Personal Data Processing Policy
Information about the data controller:
Magicofcolors EOOD is a company registered in the Commercial Register at the Registry Agency under UIC 204110318, with seat and registered address at 9023 Varna, VL. VARNENCHIK R.A., bl. 9, entrance 6, Floor 6, apt. 53, Phone: 888455909; e-mail: firstname.lastname@example.org
Grounds and purposes for which we use your personal data
We process your personal data on the following grounds:
- The contract concluded between us and you in order to fulfill our obligations thereunder;
- Your explicit consent – the purpose is specified on a case-by-case basis;
- In case of a legal obligation;
In the following paragraphs, you will find detailed information about the processing of your personal data depending on the grounds on which we process it.
FOR FULFILLING A CONTRACT OR IN THE CONTEXT OF A PRE-CONTRACTUAL RELATIONSHIP
We process your personal data in order to fulfill contractual and pre-contractual obligations and to exercise the rights under the contracts concluded with you.
Purpose of the processing:
- Verifying your identity;
- Managing and fulfilling your request and fulfilling a contract;
- Drafting a contract proposal;
- Drafting and sending a bill/invoice for the goods/services you use;
- To ensure you have been fully serviced and collect the due amounts for the goods/services you have used;
- Storing communications in relation to any orders, processing requests, reporting problems, etc.
- Sending notifications regarding anything related to the goods/services you use;
- For customer history analysis;
- To identify and/or prevent any unlawful actions or violations of the terms and conditions for the respective goods/services;
Data we process on these grounds:
Based on the contract concluded between us and you, we process information regarding the type and content of the contractual relationship, as well as any other information related to the contractual relationship, including:
- personal contact details – contact address, e-mail, telephone number;
- identification data – name and surname;
- data about your placed orders;
- any communications regarding the overall service – e-mails, letters, information about your requests for troubleshooting, claims, requests, complaints, and feedback that we have received from you;
- Other information such as:
- Customer number, code or other identifier generated for identification purposes;
- Information about your activities on the Site
The processing of the specified personal data is mandatory for us so we can conclude the contract with you and fulfill it. Without providing us with the above information, we would not be able to fulfill our contractual obligations.
We provide personal data to third parties
We provide your personal data to third parties and our main purpose is to provide you with high-quality, fast and complex services. We do not provide your personal data to any third parties before we make sure that all technical and organisational measures have been taken to protect these data, and we aim to exercise strict control to that end; in that case, we remain responsible for the confidentiality and security of your data.
We provide personal data to the following categories of recipients (data controllers):
- Postal operators and courier companies;
- Persons who have been assigned to maintain equipment, software and hardware used to process personal data and are necessary for the business of the company;
- Persons providing consulting services in various fields.
When do we delete the data collected on these grounds?
We delete the data collected on these grounds 2 years after the termination of the contractual relationship, regardless of whether it is due to the expiration or dissolution of the contract, or on any other grounds.
TO FULFILL OUR REGULATORY OBLIGATIONS
We may be obliged under the law to process your personal data; in these cases, we are obliged to perform the processing, such as in cases of:
- Obligations under the Measures Against Money Laundering Act;
- Fulfillment of obligations in connection with remote sales and off-site sales, as set forth in the Consumer Protection Act;
- Providing information to the Consumer Protection Commission or third parties, as set forth in the Consumer Protection Act;
- Providing information to the Personal Data Protection Commission with regard to the obligations in the personal data protection regulations;
- Obligations related to the Accountancy Act and the Tax and Social Security Procedure Code and other related statutory accounting regulations;
- Providing information to courts and third parties within court proceedings in accordance with the requirements of the statutory instruments applicable to the proceedings;
- Age verification when shopping online.
When do we delete the personal data collected on these grounds?
The data collected in accordance with a legal obligation shall be deleted after the obligation for collection and storage is fulfilled or dropped. For example:
- Under the Accountancy Act on the Storage and Processing of Accounting Data (11 years);
- Obligations to provide information to the court, competent state authorities, and other grounds set forth in the existing legislation (5 years).
Providing data to third parties
When we are legally obliged to do so, we may provide your personal data to the competent state authority, a natural or legal person.
