Privacy Policy
Information for the personal data controller:
Glowy Secrets EOOD is a company registered in the Commercial Register of the Registry Agency with UIC 206664316, with registered office and address of management: Sofia, p.k. 1303, Vazrazhdane district, st. Edirne № 115, Tel: 0878888617; e-mail: glowysecrets@gmail.com.
Reasons and purposes for which we use your personal data
We process your personal data on the following grounds:
● The contract concluded between us and you in order to fulfill our obligations under it;
● Explicit consent from you – the purpose is specified for each case;
● In case of an obligation under law;
In the following paragraphs you will find detailed information about the processing of your personal data depending on the basis on which we process them.
FOR PERFORMANCE OF A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS
We process your personal data in order to fulfill the contractual and pre-contractual obligations and to enjoy the rights under the contracts concluded with you.
Purposes of processing:
● establishing your identity;
● management and execution of your request and execution of a concluded contract;
● preparation of a proposal for concluding a contract;
● preparing and sending an invoice for the services you use with us;
● to provide the comprehensive service you need, as well as to collect the amounts due for the services used;
● keeping correspondence in connection with orders, processing requests, reporting problems, etc.
● notification of everything related to the services you use with us;
● analysis of customer history;
● identifying and/or preventing illegal actions or actions contrary to our terms of service;
Data we process on this basis:
Based on the contract concluded between us and you, we process information on the type and content of the contractual relationship, as well as any other information related to the contractual relationship, including:
● personal contact details – contact address, email, phone number;
● identification data – the three names, unique civil number or personal number of a foreigner, address;
● data on the orders placed;
● correspondence in connection with the overall service – e-mail, letters, information about your requests for troubleshooting, complaints, requests, feedback that we receive from you;
● credit or debit card information, bank account number or other banking and payment information in connection with payments made;
● other information such as:
● Customer number, code or other identifier created for identification;
● Information from your actions on the site
The processing of the specified personal data is mandatory for us so that we can conclude the contract with you and fulfill it. Without providing us with the above information, we would not be able to fulfill our obligations under the contract.
We provide personal data to third parties
We provide your personal data to third parties, and our main goal is to offer you quality, fast and comprehensive service. We do not provide your personal data to third parties until we are sure that all technical and organizational measures have been taken to protect this data, and we strive to exercise strict control to achieve this goal. In this case, we remain responsible for the confidentiality and security of your data.
We provide personal data to the following categories of recipients (data controllers):
● postal operators and courier companies;
● persons who, on assignment, maintain equipment, software and hardware used for the processing of personal data and necessary for the company’s activities
● persons providing consulting services in various fields.
When we delete data collected on this basis
We delete the data collected on this basis 2 years after the termination of the contractual relationship, regardless of whether due to the expiration of the contract, cancellation or other grounds.
FOR FULFILLMENT OF REGULATORY OBLIGATIONS
It is possible that the law provides for an obligation for us to process your personal data. In these cases we are obliged to carry out the processing, such as:
● Obligations under the Anti-Money Laundering Measures Act;
● Fulfillment of obligations in connection with distance selling, off-site sales, provided for in the Consumer Protection Act;
● Providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
● Providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation for personal data protection;
● Obligations provided for in the Accounting Act and the Tax and Social Security Procedure Code and other related normative acts in connection with the keeping of lawful accounting;
● Providing information to the court and third parties in court proceedings, in accordance with the requirements of the applicable regulations;
● Age verification when shopping online.
When we delete personal data collected on this basis
The data collected in accordance with the obligation provided for in the law are deleted after the obligation for collection and storage is fulfilled or ceased. For example:
● under the Accounting Act for storage and processing of accounting data (11 years),
● obligations to provide information to the court, competent state bodies and other grounds provided for in the current legislation (5 years).
Providing data to third parties
When there is an obligation for us by law, it is possible to provide your personal data to the competent state authority, natural or legal person.
AFTER YOUR CONSENT
We process your personal data on this basis only after your explicit, unambiguous and voluntary consent. We do not foresee any adverse consequences for you if you refuse the processing of your personal data.
Data we process on this basis:
On this basis, we only process data for which you have given us your express consent. The specific data are determined for each individual case. Usually this information is: email address.
