Protection of personal data
All personal data, collected from this site, are processed exclusively, solely and only for the needs of Rosbul Arm” Ltd.
Any questions or requests regarding your personal data can be directed to our data protection officer at: dataprotection@oragie.net.
PERSONAL DATA PROTECTION POLICY OF "ROSBUL ARM" LTD
In fulfillment of the obligations laid down in the Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) of the European Parliament and the Council from 27 April 2016 and the Personal Data Protection Act, "Rosbul Arm" EOOD, EIC: 121536792 hereinafter referred to as "Rosbul Arm" and/or "Administrator" has accepted this Privacy Policy. With the information provided below, we aim to explain to you how and why we process your personal data, how long we will store them, to whom we may pass them on, as well as what protection measures we have taken. The policy applies to all types of personal data processing, as in our stores, as well as when registering, sales and service through our online store.
- Information about the Data Controller
"Rosbul Arm" EOOD is a company, registered in the Commercial Register at the Registration Agency with EIK 121536792, with registered office and address of management: city. Sofia, 1592, Iskar district, zh.k. Company I, bl. 183 – ground floor, language: 028790099; e-mail: rba@oragie.net In view of Rosbull Arm's serious attitude and high concern for data protection, We have appointed a Data Protection Officer, hereinafter referred to for short as "DPL". The contact details of the Data Protection Officer are:: dataprotection@oragie.net. When processing personal data, We strictly follow the following basic principles, namely:
- Legality, integrity and transparency;
- Limitation of purposes of processing;
- Relevance to the purposes of the processing and minimization of the data collected;
- Accuracy and timeliness of data;
- Limitation of storage with a view to achieving the objectives;
- Integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.
- Personal data
When providing our services and selling goods, we collect personal data of different categories of customers (data subjects), which can be summarized in the following groups:
- Individuals, using our services as a service or buying our products;
- Relatives of our customers upon registration;
- Individuals involved in various surveys, campaigns, tournaments, including on social networks;
- Individuals for direct marketing purposes;
- Legal representatives of other trading companies-partners;
- Visitors to our sites.
Description of the personal data collected and processed, can be found below. Where there is a contractual or legal obligation, we must comply with it and process your personal data. In case, that such an obligation exists and you do not provide us with the required data upon request, We may not be able to enter into or perform the contract, or our legal obligation.
III. Objectives, legal basis and storage periods
- General conditions
1.1. Objectives
The data, that we collect from and for you, we use for the purposes of:
- Providing our services and selling our products;
- Organizing campaigns, studies, games and competitions;
- Offering quality customer service and responding to inquiries;
- To comply with the law or legal obligations and/or to respond to requests from public and government authorities;
- Analyzing and improving our services and products;
- Exercising or preserving our legal rights and interests;
- Managing our social networks;
- Promotion of our services and products.
1.2. Legal grounds
The legal grounds, on the basis of which we process personal data alternatively are:
- Fulfillment of statutory obligations;
- Conclusion and execution of a contract, including pre-contractual relations;
- Existence of legitimate interest;
- Protection of your vital interests;
- Yours truly, specific and unequivocal consent.
1.3. Storage periods
We will only keep your personal data for so long, as necessary, to fulfill the objectives, for which we have collected and described them in this Policy. When determining the data storage period, we take into account their kind, volume, the potential risk of harm from unauthorized use or disclosure, as well as regulatory requirements. In many cases, we will comply with the statute of limitations for filing certain claims under Bulgarian legislation, as the longest ones are 10 years. The retention period for video surveillance data is described in our video surveillance privacy notice. In all cases, we take measures to restrict access to personal data at appropriate stages, in view of the current processing of the data and the relevant purposes.
- Specific types of data processing, the legal bases and storage periods are described in the table below, namely:
Types of processing | Data processed | Legal basis | Term of processing |
Opinions and questions about our products, | Names, email address and data | Processing is in progress | Data is stored for a period |
Services from our workshops | Names, delivery address, | Processing is carried out on | Data is stored for a period |
Organization of sports events | Names, email address, date of birth, | Processing is in progress | Data is stored for a period |
Create a loyalty card | Names, EGN (if you wish to issue invoices), | Processing is in progress | Data is stored for a period |
Online ordering of goods | Names, delivery address, email address | Processing is in progress | Data is stored for a period |
Issuance of invoices | Names, Social security number and address | Processing is in progress | Data is stored for a period |
Send a personalized newsletter | Names, email address, history | Processing is in progress | Data is stored until 2 |
Using the free | Names, email address, | Processing is in progress | Data is stored until 12 the month, |
Some of the processed personal data may be stored for a longer time in cases, when the data is needed as evidence of specific relationships; for a committed crime or irregularity, as well as in court or complaint proceedings until their final resolution.
We may use anonymized information or information, which no longer allows you to be identified as a specific natural person after the storage periods described above.
- Sharing of Personal Data
The administrator does not provide personal data to third parties, before it is guaranteed, that all technicalities are taken, organizational and legal measures to protect this data, and that there is a valid legal basis. We may need to share your personal data with parties, specified below:
- Within our Rosbull Arm group of related companies – on the basis of our legitimate interest to administer and report on our activities. If another legal basis is needed, the same will be provided, before data transfer;
- Service providers – in their capacity as processors of personal data. These can be law and accounting firms, auditors, couriers, carriers, hosting company, IT service providers, system administration, couriers, mobile operators, insurers, event organizers, as well as in cases where you apply for the purchase of goods on payment through "TBI Bank" EAD and others. We conclude contracts with them, which guarantee the security of your data;
- Public bodies – the provision of personal data is in some cases mandatory, to comply with our legal requirements and in this connection we provide information to: public and municipal bodies, ministries, NAA, NOAH, CPC, CCP, and other regulatory bodies and commissions.
