PERSONAL DATA PROCESSING POLICY
Information about the data controller:
IMPULS Ltd. is a company registered in the Commercial Register of the Registry Agency with UIC 105575034, registered office and registered address: gr. Tower, Str. Maritsa 2,
tel.: 0898 445555; e-mail: impuls_ood_vidin@abv.bg
We process your personal data on the following grounds:
– The contract concluded between us and you in order to perform our obligations under it;
– Explicit consent from you (the purpose is stated on a case-by-case basis);
– Where there is a statutory obligation.
In the following paragraphs you will find information on the processing of your personal data depending on the basis on which we process it.
FOR THE PERFORMANCE OF A CONTRACT OR IN THE CONTEXT OF A PRE-CONTRACTUAL RELATIONSHIP
We process your personal data in order to fulfil our contractual and pre-contractual obligations and to exercise our rights under the contracts concluded with you.
Processing objectives:
– establish your identity;
– management and execution of your request and the execution of a contract;
– preparing and sending you a bill/invoice for the services you use with us;
– Retaining correspondence regarding orders placed, processing requests, reporting problems, etc.
– preparation of a user profile;
On the basis of the contract concluded between us and you, we process information about the type and content of the contractual relationship and any other information related to the contractual relationship, including:
– personal contact details: contact address, email, phone number;
– identification data: full name, unique nationality number or alien identity number, permanent address;
– Details of orders placed through the user profile;
– Email, letters, information about your troubleshooting requests, complaints and requests;
– Credit or debit card information, bank account number or other banking and payment information in connection with payments made;
The processing of the above personal data is mandatory for us in order to conclude the contract with you and to perform it.
We provide your personal data to third parties as our main goal is to offer you a quality, fast and comprehensive service.
We provide personal data to the following categories of recipients (data controllers):
– postal operators and courier companies;
– persons providing consultancy services in various fields.
We delete the data collected on this basis 5 years after the termination of the contractual relationship, whether due to expiry of the contract, termination or any other reason. The time limit is determined by the 5-year limitation period for possible contractual claims.
FOR COMPLIANCE WITH REGULATORY OBLIGATIONS
There may be a legal obligation for us to process your personal data. In these cases, we are obliged to carry out the processing, such as:
– Anti-Money Laundering Act obligations;
– Performance of obligations in relation to distance selling, off-premises selling provided for in the Consumer Protection Act;
– providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act
– providing information to the Commission for Personal Data Protection in relation to obligations under data protection legislation;
– obligations provided for in the Accounting Act and the Tax and Social Security Procedural Code and other related regulations in relation to the keeping of lawful accounts;
– the provision of information to the court and third parties, in the context of court proceedings, in accordance with the requirements of the regulations applicable to the proceedings;
– age verification when shopping online.
We delete data collected pursuant to a statutory obligation after the collection and storage obligation has been fulfilled or has expired. For example:
• under the Accounting Act for the storage and processing of accounting data (11 years),
• obligations to provide information to the court, competent state authorities, etc., on grounds provided for in the current legislation (5 years).
Where an obligation is imposed on us by law, it is possible for us to provide your personal data to the competent state authority, individual or legal entity.
WITH YOUR CONSENT
We process your personal data on this basis only after your explicit, unambiguous and voluntary consent. We do not foresee any adverse consequences for you if you refuse the processing of personal data.
Consent is a separate basis for processing your personal data. The purpose of the processing is set out in the consent itself and does not overlap with the purposes listed in this policy. If you give us your consent, then until you withdraw it or any contractual relationship with you is terminated, we make suitable product/service offers to you.
On this basis, we only process data for which you have given us your explicit consent. The specific data is determined on a case-by-case basis. Typically, the data includes:
• Email;
• Phone;
• Address;
• Names;
We may provide your data to marketing agencies and third parties on this basis.
Consents granted may be withdrawn at any time. Withdrawal of consent shall have no effect on the performance of contractual obligations. If you withdraw your consent to the processing of personal data for any or all of the ways described above, we will not use your personal data and information for the purposes set out above.
We delete data collected on this basis at your request or 1 year after its initial collection.
PROCESSING OF ANONYMISED DATA
We process your data for statistical purposes, that is, for analyses in which the results are only aggregated and the data are therefore anonymised. It is impossible to identify a specific person from this information.
How we protect your personal data
To ensure adequate protection of the company’s and its customers’ data, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act.
In order to maximize the security of the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
Rights of Users
Each User of the Site enjoys all the rights for the protection of personal data under Bulgarian and European Union law.
Each User has the right to:
– Awareness (in relation to the processing of his personal data by the controller);
– Access to his own personal data;
– Rectification (if the data is inaccurate);
– Deletion of personal data (right to be forgotten);
– Restriction of processing by the controller or processor;
– Portability of personal data between controllers;
– Objection to the processing of his or her personal data;
– The data subject shall also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her;
– The right to a judicial or administrative remedy if the data subject’s rights have been violated.
