Last Updated: March 17, 2022
The privacy is very important to us. This Privacy and Personal Data Protection Policy (hereinafter “Policy”) covers issues related to the personal data of natural persons collected and processed by Diogen J.S.C., UIC 205951473, with headquarters and address of management: 9 Ruschuk str., Pirgovo 7090, Bulgaria, represented by Miroslav Tsankov (hereinafter “We”, “Diogen”, “The Company”, “Administrator”, “Personal Data Administrator”, “Personal Data Controller”, “Controller”), through the website www.diogen.bg, social networks, including the company’s Facebook page (hereinafter “Site”, “Website”, “Internet page”, “Sites”), electronically (email), phone or by other means in which a natural person (hereinafter “Subject”) voluntarily provides data to The Company. The above sites and social media profiles (all referred to as the “Site”) are administered by Diogen J.S.C., as in this connection The Company is an administrator of personal data provided through them. When processing personal data, the Personal Data Controller complies with all applicable to its activities regulations on personal data protection, including, but not limited to, Regulation (EU) 2016/679 (“Regulation”) and the Personal Data Protection Act (“PDPA”), because for us the security of personal data of natural persons (inquirers, customers, suppliers, employees, others) is essential. You may contact us either through the Site or otherwise specified below in this Policy, where you will find contact details for us and our Data Protection Officer (“DPO”).
The Policy contains information about natural persons who provide Diogen with their personal data or data of third parties. The document describes in detail who processes the data (personal data controller), whose data is processed by the controller (categories of personal data subjects), what data of natural persons are processed, how the controller collects, processes, uses and protects this data and what rights they have on the processing of personal data subjects under Regulation (EU) 2016/679 – General Data Protection Regulation (known as the General Regulation or GDPR). This Policy is available on the above-mentioned websites. Any person who has provided data to Diogen for any reason should read this Privacy and Personal Data Protection Policy before providing them.
Partners, members and third parties who work with or for Diogen, as well as who have or may have access to personal data, will be expected to read, understand and comply with this Policy. No third party may have access to personal data stored by Diogen without first having entered into a data confidentiality agreement, which imposes on the third party obligations no less burdensome than those assumed by The Company, and which entitles it to verify compliance with the obligations imposed by the agreement.
This Policy also applies to all employees of Diogen J.S.C., as well as to external suppliers of products and services with which The Company has concluded contracts. Any violation of the General Regulation will be considered as a violation of labor discipline, respectively as non-performance of contracts with partners, and in case there is a suspicion of a crime, the issue will be submitted for consideration as soon as possible to the relevant state authorities.
“Regulation” is the General Data Protection Regulation 2016/679 of 27 April 2016, called GDPR. The purpose of this European legislation is to protect the “rights and freedoms” of natural persons and to ensure that personal data are not processed without their knowledge and, where possible, that they are processed with their consent.
“Personal data” means any information relating to a natural person (“subject”) who is or may be identified, directly or indirectly, by an identifier such as name, identification number, location data, online identifier or by one or more attributes specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that natural person.
“Processing of personal data” means any action or set of actions that can be performed on personal data by automatic or other means, such as collecting, recording, organizing, storing, adapting or modifying, recovering, consulting, using, disclosing by transmitting, distributing, providing, updating or combining, blocking, deleting or destroying.
“Administrator”, “Controller” means any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means for the processing of personal data.
“Data subject” is any living natural person who is the subject of personal data stored by the Administrator.
“Consent of the data subject” is any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or clear confirmatory action expressing his consent to the processing of personal data relating to him.
“Third party” means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, have the right to process personal data.
When collecting and processing personal data, We are guided by the following principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability.
SUBJECTS WHOSE DATA WE PROCESS
In the course of its activity Diogen J.S.C. through its managers, members, employees, lawyers, proxies concludes and executes contracts for the sale of goods, reviews job applications, responds to inquiries, participates in events and initiatives, issues and receives invoices. In these cases The Company processes information regarding the following Data Subjects:
(a) natural persons who use the site without leaving any data (in this case we process data, but not personal);
(b) natural persons who have sent inquiries, requests, applications, initiatives, signals, complaints or other correspondence to The Company by phone, e-mail, contact form on the site, message on social networks or otherwise;
(c) natural persons, information about which is contained in inquiries (including by phone), requests, applications, initiatives, signals, complaints or other correspondence addressed to The Company;
(d) natural persons with whom Diogen J.S.C. concludes contracts (civil, including commercial or labor).
