for the establishment, exercise or protection of legal claims and rights, and in the following cases:
- the personal data is no longer needed for the purposes for which they were collected or are processed in a way exceeding the relevant purposes;
- when You have withdrawn your consent on which processing is based and there is no other legal ground for processing (for example: you have given your consent to a data Controller to provide your data to the Company, but subsequently you withdraw that consent before the Controller);
- You have objected to the processing and there are no other grounds for the processing which has legal priority over your individual rights;
- You consider that your personal data has been processed in an illegal manner;
- You consider that your personal data should be deleted in accordance with a legal requirement under the EU law or the law of a EU Member state which is concerning and applies to the Company:
(e) Right to restriction of processing – At any time You are entitled to restrict the processing of Your personal data when one of the following applies:
- the accuracy of the personal data is contested by You for the period within which the Company may verify their accuracy;
- there is no legal ground for the processing and You request a restriction of their use instead of their erasure;  
- the personal data is no longer needed by the Company, but their storage is required by You for the establishment, exercise or defence of legal claims;
- the processing of Your personal data is contested by You – for the period within which the Company may verify if the processing is lawful.
(f) Right to data transfer –You may request and receive Your personal data in a structured, commonly used and machine-readable format and with right to request the Company to transfer Your data to another controller when the processing is based on Your consent or under a contractual ground ;
(g) Right to object – in case You consider that the Company has violated the applicable regulations, at any time You can contact us using the contacts listed below to discuss the case or to submit a complaint to the relevant regulatory authority within the EU, respectively to the Data Protection Commission or before the competent court. When exercising the right of objection before Creditreform Bulgaria, the Company shall send you a motivated response within 14 days;
For any questions related to the data processing in Creditreform Bulgaria EOOD:
Data protection officer: Mr. Enil Enev
tel: +3592419370, +359894100370
e-mail: dpo@creditreform.bg

XII. Data processing in cases of contact and requests send to the Company:
When you are contacting us via e-mail or by our website contact form:
In case of an inquiry related to the services, provided by Creditreform (e.g. credit reports, CrefoCert, collection of overdue receivables, etc.) and the purpose of the contact is the establishment of a contractual relationship, the data provided by you may be stored and processed by us pursuant to Art. 6, paragraph 1, letter b) of the General Data Protection Regulation (GDPR);
In case for the performance of your rights as a data subject (listed in section XI.), there is an application/request/complaint/objection or other relevant statement submitted to Creditreform, the data provided by you may be saved and processed in order to respond to your request and to assist you in exercising your rights. The basis on which we may process the provided data is Art. 6, paragraph 1, letter c) and/or Art. 6, paragraph 1, letter f.) of the General Data Protection Regulation (GDPR).

XIII. Additional provisions
Detailed information on the rights of the data subjects according to the Bulgarian Data Protection Act and EU Regulation 2016/679 can be found at the following link: https://www.cpdp.bg/index.php?p=element&aid=1045
This Privacy and Data Protection Policy is approved and adopted by the Management of Creditreform Bulgaria, in accordance with the current legislation and is an integral part of the implemented Information security management system (ISO 27001:2013). The provisions and principles of this Policy are known and respected by the employees and partners of Creditreform. The Company declares that shall take care to maintain the Policy accurate to the current legal requirements and shall take care for the development and improvement of the activities, the procedures and the measures lawful processing and protection of personal data.

This policy is current as of: 10.08.2022.

INFORMATION SECURITY POLICY
OF CREDITREFORM BULGARIA EOOD

In relation to the aspirations of Creditreform Bulgaria EOOD to constantly improve the procedures and measures for the protection of information, the company approves the present Information Security Policy. Its implementation aims to guarantee control over the information risk and effective management of the storage of both own information and information provided by sources - outside the company. The policy has been explained and presented to the attention of all employees who have access to the information and information systems of Creditreform Bulgaria EOOD in such a way that they are familiar with the risks and aware of information security problems. The policy establishes the organization's approach to information security management. The organization's policy is to ensure security of customer, own personal data and systems when performing services of preparing credit reports for companies, collecting overdue receivables (its own and customers'), purchasing receivables and providing public information for legal entities.
Creditreform Bulgaria EOOD bases information security management on the basis of prevention and protection regarding potential adverse impacts and events through a systematic analysis of the environment, the type of information, regulatory rules and requirements of interested parties, the risk in relation to security and applies a complex of technical and organizational risk management measures.
This information security policy sets the framework for a system of measures aimed at:
The treatment of specific information - company, customer and in relation to natural persons - data subjects, as confidential, through the application of approved restrictions on access and disclosure of information;
Ensuring the integrity of information by protecting against unauthorized changes, loss or destruction of information;
Ensuring the availability of information by providing reliable and timely access;
Achieving information accountability by introducing control over access and rights to information bases and systems.

 The objectives of this policy are:
Ensuring continuity of work processes;
Minimization of information security risks causing losses or damages to Creditreform Bulgaria EOOD, its customers, partners and other interested parties;
Minimizing the risk of possible losses or damages caused by breaches in information security;
Informing employees about their responsibilities and obligations regarding information security;
Ensuring compliance with regulatory and contractual requirements;
Protection and privacy of information constituting personal data;
Respecting the trade secrets of the organization's customers.
Creditreform Bulgaria EOOD takes into account and applies the following basic principles in managing information security:
Data protection and privacy of personal information;
Protection of trade secrets, copyrights and other intellectual property rights;
Periodic evaluation, updating and development of appropriate practices, measures and procedures in relation to information security.
The information security policy is distributed to third parties. The Information Security Policy is regularly reviewed based on an established process within the Management Review.
The information security policy is revised and updated in accordance with the regulatory changes and applicable requirements.
Employees of Creditreform Bulgaria EOOD undertake to comply with all rules related to information security, described in procedures, instructions and other documents from the Management System.
Creditreform Bulgaria Ltd. approves the current policy and actively participates in the processes of development, maintenance and improvement of the Management System.
 
This policy is current as of: 26.03.2018