Personal Data Collection and Processing Policy

Information about the personal data administrator:

Site: https://go-bg.com/; e-mail: info@go-bg.com

Personal data protection officer's contacts:

gdpr@go-bg.com

The grounds and purposes for which we use your personal data:

We collect and process your personal data on the following grounds:

• An agreement entered into between us and you in order to fulfil the obligations thereunder.
• Your personal consent – the purpose is indicated for each specific case.
• Legal requirements.

The following sections provide detailed information on how we process your personal data, depending on the grounds on which we process it.

1. TO FULFIL THE TERMS AND CONDITIONS OF THE AGREEMENT OR IN THE CONTEXT OF A PRE-CONTRACTUAL RELATIONSHIP

We process your personal data in order to fulfil contractual and pre-contractual obligations and in order to exercise the rights under agreements entered into with you.

The purposes of processing are as follows:

• identifying your identity;
• processing and execution of your application and execution of the agreement entered into;
• preparation of a proposal for the conclusion of an agreement;
• issuing and sending of an invoice for our services provided to you;
• to provide the necessary comprehensive service and collect the amounts that you owe for the use of the services provided;
• saving correspondence on the order placed, processing the application, preparing a problem report, etc.
• notification of all the peculiarities of our services that you use;
• analysis of customer history;
• to stop and/or prevent illegal actions or actions that are contrary to our terms and conditions for the provision of the services;

Data Processed by Us on This Ground.

On the basis of the agreement entered into between us and you, we process information about the type and content of the contractual relationship, as well as all other information related to the contractual relationship, including:

• personal data to contact you: postal address, email, telephone number;
• personal identification data: surname, given name, patronymic, unique citizenship number and foreigner's personal number, gender, age, permanent residence address, personal card number, passport data;
• data on orders placed;
• general service correspondence: e-mail, letters, information about your problem elimination applications, complaints, requests, statements, feedback that we receive from you;
• credit or debit card information, bank account number, or other banking and billing details in connection with payments made;

or other information:

• client number, code and other identifiers created for identification;
• the IP address displayed when you visit our website;
• demographic characteristics;
• social media profile data;
• data about your actions taken on the website.

The processing of the specified personal data is mandatory for us so that we can enter into an agreement with you and fulfil the obligations thereunder. We will not be able to fulfil our obligations under the agreement without the above data provided to us.

Sharing Personal Data with Third Parties

We share your personal data with third parties, as our main goal is to offer you high-quality, fast and comprehensive service. We do not share your personal data with third parties until we are convinced that all technical and organizational measures have been taken to protect this data. We seek to maintain strict control over the implementation of these measures. In this case, we are held liable for the privacy and security of your data.

We share personal data with the following categories of recipients (personal data administrators):

• postal operators and courier companies;
• persons who, under the contract, deal with software and hardware, maintain equipment used for processing personal data and necessary for the operation of the company;
• persons providing advising services in various areas

When the collected data is deleted.

We delete the data collected on this ground 2 years after the termination of the contractual relationship, regardless of the expiration of the agreement or its termination on other grounds.

COMPLIANCE WITH REGULATORY OBLIGATIONS

It is important that the law obliges us to process your personal data. We are obligated to collect and process your personal data in connection with, for example:

• our obligations under the Anti-Money Laundering Act;
• the fulfilment of obligations for remote sale of services and sales outside the retail facility, which are provided for by the Consumer Protection Act;
• the need to provide information to the Commission for Personal Data Protection in connection with the obligations under the Consumer Protection Law;
• the provision of information to the Commission for Personal Data Protection in connection with the obligations provided for by the regulatory instruction on the personal data protection;
• the obligations provided for by the Accounting Law, the Tax and Insurance Procedure Code and other related statutory instruments on accounting in accordance with applicable law;
• the need to provide information to the court and third parties in the course of legal proceedings in accordance with the requirements of statutory instruments;
• the requirement to define the age of the buyer when they buy goods and services online.

When Personal Data Collected in These Cases is Destroyed.

We destroy the data collected in accordance with the obligations established by law after the obligation to collect and store personal data is fulfilled or the need for personal data disappears. For example:

• according to the requirement of the Accounting Act, the requirements for storage and processing of accounting data, after 11 years;
• in accordance with the obligation to provide information to the court, competent public authorities and on other grounds provided for by the current legislation, after 5 years.

Sharing Data with Third Parties.

We can share your personal data with the competent public authorities, a certain individual or legal entity subject to the obligations provided for by law.

2. WITH YOUR CONSENT.

We process your personal data on this ground only with your direct, unambiguous and voluntary consent to the collection and processing of personal data. We do not expect any adverse consequences for you if you refuse to process your personal data.

Personal consent is a separate ground for the processing of your personal data, it should indicate the specific purpose of processing this data. Consent shall not be automatically given based solely on the purposes listed in this policy. If you give us your respective consent, then we will prepare offers for products/services that are suitable for you and will conduct an in-depth analysis of your basic personal data on the basis of such consent until you revoke your consent or until termination of all contractual relations with you.

In-depth analysis is a method of analysis that allows processing of large amounts of data using statistical models, algorithms and other methods that include both the use of personal data and processes for personal data pseudonymising and anonymising in order to obtain information about trends and various statistical indicators.

The Data We Process on This Ground.