PERSONAL AND SIMILAR DATA WE PROCESS
Depending on the reason for the processing of personal data, the type of such data may be different. The functionalities provided on the Site are not intended for storage and processing of special categories of data within the meaning of Art. 9 and Art. 10 of the Regulation. We require only such personal data that we need to carry out our activities and/or provide our services. In the course of using the site www.diogen.bg by individuals, Diogen may process other data that do not contain personal data, but relate to the subject, such as its IP address, data on its activity on the site, etc.
Depending on the particular action, we collect the following data:
(a) when submitting a job application:
data contained in the applicant’s CV, such as:
– three names;
– email address;
– contact phone;
– Personal Identification Number (when the applicant provides it without being required);
– data on the work experience of the candidate;
– data on the education and specialization of the candidate;
– data voluntarily provided by the applicant during the interview.
(b) when concluding contracts with individuals and employees:
– three names;
– Personal Identification Number;
– email address;
– contact phone.
(c) when submitting an inquiry through the site, on site, by e-mail, by phone:
– email address;
– IP address (upon enquiry through the site);
(d) when included in the Facebook page of The Company as well as data provided when posting a comment, review, publication or message via social networks or other third parties:
– other data provided by the person of the respective social network – gender, marital status, profession, education, place of birth, etc.
In case you provide your personal data to Diogen, respectively to an employee or another member of its staff, via Viber, Skype, Facebook or another application/platform/social network, we inform you that these applications/platforms/social networks have their own privacy policies and that we do not accept any responsibility or liability for these policies as their processing cannot be controlled by us. In this regard, we recommend that you check their privacy policies before sending us your personal data through these applications/platforms/social networks.
GROUNDS AND OBJECTIVES FOR DATA PROCESSING
Diogen J.S.C. collects and processes personal data in the course of its activities, including in connection with the provision of information services, and the grounds and objectives for personal data processing can be summarized in the following ways:
(a) Fulfillment of contractual obligations, in case The Company has concluded a contract or has taken steps at the request of the data subject before the conclusion of the contract. Pursuant to Art. 6, para. 1, letter “b” of the Regulation, we also process personal data in the implementation of pre-contractual relations (job applications, proposals for goods/services, inquiries), initiated by us or the data subject and for the fulfillment of already existing contractual obligations between Diogen and the data subject (service contracts, goods contracts, employment contracts, etc.).
(b) Compliance with certain regulatory obligations by Diogen J.S.C. – sometimes processing is necessary to comply with a legal obligation that applies to the administrator – Art. 6, para. 1, letter “c” of the Regulation – payment processing and prevention of fraudulent transactions, execution of requests from data subjects, lawful accounting of the Company:
– fulfillment of obligations stipulated in the law for preservation or provision of information in view of the tax legal obligations of The Company to the state (for example on the basis of the Accounting Act and other tax laws);
– execution of an injunction received by us from competent state authorities, incl. judicial bodies (for example, on the basis of the Criminal Procedure Code, the Ministry of Interior, etc.);
– fulfillment of obligations provided in the Regulation for personal data protection, related to your notification of various circumstances related to your rights, the services provided by us or the protection of your data, etc.
– fulfillment of legal obligations under the Labor Code, the Commercial Register Act and the register of non-profit legal entities and other regulations.
(c) For the purposes of the legitimate interest of Diogen J.S.C or third parties (Art. 6, para. 1, letter “e” of the Regulation). These objectives include:
– detection and resolution of technical problems or problems with the functionality, development, security of the site www.diogen.bg and improvement of its purpose;
– communication with you, including electronically, on important issues related to the services we provide, implementation of the concluded contracts and elimination of possible problems;
– receiving and processing of received inquiries, signals, complaints, requests, applications, initiatives and other correspondence;
– exercising and protecting the rights and legitimate interests of Diogen, including in court, and assisting in exercising and protecting the rights and legitimate interests of the members of The Company (employees, proxies), other users of the website and/or affected third parties;
– informing you about products, services, initiatives and other activities of Diogen, for which you wish us to send you information by e-mail, mail, mobile phone and / or other digital means (depending on your stated preferences), including social media platforms (only when we have received explicit consent from you or the processing is on a contractual basis) – the messages may concern improvements or changes in the site, expiring services, reminder letters in connection with expiring deadlines, newsletters, etc.
(d) Consent of the data subject to the use of this data for one or more purposes (Art. 6, para. 1, letter “a” of the Regulation). Consent is given in writing or by filling in a form that requires personal data. Consent is a freely expressed, specific and informed statement by which the individual agrees to his/her personal data being collected and processed – Your data may be processed on the basis of Your explicit consent, and the processing in this case is specific and to the extent and scope provided for in the relevant consent. We usually require such consent from you when we wish to process your personal data without a legal obligation or legitimate interest for Diogen or third parties, as well as before there are any of the above in sub-items “a” – “c” grounds. We most often require such consent when we want to offer you information about new events, initiatives or other activities, etc.