Providing data to third parties
On this basis, we may provide your data to marketing agencies, Facebook, Google or the like.
Withdrawal of consent
Consent granted may be withdrawn at any time. Withdrawal of consent does not affect the performance of contractual obligations. If you withdraw your consent to the processing of personal data for some or all of the ways described above, we will not use your personal data and information for the purposes set out above. Withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.
In order to withdraw your consent, you only need to use our website or just our contact details.
When we delete data collected on this basis
We delete the data collected on this basis at your request or 12 months after their initial collection.
Processing of Anonymized Data
We process your data for statistical purposes, i.e. for analyses in which the results are only summary and therefore the data is anonymous. It is impossible to identify a specific person from this information.
Your data can also be anonymized. Anonymization is an alternative to deleting data. Upon anonymization, all personally identifiable elements that allow you to be identified are irrevocably deleted. There is no legal obligation for anonymized data to be deleted, as they do not constitute personal data.
Why and how we use automated algorithms
For the processing of your personal data we use partially automated algorithms and methods in order to continuously improve our products and services for customized
How we protect your personal information
To ensure adequate data protection of the company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act.
The company has established rules to prevent security breaches, which support the processes of protecting and ensuring the security of your data.
In order to ensure maximum security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
Personal data we have received from third parties
We do not receive data from third parties.
Consumer Rights
Each User of the site enjoys all rights to personal data protection under Bulgarian law and European Union law.
The user can exercise their rights through the contact form or by sending a message to our email.
Each User has the right to:
● Awareness (in connection with the processing of his personal data by the administrator);
● Access to your own personal data;
● Correction (if the data is inaccurate);
● Deletion of personal data (right to be forgotten);
● Restriction of processing by the controller or processor of personal data;
● Portability of personal data between individual administrators;
● Objection to the processing of his personal data;
● The data subject has the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for the data subject or similarly affects him significantly;
● Right to judicial or administrative protection in case the data subject’s rights have been violated.
The user may request deletion if one of the following conditions is true:
● Personal data are no longer needed for the purposes for which they were collected or otherwise processed;
● The user withdraws his consent on which the data processing is based and there is no other legal basis for the processing;
● The user objects to the processing and there are no legal grounds for processing to take precedence;
● Personal data has been processed illegally;
● Personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;
● Personal data have been collected in connection with the provision of information society services to children and the consent has been given by the parent responsible for the child.
The user has the right to restrict the processing of his personal data by the administrator when:
● Challenges the accuracy of personal data. In this case, the restriction of processing is for a period that allows the controller to verify the accuracy of personal data;
● The processing is illegal, but the User does not want the personal data to be deleted, but instead requires restricting their use;
● The administrator no longer needs personal data for the purposes of processing, but the User requires them for the establishment, exercise or protection of legal claims;
● Objects to the processing pending verification of whether the legal grounds of the administrator take precedence over the interests of the User.
Right of portability.
The data subject has the right to receive the personal data concerning him, which he has provided to the controller, in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without hindrance from the controller. The data are provided when the processing is based on consent or a contractual obligation and the processing is carried out in an automated manner. When exercising his right to data portability, the data subject is also entitled to the direct transfer of personal data from one controller to another where this is technically feasible.
Right to object.
Users have the right to object to the controller against the processing of their personal data. The controller of personal data shall be obliged to terminate the processing, unless he proves that there are convincing legal grounds for the processing, which take precedence over the interests, rights and freedoms of the data subject, or for establishing, exercising or defending legal claims. In the event of an objection to the processing of personal data for the purposes of direct marketing, the processing should be stopped immediately.
Complaint to the supervisory authority
Each User has the right to file a complaint against illegal processing of his personal data to the Commission for Personal Data Protection or to the competent court.
Maintaining a register
We maintain a register of the processing activities for which we are responsible. This register contains all the information below:
● The name and contact details of the administrator
● The purposes of processing;
● Description of the categories of data subjects and the categories of personal data;
● The categories of recipients to whom personal data are or will be disclosed,
● Including recipients in third countries or international organizations;
● Where possible, the deadlines for deleting the different categories of data;
● Where possible, a general description of the technical and organizational security measures
Rules on the mechanism of personal data processing and their protection against illegal forms of processing
Art. 1. The current internal rules for technical and organizational measures and the permissible type of personal data protection regulate the organization of personal data processing of employees, persons employed on civil contracts and customers of the company, as well as their protection.
