Information about the Data Controller:
“Bira Bulgaria” Ltd. is a company registered under the Commercial Act of the Republic of Bulgaria, UIC: 204562907, with its registered office and management address in BULGARIA, e-mail: birabulgaria@gmail.com.
Legal grounds and purposes for processing your personal data
We process your personal data on the following legal grounds:
- The contract concluded between you and us, in order to fulfil our obligations under it;
- Your explicit consent – for each specific case where such consent is required;
- A legal obligation imposed on us by applicable law.
In the sections below, you will find detailed information regarding the processing of your personal data, depending on the specific legal basis on which it is processed.
FOR CONTRACT PERFORMANCE OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS
We process your personal data in order to perform our contractual and pre-contractual obligations and to exercise the rights arising from the agreements concluded between us.
Purposes of the processing:
- To verify your identity;
- To manage and fulfil your order and perform the concluded contract;
- To prepare an offer for a contract;
- To issue and send an invoice for the services you use with us;
- To provide you with comprehensive customer service and to collect any amounts due for services used;
- To retain correspondence related to orders, request processing, reporting issues, etc.;
- To send you notifications regarding everything related to the services you use with us;
- To detect and/or prevent unlawful actions or actions contrary to our terms and conditions for the respective services.
Data processed on this basis:
On the basis of the contract concluded between you and us, we process information about the type and content of the contractual relationship, as well as any other information related to it, including:
- Personal contact data – e-mail address;
- Identification data – full name, delivery address, e-mail;
- Other feedback we receive from you;
- Information about your actions on our website.
The processing of the above personal data is mandatory for us to be able to conclude and perform the contract with you. Without providing this information, we would be unable to fulfil our obligations under the agreement.
Disclosure of personal data to third parties
We may disclose your personal data to third parties, with the main purpose of providing you with high-quality, efficient, and comprehensive service. We do not share your personal data with third parties before ensuring that all required technical and organisational measures are in place to protect such data, and we exercise strict control over their implementation. In such cases, we remain fully responsible for maintaining the confidentiality and security of your data.
Your personal data may be disclosed to the following categories of recipients (data controllers or processors):
- Postal and courier service providers;
- Parties responsible for maintaining equipment, software, and hardware used for data processing, necessary for the company’s operations;
- Consultants and professional service providers in various fields.
Data retention period for this legal basis:
Personal data collected on this basis are deleted five (5) years after the termination of the contractual relationship, regardless of whether such termination results from contract expiration, dissolution, or another ground.
FOR COMPLIANCE WITH LEGAL OBLIGATIONS
In certain cases, the law requires us to process your personal data. In such cases, we are legally obliged to perform such processing. Examples include:
- Obligations under the Measures Against Money Laundering Act;
- Obligations related to distance selling and off-premises contracts, as provided in the Consumer Protection Act;
- Provision of information to the Consumer Protection Commission or other third parties as required by the Consumer Protection Act;
- Provision of information to the Commission for Personal Data Protection, in connection with our obligations under the applicable data protection legislation;
- Obligations arising under the Accounting Act and the Tax and Social Insurance Procedure Code and related statutory acts, ensuring lawful accounting practices;
- Provision of information to the court or other competent authorities within judicial or administrative proceedings, as required by the applicable laws.
Data retention period for this legal basis:
Personal data collected under a legal obligation are deleted after the obligation for data collection and retention has been fulfilled or has ceased to exist. For example:
- Under the Accounting Act – accounting data are retained and processed for eleven (11) years;
- Under obligations to provide information to courts, state authorities, and other entities defined by applicable legislation – five (5) years.
Disclosure to third parties:
Where required by law, we may disclose your personal data to competent government authorities, individuals, or legal entities.
BASED ON YOUR CONSENT
We process your personal data on this legal ground only after obtaining your explicit, unambiguous, and voluntary consent. We will not impose any adverse consequences if you choose not to provide consent for the processing of your personal data.
Consent represents an independent ground for processing your personal data. The specific purpose of the processing is described in each case and does not overlap with the purposes outlined elsewhere in this Policy.
If you have granted your consent, and until such consent is withdrawn or your contractual relationship with us ends, we may prepare tailored offers for products or services, performing detailed analyses of your core personal data.
