TRADE FAIR TRIPS LTD
DEFINITIONS - Art. 4 GDPR
1.1. “Personal data” refers to any information relating to an identified or identifiable individual (“data subject”); an identifiable individual is a person that can be identified directly or indirectly specifically by identifiers such as name, identification number, location data, online identifier, or by one or more physical-specific attributes, the physiological, genetic, psychological, mental, economic, cultural or social identity of that individual;
1.2. “Processing” refers to any operation or set of operations carried out with personal data or a set of personal data by automatic or any other means such as the collection, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure through transmission, dissemination or otherwise making the data accessible, arranging or combining, limiting, deleting or destroying;
1.3. “Personal data register” refers to any structured set of personal data that is accessed according to specific criteria, whether centralized, decentralized or distributed according to a functional or geographical principle;
1.4. “Data controller” refers to a natural person or legal person, public authority, agency or other entity which alone or jointly with others determines the purposes and means of personal data processing; where the purposes and means of such processing are determined by Union or Member State law; the administrator or the specific criteria for determining one may be laid down in Union or Member State law;
1.5. “Data Processor” refers to a natural person or legal person, public authority, agency or other entity that processes personal data on behalf of the controller;
1.6. “Recipient” refers to a natural person or legal person, public authority, agency or other entity to which personal data is disclosed, whether they be a third party or not. At the same time, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not to be considered as ‘recipients’; the processing of such data by the designated public authorities complies with the applicable data protection rules for the purposes of the processing;
1.7. “Third party” refers to a natural person or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct control of the controller or the processor, have the right to process the personal data;
1.8. “Consent of the data subject” refers to any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clearly affirmative action, expressing their consent to the processing of personal data relating to them;
1.9. “Representative” refers to a natural person or legal person established within the Union, which, appointed in writing by the controller or processor in accordance with Article 27, represents the controller or processor in connection with their respective obligations under this Regulation – in this sense: an individual, with which an employment or civil contract has been signed by the power of which they perform functions related to the activity of the personal data controller Trade Fair Trips ltd., UIC 201945156;
2.1. “Compulsory company rules” refers to policies for the personal data protection as complied by a controller or processor established on the territory of a Member State, when transmitting or collecting personal data transfers to a controller or processor in one or more thirds countries within the framework of a group of enterprises or a group of companies engaged in a joint economic activity;
2.2 “Website” / “Online Platform” – a virtual, unified environment of the personal data controller used to provide the services related to the activity.
II. DETAILS ON PERSONAL DATA CONTROLLER TRADE FAIR TRIPS LTD., UIC 201945156
2.1. The ADMINISTRATOR can collect, process, store, provide, transmit and destroy information containing personal data in accordance with the requirements of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR).
2.2. To contact the ADMINISTRATOR:
Trade Fair Trips ltd.
Varna, 26 Petko Karavelov Str.
+359 52 810 760
Email address: [email protected]
III. CATEGORIES OF PERSONAL DATA
3.1. The ADMINISTRATOR processes a minimal volume of personal data provided by a “data subject” – natural persons, namely: name and surname, telephone, e-mail address.
3.2. The ADMINISTRATOR processes the following personal data provided by the natural persons employed under an employment or a civil contract, namely: three names, date of birth, address, ID number, bank account, diploma for completed education, (business / personal) phone.
3.3. The ADMINISTRATOR also processes data of data subjects that are natural persons that represent legal persons: business address, business phone, business email address (e-mail address) and names of contact persons and legal representative.
3.4. The ADMINISTRATOR processes personal data of third parties on the basis of “legitimate interest” within the meaning of points 47-49 of the Preamble and Art. 6 and Art. 49 of GDPR.
3.5. The ADMINISTRATOR does not process special categories of personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or membership in trade union organizations, as well as the processing of genetic data, biometric data for the sole purpose of identifying a natural person, health status data or data about the sexual life or sexual orientation of the individual.
IV. LEGAL BASIS AND LEGAL INTEREST - Art. 6 GDPR points 47-49 of the Preamble and Art. 49 of GDPR
4.1. The ADMINISTRATOR collects and processes personal data collected directly from data subjects on the basis of specified, explicit legitimate interests:
(a) processing is necessary for the completion of the contract, to which the data subject is a party or for taking steps at the request of the data subject prior to the signing of the contract;
(b) processing is necessary to comply with a legal obligation that applies to the controller;
(c) processing is necessary to protect the legitimate interests of the data subject or of another individual;
(d) processing is necessary for the purposes of the legitimate interests of the controller or of a third party.