WITH YOUR CONSENT
We process your personal data on these grounds only with your explicit, unambiguous and voluntary consent. On our part, there will be no adverse consequences for you if you refuse to have your personal data processed.
Consent constitutes separate grounds for the processing of your personal data, and the purpose of the processing is specified therein and is not covered by the objectives listed in this Policy. If you give us the relevant consent and until it is withdrawn or terminated, we shall draft suitable offers for products/services for you by performing a detailed analysis of your basic personal data.
A detailed analysis is a method of analysis that allows the processing of large quantities of data using statistical models and algorithms and other means that involve the use of personal data, as well as pseudonymisation and anonymisation processes of that data, in order to obtain information on trends and various statistical indicators.
Data we process on these grounds:
On these grounds, we only process the data for which you have given your explicit consent. The specific data is determined on a case-by-case basis; usually emails, names, telephone number and address.
Providing data to third parties
On these grounds, we may provide your data to marketing agencies, Facebook, Google, etc.
Withdrawal of consent
Your consent can be withdrawn at any time; the withdrawal of consent has no impact on the fulfilment of the contractual obligations; if you withdraw your consent for the processing of your personal data for any or all of the ways described above, we shall not use your personal data and information for the purposes set out above. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.
To withdraw your consent, you just have to use our website or our contact details.
When do we delete the data collected on these grounds?
The data collected on these grounds shall be deleted upon your request or 12 months after the initial collection.
PROCESSING ANONYMISED DATA
We process your data for statistical purposes, i.e. for analysis where the results are only aggregates and the data is therefore anonymous. It is impossible to identify a specific person from this information.
Your data may also be anonymised. Anonymisation is an alternative to deleting data. Upon anonymisation, all personally identifiable features/items that allow you to be identified are irrevocably deleted. There is no legal obligation for anonymised data to be deleted, as they do not constitute personal data.
Why and how do we use automated algorithms?
For the processing of your personal data, we use partially automated algorithms and methods to continuously improve our products and services and to adapt them to your needs in the best possible way; this process is called profiling.
How do we protect your personal data?
To ensure adequate protection of the company’s and our clients’ data, we apply all necessary organisational and technical measures provided for in the Personal Data Protection Act.
The company has rules for preventing data misuse and security breaches in support of the processes for protecting and ensuring the security of your data.
To ensure maximum security during the processing, transfer and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymisation, etc.
Personal data we have received from third parties
We receive the following personal data from third parties: email, names, telephone number and address.
Rights of the Users
Each User on the website shall have all rights to personal data protection in accordance with the Bulgarian legislation and the laws of the European Union.
The User may exercise their rights using the contact form or by sending a message to our email address.
Each User shall have the right to:
- Information (regarding the processing of personal data by the controller);
- Access to their own personal data;
- Correction (if the data is inaccurate);
- Deletion of the personal data (“right to be forgotten”);
- Restriction of the processing by the data controller or processor;
- Portability of the personal data between individual data processors;
- Objection to the processing of their personal data;
- The data subject is also entitled to not be the subject of a decision based solely on automated processing, including profiling, which has any legal consequences for the data subject or similarly affects them in a significant manner;
- Right to judicial or administrative remedy if the data subject’s rights have been violated.
The User may request the deletion of their data if one of the following conditions is true:
- The personal data is no longer needed for the purposes for which it was collected or otherwise processed;
- The User withdraws their consent on which the processing was based and there are no other legal grounds for the processing;
- The User objects to the processing and there are no prevailing legitimate grounds for the processing;
- The personal data has been unlawfully processed;
- The personal data must be deleted to comply with a legal obligation under EU or the Member State law applicable to the data controller;
- The personal data was collected in connection with the provision of information society services to children and the consent was granted by the parent responsible for the child.
The User has the right to restrict the processing of their personal data by the data controller if:
- They dispute the accuracy of the personal data; in this case, the restriction of the processing shall be for a period which allows the data controller to verify the accuracy of the personal data;
- The processing is unlawful but the User does not want the personal data to be deleted and requests the restriction of their use instead;
- The data controller no longer needs the personal data for the purposes of the processing but the User requires them for establishing, exercising or defending against legal claims;
- They object to the processing, and there is pending verification of whether the legitimate grounds of the controller override the interests of the User.
