• Home »
  • PERSONAL DATA PROTECTION POLICY
PERSONAL DATA PROTECTION POLICY

This document contains the Privacy Policy for the personal data of individuals ('Policy') and is related to the General Terms and Conditions, and it aims to explain to the individuals what personal data we process, in what way, for what purpose and what the applicable privacy measures are. It also provides information about the rights that you, our client and users, have, in relation to the processing of your personal data by us. If this Policy is amended, the changes shall be published here.

Effective from: 01 March 2022

Revised on: 16 October 2023

 

PERSONAL DATA CONTROLLER

ZOGRAFOV & SON OOD, UIC: 202988840, VAT No. BG 202988840, seat and registered address: 115I Tsarigradsko Shose Blvd. postal address: 115I Tsarigradsko Shose Blvd. tel. +359 887 697 228, e-mail: office@zografovart.com (herein referred to as 'Zografov & Son', 'We', 'online shop', 'site', 'website', 'Controller') shall be the Controller of personal data, regarding information collected or provided when browsing the following site www.zografovart.com or when making a purchase through the same, as well as when viewing or purchasing a product or service through our Facebook page (herein collectively all referred to as 'Site', 'Internet Page'). This Policy shall also apply in cases where, as individuals (herein 'Subjects'), you provide us voluntarily with personal data via e-mail, by telephone or by other means, incl. on-site, at our store or office. We shall process personal data also from inquiries made by you to us, as well as for marketing and advertising purposes, profiling, participation in games, promotions or lotteries, organised by us and for any other purposes not prohibited by law. When processing personal data, Zografov & Son shall comply with all applicable data protection legislation, including but not limited to Regulation (EU) 2016/679 ('the Regulation') and the Personal Data Protection Act, because the privacy of our clients' personal data is of utmost priority to us.

 

APPLICABILITY OF THE POLICY

This Policy shall apply to all our clients who are individuals who use our services by ordering from the Site or showing interest in the same by sending inquiries (herein referred to as 'Data Subjects', 'Users').

Zografov & Son ensures that all partners and third parties who work with or for Zografov & Son, as well as who have or may have access to personal data, shall be aware of and comply with this Policy in data processing activities, as well as that they shall have adopted and comply with relevant and necessary internal data protection rules. No third party may have access to personal data stored by Zografov & Son without the company having previously entered into a data confidentiality agreement that imposes on the third-party obligations no less burdensome than those Zografov & Son have undertaken, and which entitles Zografov & Son to carry out inspections of compliance with the obligations imposed by the agreement.

This Policy shall apply to all employees/workers (and interested parties) of Zografov & Son, as well as to external suppliers of products and services contracted by Zografov & Son. Any violation of the GDPR shall be considered a violation of the labour discipline, respectively, as non-fulfilment of contracts with partners, and in case there is an assumption of a crime committed, the matter shall be immediately submitted to the relevant state authorities for examination.

For those visitors of the Site who do not place orders or send inquiries, but only browse our Website, the Cookie Policy adopted and published on the Site shall apply.

 

DEFINITIONS

'Regulation' - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation), referred to as GDPR. The purpose of this European legislative act is to determine the rules regarding the protection of individuals in relation to the processing of personal data, as well as the rules regarding the free movement of personal data.

'Personal Data' - any information relating to an identified individual or an identifiable individual ('Data Subject'); an identifiable individual shall be a person who can be identified directly or indirectly, in particular, by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, physiological, the genetic, psychic, mental, economic, cultural or social identity of that individual.

'Special Personal Data Categories' - personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the unique identification of an individual, data relating to health or data regarding an individual's sex life or sexual orientation.

'Processing' - any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organising, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed.

'Controller' - any individual or legal entity, public body, agency or other structure that, alone or jointly with others, determines the purposes and means of processing of Personal Data; when the purposes and means of such processing are determined by an EU law or a law of a Member State, the Controller or the special criteria for its designation may be laid down in a Union law or in a law of a Member State.

'Data Subject' - an identified or an identifiable individual.

'Consent of the Data Subject' - any freely-expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses their consent for the personal data related to them to be processed.

'Child' - The General Regulations define a child as any person under the age of 18 years. When processing the data of a person under the age of 16, the data processing shall only be lawful if a parent or guardian has given consent. The Controller shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given, or is authorised to give, consent.

'Profiling' - any form of automated processing of personal data, consisting of the use of personal data to assess certain personal aspects related to an individual, and, more specifically, analysing or predicting aspects related to the performance of professional duties of that individual, their economic status, health, personal preferences, interests, reliability, conduct, location or movement.

'Breach of personal data security' - a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data that is transmitted, stored, or otherwise processed.

'Recipient' - individual or legal entity, public body, agency, or other structure to which the personal data is disclosed, regardless of whether it is a third party or not. At the same time, public authorities that may receive personal data within the framework of a specific investigation in accordance with Union law or the law of a Member State shall not be considered 'Recipients'; the processing of such data by said public authorities shall comply with the applicable rules for data protection according to the purposes of the processing.