4.2. The data subject has consented to the processing of their personal data for one or more specific purposes;
4.3. The ADMINISTRATOR collects and processes the personal data obtained from other data controllers to which the data subjects have provided on the basis of specific legitimate interests. Such legitimate interests may be present where there is a respective relationship between the data subject and the data controller, for example:
(a) where the data subject is (or could be) a customer or subordinate of the data controller. In any event, a legitimate interest would need to be carefully assessed, including whether the data subject at the time and in the context of data collection can reasonably expect that personal data processing for this purpose is to be carried out.
(b) the processing of personal data strictly necessary for the purposes of fraud prevention is also a legitimate interest for the data controller concerned. The processing of personal data for the purposes of direct marketing may be considered to be for a legitimate interest.
(c) the processing of personal data to the extent strictly necessary and proportionate to the objectives of guaranteeing network and information security, i.e the ability of a network or an information system to withstand, at an appropriate level of confidence, incidental events or illegal or malicious actions that affect the availability, authenticity, integrity and confidentiality of stored or transmitted personal data as well as the security of related services, offered or made available through these networks and systems.
This may include, for example, preventing unauthorized access to electronic communications networks and spreading malware, and stopping attacks to with the intention to deny services, and harming computers and electronic communications systems.
4.4. Where it is provided for the possibility of transmitting data in certain circumstances, where the data subject has given their explicit consent, when the transfer concerns individual cases and is necessary in connection with a contract or a legal claim, whether in the context of judicial, administrative or other out-of-court procedures, including those before the regulatory authorities or where the transmission is made by a register established by law and intended for inquiry by the public or by persons having a legitimate interest. In this case, the transfer should not include all personal data or entire categories of data contained within the register, and where the register is intended for the inquiry of persons with legitimate interest, the transfer should be made only at the request of those persons or if they are the recipients, taking the data subject's interests and fundamental rights into full account.
4.5. The ADMINISTRATOR collects and processes personal data when assessing the impact on data protection – Art. 35 GDPR
The assessment shall contain at least a systematic inventory of the processing operations envisaged as well as the processing objectives, including, where applicable, the legal interest pursued by the controller.
V. OBJECTIVES OF THE PROCESSING OF PERSONAL DATA
5.1. Depending on the data subject, the ADMINISTRATOR processes the latter for the following purposes:
5.1.1. The contact details of contact persons and legal representatives are processed in order to:
• keep platform users informed of current offers from the platform;
• troubleshoot issues and uncertainties arising from the use of the platform;
• answering questions and requests from the relevant user of the platform;
• implement the contracts signed between the ADMINISTRATOR and the users of the platform.
5.1.2. In addition to the purposes of the preceding paragraph, the contact details of the contact persons shall also be processed for the purposes of direct marketing, insofar as the contact person receives a newsletter of current offers from the ADMINISTRATOR in the name of the legal entity they represent.
5.1.3. The data of the employees of the company or of data subjects who have provided their data to the ADMINISTRATOR is processed for the purpose of fulfilling the legal obligations of the ADMINISTRATOR as an employer, respectively as a contracting authority for civil contracts.
VI. TIME LIMIT OF PROCESSING
6.1. Time limit for processing personal data of contact persons and legal representative of counterparties:
The ADMINISTRATOR shall process the personal data of the contact persons and legal representative only for the duration of the contract and/or in view of the deadline for the provision of the service and obligations under a law or regulation in the Republic of Bulgaria and EU.
6.2. Deadline for processing personal data of workers / employees
The ADMINISTRATOR processes the personal data of their employees during the fulfillment of their legal obligations to develop and keep a work file for each employee, in which they shall keep all documents related to the occurrence, amendment and termination of employment.
6.3. After the employment relationship is over, the ADMINISTRATOR saves the documents from the employment file, except for the payroll records for a period of 3 (three) years.
6.4. Payroll records are to be kept for a period of 50 years in accordance with the procedure provided for in the Law of the National Archival Fund.
6.5. After the expiry of the term for keeping the documents, which are not subject to submission to the National Archival Fund, they are destroyed.