In this case, we only process the data for which you have given us your personal consent to process. Specific data are determined in each individual case. As a rule, these are data about name, email, phone number, gender and age.

Sharing Data with Third Parties.

We may share your data on this ground with public authorities, banking institutions, marketing agencies, Facebook, Google or other similar services.

Withdrawal of Consent.

You may withdraw your consent at any time. Withdrawal of consent does not affect the fulfilment of the contractual obligations. If you withdraw your consent to the processing of personal data for use in some or all of the options described above, we will not use your personal data and information for the above purposes. Withdrawal of consent does not affect the legality of processing based on this consent until the withdrawal of consent.

In order to withdraw this consent, you only need to use our website or just our contact information.

When the Data Collected on This Ground is Deleted.

We will delete the data collected on this ground at your request or 12 months after it was originally collected.

PROCESSING OF ANONYMISED DATA.

We process your personal data only for statistical purposes, that is, we use it in carrying out analyses, as a result of which only aggregated and therefore anonymous data appears. It is not possible to identify a specific person using this information.

Your data can also be anonymized. Anonymization is an alternative to data deletion. When anonymizing, all personal data that allow identifying you are destroyed without the possibility of recovering this data. There is no legal requirement for the mandatory deletion of anonymized data, since it does not contain anyone's personal data.

Why and How We Use Automated Algorithms.

To process your personal data, we use partially automated algorithms and methods in order to continuously improve the quality of our products and services, to adapt them to your needs in the best possible way. This process is called profiling.

How We Protect Your Personal Data.

To ensure adequate protection of the data of the company and its customers, we take all the necessary organizational and technical measures provided for by the Personal Data Protection Act.

The company has developed rules to prevent abuse and security issues and has assigned a data protection officer who is responsible for ensuring the safety and security of your personal data.

In order to achieve maximum security when processing, transferring and storing your personal data, we may use additional protection mechanisms such as encryption, pseudonymisation, etc.

Personal Data Shared by Third Parties.

We receive various data from the following third parties: social media, advertising and marketing service providers.

3. Consumer Rights.

Each consumer using the website is granted all rights to protect their personal data in accordance with the Bulgarian law and the European Union law.

The consumer can exercise these rights by filling in a contact form or by sending a message to our e-mail.

Every consumer has the right to:

• be informed (in connection with the processing of their personal data by the administrator);
• access to their own personal data;
• correction of their personal data (if the data is inaccurate);
• deletion of personal data (the right to "be forgotten");
• restriction of data processing by the administrator or the person who processes personal data;
• transfer of personal data between individual administrators;
• objection to the processing of their personal data;
• the data subject has the right not to be the subject of a decision based solely on automated processing, including profiling, which leads to legal consequences for the data subject or similarly affects it to a significant extent;
• the right to legal or administrative defense in the event that the data subject's rights have been violated.

 

The consumer may request the deletion of their personal data if one of the following conditions is met:

• personal data are no longer needed for the purposes for which they were collected or otherwise processed;
• the consumer withdraws their consent, on which the data processing is based, and there is no other legal ground for the processing;
• the consumer objects to the processing of the data, and there is no legal ground for processing that takes precedence;
• personal data has been processed unlawfully;
• personal data must be deleted in order to comply with legal obligations under the European Union's law or a member state's law that applies to the administrator;
• personal data was collected in connection with the offer of information community services directly to children and consent was given by persons who bear parental responsibility for the child.

The consumer has the right to restrict the processing of their personal data by the administrator:

• in order to challenge the accuracy of the personal data, and in this case the processing shall be limited for a period that allows the administrator to check the accuracy of the personal data;
• if the processing is unlawful, but the consumer does not want the personal data to be deleted, but instead demands to restrict their use.
• when the administrator no longer needs your personal data for processing purposes, but the consumer requires them to file, implement or defend legal claims;
• in case of an objection to the processing pending verification whether the administrator's legitimate grounds prevail over the interests of the consumer.

Right to Data Portability.

The data subject has the right to receive the personal data that concerns them and which they have provided to the administrator in a structured, widely used and machine-readable format, and has the right to transfer this data to another administrator without any hindrance from the administrator to whom the personal data was provided, when the processing is based on personal consent or contractual obligations and the processing is carried out in an automated way. When exercising the right to data portability, the data subject has the right to receive and directly transfer personal data from one administrator to another, if technically feasible.

Right to Object.

Consumers have the right to submit objections to the processing of their personal data to the administrator. The controller of personal data must stop processing, unless it proves that there are compelling legitimate grounds for processing that take precedence over the interests, rights and freedoms of the data subject, or for the filing, implementation or defence of legal claims. Upon receipt of an objection to the processing of personal data for their use for direct marketing purposes, the processing should be stopped immediately.

Complaints to Supervisory Authorities.

Every consumer has the right to file a complaint against the illegal processing of their personal data with the Commission for the Personal Data Protection or a competent court.

Maintaining the Register.

We maintain a register of processing activities for which we are responsible. This register contains all of the following information:

• the administrator's name and contacts;
• the purposes of the processing;
• a description of the categories of data subjects and categories of personal data;
• the categories of recipients to whom personal data is or will be disclosed;
• including recipients in third countries or international organizations;
• if possible, the time frames provided for the deletion of various categories of data;
• if possible, a general description of the technical and organizational security measures.