PERSONAL DATA PROTECTION POLICY

This Personal Data Protection Policy (“Policy”) defines the rules regarding the protection of personal data of individuals using the Website (the “Platform”), owned by Rhethority Ltd, a company registered under the Commercial Law of the Republic of Bulgaria with UIC 208137840 and registered office in Iskar District, Sofia, Bulgaria. 

The website is fully compliant with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“the Regulation”), which entered into force on 25.05.2018, and the Personal Data Protection Act (“PDPA”).

By using the Platform, you accept and undertake to comply with this Privacy Policy, the Cookies Policy and the General Terms and Conditions of the Website.

We process your personal data on the following grounds:

  1. Mandatory by law 
  2. Explicit consent from you – the purpose is specified for each specific case;
  3. In case of a statutory obligation

In the following paragraphs you will find information on the processing of your personal data depending on the basis on which we process it.

FOR THE PERFORMANCE OF A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS

We process your personal data in order to fulfill contractual and pre-contractual obligations and to enjoy the rights under the contracts concluded with you.

Purposes of processing:

  • Described in the General Terms and Conditions of Use of the Website; 
  • In case of an obligation provided for by law;

We do not provide your personal data to third parties, and our main goal is to offer you quality, fast and comprehensive service.

We use an SSL certificate to provide a secure shopping experience for our customers. The certificate provides an encrypted connection between you and the site when you enter your personal data.

FOR THE FULFILLMENT OF REGULATORY OBLIGATIONS

There may be a legal obligation for us to process your personal data. In these cases, we are obliged to carry out the processing, such as:

  • Obligations under the Measures Against Money Laundering Act;
  • fulfillment of obligations in relation to distance selling, off-premises sales provided for in the Consumer Protection Act;
  • providing information to the Commission for Consumer Protection or third parties provided for in the Consumer Protection Act;
  • providing information to the Commission for Personal Data Protection in relation to obligations provided for in the legal framework for personal data protection;
  • obligations provided for in the Accountancy Act and the Tax and Social Security Procedure Code and other related normative acts, in connection with the keeping of lawful accounting;
  • provision of information to the court and third parties, within the framework of proceedings before a court, in accordance with the requirements of the normative acts applicable to the proceedings;
  • age verification when shopping online.

Data collected under a statutory obligation is deleted after the collection and storage obligation has been fulfilled or has ceased to exist. For example:

  • under the Accountancy Act for storage and processing of accounting data (11 years),
  • obligations to provide information to the court, competent state authorities and on other grounds provided for in the legislation in force (5 years).

Where we are required by law, we may provide your personal data to the competent state authority, natural or legal person.

AFTER YOUR CONSENT 

Consent is a separate ground for processing your personal data and the purpose of processing is specified therein, and is not covered by the purposes listed in this policy. If you give us the appropriate consent and until its withdrawal or termination of any contractual relationship with you, we prepare product/service offers suitable for you.

We delete the data collected on this basis upon your request or 1 year after their initial collection.

We may use your Contact Data to communicate with you via email or other means of electronic communication (e.g., website messages, text messages, messaging apps, or remote detailing/on-demand customer services) to deliver marketing communications containing information about services, products or events related to your interests. Marketing communications by e-mail or other electronic means of communication (“Electronic Marketing Communications”), as well as by telephone calls, are made only with your consent.

Rhethority Ltd has the right to collect and use information about the USERS after they have ordered goods or services. The information by which the person can be identified may include: 

  • Name and surname
  • address
  • telephone
  • email
  • as well as any other information that the person voluntarily provides for the production and delivery of the order. 

PROCESSING OF ANONYMISED DATA

We process your data for statistical purposes, that is, for analyses in which the results are only aggregated and the data is therefore anonymized. It is impossible to identify a specific person from this information.

How we protect your personal data

To ensure adequate data protection of the company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act.

In order to maximize security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

Users’ Rights

Each User of the site enjoys all rights for the protection of personal data in accordance with the Bulgarian legislation and the law of the European Union. 

Each User has the right to:

  • Awareness (in relation to the processing of his personal data by the controller);
  • Access to your own personal data;
  • Correction (if the data is inaccurate);
  • Deletion of personal data (right to be forgotten);
  • Restriction of processing by the controller or processor;
  • Portability of own personal data between individual controllers;
  • Object to the processing of his/her personal data;
  • The data subject shall also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for the data subject or similarly affects him or her to a significant extent;
  • Right to judicial or administrative protection in case the rights of the data subject have been violated.

The user can request deletion if one of the following conditions is met:

  • Personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • The User withdraws his/her consent on which the data processing is based and there is no other legal basis for the processing;
  • The user objects to the processing and there are no legitimate grounds for the processing that prevail; 
  • Personal data has been processed unlawfully;
  • Personal data must be erased in order to comply with a legal obligation under European Union law or the law of a Member State that applies to the controller;

The user has the right to restrict the processing of his personal data by the controller when:

  • He challenged the accuracy of the personal data. In this case, the restriction of processing is for a period that allows the controller to verify the accuracy of the personal data;
  • The processing is unlawful, but the User does not want the personal data to be deleted, but instead requests the restriction of their use;
  • The Controller no longer needs the personal data for the purposes of processing, but the User requires them for the establishment, exercise or defense of legal claims;
  • He objects to the processing, pending verification of whether the legal grounds of the controller take precedence over the interests of the User.

Right to portability.

The data subject has the right to receive the personal data concerning him/her and which he/she has provided to the controller in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without hindrance by the controller to whom the personal data have been provided, where the processing is based on consent or on a contractual obligation and the processing is carried out in an automated manner. When exercising his/her right to data portability, the data subject shall also have the right to obtain a direct transfer of personal data from one controller to another, where this is technically feasible.

Right to object.

Users have the right to object to the controller against the processing of their personal data. The data controller is obliged to terminate the processing unless it proves that there are compelling legal grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims. In case of objection to the processing of personal data for direct marketing purposes, the processing should be terminated immediately.

Complaint to the supervisory authority

Each User has the right to file a complaint against unlawful processing of his/her personal data to the Commission for Personal Data Protection or to the competent Bulgarian court.

Name: Commission for Personal Data Protection
Registered office and address: Sofia 1592, blvd. “Prof. Tsvetan Lazarov” No 2
Address for correspondence: Sofia 1592, blvd. “Prof. Tsvetan Lazarov” No 2
Telephone: +3592/91-53-518
Website: www.cpdp.bg