PERSONAL DATA PROTECTION AND PRIVICY POLICY OF CREDITREFORM BULGARIA EOOD

I.  Objectives and scope of the policy

With the present Policy and taking into account the privacy of the individuals and in compliance with the current legislation and the good practices, Creditreform Bulgaria EOOD applies the necessary technical and organizational measures to protect the personal data of the natural persons.

Тhe present Policy is in accordance with the Bulgarian Law for Protection of Personal Data (LPPD), Ordinance №1 dated – 30.01.2013 on the minimum level of technical and organizational measures and the admissible type of personal data protection, Regulation (EU) 2016/679 – General Data Protection Regulation and the Internal rules and regulations of the Company. The Policy’s objective is to inform the individuals about: the categories of personal data and the purposes of their processing; categories recipients to whom the personal data may be disclosed; the technical and organizational measures for data protection and security; information on the rights of the data subjects.

 

II.  Information on the Company

Creditreform Bulgaria EOOD is a trade company registered in the Commercial Register of the Bulgarian Registry Agency with UIC: 831030580, with headquarters and address in: 1606 Sofia, 10 Sandor Petofi str. The Company is a full member and one of the founders of the Association of The Collection Agencies in Bulgaria and is registered as a Controller of personal data with No. 50075 in the Register of the Controllers in the Personal Data Protection Commission.

Contacts:

Tel: +35929293993; +35929282611; fax: +35929200994;

e-mail: office@creditreform.bg  

Website: www.creditreform.bg

 

III. Principles related to the processing of personal data

The Company processes personal data for specific, explicit and legitimate purposes, in compliance with the current Bulgarian and European Union legislation and observing the Principles of good faith, accordance with the rules of law in force and awareness of what types of personal data is collected, why and how it is done. Personal data are processed for lawful purposes only and the processing does not exceed the period necessary to achieve those purposes, unless the Company is obligated by the law to store them after this period.

All the necessary technical and organizational measures have been introduced to protect Your personal data of any accidental or unlawful destruction, accidental loss, unauthorized access,
alteration or dissemination, and from any other unlawful forms of processing.

 

IV. Legal basis for processing personal data

Creditreform Bulgaria EOOD processes Your personal data legally, in good faith and transparently, on the basis of Art.6 of Regulation (EU) 2016/679 and the Law for Protection of Personal Data on any of the following grounds:

  • Consent – in cases where your specific consent is required and in compliance with Art.6, §1, “а“, the same should be free, voluntary, unambiguously expressed and informed. When the processing of Your personal data for a certain purpose is legated to such consent, You may withdraw Your consent at any time without prejudice to the lawfulness of the processing prior to its withdraw;

  • Contract – in cases where processing is necessary for the performance of a contract to which you are a party or in order to take steps on your request for a contract, Creditreform Bulgaria EOOD may process your personal data according to the requirements of Art. 6, §1 "b" from
    Regulation (EU) 2016/679. Failure to provide personal data may result in inability for the
    Company to provide you specific services or actions;

  • Legal obligation – in cases where the processing is necessary for compliance with a legal obligation of the Company, provided in a legal act (e.g.: Obligations and Contracts Act, Commerce Act, Bulgarian Civil Procedure Code, Measures against money laundering Act, The Labour Code, The Social Security Code, The VAT Law and the legislation in force in Bulgaria and in the European Union), the Company may process your personal data in accordance with the requirements of Art.6, §1 "c"  from Regulation (EU) 2016/679;

  • Legitimate interests – in cases where there is a legitimate interest for the Company or for a third party, The Company may process your personal data in accordance with Art.6, §1 "f" from Regulation (EU) 2016/679;

  •  

V. Purposes of the processing of personal data

    The Company may process your personal data in relation to any of the following:

    (a) Legal or contractual obligations in respect of employment relationships, assimilated to them and civil relations regarding personal data of employees, workers, attorneys and proxies of the Company and in relation to the company’s internal rules and instructions;

    (b) Collection of overdue receivables which the Company has acquired against debtors – natural persons, on the basis of cession contracts or individual legal relationships with the data subject, including relevant court proceedings;

    (c) Collection of overdue receivables on the basis of a contract with another data Controller
    and payable by individuals to the same respective Controller;