The user may request erasure if one of the following conditions applies:
– The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– The user withdraws the consent on which the processing is based and there is no other legal basis for the processing;
– The user objects to the processing and there are no overriding legitimate grounds for the processing;
– The personal data has been unlawfully processed;
– The personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
– The personal data was collected in connection with the provision of information society services to children and consent was given by the person with parental responsibility for the child.
The user has the right to restrict the processing of his/her personal data by the controller when:
– In this case, the restriction of processing shall be for a period which allows the controller to verify the accuracy of the personal data;
– The processing is unlawful, but the User does not wish the personal data to be erased, but requests instead the restriction of its use;
– The controller no longer needs the personal data for processing purposes, but the User requires it for the establishment, exercise or defence of legal claims;
– The User objects to the processing, pending verification of whether the controller’s legitimate grounds override the interests of the User.
Right to portability
The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format and shall have the right to transfer those data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent or a contractual obligation and the processing is carried out by automated means. When exercising his or her right to data portability, the data subject shall also have the right to obtain a direct transfer of the personal data from one controller to another where this is technically feasible.
Right to object
Users have the right to object to the controller to the processing of their personal data. The data controller shall be obliged to terminate the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. If you object to the processing of personal data for direct marketing purposes, the processing shall cease immediately.
Complaint to the supervisory authority
Every User has the right to lodge a complaint against unlawful processing of his/her personal data with the Personal Data Protection Commission or the competent court.
RULES ON THE MECHANISM OF PROCESSING PERSONAL DATA AND THEIR PROTECTION AGAINST UNLAWFUL FORMS OF PROCESSING
Art. 1. These internal rules on technical and organisational measures and the type of personal data protection allowed shall govern the organisation of the processing of personal data of the Company’s employees, persons employed on civil contracts and customers, as well as their protection.
Art. 2. The Company is a personal data controller and as such keeps the following records:
1. Employees and persons under civil contracts register
2. Register “Customers”.
Art. 3. (1) The register “Employees and Persons Under Civil Contracts” shall collect and store the personal data of the employees and contractors under civil contracts in the company for the purpose of:
1. Individualization of labor and civil legal relations.
2. Compliance with the regulatory requirements of the Labour Code, the Social Security Code, the Accounting Act, the State Archives Act, etc.
3. Use of the collected data on the persons concerned for official purposes.
4. For all activities related to the existence, modification and termination of employment and civil law relationships, for the preparation of any documents of persons in this regard (contracts, supplementary agreements, documents certifying employment, service notes, reports, certificates and the like).
5. To establish contact with the person by telephone, to send correspondence relating to the performance of his/her obligations under employment or civil contracts.
6. To keep accounting records regarding the remuneration of the above-mentioned persons under employment and civil contracts.
(2) The “Clients” register collects and stores the personal data of the company’s clients in order to:
1. Individualize the relevant counterparties.
2. Provide services by the company for which personal data of counterparties is required.
3. Fulfill the regulatory requirements of the Accountancy Act and other relevant regulatory acts.
4. Use of the collected data for the relevant persons for official purposes only and solely after obtaining due consent from the persons to process their personal data for the following purposes:
a. for all activities related to the existence, amendment and termination of contractual legal relationships, as well as with the collection of receivables arising from the latter for the preparation of any documents in this regard (contracts, additional agreements, any commercial, accounting and other documents);
b. for establishing contact with the persons by telephone, address and/or e-mail, for sending correspondence relating to the fulfillment of their obligations under the contracts concluded with the Company;
c. for keeping accounting records;
Art. 4. (1) The following types of personal data are stored in the register “Employees and Persons Under Civil Contracts”:
1. Regarding the category “Physical Identity” of persons: (three names, personal identification number, gender, permanent address and place of birth for employment contracts, and for civil contracts, the number of the identity card, date and place of issue, validity, body that issued it), contact telephone numbers, e-mail, etc. They are provided on the basis of a regulatory obligation and the conclusion and performance of a contract;
2. Data on the health status of employees, when it is necessary to process sick leaves, documents, in connection with an occupational accident, employment of workers, etc.
3. Regarding the category “Social Identity” of persons provided on the basis of a regulatory obligation and/or legitimate interest:
a. type and level of education, place, number and date of issue of the diploma and educational institution;
b. additional qualification;
(2) The following types of personal data concerning the category “Physical identity” of persons shall be stored in the register “Customers”: names and ID card data (personal identification number, gender, ID card number, date and place of issue, validity, issuing authority, permanent address-where necessary and relevant), contact telephone numbers, e-mail address, etc. They shall be provided on the basis of the conclusion and performance of a contract.
(3) The records of personal data maintained by the company are protected by controlled access, such access being granted to authorised employees by means of a username and password identification procedure. The records are kept electronically in a cloud space managed by a data processor, which in turn implements the necessary measures to protect personal data.
(4) Exceptionally, the company may also keep paper records of data. Employee and customer data shall be stored in folders arranged in lockers located in a restricted storage area in the company’s office.