VII. METHOD OF PROCESSING
7.1. The ADMINISTRATOR saves documents containing personal data in a technical (electronic) format and hard copy.
7.2. The ADMINISTRATOR maintains a register, which records the following information in the public Trade Register with the Registry Agency: name of the legal person and user of the platform, their ID number, two names of the legal representative, address of the legal person, VAT (number, license number), two names of the contact person, business phone number of the contact person, business address of the contact person, business email of the contact person.
7.3. The online register contains a minimal amount of personal data.
VIII. FACTUAL GROUNDS FOR PROCESSING
8.1. The ADMINISTRATOR processes the data of the contact persons and the legal representative – employees / representatives of travel agencies, tour operators, commercial companies / hotels or other legal entities with a view to protecting the ADMINISTRATOR's legitimate interests in connection with the fulfillment of the contracts signed between the ADMINISTRATOR and the corresponding PROCESSING counterparty.
8.2. The ADMINISTRATOR processes the data of his employees or contractors on the basis of employment or civil contracts signed with them.
IX. ACCESS TO PERSONAL DATA
9.1. The right of access to the personal data of contact persons and legal representatives is granted to the employees of the ADMINISTRATOR in the provision of signed Annexes to their job descriptions and their employment, civil and other contracts for the observance of all rules for the protection and confidentiality of the personal data of the data subjects, on the one hand, and of the PROCESSORS, on the other, such as a trading company providing IT support services on the online platform, as well as other third parties in the cases provided for by law.
9.2. The personal data of the ADMINISTRATOR's employees employed under civil / employment contracts may be disclosed to the following PROCESSING third parties – a trading company that provides accounting services to the ADMINISTRATOR for the purposes of the accounting activity, the competent state authorities and institutions in the cases established in Bulgarian and European Union law.
X. RIGHTS OF PERSONAL DATA SUBJECTS (Art. 15GDPR)
10.1. The data subject has the right to obtain confirmation from the ADMINISTRATOR whether personal data relating to them is being processed in regards to:
• the purposes of processing;
• what categories of personal data are being processed;
• PROCESSING RECIPIENTS to whom the data may be disclosed;
• storage period or criteria for its setting;
• the right to request a correction;
• the right to request the deletion of personal data;
• the right to request a restriction on the processing of personal data;
• the right to data portability;
• the right to object to processing;
• the right of appeal to a supervisory authority;
• the person who provided the data (this right applies only to the contact persons indicated by the registered users of the site).
XI. RIGHT TO CORRECTION (Art.16)
The data subject has the right to ask the ADMINISTRATOR to correct their personal data when there is a discrepancy and / or change, as well as to fill in the incomplete personal data.
XI. RIGHT TO DELETION (Art. 17)
11.1. The data subject has the right to request the ADMINISTRATOR to delete the personal data related to them, except where through a legislative instrument (laws and/or regulations) of national or European law there is an obligation to store said personal data.
• personal data is no longer needed for purposes for which it was otherwise collected or processed;
• the data subject withdraws their consent in cases where the basis for processing the data is only that consent and there is no other basis for processing;
• personal data was processed illegally;
• personal data should be deleted in order to comply with a legal obligation under Union or Member State law applicable to the controller;
11.3. When the subject has requested deletion, the ADMINISTRATOR takes all necessary measures to inform the PROCESSOR of the personal data that the data subject has requested the deletion of all links, copies or replicas of said personal data.
11.4. The data subject has the ability to refuse to receive future information emails by automatically unsubscribing (URL) each time he receives an email from the ADMINISTRATOR.
XII. THE RIGHT TO LIMIT PROCESSING (Art. 18)
12.1. The data subject has the right to enforce on the ADMINISTRATOR a restriction on data processing and there is no legal obligation for the ADMINISTRATOR to process the data of the data subject or any other legitimate interest of the ADMINISTRATOR when one of the following hypotheses exists:
(a) when the accuracy of personal data is disputed by the data subject for a period allowing the ADMINISTRATOR to verify the accuracy of the personal data;
(b) where the processing is unlawful, but the data subject does not wish to have the personal data erased but requests instead to restrict its use;
(c) the ADMINISTRATOR no longer needs the personal data for the purposes of processing, but the data subject requires them to establish, exercise or defend legal claims;
(d) the data subject has objected to the processing under Article 21 (1) of the Regulation pending verification that the controller’s legitimate grounds have priority over the data subject's interests.