'Third party' – any individual or legal entity, public body, agency or other body other than the Data Subject, the Controller, the Personal Data Processor and the persons who, under the direct supervision of the Controller or the Personal Data Processor, have the right to process the personal data.

 

PRINCIPLES:

When collecting and processing personal data, we shall be guided by the following principles: legality, good faith, transparency, limitation of objectives, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

 

SUBJECT WHOSE DATA WE SHALL PROCESS

While conducting their business, Zografov & Son shall conclude and execute distance-sale contracts, review job applications, offers, user/buyer-exercise-rights forms, and requests from data subjects, shall respond to inquiries, issue and receive invoices, process statistical data, manage a user panel on the Site, and carry out advertising activities through advertising campaigns (promotions, games, etc.). In the course of these activities, Zografov & Son shall process information about the following Data Subjects:

(a) Individuals, users of the Site without registration, who do not leave any data (in this case we shall process data, but not personal) and individuals, users of the Site without registration, who provide limited personal data voluntarily (e.g., telephone number and/or email).

(b) Individuals, users of the Site with registration as registered users - in these cases we shall process data about the user that they provide during registration - email, delivery address, names, billing data, order details etc.

(c) Individuals who have sent inquiries (incl. over the phone), requests, initiatives, signals, complaints or other correspondence to us, including through the Site, telephone, email or otherwise.

(d) Individuals whose data is contained in inquiries (incl. through telephone calls), requests, initiatives, signals, complaints, or other correspondence addressed to us.

(e) Individuals with whom we conclude contracts (civil, incl. commercial or employment, especially distance contracts) electronically (via the Site or social networks, as well as by means of email) or on-site at our office or commercial establishment.

(f) Individuals whose data we have obtained through third parties (e.g. in the case of an order intended for a gift).

 

PERSONAL DATA WE SHALL PROCESS

Depending on the reason for the processing of personal data, the type of such data may differ. The functionalities provided on the Site shall not be intended for storage or processing of special categories of data within the meaning of Art. 9 and Art. 10 of the Regulation. (NB! Read Art. 9 and Art. 10 of the Regulation here). We shall only require such personal data as are necessary for us to provide the activity/service/product requested from us. In the course of using the Site by Individuals, we may also process other data that do not contain personal data, but relate to the subject, such as the clients’ IP addresses, data on their activity on the Site, etc.

Data provided when placing an order

In order to fulfil a distance contract (order) concluded between you and Zografov & Son, we shall require certain information from you. You shall decide for yourself whether and how to use the possibilities of concluding a distance-sales contract provided through the Site or the Facebook page. In the forms through which personal data is entered, we shall clearly indicate the mandatory or voluntary nature of the provision of your data. Mandatory data shall be the information without which it is impossible to conclude the relevant contract. These shall be: names, email, delivery address, telephone number, your payment information (e.g., bank card), invoicing details, incl. your personal ID number if you wish to be invoiced as an individual. If you provide data of third parties who will receive the order (e.g., in the case of a gift or other type of donation), you shall be responsible for providing the data through such third parties.

Data provided when registering on the Site

In case you have chosen to store information about you on the Site by registering a profile on the same, we shall store the above data, as well as a history of orders made by each account registered on the Site. The required data shall be the data required for an order. Along with them, we shall also process IP address, activity data (time and date of registration, acceptance of the Security Policy and General Terms and Conditions, account login, etc.).

Data provided for other contracts

In cases where Zografov & Son concludes other contracts with individuals, other than distance- sale contracts, we shall require full name, personal ID number, address, and email.

Data provided by, through or on other websites or applications, called 'Third parties'

In certain cases, you may share information with social networks or use their sites to create your profile or link your profile on our website with the relevant social network. In this case, the social network may provide us with automatic access to certain personal information they have collected about you (e.g., the content you view, the content you want and information about the ads you have been shown or clicked on, etc.). By connecting your social network profile to your account on our website, you shall allow us to access your personal data processed by the relevant social network, and to collect, use and store this information in accordance with this Privacy Policy. This link of a social network profile with a registration on our website shall take place in the event that you click on a link provided to create a Registration on our website by engaging in social media, thereby you shall voluntarily establish a link with the respective social media site. In case you choose to register on our site through any social network, we may process your data such as name, phone, email, gender, marital status, age, photo, education, place of birth, residence, and other data that you have provided to these platforms and which are visible to us in case you log in with them on our site.

In case you provide your personal data to Zografov & Son through Viber, Skype, Facebook or any other platform/social network, we shall inform you that these platforms/websites/social networks have their own privacy policies and that we do not accept any responsibility or liability for these rules to the extent that their processing cannot be controlled by Zografov & Son. Therefore, we recommend that you check these policies before submitting your personal data to us through these websites/apps.

Data provided when posting a comment, review, publication

If you leave a post or comment on this website, your IP address shall be saved, along with your name if you have entered this information. This shall be done for the safety of the website operator. If your text breaks the law, the operator should be able to trace your identity. Apart from this, Zografov & Son shall store this data (referred to as 'traffic data') for certain periods and for certain purposes specified hereafter. Due to the fact that sending comments, inquiries or other messages to the site, Facebook page/group or their administrators constitutes sending an electronic statement, according to the Electronic Document and Electronic Authentication Services Act, the Controller shall maintain logs of the fact of sending the statement for a period of 1 year. The log shall contain the statement date and the sender's name and email.