Art. 2. The company is a controller of personal data and as such keeps the following registers:
1. Register “Employees and persons under civil contracts”
2. Register “Clients”.
Art. 3. (1) In the register “Employees and persons under civil contracts” shall be collected and stored the personal data of the employees and the executors under civil contracts in the company for the purpose of:
1. Individualization of labor and civil relations.
2. Fulfillment of the normative requirements of the Labor Code, the Social Security Code, the Accounting Act, the State Archives Act, etc.
3. Use of the collected data for the respective persons for official purposes.
4. For all activities related to the existence, amendment and termination of employment and civil relations – for the preparation of any documents of persons in this regard (contracts, additional agreements, documents certifying length of service, memos, certificates and the like).
5. To establish contact with the person by telephone, to send correspondence relating to the performance of his obligations under employment or civil contracts.
6. For keeping accounting records regarding the remuneration of the above-mentioned persons under employment and civil contracts.
(2) The personal data of the clients of the company shall be collected and stored in the register “Clients” in view of:
1. Individualization of the respective counterparties.
2. Provision of services by the company for which personal data of contractors are required.
3. Fulfillment of the normative requirements of the Accounting Act and other relevant normative acts.
4. Use of the data collected about the persons concerned for official purposes only after obtaining the appropriate consent of the persons for the processing of their personal data for the following purposes:
a. for all activities related to the existence, amendment and termination of contractual relations, as well as the collection of receivables arising from the latter – for the preparation of any documents in this regard (contracts, additional agreements, any commercial, accounting and other documents);
b. to establish contact with the persons by phone, address and / or e-mail, to send correspondence related to the fulfillment of their obligations under the contracts concluded with the Company;
c. for accounting;
Art. 4. (1) The following types of personal data shall be stored in the register “Employees and persons under civil contracts”:
1. Regarding the category “Physical identity” of persons: (three names, PIN, gender, permanent address and place of employment for employment contracts, and for civil and ID card number, date and place of issue, validity, authority that issued it), contact numbers, e-mail, etc. They are provided on the basis of a normative obligation and the conclusion and execution of a contract;
2. Data from the health condition of the employees, when it is necessary to process sick leaves, documents in connection with an accident at work, employment of workers, etc.
3. Concerning the category “Social identity” of persons granted on the basis of a legal obligation and / or a legitimate interest:
a. type and degree of education, place, number and date of issuance of the diploma and educational institution;
b. additional qualification;
(2) The following types of personal data regarding the category “Physical identity” of the persons shall be stored in the “Clients” register: names and data on ID card (PIN, gender, ID card number, date and place of issue, validity, body which issued it, permanent address – when necessary and relevant), contact numbers, e-mail, etc. They are provided on the basis of the conclusion and execution of a contract.
(3) The registers with personal data kept by the company shall be protected with controlled access as such shall be provided to the authorized employees through an identification procedure with username and password. The registers are kept on electronic media in a cloud space managed by a personal data processor, who in turn applies the necessary measures for personal data protection.
(4) As an exception, the company may also keep paper registers with data. Data on employees and customers are stored in folders arranged in binders located in a warehouse with limited access in the company’s office.
Chapter three
PROCESSING OF PERSONAL DATA
Art. 5. Collection of personal data:
(1) The personal data in the register “Employees and persons under civil contracts” shall be collected before entering / assigning work under an employment or civil legal relationship to a person through an oral interview or electronically, provided by the data subject.
(2) The personal data in the “Clients” register shall be collected through their direct provision by users and clients or automatically.
(3) When collecting personal data, the data subject shall be informed of the purposes for data collection and processing.
(4) When personal data are collected and processed on paper for clients of the company, the same shall be stored in a warehouse with limited access with a key and shall be used by the authorized persons only for the needs of fulfillment of legal or contractual obligations.
Art. 6. (1) The company may assign the processing of personal data to processors. Processing is assigned to more than one processor according to the specifics of their functions and in order to differentiate their specific obligations.
Art. 7. The company may transfer personal data of its customers to third parties, of which the data subjects should be explicitly notified.
Chapter four
PROTECTION OF PERSONAL DATA. DUTIES OF THE ADMINISTRATOR.
