This Personal Data Protection Policy, hereinafter referred to for brevity as the "Policy", governs the processing of personal data and the related processes that are carried out within and by ASANSIORI - BG Ltd., EIK 206716300, hereinafter referred to for brevity as the "Company", with registered seat and management address: city of Sofia, Vitosha district, 131A Belovodski Pat Street, represented by Ivaylo Mihaylov Milenov, in his capacity as manager.
1. Personal data is any information relating to an identified natural person or a natural person who can be identified (data subject); a natural person who can be identified is a person who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Controller is the Company, where it alone or jointly with others determines the purposes and means of the processing of personal data. The Company shall not be a controller where it acts as a processor of personal data.
3. Processor of personal data means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
4. Recipient of personal data means a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. The notion does not include public authorities which may receive personal data within the framework of a particular remit in accordance with the law of the Republic of Bulgaria or of the European Union. Recipients of personal data are also the processors of personal data of the Company, as well as the persons from third countries receiving personal data by virtue of a transfer of personal data.
5. A filing system of personal data means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
6. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
7. A personal data security breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
8. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
9. Other notions – where notions are used in this Policy whose meaning is not clarified in this section and the possible recital with respect to the relevant meaning, they shall be interpreted and construed in accordance with the applicable normative acts.
When processing personal data, ASANSIORI - BG Ltd. complies with all normative acts on personal data protection applicable to its activity, including, but not limited to, Regulation (EU) 2016/679 (the "Regulation") and the Personal Data Protection Act, because for us the security of the personal data of our users is of paramount importance.
When processing personal data, the Company observes the principles set out below:
1. Lawful, fair and transparent processing of personal data. In order to comply with the principle of lawfulness of the processing of personal data, at least one of the following conditions must be met:
1.1. the data subject has given consent to the processing of their personal data for one or more specific purposes;
1.2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
1.3. processing is necessary for compliance with a legal obligation to which the Company is subject;
1.4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
1.5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
1.6. processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2. Transparency – The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
Personal data is collected by the Company in accordance with the rules set out in this Policy.
3. Processing of personal data for specified, explicit and legitimate purposes. – Personal data is not further processed in a manner that is incompatible with the above-mentioned purposes. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Security and protection of personal data – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. Maintaining the accuracy of personal data – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay, having regard to the purposes for which it is processed.
6. Retention of personal data for a period no longer than is necessary for the purposes for which the data is processed – the Company stores personal data in a form which permits identification of the data subject for a period no longer than is necessary for the purposes for which the personal data is processed.
7. Where the Company processes personal data for purposes other than those for which the personal data was initially collected, and where such processing is not based on the data subject's consent or on the law of the Republic of Bulgaria or of the European Union, the Company ascertains that the processing for other purposes is compatible with the purpose for which the personal data was initially collected, taking into account any link between those purposes and the purposes of the intended further processing, the context in which the personal data was collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to the further use of the personal data, the nature of the personal data, the consequences of the intended further processing for data subjects and the existence of appropriate safeguards in both the original and the intended further processing operations, pursuant to recital 50 of the Personal Data Protection Regulation and the existence of appropriate safeguards, including encryption and pseudonymisation, where the latter is applicable.
8. Accountability – The Company is responsible for, and is able to demonstrate compliance with, the above-mentioned principles.
The Company processes the personal data of clients who have submitted a request regarding an elevator service sought by them and provided by a contractor.
The Company processes the personal data of its clients insofar as is necessary for:
– the arising of a legal relationship, the performance of an obligation or the exercise of a right under a legal relationship that has arisen;
– after termination of the legal relationship, where some or all of the processing activities are imposed on the Company to be carried out by virtue of the law or for the purposes of resolving a legal dispute;
– other grounds provided for in a normative act.
The Company guarantees that all of its clients who receive personal data from the Company by virtue of a legal relationship will ensure at least a minimum level of protection of the personal data.
In carrying out its activity, the Company processes the following data:
● first name and surname;
● address;
● telephone number;
● email;
● subscription number.
Any person who can be identified on the basis of information held by the Company shall be considered a personal data subject. The grounds on which the Company may process personal data are as follows:
1. Consent
Where the Company processes personal data by virtue of the consent given by the personal data subject, the latter must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous statement of consent on the part of the data subject to the processing relating to their personal data. For these purposes, the Company may use:
· a written declaration;
· a declaration submitted electronically;
· ticking a box when visiting the Company's website;
· choosing technical settings;
· another statement which clearly indicates that the data subject agrees to the proposed processing of their personal data.
The Company will not consider silence, pre-ticked boxes or inactivity to constitute consent.
Consent shall cover all processing activities carried out for the same purpose or purposes. Where the processing pursues multiple purposes, the Company will need to have obtained consent for all of them. If the data subject's consent is to be given following an electronic request, the Company will send a clear request which is concise and does not unnecessarily disrupt the use of the service for which it is intended.