Employee data and data collected when processing job applications

We shall process data when concluding employment contracts and when evaluating and processing a job application. For employment contracts with us, we shall require full name, personal ID number, address, age, gender, education data, work experience, bank data, and subsequently we shall also process health data. For resumes, we shall process name, address, email, age, gender, education, work experience, photo and any data voluntarily provided by the candidate during an interview or in their resume.

Data provided in connection with correspondence, complaints or notifications

In order to resolve submitted complaints, signals, disputes, inquiries, requests or other issues addressed in communication to Zografov & Son, received via electronic forms on the Site, by calls to Zografov & Son, or by post or email, Zografov & Son shall store and process this information as well as the result of this processing. These can be name, email, phone or address.

Furthermore, due to the fact that sending comments, inquiries or other messages to the site, Facebook page or their administrators shall constitute sending an electronic statement, according to the Electronic Document and Electronic Authentication Services Act, we shall maintain a log of the fact of sending the statement (without its contents) for a period of 1 (one) year. The log shall contain the statement date, the sender's name and email and identification of the sender.

If you provide us with personal data about someone else, you must do so only with that person's authorisation. You must inform them of how we collect, use, disclose and store personal data in accordance with this Privacy Policy.

Technical data collected in the course of using the Site

In addition, we shall collect data from your computer, phone, tablet or other device you use. This information may include the following:

  • an identifier of the device you are using, the type of that device and a unique identifier for that device, 'log data', incl. data that your browser automatically sends to us when you visit the website; this log data shall include the internet protocol address, the address and activity of the websites you visit, searches, browser type and settings, date and time of your request, how you used the site, cookie data and device data. If you would like to receive more details about the information we collect, please contact us through our contact form.
  • location information transmitted by the device if you have set it to display location data. Please note that mobile devices allow you to control or disable the use of location services by any application on your mobile device in the device's settings menu.
  • computer and connection information, such as page view statistics, IP address, site browsing history, language settings, and date and time.
  • logs to facilitate your searches: quick links to repeat previous searches allow you to repeat your searches instead of entering them each time. The functionality can be used with or without registration. When using the Site, a cookie with a randomly-generated number shall be stored in your browser, enabling the Site to show you quick links for repeating previous searches. The site shall store and display the last 10 searches associated with this browser, and when you log in to your account, you can save and use them in it. In case you use the service with your registration (currently an inactive feature), the last 10 searches shall be stored in your account.
  • Logs related to privacy, technical support, development, etc.
  • To ensure the reliable functioning of the services and to identify technical problems.
  • To ensure the security of the services and detect malicious actions.
  • To develop and improve the services on the site.
  • To measure the site's traffic and usability.
  • Logs required by the law (such as logs of electronic wills).
  • Log for entering a user profile (account) - this log shall make it possible to establish and automatically block unregulated attempts to access accounts. It shall be maintained for a period of up to 1 (one) year, containing the date and time of the account login, status, whether the login was through a mobile version, application or desktop browser, and IP address.
  • server logs, logs of security devices (Web Application Firewalls), etc. and devices falling into this category. These logs shall be necessary to diagnose technical problems, detect malicious actions, etc. of the purposes stated above; they shall be stored for a period of up to 1 (one) year. Logs may contain the following information: date and time, IP address, URL, and browser and device information. In addition, some of the devices may use cookie-based security technology.
  • cookies - the use of cookies shall be necessary for the functioning of the Site. In connection with this, a Policy on the use of cookies has also been adopted. See the Policy for more details on: the type of cookies we use, the term for their storage and use, etc.

We may prefer to reduce the amount of data we store and process according to the purposes of the processing.

We do not require and shall not collect and process personal data that discloses: racial or ethnic origin; political, religious or philosophical beliefs; membership in trade union organisations; genetic or biometric data; data on the state of health, as well as data on sex life or sexual orientation. If a data subject himself, on his own initiative and desire, provides such categories of data, Zografov & Son shall not be responsible for the provision, but shall only provide them with the same protection measures as are provided for the requested personal data. We shall not transfer data to third countries. Also, we shall not make automated decisions in relation to personal data and we shall not process data of persons under 16 years of age. If you are under the age of 16, you should not provide us with personal data about yourself.

 

FOR WHAT PURPOSES WE PROCESS YOUR DATA

The main purpose for which WE process your personal data shall be to provide services through the Site and social networks, namely: conclusion of a contract for distance-sale and delivery of the goods and services ordered by you, as well as for accounting purposes. We shall also use your personal data to provide and improve our Services, provide you with a personalised experience on our site, contact you about your profile and our Services, provide you with customer services, provide you with personalised advertising and marketing according to your interests, to carry out raffles or games organised by us, and, in certain cases, to detect and investigate fraudulent or illegal activity.