Right to portability.
The data subject has the right to receive the personal data they have provided to a data controller in a structured, commonly used and machine-readable format, and has the right to transfer that data to another data controller without any obstruction by the controller to whom the personal data was provided if the processing is based on consent or a contractual obligation and the processing is performed in an automated manner. When exercising their right to data portability, the data subject is also entitled to receive the direct transfer of the personal data from one data controller to another where this is technically feasible.
Right to objection.
The Users have the right to object to the processing of their personal data before the data controller. The data controller shall be obliged to terminate the processing unless they prove that there are convincing legal grounds for the processing which take precedence over the interests, rights and freedoms of the data subject, or for establishing, exercising or defending legal claims. In the event of an objection to the processing of personal data for the purposes of direct marketing, the processing should be stopped immediately.
Filing a complaint to the supervisory authority
Each User has the right to file a complaint against the illegal processing of their personal data to the Personal Data Protection Commission or the competent courts.
Maintaining a register
We maintain a register of the processing activities for which we are responsible. This register contains all the information listed below:
- Name and contact details of the data controller;
- The purposes of the processing;
- A description of the data subject and personal data categories;
- The categories of data recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- Where possible, the envisaged time limits for deletion of the different data categories;
- Where possible, a general description of the technical and organisational security measures.
Registration and identification
The Vendor identifies the Users of the Site by storing log files on the server of the Site.
The Vendor shall be entitled to collect and use information regarding the Users on the grounds and for the purposes of fulfilling the contract concluded with the User under the General Terms and Conditions. The personally identifiable information may include the kinds of personal data provided for in the General Terms and Conditions, as well as any other information the person has volunteered upon registration; the information shall include any other information the User has introduced, used or provided upon using the Services.
The Vendor shall duly care for and be responsible for the protection of the information about the User that has become known to them by virtue of the registration, except in cases of force majeure, accidents or malicious acts by third parties.
In the registration form filled in by the User upon registration, the Vendor shall indicate the mandatory or voluntary nature of the requested data and the consequences of refusing to provide that data.
The Vendor may disclose personal data to third parties only in the cases provided for by the law and in the circumstances provided for by the law or with the explicit consent of the Users.
The User may register by filling in the relevant electronic registration form available in real time (on-line) on the Vendor’s website, and agree to the General Terms and Conditions.
By pressing the virtual button labeled “Register” or other similar text, having the effect of a written acceptance of the General Terms and Conditions, the User makes an electronic statement within the meaning of the Electronic Document and Electronic Signature Act, thereby declaring that they are familiar with the General Terms and Conditions, accept them and undertake to comply with them. The Vendor may store the IP address of the User and any other information necessary for the identification and reproduction of their electronic statement of acceptance of the General Terms and Conditions in the event of a legal dispute, in log files on their server. The text of the General Terms and Conditions shall be available online, on the website of the Vendor, in a way that allows its storage and reproduction.
When filling in the registration form, the User undertakes to provide complete and accurate information on their identity (for natural persons), legal status (for legal entities) and any other data required by the electronic form of the Vendor, and to update it within 7 (seven) days from their change. The User represents that they agree to provide the required personal data, ensuring that the data provided during the registration process is correct, complete and accurate, and will update them in a timely manner if they change. If provided with incorrect data, the Vendor has the right to terminate or suspend, immediately and without notice, the provision of the services and the registration of the User.
Upon registration, the User receives a unique username which may also be the email address or data provided by the User from social media or third-party identification services, and a password to access the services available through the website.
The User can manage their user profile on the Site using their account.
The username used to register the User does not give them any other rights than those explicitly stated in these Terms and Conditions.
The person registering in their capacity as representative of a legal entity undertakes to enter their full name and address, or respectively the name of the legal entity they represent.
The User shall take all due care and all necessary measures that are reasonably required in order to protect their password, and shall refrain from disclosing their password to any third parties, and shall immediately notify the Vendor in case of actual, likely or suspected unauthorised access, and shall bear all the responsibility and risk to protect their password and for any actions performed by them or by any third party using their password.