Mandatory information on individuals’ data protection rights (Privacy notice)
Information about the company that processes your data:
Name |
Kendy Ltd. |
UIC/BULSTAT |
121068952 |
Seat and registered address |
1320 Bankya, 101 Sofia” Str. |
Address for correspondence |
1320 Bankya, 101 Sofia” Str. |
Phone |
+359 2 99 77 374 |
|
office@kendy.com |
Website |
https://supravit.bg/ |
Information on the competent data protection supervisory authority
Name |
Data Protection Commission |
Seat and registered address |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Address for correspondence |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Phone |
02 915 3 518 |
Website |
www.cpdp.bg |
“Kendy Ltd (hereinafter referred to as “Controller”, “Company” or “Kendy”) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing..
Basis for collecting, processing and storing your personal data
Art. 1 Kendy Ltd. collects and processes your personal data in connection with the use of the Company’s website at https://supravit.bg/, including the provision of all functionalities of the website, the provision of additional services, registration for participation in an event of ours and processing of messages sent via the form on the Company’s website, your application for a job with us and conclusion of contracts with the Company on the basis of Art. 1, Regulation (EU) 2016/679 (GDPR), in particular on the following grounds:
-
Performance of Kendy Ltd’s obligations under a contract with you or taking steps to enter into such a contract;
-
Compliance with a legal obligation that applies to Kendy Ltd;
-
For the purposes of the legitimate interests of Kendy Ltd or a third party;
-
Explicit consent obtained from you as a customer or participant in an event.
Purposes and principles for the collection, processing and storage of your personal data
Art. 2. (1) We collect and process the personal data that you provide to us in connection with the use of the website https://supravit.bg/, the provision of all functionalities of the website, the provision of additional services, registration for participation in an event of ours and processing of messages sent via the form on the Company’s website, your application for employment with us and the conclusion of contracts with the Company, including for the following purposes:
-
providing full functionality when using the website;
-
communicating and replying to messages;
-
making selections for job applicants;
-
use of the company’s website;
-
accounting purposes;
-
statistical purposes;
-
information security protection;
(2) We comply with the following principles when processing your personal data::
-
legality, fairness and transparency;
-
limitation of the purposes of processing;
-
relevance to the purposes of the processing and minimisation of the data collected;
-
data accuracy and timeliness;
-
limitation of storage to achieve the objectives;
-
integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.
(3) In processing and storing personal data, Kendy Ltd. may process and store personal data in order to protect its legitimate interests:
-
fulfilling its obligations to the National Revenue Agency, the Ministry of the Interior and other state and municipal authorities;
-
protection from legal claims against the Company.
What types of personal data our company collects, processes and stores
Art 3. (1) In order to use the website and all its functionalities, process enquiries, provide additional services, register for our events and apply for a job with us, etc., the Company may collect and process the following categories of personal data:
-
Two names;
-
Adress;
-
Phone number;
-
Email;
-
ID card details;
-
Interests;
-
Social network profile;
-
Image.
(2) When concluding a contract with a business partner or customer, we collect and process personal data on the name of the legal representative of the legal entity – party to the contract, for the purpose of individualizing the party to the contract and its performance. The contact details of the legal representative or a contact officer are service information and as such are not considered personal data.
Art. 4. The Company shall carry out the following operations with the personal data provided by you for the following purposes:
1. Offering a range of products on the company’s website and using the functionality of the website to refer to online stores of Partners for the purchase of the relevant goods –The purpose of the operation is to provide users of the website with the opportunity to view the goods offered and refer to online stores for the purchase of the relevant goods.
-
Data processed: IP address data;
-
Grounds for processing. 1 (f) GDPR
-
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation “Presentation of a range of products on the company’s website and use of the website’s functionalities for referral to online stores for the purchase of the relevant goods” is admissible to carry out and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR.
2. Processing of messages sent via the form and contact details on the website – is identifying the data subject as the enquirer and sending a response to an enquiry or offer.
-
Data processed two names, email
- Grounds for processing. 1 (f) GDPR, namely contacting the enquirer.
-
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation “Processing of messages sent via the form and the contact details on the website” is admissible and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR.