A detailed analysis is a method that allows for the processing of large volumes of data through statistical models, algorithms, and similar approaches. It may involve pseudonymisation and anonymisation of data for the purpose of deriving trends and statistical insights.
Data processed on this legal basis:
We process only the data for which you have given explicit consent. The specific data depend on each individual case but generally include:
- Email address;
- Full name;
- IP address.
Disclosure of data to third parties:
On this basis, we may provide your data to marketing agencies, Facebook, Google, or other similar platforms and partners.
Withdrawal of consent:
You may withdraw your consent at any time. The withdrawal of consent does not affect the performance of any contractual obligations already in force. If you withdraw your consent for any or all of the processing purposes mentioned above, we will cease processing your personal data for the respective purposes.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You may withdraw your consent easily by using our website or by contacting us directly via the contact details provided.
Data retention period for this legal basis:
Data collected on this basis are deleted upon your request or within six (6) months from their initial collection.
PROCESSING OF ANONYMISED DATA
We may process your data for statistical purposes, meaning that analyses are conducted only on aggregated results, and therefore the data are anonymous. It is impossible to identify any specific individual from this information.
Your data may also be anonymised. Anonymisation represents an alternative to deletion, whereby all personally identifiable elements are irreversibly removed. Anonymised data are not considered personal data and are not subject to legal requirements for deletion.
Why and how we use automated algorithms:
We use partially automated algorithms and analytical methods when processing your personal data. This allows us to continuously improve our products and services, adapting them to your needs in the best possible way. This process is known as profiling.
How we protect your personal data:
To ensure adequate protection of both company and customer data, we apply all necessary organisational and technical measures as required under the Personal Data Protection Act.
The company has established internal rules and procedures to prevent misuse and security breaches.
For maximum security during the processing, transfer, and storage of your data, we may apply additional safeguards such as encryption, pseudonymisation, and similar protective mechanisms.
Personal data received from third parties:
We may also receive personal data about you from other users or business partners.
USER RIGHTS
Every user of the website is entitled to all rights provided under Bulgarian and European Union data protection law.
You may exercise your rights through the contact form on our website or by sending an email to us directly.
Each user has the right to:
- Be informed regarding the processing of their personal data (right to information);
- Access their own personal data;
- Rectify inaccurate or incomplete data;
- Erase personal data ('the right to be forgotten');
- Restrict processing by the controller or processor;
- Data portability between different controllers;
- Object to the processing of their personal data;
- Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them;
- Seek judicial or administrative protection if their rights have been violated.
A user may request the erasure of their data if any of the following apply:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- The user withdraws their consent on which the processing is based and there is no other legal ground for the processing;
- The user objects to the processing and there are no overriding legitimate grounds for continuing it;
- The personal data have been unlawfully processed;
- The personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the controller;
- The personal data have been collected in relation to the offer of information society services to a child, where consent was given by the holder of parental responsibility.
The user also has the right to restrict processing when:
- The accuracy of the personal data is contested, for a period enabling the controller to verify its accuracy;
- The processing is unlawful, but the user opposes the erasure of the data and requests restriction of their use instead;
- The controller no longer needs the personal data for the purposes of processing, but the user requires them for the establishment, exercise, or defence of legal claims;
- The user has objected to processing pending verification of whether the legitimate grounds of the controller override those of the user.
Right to data portability:
The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance from the original controller, where processing is based on consent or a contractual obligation and is carried out by automated means. Where technically feasible, the user may request that the data be transmitted directly from one controller to another.
Right to object:
Users have the right to object to the processing of their personal data at any time. The data controller must cease processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims. If the objection concerns direct marketing, the processing shall cease immediately.
Complaint to the supervisory authority:
Every user has the right to lodge a complaint regarding unlawful processing of their personal data with the Commission for Personal Data Protection or with the competent court.
Record keeping:
We maintain a record of all processing activities for which we are responsible. This record includes the following information:
- The name and contact details of the controller;
- The purposes of processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organisational security measures applied.
This Privacy Policy was adopted and approved on February 4, 2022 by “Bira Bulgaria” Ltd.