At this time, we do not use personal data for advertising purposes, nor do we provide personal data to other persons (processors of personal data) for advertising purposes. We do not send advertising messages or use personal data for marketing purposes.
STORAGE PERIOD OF YOUR PERSONAL DATA
When storing data, Diogen applies the general principle of data storage in a minimum volume and for a period not longer than necessary to achieve the objectives of the Company, provision of services and performance of contracts, ensuring their security and reliability and the requirements of the law.
DO WE SHARE YOUR PERSONAL DATA TO THIRD PARTIES
Diogen does not provide your personal data to third parties, unless there is a legal basis for this – an obligation under law or contract, a legitimate or vital interest, your consent. We try to minimize the personal data we disclose, as this is always directly related and necessary to achieve the set goal. We do not sell, rent or otherwise disclose your personal data to third parties for their marketing and advertising purposes without your explicit consent.
In certain cases, The Company is obliged to disclose your data to public authorities such as the police, prosecutor’s office, court, in connection with the prevention or detection of crimes. This includes the exchange of information with other companies and organizations in order to protect against fraud.
When we receive money from you or have paid money to you, we may be required by the revenue authorities to provide transaction data containing certain data, including personal data. In this regard, Diogen may provide your data to the accounting companies it works with or to the revenue authorities.
The legal obligation of Diogen as a data administrator, managing websites (Sites) is to protect the security of the networks and the data processed by The Company. In this regard, we apply a number of measures, the implementation of which may require the processing of your data by IT companies that take care of the security of computers and computer networks maintained by The Company.
Our legitimate interest justifies in certain cases the provision of personal data to third parties. Such would be the situation in initiated proceedings before the Commission for Personal Data Protection or other persons and public authorities. There is also a legitimate interest for us when we engage other companies and individuals to perform certain tasks on our behalf, complementing our services and activities, within the framework of data processing contracts.
TO WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA
Currently Diogen J.S.C. stores and processes your personal data in Bulgaria.
YOUR RIGHTS REGARDING YOUR PERSONAL DATA
Under the General Data Protection Regulation you have the following rights:
Right to be informed
This Policy is intended to inform you in detail about the processing of your personal data. When there is a risk of violation of the security of your personal data, the Administrator is obliged to inform you about the nature of the violation and what measures have been taken to eliminate it, as well as whether the supervisory authority has been notified of the violation. The data subject may also request information on all recipients to whom the personal data for which the correction, deletion or restriction of processing has been requested have been disclosed.
Right of access
As a data subject, you have the right to request confirmation of whether your personal data is being processed and, if so, to have access to your data and the following information: for what purpose data are processed, what personal data are processed, data recipients, data processing time. Access requests must be made in writing/electronically and addressed to the Administrator. In this case, we provide a copy of the processed personal data in electronic or other appropriate form.
Right of rectification
As a data subject, you have the right to request the correction or addition of your personal data that is inaccurate/out of date or incomplete.
Right to erasure (Right to be forgotten)
As a data subject, you have the right to request your personal data deletion from all systems and records where they are stored, including the Administrator to notify all third parties/processors to whom he has provided the data.
A request for deletion may be submitted on the grounds covered by the Regulation, including in the presence of any of the following grounds:
– personal data are no longer needed for the purposes for which they were collected;
– when you have withdrawn your consent;
– when you have objected to the processing of personal data and there are no legal grounds for processing to take precedence;
– when the processing is illegal;
– where personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State applicable to the Controller;
– when personal data have been collected in connection with the provision of information society services.
Diogen may refuse to delete part or all of the personal data in cases where there is a substantial basis and/or legal obligation for their processing. You will be informed about this in a timely manner.
The Controller may refuse to delete personal data on the grounds specified in the Regulation – when the processing of the specific data is for the following purpose:
– Exercising the right to freedom of expression and the right to information;
– Compliance with a legal obligation requiring processing provided for in EU or Member State law, which applies to the Administrator either for the performance of a task in the public interest or in the exercise of official powers conferred on him;
– for reasons of public interest in the area of public health;
– for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
– for the establishment, exercise or defense of legal claims;
Right to restrict data processing
The General Data Protection Regulation provides the possibility to restrict the processing of your personal data if there are grounds for doing so. Restriction is allowed in the following cases:
– when you believe that your personal data is not accurate, in which case the restriction is for the period necessary for the Administrator to verify their accuracy;
– when the processing of your personal data is illegal, but you do not want it to be deleted, but you only want to restrict its use;
– when the Administrator no longer needs your personal data for the purposes of processing, but you, as the data subject, require them for the establishment, exercise or protection of legal claims;
– when you have objected to the processing pending verification that the legal grounds of the Administrator take precedence over your interests.
