We would like to inform you that we have undertaken the necessary measures to process your personal data lawfully, fairly and in a transparent manner. This privacy statement explains the purposes and legal grounds for processing your personal data.
Please, read this privacy statement carefully in order to learn the details about the manner of processing your personal data in your capacity as a client, potential client or another interested party. Notwithstanding the purposes and the grounds for processing your personal data, we will treat them with equal care. This privacy statement contains information about your rights and remedies in accordance with the applicable law.
We may amend this Privacy statement from time to time. Amendments will be effective upon our posting of such updated Privacy statement at:
More information of the Bulgarian legislation concerning personal data protection is available on the website of the Commission for Personal Data Protection: www.cpdp.bg
1. The company
CERTRIA EOOD is a Single Member Limited Liability Company, incorporated under the laws of the Republic of Bulgaria, registered with the commercial register at Registry Agency under Unified Identification Code (UIC) 204096911, having its registered seat and address of management at Sofia, 1421, Region Lozenets, 12 Nikolay Liliev Str., 1st floor, office 2 (herein after referred to as “Certria”).
Certria EOOD is a registered Personal Data Controller with the Bulgarian Personal Data Protection Commission, having its identification number 425502. Certria EOOD conducts its activities in strict compliance with the requirements of the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of this data (General Data Protection Regulation), in order to ensure confidentiality and lawful processing of its Clients personal data.
2. Contact details
In case you have any questions related to the processing of personal data, please contact us at: firstname.lastname@example.org
3. Purposes of personal data processing
Personal Data collected by Certria may be processed for different purposes and on different legitimate grounds, as follows:
3.1. Purposes, where personal data processing is based on legal obligations:
a. Regulatory and governmental reporting - for taxation based on the requirement of the Accountancy Act.
3.2. Purposes, where personal data processing is necessary for the performance of a contract
a. Concluding contracts and performance of contractual obligations by Certria at the request of individuals, whose personal data is processed - in order to conclude a sale contract with a client and to execute the contract by delivering the products or services purchased by the client, Certria needs to have the client's specific personal data (e.g. full name, address, contact details). It is possible that Certria would require additional information, depending on the character of the services that are part of the contract.
b. Product/service usage - Certria processes clients' personal data via its various channels with the purpose of ensuring the usage of the acquired products and services (e.g. processes data for a warranty claim).
3.3. Purposes, where personal data processing is based on the consent of the client
a. Direct marketing of products or services provided by Certria: Offering products provided by Certria, as well as participation in surveys on products and services offered through any of the channels incl. email, SMS, phone, online channels.
b. Individual/personalized direct marketing and segmentation (profiling) with commercial purposes: Creating clients' profiles in order to provide new, better services and products, taking into account clients' individual needs.
The consent to the personal data processing under the present clause 3.3 shall be provided by the data subject in a special Client Consent Declaration.
3.4. Purposes, where personal data processing is based on safeguarding the legitimate interests of the controller:
a. Sending product and service messages - Certria processes personal data in order to send messages for the products and services used by the client through calls, emails, sms, letters, etc. The messages pertain only to the products and services already used by the client; the messages do not pursue marketing goals, nor do they contain new service offers.
b. Litigations - Establishment, exercise or defense of Certria rights - Certria shall process its client's data in order to defend its rights in court/litigation procedures, when settling claims with the help of external lawyers, etc. This pertains to situations were personal data is processed in connection with administering information related to litigations, judicial warrants, petitions and court decisions.
c. Internal accountability, analysis and development of the products and services offered - Certria uses its clients' personal data to improve its market position by offering new, better and innovative products.
4. Rights of Data Subjects
All the personal data subjects are entitled with the following rights and they can exercise any of it personally or sending a letter or an e-mail, addressed to: Sofia, 1421, Region Lozenets, 12 Nikolay Liliev Str., 1st floor, office 2 or email@example.com.
a. Right to access - Upon the request of the data subject, Certria shall provide information about the categories of the personal data relating to him, which are being collected and processed by it, as well as information about the purposes of the processing, the recipients or categories of recipients to whom the data is disclosed and the sources of this data, except the cases when the data was collected directly from the data subject.