3. Newsletter Sending – The purpose of this operation is to administer the process of sending newsletters to customers who have requested to receive them.
-
Data processed: email.
-
Grounds for processing. (a) GDPR
-
Conclusion of the impact assessment: Given the limited scope of the personal data collected, an impact assessment of the operation is not necessary.
4. Organising and running an event or campaign – The purpose of this operation is to organise and run events, including in collaboration with external partners, and to provide prizes for games and raffles.
-
Data processed: Two names, address, phone number, email;
-
Grounds for processing. (a) GDPR.
-
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation “Organisation and organisation of an event” is admissible and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR.
5. Conclusion and execution of a contract with a partner – the purpose of this operation is the conclusion and execution of a contract with a partner and its administration. In individual cases, the purpose of the operation may also be to protect the company’s legitimate interests in the performance of the contract.
-
Data to be processed: Two names, Personal number (when issuing an invoice), address (for issuing a commercial guarantee) and telephone number (for issuing a commercial guarantee). In the case of hire purchase, identity card details are also collected.
-
Grounds for processing. (b) GDPR.
6. Conclusion and execution of an employment or civil contract – the purpose of this operation is to conduct a selection process for the appointment of employees or persons on a civil contract, the conclusion of the relevant contract and its administration and execution by the company..
-
Data processed: names, telephone number, email address and personal data contained in the CV sent;
-
Grounds for processing: 1 (b) GDPR and the subsequent processing of your personal data for the purpose of a permanent application for a position in the company is carried out on the basis of your explicit consent – Art. 6 para. 1 (a) GDPR.
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation “Conclusion and implementation of an employment or civil servant contract”
7. Submitting a product review – The purpose of this operation is to administer the process of submitting feedback from website visitors.
-
Data processed: name and email.
-
Grounds for processing. (a) GDPR.
-
Conclusion of the impact assessment: given the limited scope of the personal data collected, an impact assessment of the operation is not necessary.
Art. 5. (1) The Company shall not collect or process personal data relating to the following:
-
reveal racial or ethnic origin;
-
reveal political, religious or philosophical beliefs, or trade union membership;
-
genetic and biometric data, health data or data on sex life or sexual orientation.
(2) The Company does not collect data on persons under 14 years of age, except with the express consent of their parent or legal representative.
(3) Personal data is collected by the Company from the persons to whom it relates.
(4) The Company shall not carry out automated decision-making with data.
Storage period of your personal data
Art. 6. (1) Kendy Ltd. stores your personal data as a job applicant for a period not exceeding 6 months. After the expiry of the advertisement period or the completion of the selection, Kendy Ltd. shall take reasonable care to delete and destroy all your data without undue delay or to anonymize it (i.e. to put it in a form that does not reveal your identity), unless you give your express consent for your data to continue to be stored and processed in the future.
(2) Kendy Ltd. stores the personal data of the legal representatives of the legal entities – parties to the contract or the natural persons – partners or customers under contract with the company indefinitely, for the purpose of protecting the legitimate interest of Kendy Ltd. and fulfilling its legal obligations to state authorities and institutions.
(3) Kendy Ltd. stores the personal data of individuals who have made an inquiry through the form of the Company’s website – https://supravit.bg/ until the explicit withdrawal of the consent given by the individual.
(4) The Controller shall notify you in the event that the data retention period needs to be extended in order to comply with a legal obligation or in view of the legitimate interests of the Controller or otherwise.
(5) The controller shall keep the personal data which it is required to keep under applicable law for the relevant period provided for, which may exceed the duration of the contract.
Transfer of your personal data for processing
Art. 7. (1) The controller may, at its own discretion, transfer some or all of your personal data to processors for the performance of the processing purposes to which you have consented, subject to the requirements of Regulation (EU) 2016/679 (GDPR).
(2) The controller shall notify you in the event of an intention to transfer some or all of your personal data to third countries or international organisations..
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent to the processing of your personal data
Art. 8. (1) If you do not wish all or part of your personal data to continue to be processed by Kendy Ltd. for a specific or for all processing purposes, you may withdraw your consent to processing at any time by sending a request in free text or by filling in the form in Appendix 1.