Right to notify third parties
If applicable, you have the right to ask the Administrator of your personal data to notify third parties (when he has provided your data), regarding the correction, deletion or restriction of their processing.
Right to data portability
When exercising its right to data portability, the data subject shall also have the right to receive a direct transfer of personal data from one controller to another where this is technically feasible and in the event that the processing is based on consent or a contractual obligation or the processing is carried out in an automated manner.
Important: The responsibility for the storage of data exported from the Site, as well as for all consequences of their provision to other administrators is entirely yours.
Right not to be subject to a decision based solely on automated processing
You have the right not to be subject to such automated processing, including profiling, which has legal consequences for you or in a similar way significantly affects you, unless the grounds for the protection of personal data provided for in the applicable data protection legislation are met and appropriate guarantees are provided for the protection of your rights, freedoms and legitimate interests.
Right of withdrawal of consent
You have the right at any time to withdraw your consent to the processing of personal data on the basis of your previous consent. Such withdrawal shall not affect the lawfulness of the processing on the basis of the consent given until the moment of its withdrawal. For services such as e-mail ads subscription based on your wish (consent), there is a possibility to unsubscribe at any time (withdrawal of consent). In the event of withdrawal of consent, we have the right to request that the identity of the applicant be verified in order to establish the identity of the data subject.
Right to object
You have the right to object to data processed on the basis of a legitimate interest. In the event of such an objection, we will consider your request and, if it is justified, we will comply with it. If we believe that there are compelling legal grounds for processing or that it is necessary to establish, exercise or defend legal claims, we will inform you. Diogen will motivate itself whether it accepts the objection, respectively why it continues to process personal data if it rejects the objection.
Right to appeal to a supervisory authority
You have the right to file a complaint against Diogen (Data Administrator) to the supervisory authority if you believe that the processing of personal data concerning you violates the applicable personal data protection legislation.
The supervisory body in the Republic of Bulgaria is the Commission for Personal Data Protection with address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov” No. 2, e-mail email@example.com, website: www.cpdp.bg, phone: +359 2 915 3 518.
HOW CAN YOU EXERCISE YOUR RIGHTS. DEADLINES FOR PRONOUNCEMENT
In the event that you exercise these rights manifestly unreasonably or excessively, in particular because of its recurrence, we reserve the right to charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the requested action, or refuse to take action on your request. We will inform you of our fees, if applicable, before ruling on your request.
ACCURACY OF INFORMATION
We are not responsible for the accuracy of the data provided by you, we do not perform checks in this sense (such are performed only in certain cases) and we do not guarantee the actual identity of the individuals who provided the data. In all cases of suspicion on your part, of established fraud and/or abuse, please notify us immediately. You undertake not to violate the rights of others in connection with the protection of their personal data or other rights when providing any information on the Site.
PERSONAL DATA SECURITY
Diogen maintains appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The protection measures put in place ensure a level of security of personal data corresponding to the risks arising from the processing, taking into account the achievements of technical progress, the costs of implementation and the nature, scope, context and objectives of the processing and the risk to data subjects. These measures are aimed at ensuring the continued availability, integrity and confidentiality of personal data.
We do not share data with third parties except as required by our legal obligation or right. It is possible to use the services of third parties who are processors of personal data for the above-mentioned processing purposes. These persons will process the personal data on our assignment and are obliged to comply with the applicable provisions for personal data protection.
When you post to forums, chat rooms or social networking services, the personal information you share is visible to other users and may be read, collected or used by them. In these cases, you are responsible for the personal information you provide.
Despite the measures we take to protect your personal data, we are aware that, in principle, the transmission of information over the Internet or other public networks is not completely secure, and there is a risk that the data may be viewed and used by unauthorized third parties. We cannot be held responsible for vulnerabilities in systems that are not under our control. In the event of a data leak containing personal data, we guarantee that we will comply with all applicable notification rules in such cases.
HOW TO CONTACT US
Questions and requests related to the exercise of your rights regarding the protection of your personal data, you can send to Diogen J.S.C. through the contact form on the Site, to e-mail firstname.lastname@example.org or to the address: Bulgaria, 7000 Ruse, 31 General Skobelev Blvd. – for the Data Protection Officer.