If the data subject's consent is given in the context of a written declaration which also concerns other matters, the Company will present the request for consent in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal. Prior to giving consent, the Company informs the data subject thereof. The Company ensures that it is as easy to withdraw consent as it is to give it.
The Company will have the right to process personal data where it is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
2. Legal obligation
In the event that one or more legal obligations exist which apply to the Company in its capacity as controller, the Company will have the right to process personal data for the performance of a specific legal obligation.
3. Vital interests
The Company will have the right to process the personal data of the personal data subject in the event that it is necessary in order to protect the vital interests of the data subject or of another natural person.
4. Task in the public interest
If the processing is necessary in order to perform a task carried out in the public interest, the Company will have the right to process the personal data for the purposes of the specific task.
5. Legitimate interests
For the purposes of the legitimate interests of the Company, it will have the right to process the personal data of specific personal data subjects, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data, in particular where the data subject is a child.
In accordance with this Policy and the applicable European and national legislation on personal data protection, the data subject has the following rights:
1. Right to be informed.
Where the personal data has not been obtained from the data subject, the controller provides the data subject with the following information:
● the data identifying the Company as data controller and its contact details;
● the purposes of the processing for which the personal data is intended, as well as the legal basis for the processing;
● the relevant categories of personal data;
● the recipients or categories of recipients of the personal data, if any;
● the period for which the personal data will be stored;
● the existence of the right to request from the controller access to, rectification or erasure of personal data relating to the data subject, or restriction of processing, and the right to object to processing, as well as the right to data portability;
● the right to lodge a complaint with a supervisory authority;
● the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
Where the Company intends to further process the personal data for a purpose other than that for which it was collected, it provides the data subject, prior to that further processing, with information on that other purpose and any other necessary information, as set out above.
The data subject has the right to obtain confirmation as to whether their personal data is being processed, access to it and information regarding the manner of its processing and their rights in connection therewith. Such access may be exercised at any time by completing an online request, which is posted on the Company's website.
3. Right to rectification.
The data subject has the right to request the rectification of their personal data in the event that it is incomplete or inaccurate. The said right may be exercised at any time by completing an online request, which is posted on the Company's website.
3. Right to erasure (the "right to be forgotten").
The data subject has the right to request the erasure of data, except in cases where there is a substantial ground and/or legal obligation for its processing.
In order to ensure the reliability of the services and to safeguard against data loss for technical reasons, a data redundancy policy is applied on the Site. The maximum period for updating (erasure of data) from all backup copies is 30 days.
4. The data subject has the right to request the restriction of the processing of personal data where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
b) the processing is unlawful but the data subject does not wish the personal data to be erased and requests the restriction of its use instead;
c) the Company no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise or defence of legal claims;
d) the data subject has objected to the processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such data shall, with the exception of its storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or for reasons of important public interest of the Union or of a Member State.
Where a data subject has requested the restriction of processing, the Company informs them before the restriction of processing is lifted.
5. Right to notification of third parties.
Where applicable, the data subject has the right to request that the Company notify the third parties to whom it has disclosed the data subject's personal data, with regard to the rectification, erasure or restriction of processing.
6. Right to data portability.
The data subject has the right to receive the personal data concerning them which they have provided, in a structured, commonly used and machine-readable format, and has the right to transmit that data to another controller without hindrance from the Company, in the event that the processing is based on consent or a contractual obligation or the processing is carried out by automated means.
7. Right to withdraw consent.
The data subject has the right, at any time, to withdraw the consent they have given in connection with the processing of personal data on the basis of their consent. Such withdrawal does not affect the lawfulness of processing based on the consent given prior to its withdrawal.
8. Right to object.
The data subject has the right to object with respect to data processed on the basis of a legitimate interest.
In the event of such an objection being received, the Company will examine the request of the personal data subject and, if it is well-founded, will comply with it. If the Company considers that there are compelling legitimate grounds for the processing or that it is necessary for the establishment, exercise or defence of legal claims, it will inform the data subject thereof.
9. Right to lodge a complaint with a supervisory authority.
The data subject has the right to lodge a complaint with the supervisory authority if they consider that the processing of personal data relating to them infringes the applicable personal data protection legislation. The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection, with address: city of Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
In order for the data subject to exercise the above-mentioned rights, with the exception of the right to lodge a complaint with a supervisory authority, it is necessary to complete a request – template, posted on the Company's website.
In the event that the data subject exercises these rights manifestly unfounded or excessively, in particular because of their repetitive character, ASANSIORI - BG Ltd. reserves the right to charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or to refuse to act on the request.