Zografov & Son shall collect, use and process the data described hereabove for the purposes provided for in this Policy, which may be related to:

  • the conclusion of a contract for the purchase and sale of goods/services at a distance between you and Zografov & Son through the Site or social networks - we shall require your identification and contact and payment data in order to conclude a contract with you, respectively, to send you your order.
  • conclusion of a consumer credit agreement when you have requested the purchase of a product or service from the Site through credit.
  • processing payments and preventing fraudulent transactions (we may pass your data to a third party to perform these functions).
  • conclusion of employment contracts and processing and evaluation of submitted resumes.
  • protection and enforcement of the legitimate interests of other users of the Services, third parties and the Site - the legitimate interest pursues goals related to the legitimate interests of Zografov & Son and/or third parties. These goals shall include:
  • detection and resolution of technical or functionality problems, development and improvement of the purpose of the Site.
  • communicating with you, including electronically, on important issues related to the services we provide and the performance of concluded contracts.
  • targeting our marketing, updating services and offering you, as our client who has already benefited from our goods and services, promotional offers based on your preferences.
  • receiving and processing received signals, complaints, requests and other correspondence.
  • implementation and protection of the rights and legal interests of the Site, incl. by court order, and providing assistance in the implementation and protection of the rights and legal interests of other users of the site and/or affected third parties.
  • administering the Website and Application and keeping them secure and safe.
  • To analyse and improve the use of our website, app and retail, (incl. using information about how you navigate our website, App and/or stores).
  • To measure and analyse our advertising and send you offers and recommendations based on the information you share with us.
  • communicating with you about your account and troubleshooting problems with your account. When we contact you by telephone, we may use automated or pre-recorded calls and text messages to ensure efficiency.
  • To inform you about products or services about which you wish us to send you information by email, post, mobile phone and/or through other digital means (depending on your stated preferences), incl. social media platforms - only when we have received express consent from you for this.
  • your registration on the Website (in which case We shall also use your personal information to maintain and update your profile (for example, such as a change of address or a change in your marketing preferences).
  • administration of all contests/raffles/lottery-based games conducted by Zografov & Son.
  • to provide you with location-based services (such as advertising, search results and other personalised content).
  • the fulfilment of legal obligations of Zografov & Son, including:
  • fulfilment of obligations stipulated by the law to preserve or provide information in view of our fiscal obligations to the state (for example, on the basis of the Accounting Act and other tax acts - the VAT Act, the Personal Income Taxation Act, the Corporate Income Taxation Act, the Tax and Insurance Procedural Code, etc.).
  • fulfilment of legal obligations based on the Labour Code, the Commercial Register and the Register of Non-Profit Legal Entities Act, etc.
  • execution of an order received by us from competent state or judicial authorities (e.g. on the basis of the MoI ACT, The Civil Procedure Code, The Electronic Communications Act, etc.).
  • fulfilment of obligations stipulated in the GDPR, related to notifying you of various circumstances related to your rights, the Services provided or the protection of your data, etc.
  • fulfilment of obligations provided for in the Consumer Protection Act, such as ensuring the right of refusal or the right to legal guarantee.
  • the legal defence of Zografov & Son.

Your data may be processed on the basis of your express consent, and the processing in this case shall be specific and to the extent and scope provided for in the relevant consent. We shall normally require such consent from you when we wish to process your personal data without any other valid basis for Zografov & Son processing of your data. Most often, we shall require such consent when we want to offer you information about new promotions, products, etc.

STORAGE PERIOD OF YOUR PERSONAL DATA

When storing data, WE shall apply the general principle of storing data in a minimum volume and for a period no longer than shall be necessary to provide the Services and perform the contracts, ensuring their security and reliability and the requirements of the law. We shall retain your personal data for the period necessary to perform the purposes set out in this Privacy Policy, unless otherwise required by law or based on our legitimate interest. According to the type of data and the purposes for which it is deleted, there shall be a specific erasure policy, with the expiration of which the data shall be deleted permanently.

 

Data type

Storage period

Grounds for processing

Clarifications

Registration data (name, surname, email, telephone, address)

and

 information about registration and agreement with the Terms and Conditions

(date, time, IP address)

Storage period

For the entire period of maintaining the account on the Site and up to 5 (five) years from termination of registration

Grounds

Execution of contractual relationships, fulfilment of legal obligations, and protection of legitimate interest.

The data shall identify you as a registered user on the Site. In order to resolve possible disputes that arose or became known after the termination of the agreement for the use of the Site and in connection with the Electronic Document and Electronic Authentication Services Act (see below), this data shall be stored for a period of up to 5 (five) years after the termination of the account.

Attention! Pursuant to the Electronic Document and Electronic Authentication Services Act (see below), part of this data (activity, IP address) must be stored by the Controller for a period of up to 1 (one) year from the termination of the account. The extension of the storage period shall be due to the protection of the legitimate interests of the Controller.

Personal data from orders and from invoices issued or received by the Controller, payment documents (orders, statement), reports and other accounting, reporting or payment documents.

Personal data from employee employment records.

Storage period

For the period in which the rights and obligations of the parties to the legal relationship under which the accounting, reporting or payment document was issued shall be available, up to 5 years from the termination of the employment.