b. Right of rectification, blocking the processing (restriction and/or deletion (erasure)) - Upon the data subject's request, Certria shall correct, erase or block the processing of personal data if there is an instance where the processing does not comply with the provisions of the legislation. In such instances Certria shall notify all third parties to whom the personal data has been disclosed regarding all cases of rectification, deletion or blocking of the personal data processing of the individual concerned.
c. Right to data portability - The data subject has the right to request to receive the personal data concerning him, which he has provided to Certria, in a commonly used, structured and machine-readable format, and has the right to forward/transfer this data to another Controller without hindrance from Certria as personal data controller, to whom the data was provided, when the personal data processing is based on consent or a contract obligation or the personal data processing is carried out by automated means.
d. Right to object - The data subject has the right to file an objection to the processing of his personal data when the processing of personal data is based on controller's legitimate interest. Certria shall consider the objection within the shortest time possible of submitting it and inform the objecting party in writing of its opinion. After considering the objection, Certria shall in principle discontinue the processing of the personal data of the individual and inform all involved parties, to whom the data has been transferred, about the objection received and the measures taken based on it. However, in some cases Certria could have compelling legitimate grounds to continue with the processing, even after an objection from the data subject has been received (e.g. in case of court proceedings, fraud monitoring, etc.) In these cases, Certria will get in touch with the data subject who filed the objection to clarify the reasons for Certria to continue processing his personal data.
e. Right to withdraw the consent given for personal data processing for the purposes outlined in the Consent Declaration. The withdrawal can be submitted via Declaration form.
f. Right to lodge a complaint with the Commission for Personal Data Protection (CPDP) - the data subject has the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) against the actions of Certria in connection with the processing of his personal data.
Each time when data subject wish to exercise his rights, he should provide a specific and detailed description of their request. Certria shall reply accordingly to inquiries which contain sufficient details. Upon exercising rights, Certria needs to check the identity of data subjects, and for this purpose it may ask them to present an ID card or another identification document.
If you wish to receive more information or in case you disagree with the opinion of Certria, you are entitled to submit a complaint of the Commission for Personal Data Protection at: www.cpdp.bg.
5. Types of personal data processed
Certria may process different types of personal data relating to the data subjects' physical identity, social identity or economical identity. The data may be obtained from the data subject, from third parties, or it may be created by Certria during the servicing of the client.
5.1. Certria may process different types of data depending on the purpose of the processing, e.g.:
a. to identify you: name, current address;
b. to contact you: telephone number e-mail address mailing address.
5.2. Public data and data obtained through third parties
Certria sometimes processes public data, such as information that is subject to a duty of disclosure, such as if you're appointed as a company director or proxy, or if you own a company. Certria may also receive personal data via third parties, for example by official registers which bear responsibility for gathering that information lawfully.
Such public data and data obtained via third parties may be relevant and used for the purposes indicated by Certria in this privacy statement, to verify the accuracy of information in our records and to support the process for direct or indirect marketing campaigns.
6. Recipients of personal data
Personal data is mainly processed by Certria staff. The processing of personal data may be also carried out by other processors in relation to services provided to Certria. All such processors have valid and binding contract for personal data processing, concluded with Certria.
a. Personal data controllers to whom Certria may transfer personal data include:
The CPDP (Commission for Personal Data Protection)
The CCP (Commission for Consumer Protection)
b. Personal data processors are Individuals or legal entities, public authorities, agencies or any other body which processes personal data on behalf of the controller.
c. Recipients outside the European Economic Area (EEA)
Some of the recipients mentioned above may be located outside the EEA. Certria shall only forward personal data to non-EEA states (third countries) if the necessary safeguards for the protection of personal data, as required by the local and European law, are in place, and the provided personal data is adequately protected in the relevant third country. Certria will take all the necessary measures to protect your personal data by limiting its availability to third parties in or outside the EEA.
7. Duration of personal data retention
Certria retains the personal data of data subjects in accordance with the statutory retention time limits, and when there are none specified - according to its internal rules.
The general duration of personal data and document retention of clients/prospect-clients, transactions and deals is five (5) years after closing the deal and terminating the relationship with the client.
Wherever Certria is indicated in this Privacy Statement and in the Client Consent Declaration, it should be considered as the company Certria EOOD and its eventual successors in case the company ceases its existence.