    (d) Collection of receivables, establishment of pre-contractual and contractual relations, inquiries, correspondence and all other legal relationships and contacts in which the customer / contractor / inquirer is a natural person, individual acting in a capacity of a trader, respectively a natural person representing a trade company, NGO and others;

    (е) Credit reports for legal entities or trader individuals where a natural person has agreed his/her personal data, beyond the public information in the public registers, to be provided to a potential partner;

     

VI. Processed categories of personal data

    In compliance with the abovementioned objectives and legal basis Creditreform Bulgaria EOOD may process the following categories of personal data – separately or combined:

    (a) concerning the identity of the data subject: names, PIN/Personal number of foreigner or date of birth, address, phone numbers, e-mail, and in case of transferred receivables, labour, civil or equal legal relationships with the company – passport data as well; data able to identify representative/proxy/ parent/custodian/guardian (legal representative) related to the data subject within the abovementioned volume;

    (b) information on the type and content of a contractual or delict relationship and the related data, in cases of transferred receivables – economic information as well - for the purposes of establishment, exercising or protection of the company’s rights in court, according to Art.6, §1 "f" of the GDPR.
    (c) reference number given by the Company or by a Controller identifying the relevant obligation;
    (d) audio recording of calls, made by and to the Company, aiming improving of the services provided; letters, claims, complaints, requests etc., received by the data subjects, authorities, judicial institutions, etc.;
    (e) video recording of an undefined volume of subjects related to the security regime and for the purpose of enhancing control and protection from unauthorized access to the building and to the work premises;

     

VII. Categories of recipients of personal data

    As a Personal Data Controller, Creditreform Bulgaria EOOD processes personal data separately or by engaging another Controller or Data Processor. According to the requirements of the Regulation (EU) 2016/679, personal data may be transmitted to the following categories of recipients:
    (a) Authorities and competent individuals who are legally entitled by the Law with the rights to request information (including personal data) by Creditreform Bulgaria EOOD or for the protection of legal rights and interests of the Company, such as: courts, investigating authorities and prosecution offices,
    police, bailiffs, authorized lawyers of the company, supervisory and regulatory authorities, etc.
    (b) Partners supporting the company’s activities or on behalf of the company processes data (e.g. postal and courier companies for the purposes of sending letters, shipments, contracts, agreements, etc.). The company cooperates with partners that provide sufficient guarantees for the application of appropriate technical and organizational measures in compliance with Regulation (EU) 2016/679.

     

VIII. Transfer of personal data in EU and in third countries

    Usually the Company does not transfer personal data outside the Republic of Bulgaria. In case a need for transfer of personal data, processed by Creditreform Bulgaria EOOD to a country in the EU, to third countries or international organizations arises, the provisions of Regulation (EU) 2016/679 shall be respected, including for the possibility of subsequent transfer of personal data by the third country or organization to another third country or organization.

     

IX. Terms for processing

    The processing and storage of personal data shall take place for a period which is sufficient and necessary for the fulfilment of the data processing purposes described it this Policy, with respect to the current legislation (e.g. : accounting or tax reporting – with a legal term of 11 years) and the Company’s internal rules (e.g. : video recordings – for a period no longer than 30 days, audio recordings for a period no longer than 180 days), the occurrence of a limitation period (5 years) or with respect to the stipulated contracts. After expiration of the processing period or if the basis for processing no longer exists, incl. after the completion of a current court, administrative or other “inter partes” proceedings, the personal data shall be deleted/returned or destroyed..

     

Х. How we protect your personal data

    To ensure adequate data protection, the Company applies all necessary organizational requirements
    and technical measures provided in the Law for Protection of Personal Data, Ordinance №1 from 30.01.2013, Regulation (EU) 2016/679, including the best practices of an international standard for information security ISO 27001: 2013. The Company has established internal rules and procedures for prevention of security abuses and breakthroughs in accordance with the modern technological developments and has appointed a Data Protection Officer to support protection processes and
    ensuring data security.