Certain data shall also be stored for a longer legally-defined period than the above, as they shall represent accounting information, transaction and invoicing data, between 5 and 50 years

Grounds

Fulfilling legal obligations and protecting the legitimate interests of the Controller.

Your data identify you as a party to the distance-sale contract and are stored in order to ensure your rights, resp. fulfilling our legal obligations as taxpayers. The storage is necessary in order to ensure the rights of the buyers (individuals) when there is a period provided for this (for example, a 2-year guarantee). Legal obligations require the storage period to be determined in the manner described.

Pursuant to Art. 38 of the Tax and Social Security Procedure Code, accounting and commercial information, as well as any other information or documents relevant to taxation and mandatory social security contributions, shall be stored by the obligated person in accordance with the procedure established in the National Archive Fund Act, for the following periods of time: payroll - 50 years; accounting registers and financial reports - 10 years; tax and insurance control documentation - 5 years after the expiration of the limitation period for repayment of the public obligation to which the documents are related; all other carriers - 5 years. According to Art. 38, para. 2 of the Tax and Social Security Procedure Code, after the expiration of the term for their storage, the carriers of information under Para. 1 (paper or technical), which are not subject to transfer to the National Archive Fund, may be destroyed.

Personal data from correspondence, complaints, signals, requests or initiatives

Storage period

Data from correspondence, complaints, signals, requests and initiatives shall be stored for a period of up to 5 (five) years, pursuant to the Obligations and Contracts Act (limitation periods for making claims).

Grounds

Protection of legitimate interests of the Controller

In order to resolve submitted complaints, signals, disputes, inquiries, requests or other issues addressed in communication to Us, received via electronic forms on the Site or by post or email, we shall store and process this information as well as the result of this processing. Given the statute of limitations according to the Bulgarian legislation for the purpose of resolving disputes, this information shall be stored for a period of up to 5 (five) years.

Log certifying the sending of a comment, inquiry, order or other statement of intent (containing sender, recipient, date and time of the statement)

Storage period

For a period of 1 (one) to 5 years.

Grounds

Fulfilling legal obligations and protecting the legitimate interests of the Controller.

Due to the fact that sending comments, feedback, inquiries or other messages constitutes sending an electronic statement, according to the Electronic Document and Electronic Authentication Services Act, the company shall maintain log of the fact of sending the statement for a period of 1 (one) year.

The Controller's legitimate interest allows us, in certain cases, to extend the storage period of this data up to 5 years from making the statement.

Quick searches

They do not contain personal data.

Storage period

Until they are deleted by you, until your registration is terminated or no more than 6 (six) months if you use this functionality without registration

Grounds

Consent of the Data Subject and protecting the legitimate interests of the Controller.

This option shall allow you to repeat your searches without the need of entering them each time. The functionality can be used with or without registration. Quick links shall be stored to repeat the last 10 searches. You can change the setting from the browser you are using.

Settings and System Logs

do not contain personal data, they may contain information such as: date and time, IP address, URL, and information about the browser version and the device.

Storage period

Until they are deleted by you or until your registration is terminated. In case they are stored in a cookie - between 6 (six) and 12 (twelve) months from the last use

Grounds

Subject Consent. Fulfilling legal obligations and protecting the legitimate interests of the Controller.

This category shall include settings such as language selection, etc.

You are in control of the settings and you can change them through your browser.

Server logs, logs of security devices (Web Application Firewalls), etc. devices falling into this category. These logs shall be necessary to identify technical issues and/or detect malicious activity.

Information stored in a mobile application

For the period of its use (until it is uninstalled)

Information necessary for the technical provision of the Services (such as settings, etc.)

Cookies

Storage period

Between 6 and 12 months - depending on the type of cookie and your browser settings

Grounds

Consent of the Data Subject and protecting the legitimate interests of the OCA.

For a description of the cookies used, see 'Cookie Policy'.

Exceptions to the storage period rules

Please note that we shall not delete or anonymise your personal data if it is necessary for pending judicial, administrative, arbitration, enforcement or complaint proceedings before us. Deletion shall be carried out when the need for the data ceases, and it is not excluded that this occurs after the expiration of the periods indicated above.

You may always request that we delete certain data or close your account, and we shall respond to that request by retaining certain information, even after the account is closed, when applicable law or legitimate interests require us to do so. If we are legally required to, or if reasonably necessary to comply with regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms, we may also retain some of your personal data for a limited period of time, even after you have deleted your profile.

In order to ensure the reliability of the services and to protect against data loss for technical reasons, the Site shall apply a data reservation policy. The maximum period for updating (deleting data) from all backups shall be 30 days.

 

DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES?

Zografov & Son, respectively the Site, shall not provide your personal data to third parties, unless there is a legal basis for this - a legal or contractual obligation, a legitimate or vital interest or your consent. We shall try to minimise the personal data we disclose, as this is always directly related and necessary to achieve the specified purpose. We shall not sell, rent or otherwise disclose your personal data to third parties for their marketing or advertising purposes without your consent. We guarantee that access to your data by third-party private legal entities shall take place in accordance with the legal provisions in the field of data protection and information confidentiality, based on contracts concluded with them.