Chapter Three
PROCESSING OF PERSONAL DATA
Art. 5. Collection of personal data:
(1) Personal data in the register “Employees and persons under civil contracts” are collected before entering/assigning work under an employment or civil law relationship to a given person through an oral interview or electronically, provided by the data subject.
(2) The personal data in the Customer Register is collected by direct provision by users and customers or automatically.
(3) When personal data are collected, the data subject shall be informed of the purposes for which the data are collected and processed.
(4) Where personal data are collected and processed on paper for customers of the company, they shall be stored in a key-locked restricted access warehouse and used by authorised persons solely for the purposes of fulfilling legal or contractual obligations.
Art. 6. (1) The Company may outsource the processing of personal data to processors. The processing shall be entrusted to more than one processor in accordance with the specificity of their functions and in order to distinguish their specific duties.
Art. 7. The Company may transfer personal data of its customers to third parties, which shall be expressly notified to the data subjects.
Chapter Four
PROTECTION OF PERSONAL DATA. OBLIGATIONS OF THE CONTROLLER.
Article 8. Ensuring access of individuals to their personal data
(1) Every individual has the right of access to personal data relating to him/her. In cases where, upon exercising the individual’s right of access, personal data may be disclosed to a third party, the controller shall be obliged to provide the individual concerned with access to the part of the data relating only to him/her.
(2) To obtain access to personal data, data subjects may follow the procedure described in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.
(3) Where the data do not exist or cannot be provided on a specific legal basis, the applicant shall be refused access to them by a reasoned decision which shall be communicated to the applicant in accordance with the preceding sentence.
(4) In performing its obligations to provide access to personal data, the company shall provide the data subject with the following information:
– the data identifying the controller and the contact details of the controller;
– the purposes of the processing for which the personal data are intended and the legal basis for processing;
– the recipients or categories of recipients to whom the personal data are or will be disclosed, in particular recipients in third countries within the meaning of the Regulation or international organisations, and their safeguards;
– where possible, the intended period for which the personal data will be kept and, if this is not possible, the criteria used to determine that period;
– the existence of a right to require the controller to rectify or erase personal data or to restrict the processing of personal data relating to the applicant, as well as the right to object to such processing;
– The right to lodge a complaint with the Data Protection Commission.
– The existence of a profiling procedure, if applicable to the subject’s personal data.
(5) The controller shall be obliged to communicate any rectification, erasure or restriction of processing to any recipient to whom the personal data have been disclosed, unless this is impossible or requires a disproportionate effort. The controller shall inform the data subject of those recipients if the data subject so requests.
Art. 9. (1) The provision of personal data to a Member State of the European Union, as well as to another Member State of the European Economic Area, shall be carried out in compliance with the requirements of the applicable European and national legislation.
(2) Provision of personal data to a third country outside those referred to in par. (1) shall be permitted only if it ensures an adequate level of protection of personal data on its territory.
Art. 10. Period for storing personal data:
(1) Register “Employees and Persons under Civil Contracts”: The various carriers of accounting information containing personal data from the register “Employees and Persons under Civil Contracts” are stored within the periods provided for in the Accountancy Act (ACA).
(2) Register “Clients”: The various carriers of accounting and tax information containing personal data from the register “Clients” of the Company’s clients with whom a contract has been concluded are stored within the periods provided for in the Accountancy Act (ACA) and the Tax and Social Security Procedure Code (TSPC).
Art. 11. Periodic archiving: The archiving of personal data shall be carried out by the company periodically and access to the archived data shall be further restricted.
Art. 12. (1) The Company undertakes, in the event of a request from an individual whose personal data is processed by the Controller, to erase the personal data without undue delay where one of the grounds set out below applies:
1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2. the individual withdraws the consent on which the processing is based and there is no other legal basis for the processing;
3. the person objects to the automatic decision-making applied by the Administrator to his or her personal data and there are no other overriding legitimate grounds for the processing, or the person expressly objects to the processing;
4. the personal data have been unlawfully processed;
5. the personal data must be erased in order to comply with an obligation under European or national law;
6. the personal data have been collected in connection with the provision of information society services to children.
(2) The Company shall have the right to refuse to perform the actions referred to in paragraph (1) in the cases provided for by law, and in case of refusal it shall notify the subject who made the relevant request.
Art. 13. (1) Data portability: The data subject shall have the right to receive the personal data which he or she has provided to the Controller in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the Controller to whom the personal data have been provided, where:
(a) The processing is based on the consent of the data subject or on a contractual obligation;
(b) The processing is carried out by automated means.
Art. 14. (1) In the event of a personal data breach, the Controller shall, without undue delay but not later than 72 hours after becoming aware of it, notify the personal data breach to the Commission for Personal Data Protection (“CPDP”), unless the personal data breach is likely to pose a risk to the rights and freedoms of natural persons.
(2) Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company shall, without undue delay, notify the data subject of the personal data breach.
Art. 15. The administrator shall implement appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed, this obligation relating to the volume of personal data collected, the extent of the processing, the period of their storage and their accessibility.
Art. 16. These rules are brought to the attention of all employees of the Company, as well as to persons appointed under a civil contract.