(2) The controller may ask you to verify your identity and identity with the person to whom the data relate by requesting you to provide proof of identity on the spot.
(3) The withdrawal of consent shall not affect the validity of the processing of the personal data provided by you until the moment of withdrawal of consent.
(4) Kendy Ltd may continue to process some or all of your data if there is a legal obligation to do so or for the purposes of safeguarding its legitimate interests.
(5) Paragraph (4) shall apply to legal representatives and natural persons who are partners or clients under contract with the company.
Right of access
Art. 9. (1) You have the right to request and obtain confirmation from the Controller as to whether personal data relating to you are being processed.
(2) You have the right to access the data relating to you and the information concerning the collection, processing and storage of your personal data.
(3) The controller shall provide you, upon request, with a copy of the personal data processed relating to you in electronic or other appropriate form.
(4) Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repetition or excessive requests.
Right of correction or completion
Art. 10. You have the right to request the Administrator to:
-
correct inaccurate personal data relating to you;
-
fill in incomplete personal data relating to you.
Right to erasure (“being forgotten”)
Art. 11. (1) You have the right to request the Controller to erase some or all of the personal data relating to you, and the Controller has the obligation to erase them without undue delay where one of the following grounds applies:
-
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
-
You withdraw your consent on which the processing is based and there is no other legal basis for the processing;
-
You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no overriding legitimate grounds for the processing;
-
personal data have been unlawfully processed;;
-
the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which the Controller is subject;
-
personal data have been collected in connection with the provision of information society services.
(2) The controller is not obliged to erase the personal data if it stores and processes them:
-
to exercise the right to freedom of expression and the right to information;
-
to comply with a legal obligation requiring processing under EU or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
-
for public health reasons;
-
for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
-
for the establishment, exercise or defence of legal claims.
(3) In the event of you exercising your right to be forgotten, the Company will delete all your data, except your full name as a job applicant, for reporting purposes.
(4) The data of the legal representatives and natural persons-partners/customers under contract with the company shall continue to be stored and processed, despite a request of being forgotten, on the basis of compliance with a legal obligation of the company, to comply with the legitimate interest and the establishment, exercise or defence of legal claims.
(5) In order to exercise your right to be forgotten, it is necessary to send a request in free text or to fill in the form in Appendix No. 2 and to identify yourself with an identity document on the spot.
Right to restriction
Art. 12. You have the right to request the Controller to restrict the processing of data relating to you where:
-
contest the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;
-
the processing is unlawful, but you do not wish the personal data to be erased, but only for its use to be restricted;
-
The controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise or defence of legal claims;
-
You have objected to processing pending verification that the legitimate grounds of the Controller override your interests.
Right to portability
Art. 13. (1)If you have given your consent to the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data are processed in an automated manner, you may, after having legitimised yourself to the Controller:
-
to request the Controller to provide you with your personal data in a readable format and to transfer it to another Controller;
-
to request the Controller to transfer your personal data directly to a controller designated by you, where this is technically feasible.
(2) You may exercise your right to portability by submitting a free text request or by completing the form in Appendix 3.
Right to receive information
Art. 14. You may request the Controller to inform you of any recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. The controller may refuse to provide this information if it would be impossible or would require a disproportionate effort.
Right to object
Art. 15. You may object at any time to the processing of personal data concerning you by the Controller, including if it is processed for profiling or direct marketing purposes.
Your rights in the event of a personal data breach
Art. 16. (1) If the Controller identifies a breach of the security of your personal data that may pose a high risk to your rights and freedoms, he shall notify you without undue delay of the breach, as well as of the measures that have been taken or are to be taken.
(2) The controller is not obliged to notify you if:
-
it has taken appropriate technical and organisational measures to protect the data affected by the security breach;
-
it has subsequently taken measures to ensure that the infringement will not result in a high risk to your rights;
-
notification would require a disproportionate effort.
Persons to whom your personal data is provided
Art. 17. For the purposes of processing your personal data and the performance of the concluded contract, Kendy Ltd. may provide your data to third party processors who comply with all the requirements for legality and security in the processing and storage of your personal data.
Art. 18. The controller does not transfer your data to third countries.