ASANSIORI - BG Ltd. collects, uses and processes the information described above for the purposes provided for in this Policy, which may be connected to/with:
a. Actions preceding the arising of a legal relationship;
b. Performance of the legal relationship;
c. Termination of the legal relationship;
d. Fulfilment of legal requirements in connection with the storage, reporting and transmission of documents containing personal data and related to the terminated legal relationship.
e. Where personal data is processed for the purposes of the legitimate interest of the Company, the actions which the Company carries out consist in the storage and analysis of the personal data for the purposes of actions preceding the arising of a potential legal relationship, as follows:
• to consider and process a request for the performance of repair activity connected with the provision of an elevator service; for the submission of enquiries by completing an online form.
Personal data is kept and stored by the Company on paper and/or electronic information media. When storing personal data on a technical medium, the policies and procedures of the Company, respectively those of the personal data processor for information technology (IT) security, are observed.
In storing data, the Company applies the general principle of storing data in a minimal volume and for a period no longer than is necessary for the performance of the contracts, ensuring their security and reliability, and the requirements of the law.
| Types of data | Storage period | Explanations |
| Registration data (such as full name, email address, contact telephone) | For the entire period of the concluded contract and up to 5 /five/ years from the termination of the contract | |
| Cookies | Up to 6 /six/ months from the last use of the Services | For a description of the cookies used, see the "Cookies Policy" |
In the event of a legal dispute or proceedings arising which require the retention of data and/or a request from a competent state authority, the retention of data for a period longer than those indicated may be possible until the final conclusion of the dispute or proceedings that have arisen before all instances. The indicated periods may be changed in the event that a different requirement for the retention of the information is established in accordance with the applicable legislation.
Redundancy (Backup). In order to ensure the reliability of the Services and to safeguard against data loss for technical reasons, a data redundancy policy is applied on the Site. The maximum period for updating (including erasure of data) of all backup copies is 30 days.
The Company discloses personal data to third parties by virtue of a legal ground. The Company may disclose personal data to:
– State authorities – where there is a legal obligation and a request for disclosure, where the disclosure is required for the purpose of fulfilling one or more legal obligations or in another case provided for by legislation.
– State authorities for the purposes of criminal proceedings – where the Company is obliged by law enforcement authorities to provide personal data for the purposes of instituting criminal proceedings or in the case of criminal proceedings that have already been instituted, regardless of their nature. Disclosure in this case must be within the framework and limitations provided for in the applicable legislation.
– Disclosure to other controllers – Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They determine in a transparent manner their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information, by means of an arrangement between them, except where, and in so far as, the respective responsibilities of the controllers are determined by Union law or the law of a Member State to which the controllers are subject. The arrangement may designate a contact point for data subjects. The above-mentioned arrangement duly reflects the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement is made available to the data subject. Irrespective of the terms of the above-mentioned arrangement, the data subject may exercise their rights in connection with the protection of personal data in respect of and against each of the controllers.
– Disclosure to processors of personal data – where processing activities are assigned to the processor, the controller must use only such processors of personal data as provide sufficient guarantees that they will implement technical and organisational measures which meet the requirements of this Regulation, including the requirements for the security of processing. The processor of personal data does not engage another processor of personal data without prior specific authorisation of the Company. In the case of general written authorisation from the Company, the processor always informs the Company of any intended changes concerning the addition or replacement of other persons processing data, thereby giving the Company the opportunity to object to such changes.
All employees of the Company are responsible for ensuring the lawful processing and/or protection of personal data. The employees of the Company who are processors of personal data and to whom the actions for the processing of personal data are assigned are users (recipients) of the personal data. Users have authorised access to the specific personal data filing system(s) maintained by the Company that is necessary for the performance of their duties. Employees exchange personal data among themselves while observing the principles for the protection of personal data laid down in this Policy.
ASANSIORI - BG Ltd. is not liable for the truthfulness of the data provided by the data subject, does not carry out checks in this regard and does not guarantee the actual identity of the natural persons who provided the data. In all cases of doubt on the part of the data subject, of established fraud and/or abuse, the Company must be notified immediately. The data subject undertakes, when providing any information on the Site, not to infringe the rights of other persons in connection with the protection of their personal data or their other rights.
With a view to ensuring the best possible protection of data, the Company applies all necessary organisational and technical measures provided for in the General Data Protection Regulation and the Personal Data Protection Act, as well as the best practices from international standards.
For maximum security in the processing, transmission and storage of personal data, the Company may use additional protection mechanisms such as encryption, pseudonymisation, etc.
In the event of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data which is transmitted, stored or otherwise processed in a manner other than that provided for in this Policy, a security breach will be present. With a view to ensuring the realisation of the rights of the personal data subject enshrined in European and national legislation, as well as in fulfilment of the Company's obligations in its capacity as a controller of personal data, the Company adopts the relevant internal rules in which the measures to be taken in the event of a personal data security breach are described in detail.
The use of cookies is necessary for the functioning of the Site. In connection with this, a "Cookies" Policy has also been adopted. The processing of personal data collected through the tracking of internet usage is carried out in accordance with the Cookies Policy.