We may disclose your personal data where we are subject to a legal obligation. In certain cases, Zografov & Son shall disclose your data to public authorities such as the police, prosecutor's office or court, in connection with the prevention or detection of crimes. This shall also include sharing information with other companies and organisations for the purpose of fraud protection and credit risk reduction. You should be aware that if we are asked by the police or any other regulatory or government authority investigating suspected illegal activities to provide your personal data or any other information we obtain about you, we shall provide it after we are satisfied with the validity of the state authorities' request. When we receive sales income, we may be required by the revenue authorities to provide sales details containing data from your orders, including personal data. In this regard, we shall provide your data to the accounting companies we work with. It is the legal obligation of the Site and Zografov & Son to protect the security of the networks and the data processed by the company. In this regard, we implement a number of measures, which may require the processing of your data by IT companies our company works with.

We could have a contractual obligation to provide your data in the case of a distance-sale contract concluded with you, under which we are obliged to provide the goods or services requested by you via courier. The same shall apply in case you choose to purchase, pay for a product or service from our Site through payment, credit or banking services to whose providers you personally share your data or entrust this to us. If you have chosen to insure a product/service during the purchase through the Site, your data shall be shared with the insurance companies through the order. If we install a purchased product through a subcontractor, we may provide your details to the subcontractor to perform the service/warranty service.

Our legitimate interest shall justify, in certain cases, the provision of personal data to third parties. Such would be the situation in the case of proceedings initiated before the for the Personal Data Protection Commission, the Consumers Protection Commission of and other bodies of state power. Legitimate interest shall also exist for Zografov & Son when we employ other companies or individuals to perform certain tasks on our behalf, supplementing our services within the framework of data processing contracts. We would like you to always be aware of the best offers for the products/services you are interested in. In this regard, we may provide specific data of yours, only with your express consent, to providers of marketing/telemarketing services and other companies with whom we may develop joint programs to market our goods and services.

Our website may also contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for those policies. Please check these policies before submitting information to these websites. Our site uses YouTube LLC, represented by Google Inc. to integrate videos. Usually, when you visit an embedded video page, your IP address shall be sent to YouTube and cookies will be installed on your device. However, our YouTube videos are integrated in extended privacy mode (in this case, YouTube is still in contact with the DoubleClick service from Google, but personal data in accordance with Google's privacy policy is not used). As a result, YouTube shall not store any information about visitors unless you watch the video itself. If you click on the video, your IP address shall be sent to YouTube and YouTube shall know that you have watched the video. If you are logged in to YouTube through your user profile, this information shall also be associated with your user profile (you can prevent this by logging out of YouTube before clicking on the video to watch it). We have no information about the possible collection and use of your data by YouTube. For more information, see YouTube's Privacy Policy at www.google.com/intl/bg/policies/privacy/.

 

WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL INFORMATION TO?

We currently store and process your personal data in Bulgaria.

However, it is possible that some of your personal data may be transferred to entities located in the European Union or outside it, including countries for which the European Commission has not recognised an adequate level of personal data protection. We transfer personal data outside the European Union only when this is necessary to fulfil any of the purposes detailed in this Policy and in the presence of:

  1. A decision by a supervisory authority at national or European level confirming that the given third country, territory or one or more specific sectors in that third country or the international organization in question provide an adequate level of protection.

or

  1. Appropriate guarantee for the protection of personal data, such as:

- Binding corporate rules approved by the relevant supervisory authority, or

- Standard data protection clauses adopted by the Commission or adopted by the national supervisory authority and approved by the Commission, or

- An approved code of conduct or an approved certification mechanism, both of which must provide for legally-binding and enforceable obligations on the controller or the processor in the third country to implement appropriate safeguards, including in relation to human rights.

We shall always take steps to ensure that any international transfer of personal data is carefully managed to protect your rights and interests.

You can contact us at any time using the contact details provided at the end of this Policy to find out which countries we transfer your data to and what protection measures we apply in relation to these data transfers.

 

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

According to the General Data Protection Regulation, you shall have the following rights:

Right to information

This Policy shall aim to inform you in detail about the processing of your personal data in connection with the processing of your personal data. When there is a risk of a breach of the security of your personal data, the Controller shall notify you of the nature of the breach and what measures have been taken to remedy it, as well as whether the supervisory authority has been notified of the breach. Also, the Data Subject may request information regarding all recipients to whom the personal data for which correction, erasure or restriction of processing is requested, has been disclosed.

Right of access

You shall have the right to receive confirmation as to whether your personal data is being processed, access to it and information about how it is being processed and your rights in this regard. As a Data Subject, you shall have the right to request confirmation as to whether your personal data is being processed and, if so, to access your data and the following information: for what purpose data is processed, what personal data, the recipients of data, the term of processing. Access requests must be made in writing/electronically and addressed to the Controller. In this case, we shall provide a copy of the processed personal data in an electronic or other appropriate form.