 

XI. Your rights in relation to the processing of your personal data

    (a) Right to information and access – At any time You have the right to request and receive information in an intelligible form – if the data you are referring to are processed, and for what purposes, on the recipients or categories of recipients to whom the data may be/are disclosed,
    incl. in third countries or organizations, if such, the guarantees legated to the transfer, the processing periods and if not possible, the criteria for determining such period and the source of the data;

    (b) Right to rectification – in case you find processed inaccurate (incomplete, incorrect or wrong) data, You have the right, at any time, to request your personal data processed in deviation with the legal requirements to be deleted, completed, corrected or blocked, except when this is impossible or is associated with excessive efforts.

    (c) Right to object – At any time, if you claim to have legal basis, you are entitled to object against the processing of your personal data. When the objection is justified and there are no legal grounds for processing your personal data, the Company ceases the processing.

    (d) Right to erasure (“right to be forgotten”) – At any time You have the right to ask the Company to delete Your personal data without unnecessary delay and if such data is no needed for the establishment, exercise or legal protection of rights, and in the following cases:

    - the personal data is no longer needed for the purposes for which they were collected or are processed in a way outside the relevant purposes;

    - when you have withdrawn your consent on which processing is based and there is not another legal ground for processing (e.g.: you have given your consent to a data Controller to provide your data to the Company, but subsequently you withdraw that consent before the Controller);

    - you have objected to the processing and there are no legal grounds for the processing that have Advantage;

    - you consider that your personal data has been illegally processed;

    - you consider that your personal data should be deleted in accordance with a legal obligation under the Union law or the law of a Member state that is applicable to the Company:

    (e) Right to restriction of processing – At any time You are entitled to obtain a restriction of processing Your personal data when one of the following applies:

    - the accuracy of the personal data is contested by You for the period needed to the Company to verify their accuracy;

    - the processing is unlawful and You request a restriction of their use instead of their erasure;

    - the personal data is no longer needed by the Company, but they are required by You for the establishment, exercise or defence of legal Claims;

    - the processing of Your personal data is objected by You – for the period needed to the Company to verify if the processing is lawful.

    (f) Right to data portability – You may request and receive Your personal data in a structured, commonly used and machine-readable format and have the right to request for the Company to transmit those data to another controller when the processing is based on Your consent or on a contract pursuant;

    (g) Right to object – in case You consider that the Company has violated the applicable regulations, You may use the contact listed below to clarify the case with us or to submit a complaint to the relevant regulatory authority within the EU, respectively to the Commission for Personal Data Protection or before the competent court. When exercising the right to object before Creditreform Bulgaria EOOD, the Company shall answer within 14 days of the filing with a reasoned Reply.

For contacts with Creditreform Bulgaria EOOD
Data protection officer: Mr. Enil Enev
tel.: +35924192370, +359894100370
e-mail: dpo@creditreform.bg

XII. Additional provisions

    Detailed information on the rights of the data subjects according to the Law for Protection of Personal Data and Regulation (EU) 2016/679 can be found at the following link:

    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

    This Privacy and Data Protection Policy is carried and approved by the Managers of Creditreform Bulgaria EOOD in compliance with the current legislation and is part of the Information Security Policy of the company known to all employees. The Company declares that shall maintain the Policy accurate to the legislation in force and shall develop and improve the procedures and the measures in processing and protection of personal data.

    Using Google reCAPTCHA

    We use "Google reCAPTCHA" (hereafter "reCAPTCHA") on our websites. Provider is Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google").

    With reCAPTCHA we want to check if the data entry on our websites (for example in a contact form) is done by a human or by an automated program. To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For analysis, reCAPTCHA evaluates various information (such as the IP address, website visitor's time spent on the website, or mouse movements made by the user). The data collected during the analysis will be forwarded to Google.

    The reCAPTCHA analyzes are completely in the background. Site visitors are not advised that an analysis is taking place.

    Data processing is based on Art. 6 para. 1 lit. f DSGVO. The Web site operator has a legitimate interest in protecting its web sites from abusive automated spying and SPAM.

    For more information about Google reCAPTCHA and the Google Privacy Policy, please visit the following links: www.google.com/intl/en/policies/privacy/ and www.google.com/recaptcha/intro/android. html.

    This Policy is valid as at: 23 May 2018

Contact us

online-kontakt

Contact
*All fields not marked with an asterisk (*) are optional, but you can provide us this information as well.

Contact