12.2. In cases of limitation of processing, personal data is processed, with the exception of its storage, only with the consent of the data subject or for the establishment, exercise or protection of legal claims or for the protection of the rights of another individual or for important grounds of public interest in the Union or a Member State.
12.3. The ADMINISTRATOR informs the data subject requesting the restriction before the same restriction on processing is lifted.
XIII. THE RIGHT TO DATA TRANSMISSION (Art. 20)
13.1. The data subject has the right to receive the personal data concerning them which they have provided to the controller in a structured, widely-used and machine-readable format and has the right to transfer this data to another controller without hindrance from the controller whose personal data has been provided where:
• processing is based on consent or a contractual obligation and / or legitimate interest
• processing is done in an automated manner.
13.2. When exercising their right to data portability, the data subject has the right to receive a direct transfer of personal data from one controller to another, where technically feasible.
XIV. METHOD OF EXERCISE OF RIGHTS
14.1. The data subject submits their requests, inquiries and objections to the ADMINISTRATOR at email [email protected]
14.2. The requests / inquiries / objections of the data subject may be submitted in writing to the ADMINISTRATOR at the specified contact address: Varna, 26 Petko Karavelov Street;
14.3. The requests / inquiries / objections shall be made personally by the natural person or by a person explicitly authorized by them through a notarized power of attorney. Establishing the identity of the data subject as a security measure in the processing of personal data is a necessary and mandatory condition for the consideration of the request, inquiry and objection by the ADMINISTRATOR. When the ADMINISTRATOR has reasonable concerns about the identity of the individual, who files the request, the ADMINISTRATOR can request the provision of additional information necessary to confirm the identity of the data subject;
14.4. The requests / inquiries / objections should include: name, address and other identifying details of the individual concerned; a description of the request; preferred form of providing information in writing, orally, electronically; signature, date of application and correspondence address / correspondence email;
14.5. When submitting an application by an authorized person, the notarized power of attorney original must be attached to the application;
14.6. The ADMINISTRATOR decides on the requests, inquiries and objections of the data subjects within 1 (one) month from the receipt of the request, and within the same period notify the data subject of the result by sending a message to the contact email provided by the data subject;
14.7. The ADMINISTRATOR shall provide the requested information in writing, verbally or electronically by e-mail, depending on the manner explicitly indicated by the subject;
14.8. The ADMINISTRATOR shall report on any correction, deletion or restriction of processing to any PROCESSOR to whom the personal data have been provided, unless this is impossible or requires a disproportionate effort. THE ADMINISTRATOR informs the data subject of these PROCESSORS, if the data subject so requests;
14.9. The ADMINISTRATOR provides the requested information to the data subject free of charge;
14.10. The ADMINISTRATOR has the right to demand payment of a fee by the data subject or to refuse to take action on the request when the requests of the subject are manifestly unfounded or excessive because of their repetitive nature;
14.11. For requests / inquiries / objections, ADMINISTRATIVERS keep a special register stating in brief what the content of the request / inquiry / objection is, who is the subject who makes it, the date of receipt of the requests / inquiries / objections, the date of the final decision by the ADMINISTRATOR, date of notification, summary of the contents of the pronouncement;
XV. COMPLIANCE WITH GDPR RULES ON THE ADMINISTRATOR WEBSITE
For the purposes of the ADMINISTRATOR's legitimate interests, site visits provide information such as: registration, search for a service, search for information, study of visits to improve websites and services, content entry, service search, communication with a third party through providing contact information for feedback (including name, position, position, company name, telephone, fax and mobile numbers, postal and e-mail addresses, the industry in which you work and the field in which you work MIRA). interest) may be collected by the ADMINISTRATOR.
The ADMINISTRATOR obtains personal information from the data subject when they contact us by email or otherwise, or by a third party administrator and / or processor of the personal data to which it was provided.
ADMINISTRATOR's website - www.tradefairtrips.bg / www.trade-fair-trips.com - may contain links to third-party websites. These websites have their own privacy policies that the ADMINISTRATOR recommends that data subjects get acquainted with. The ADMINISTRATOR is not responsible for the privacy policies of these websites and the use of such sites is at the risk of the data subject.
In cases not covered by this Policy, the provisions of the Regulation and Bulgarian law apply.