Right to rectification

You shall have the right to correct and supplement your personal data if they are incomplete or inaccurate. For registered users, this option shall also be present in the user panel on the Site. Unregistered users can obtain this information by making a request to the Controller. As a personal data subject, you shall have the right to request the correction or completion of your personal data that is inaccurate/out-of-date or incomplete. For this purpose, you shall have to submit a separate request. Your request shall be answered by the Controller in writing to the email provided by you.

Right to erasure (right to be forgotten) and account closure

As a subject of personal data, you shall have the right to 'be forgotten', i.e. to request that your personal data be deleted without undue delay i.e. the Controller to delete your personal data from all systems and records where they are stored, incl. notifying any third parties/processors of personal data to whom they have provided the data.

If you wish, you can close your account on the Site at any time. This option shall also be present in the user panel on the Site. After closing the account, all or part of the data shall be deleted. In connection with our obligations, responsibilities and requirements of the law (for example, the Electronic Communications Act or the Electronic Document and Electronic Authentication Services Act), it is possible that we shall store certain data for a certain period (see the section above).

In order to ensure the reliability of the services and to protect against data loss for technical reasons, the Site shall apply a data reservation policy. The maximum period for updating (deleting data) from all backups shall be 30 days.

A deletion request can be submitted on the grounds provided for in the Regulation, incl. in the presence of any of the following grounds:

- The personal data are no longer necessary for the purposes for which they were collected.

- You have withdrawn your consent.

- You have objected to the processing of personal data and there are no overriding legal grounds for the processing.

- The processing is illegal.

- The personal data must be deleted in order to comply with a legal obligation under the Union law or the law of a Member State that applies to the Controller.

- The personal data were collected in connection with the provision of information society services.

 

Please note that we may refuse to delete part or all of the personal data in cases where there is a substantial basis and/or legal obligation for their processing. You will be informed about this in due course. The Controller may refuse to delete the personal data on the grounds specified in the Regulation, when the processing of the specific data is for the purpose of:

To exercise the right to freedom of expression and the right to information.

- To comply with a legal obligation that requires processing provided for in the EU law or a Member State law that applies to the Controller or for the performance of a task in the public interest or in the exercise of official powers granted to them.

- For reasons of public interest in the field of public health.

- For the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes.

- For the establishment, exercise or defence of legal claims.

Right to restriction in relation to data processing

The GDPR provides for the possibility to restrict the processing of your personal data if there are grounds for this. The limitation shall be allowed in the following cases:

- When you think your personal data is not accurate, in which case the limitation shall be for a period necessary for the Controller to verify the accuracy.

- When the processing of your personal data is illegal, but you do not want them to be deleted, but only to limit their use.

- When the Controller no longer needs your personal data for the purposes of processing, but you, as the Data Subject, require them for the establishment, exercise, or defence of legal claims.

- When you have objected to the processing pending verification of whether the Controller's legitimate grounds prevail over your interests.

Right to notify third parties

If applicable, you shall have the right to request the Controller of your personal data to notify the third parties, when they have provided your data, regarding the correction, deletion or restriction of the processing of your personal data.

Right to data portability

You shall have the right to receive the personal data concerning you and that you have provided in a structured, widely-used and machine-readable format, and you shall have the right to transfer this data to another controller without hindrance from us, in case the processing is based on consent or contractual obligation or the processing is carried out in an automated manner.

Important: The responsibility for the storage of data exported from the Site, as well as for all the consequences of providing them to other controllers, shall be entirely yours.

Right not to be subject to a decision based solely on automated processing

You shall have the right not to be subject to such automated processing, including profiling, which gives rise to legal consequences for you or similarly affects you to a significant extent, unless there are grounds for this provided for in the applicable personal data protection legislation and provided for adequate guarantees to protect your rights, freedoms, and legitimate interests.

Right to withdraw consent

You shall have the right, at any time, to withdraw the consent you have given in connection with the processing of personal data based on your prior consent. Such withdrawal shall not affect the lawfulness of the processing based on the consent given until the time of its withdrawal. In the case of services such as the subscription to email announcements, for which the subscription is made based on your wish (consent), the possibility of unsubscribing at any time (withdrawal of consent) shall be provided. In the event of withdrawal of consent, we shall have the right to request that the identity of the applicant be verified to establish the identity with the person to whom the data relates.

Right to object

You shall have the right to object to data processed based on legitimate interest. In the event of such an objection, we shall consider your request and, if justified, we shall comply with it. If we believe that there are compelling legal grounds for the processing or that it is necessary for the establishment, exercise or defence of legal claims, we shall inform you of this.

Right of appeal to a supervisory authority

You shall have the right to lodge a complaint against our company (data controller) with the supervisory authority if you consider that the processing of personal data concerning you violates the applicable legislation on the protection of personal data. The supervisory authority in the Republic of Bulgaria is the Personal Data Protection Commission with address: 2 Prof. Tsvetan Lazarov Blvd, Sofia 1592 email kzld@cpdp.bg, website: www.cpdp.bg, tel. +359 2 915 3518.