Art. 8. Ensuring access of persons to their personal data:
(1) Every natural person has the right of access to personal data relating to him. In the cases when personal data for a third party may be disclosed during the exercise of the natural person’s right of access, the administrator shall be obliged to provide the respective natural person with access to the part of them relating only to him.
(2) In order to gain access to personal data, data subjects may follow the procedure described in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.
(3) When the data do not exist or cannot be provided on a certain legal basis, the applicant shall be denied access to them by a motivated decision, which shall be communicated to the applicant by the order of the previous sentence.
(4) In fulfilling its obligations to provide access to personal data, the company shall provide the data subject with the following information:
● the data that identifies the administrator and the contact details;
● the purposes of the processing for which the personal data are intended, as well as the legal basis for their processing;
● the recipients or categories of recipients to whom personal data are or will be disclosed, in particular recipients in third countries within the meaning of the Regulation or international organizations, as well as their safeguards;
● where possible, the intended period for which personal data will be stored and, if this is not possible, the criteria used to determine this period;
● the existence of the right to require the controller to correct or delete personal data or to restrict the processing of personal data related to the applicant, as well as the right to object to such processing;
● The right to complain to the Commission for Personal Data Protection.
● The existence of a profiling procedure, if any, applicable to the personal data of the subject.
(5) The controller shall be obliged to inform about any correction, deletion or restriction of processing of each recipient, to whom the personal data have been disclosed, unless this is impossible or requires disproportionately great efforts. The controller shall inform the data subject of these recipients if the data subject so requests.
Art. 9. The provision of personal data in a Member State of the European Union, as well as in another Member State of the European Economic Area, shall be carried out in compliance with the requirements of the current European and national legislation.
(2) Provision of personal data in a third country other than those under para. 1 is allowed only if it provides an adequate level of protection of personal data in its territory.
Art. 10. Term for storage of personal data:
(1) Register “Employees and persons under civil contracts”: The various carriers of accounting information, containing personal data from the register “Employees and persons under civil contracts”, shall be stored within the terms provided in the Accounting Act (AA).
(2) “Clients” Register: The various media of accounting and tax information, containing personal data from the “Clients” Register – of the Company’s clients with whom a contract has been concluded, shall be stored within the terms provided in the Accounting Act (AA) and in the Tax and Social Security Procedure Code (TSPC).
Art. 11. Periodic archiving – archiving of personal data is performed by the company periodically and access to archived data is further restricted.
Art. 12. (1) The Company shall be obliged, in case of a request from a natural person, whose personal data are processed by the Administrator, to delete without undue delay the personal data, when any of the following grounds is applicable:
1. personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2. the person withdraws his / her consent on which the data processing is based and there is no other legal basis for the processing;
3. the person objects to the automatic decision-making applied by the Administrator with his personal data and there are no other legal grounds for the processing to have an advantage, or the person explicitly objects to the processing;
4. the personal data have been processed illegally;
5. personal data must be deleted in order to comply with an obligation under European or national law;
6. personal data have been collected in connection with the provision of information society services to children.
(2) The company has the right to refuse to perform the actions under para 1 in the cases provided by law, and in case of refusal it shall notify the subject, who has made the respective request.
Art. 13. (1) Data portability: The data subject has the right to receive the personal data he has presented to the Administrator in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without interference from the controller to whom he has provided personal data, when:
(a) The processing is based on the consent of the data subject or a contractual obligation;
(b) Processing shall be carried out in an automated manner.
Art. 14. (1) In case of violation of the security of personal data, the Administrator, without undue delay, but not later than 72 hours after learning about it, shall notify the Commission for Personal Data Protection (CPDP) of the violation of the security of personal data, unless the breach of personal data security is likely to pose a risk to the rights and freedoms of individuals.
(2) In cases where the breach of personal data security is likely to pose a high risk to the rights and freedoms of individuals, the company shall, without undue delay, notify the data subject of the personal data breach.
Art. 15. The controller shall put in place appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of processing are processed, this obligation relating to the volume of personal data collected, the degree of processing, the period of their storage and their availability.
Art. 16. The present rules are brought to the attention of all employees of the Company, as well as of the persons appointed under a civil contract.
Date:
Signature: _______________________