Art. 19. In the event of a violation of your rights under the foregoing or applicable data protection law, you have the right to file a complaint with the Personal Data Protection Commission as follows:
Name |
Data Protection Commission |
Seat and registered address |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Address for correspondence |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Phone |
02 915 3 518 |
Website |
www.cpdp.bg |
Art. 20. You can exercise all your rights regarding the protection of your personal data by using the forms attached to this information. Of course, these forms are optional and you may make your requests in any form that contains a statement to that effect and identifies you as the data holder..
Kendy Ltd ensures that it will reference this Mandatory Information by a link to its website, by signposting or by other appropriate means to ensure that you have the opportunity to get yourself familiar with its contents.
Withdrawal of consent form for processing purposes
Your name*:
Contact details (e-mail, telephone)*:
To
Name |
Kendy Ltd. |
UIC/BULSTAT |
121068952 |
Seat and registered address |
1320 Bankya, 101 Sofia Str. |
Address for correspondence |
1320 Bankya, 101 Sofia Str. |
Phone |
+359 2 99 77 374 |
|
office@kendy.com |
Website |
https://supravit.bg/ |
☐I withdraw my consent to the collection, processing and storage of the following personal data provided by me:
☐All personal data provided by me
☐Only of this data …………………………………………………………….
for the following purposes:
☐The following purposes: …………………………………….
………………………………………………………….
☐All purposes
☐I declare that I am aware of the company’s terms and conditions for providing the service after withdrawal of consent.
In the event of a breach of your rights under the above or applicable data protection law, you have the right to lodge a complaint with the Data Protection Commission as follows:
Name |
Data Protection Commission |
Seat and registered address |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Address for correspondence |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Phone |
02 915 3 518 |
Website |
www.cpdp.bg |
Signature of the person:………………………….
Request “to be forgotten” – to delete personal data relating to me
Your name*:
Contact details (e-mail, telephone)*:
Tо
Name |
Kendy Ltd. |
UIC/BULSTAT |
121068952 |
Seat and registered address |
1320 Bankya, 101 Sofia Str. |
Address for correspondence |
1320 Bankya, 101 Sofia Str. |
Phone |
+359 2 99 77 374 |
|
office@kendy.com |
Webite |
https://supravit.bg/ |
I request that all personal data that you collect, process and store, provided by me or by third parties who are related to me, according to the indicated identification, be deleted from your databases.
I declare that I am aware that some or all of my personal data may continue to be processed and stored by the controller for the purposes of fulfilling its legal obligations.
In the event of a breach of your rights under the above or applicable data protection law, you have the right to lodge a complaint with the Data Protection Commission as follows:
Name |
Data Protection Commission |
Seat and registered address |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Address for correspondence |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Phone |
02 915 3 518 |
Website |
www.cpdp.bg |
Signature of the person:………………………….
Annex 3 – Request for portability of personal data
Your name*:
Contact details (e-mail, telephone)*:
Tо
Name |
Kendy Ltd. |
UIC/BULSTAT |
121068952 |
Registered office and registered office |
1320 Bankya, 101 Sofia Str. |
Address for correspondence |
1320 Bankya, 101 Sofia Str. |
Phone |
+359 2 99 77 374 |
|
office@kendy.com |
Website |
https://supravit.bg/ |
Please send all personal data related to me that is collected, processed and stored in your databases to:
☐e-mail:
☐Controller – receiving the data:
Name |
|
Identification number (UIC, BULSTAT, reg. number in the Commission for Personal Data Protection (CPDP)) |
|
|
|
API interface |
I request that my personal data be transmitted in the following format:
☐XML
☐JSON
☐CSV
☐Other:
I wish my personal data in the format I have chosen to be transmitted to me/the controller I have indicated:
☐To the e-mail address or via API ………..
☐On physical optical or electronic media (CD, DVD, USB) at your address
In the event of a breach of your rights under the above or applicable data protection law, you have the right to lodge a complaint with the Data Protection Commission as follows:
Name |
Data Protection Commission |
Seat and registered address |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Address for correspondence |
1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. |
Phone |
02 915 3 518 |
Webesite |
www.cpdp.bg |
Signature of the person:………………………….