HOW CAN YOU EXERCISE YOUR RIGHTS? DEADLINES

You can exercise these rights free-of-charge at any time, by email or by request sent to the addresses indicated in the contact form on the Site or at the end of this Privacy Policy, and you can address your requests both to the Controller or directly to the Data Protection Officer. Requests shall be made in a manner that allows the identity of the requester to be identified. With respect to some rights, technical means of exercising them may be applicable, such as an 'Unsubscribe' button. In all cases, the Controller should respond to the request or take a decision on the right exercised, at the address provided in the request, incl. an email, within one month of the receipt.

In the event that you exercise these rights manifestly unreasonably or excessively, in particular due to their repetition, we shall reserve the right to impose a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the requested action, or to refuse to take action on the request. We shall inform you of our fees, if applicable, before taking a decision on your claim.

ACCURACY OF INFORMATION

We shall not be responsible for the accuracy of the information you provide; we shall not carry out any checks in this regard, and we shall not guarantee the actual identity of the individuals who provided the data. In all cases of doubt on your part, of established fraud and/or abuse, please notify us immediately. When providing any information on the Site, you should not violate the rights of other persons in connection with the protection of their personal data or their other rights.

 

GENERAL INFORMATION ABOUT THE POLICY

This Privacy Policy may be changed or supplemented due to changes in the applicable Bulgarian or European legislation, at the initiative of Zografov & Son or a competent authority.

Zografov & Son shall inform the users of any amendments or additions to this Privacy Policy by publishing the updated Privacy Policy on the Site.

It is recommended that the users periodically check the most current version of this Privacy Policy on the Zografov & Son website.

 

HOW DO WE PROTECT YOUR RIGHTS?

SECURITY MEASURES

In order to ensure the best possible data protection of the company and our clients/users/business partners/visitors on the Site, WE shall apply all the necessary organisational and technical measures provided for in the General Data Protection Regulation and the Personal Data Protection Act, as well as best practices from international standards. We shall apply the appropriate and necessary level of protection and, to this end, we have developed effective physical, electronic and administrative procedures to protect the data we collect from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to transmitted, stored or otherwise processed personal data.

We shall store your data on secure servers using the latest encryption algorithms and we shall guarantee the storage of backup copies.

The company has adopted the necessary rules and procedures related to the lawful processing of your personal data, incl. an action plan in the event of a data security breach; we have established structures to prevent abuses and security breaches, and have designated a Data Protection Officer who shall support the processes of lawful processing, protection and ensuring the security of your data.

Access to your personal data shall be permitted only to those employees, service providers or persons related to them on the principle of need for information for official purposes or who need it for the performance of their official duties. All employees/workers shall be required to be trained and accept the relevant contractual clauses/declarations/rules to comply with organisational and technical access measures before being granted access to information of any kind.

It is a principle in our structure that all employees/workers are responsible for ensuring the security of the storage of the data for which they are responsible and which we process, and that the data is stored securely and is not disclosed under any circumstances to third parties, unless we have granted such rights to that third party by entering into a confidentiality agreement/clause. In this regard, all personal data shall be available only to those who need it, and access can only be granted in accordance with established access control rules. All personal data shall be treated with the utmost security and stored as follows:

  • in a private room with controlled access, and/or
  • in a locked cabinet to which authorised persons have access, and/or
  • a computerised system protected by a password in accordance with the internal requirements specified in the organisational and technical measures for controlling access to, and/or
  • computer media that are protected in accordance with organisational and technical measures to control access to information.

Personal data is deleted or destroyed only in accordance with the internal data storage and destruction procedures.

For maximum security during processing, transfer and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymisation, backup technology for backup copies.

We use a payment service to process payments. All payment information shall be encrypted using SSL technology.

When you post to forums, chat rooms or social networking services, the personal information you share shall be visible to other users and may be read, collected or used by them. In these cases, you shall be responsible for the personal information you choose to provide.

Despite the measures we implement to protect your personal data, we are aware that, in general, the transmission of information over the Internet or other public networks is not completely secure, and there is a risk that the data can be viewed and used by unauthorised third parties. We cannot accept responsibility for these vulnerabilities of systems that are not under our control. In the event of a data leak containing personal data, we shall ensure that we comply with all applicable notification norms in such cases.

 

COOKIE POLICY

As an integral part of this Privacy Policy for individuals, Zografov & Son has also adopted a Cookie Policy, published and available both on the Site and on our Facebook page.

 

CONTACT US

DATA PROTECTION OFFICER

 

Questions and requests related to the exercise of your rights related with the protection of your personal data can be sent to Zografov & Son through the contact form available on the Site or through:

ZOGRAFOV & SON OOD, UIC: 202988840, VAT No. BG 202988840, seat and registered address: 428A Tsar Boris III Blvd, Sofia postal address: 428A Tsar Boris III Blvd, Sofia tel. +359 887 697 228, e-mail: office@zografovart.com

DATA PROTECTION OFFICER

Our Data Protection Officer is Lyubomir Zografov

Address: 428A Tsar Boris III Blvd, Sofia

Email: Lyubomir@zografovart.com

Tel. +359 887 697 228