- Automated decision making
We do not use tools for automated decision-making and/or profiling when carrying out our activity.
- Security
Data security, that you have entrusted to us is very important to us. To ensure adequate data protection of its customers, we implement all necessary organizational and technical measures, provided for in the legislation, as well as best practices from international standards. In this connection, at Rossbull Arm, we have taken measures to protect your personal data from accidental loss and unauthorized access, use, change or disclosure. Policies and procedures are in place, designed to protect information from loss, misuse and wrongful disclosure. We also take additional information security measures, including access control, strict physical protection and reliable collection practices, storage and processing of information. Some of the applied measures are:
- Protection of collected personal data from unreasonable use and traces of their processing;
- Adoption of strict policies and procedures, applicable to our staff to minimize the risks of processing personal data;
- Control of access to personal data based on a matrix of obligations;
- Periodic staff training in connection with the protection of personal data.
VII. Data transfer, outside the EU
When carrying out our activity, we may transfer your data outside the European Union, but in all cases we will provide an adequate level of protection or appropriate guarantees and legal grounds for doing so. If it is necessary to transfer data to "another country", we guarantee, that prior to such transfer, the necessary level of data protection is ensured in the relevant third country or with the recipient in that third country. This may be based on consent, permission from a supervisory authority, mandatory corporate rules or a decision of the European Commission regarding the adequate level of data protection in a particular third country as a whole. As an alternative, data transmission may be based on. Sun. "EU Standard Contractual Clauses", agreed with the recipient (when new ones are approved by the EU) or if the recipients are in the US, on the basis of the EU-US Privacy Shield. Upon request, we will be happy to provide you with further information on suitable and appropriate safeguards to maintain an appropriate level of data protection.
VIII. What are your rights regarding personal data?
According to European and local legislation, depending on the legal basis, You have the following rights in relation to your personal data:
- Right of access: You have the right to receive confirmation as to whether personal data is being processed, related to you, and if that is the case, to access the data and information, related to them, as well as a copy of these data, if that is possible;
- Right to rectification: You may require us to correct inaccurate personal data, related to you, completing incomplete personal data, related to you;
- The right to delete personal data (right "to be forgotten"): you have the right to request deletion of your personal data, but as long as there are grounds for it;
- Restriction of processing: To the extent that the legal conditions are met, You can request us to restrict the processing of personal data, relating to you;
- Right to object: You are right, at any time and for any reason, related to the specific type of processing, of objection to the processing of personal data on the basis of legitimate interest. If on this basis we process your data for direct marketing purposes, then we are obliged to terminate the processing;
- Right to data portability: If we process personal data on a contractual basis or based on your consent, You may request that the personal data you provide be received by you in a structured manner, widely used and machine-readable format and/or pass them on to another personal data controller;
- Right to object to automated individual decision-making, including profiling;
- Right to withdraw consent: In case we process personal data on the basis of your consent or express consent, You have the right to withdraw your consent at any time, without prejudice to the lawfulness of data processed on the basis of consent, before it is withdrawn;
- The right to appeal to the supervisory body - CPLD (Sofia 1592, is it. "Prof. Tsvetan Lazarov" №2 or www.cpdp.bg).
You should note that not all of the above rights are absolute and may not always apply, there may be exceptions. In response to a request, you need to confirm your identity and/or provide additional information, which will help for a better and complete understanding of your request.
- How you can exercise your rights?
Any one of the rights provided for in the law can be exercised by submitting a request to exercise the corresponding right. Requests to exercise the rights of personal data subjects may alternatively be submitted in any of the following ways:
- By email to the following email address: dataprotection@oragie.net.
- In person at the following address: Sofia city 1592, Iskar district, zh.k. Company I, bl. 183 – Paterer, The request to exercise personal data rights should contain the following information:
- Identification data of the subject - names and social security number;
- Feedback Contacts - Address, telephone, e-mail;
- Request - description of the request.
Rossbull Arm provides information on actions, taken in connection with a request to exercise your rights, within one month of receiving the request. If necessary, this period can be extended by another month, taking into account the complexity and number of requests. Rossbull Arm will inform you of any such extension within one month of receiving the request, indicating the reasons for the delay. The information provided in connection with the exercise of the data subject's rights is provided free of charge, except in case of abuse of the granted rights. Then, we may charge a reasonable fee based on our administrative costs, necessary to provide the information. We may request the provision of additional information, required to verify your identity, when there are concerns regarding the identity of the natural person, which submits a request. When exercising your rights through a proxy, it should be expressly authorized to us. Rossbull Arm has no obligation to respond to a request, in case it is unable to identify the data subject. When the request is submitted by electronic means, if possible, the information is provided by electronic means, unless you have specifically requested otherwise, but subject to compliance with the requirements of the Labor Code.
Policy Update
This policy is subject to change by Rosbull Arm, as last updated on 10.05.2023 Mr. Any future changes or additions to this policy will be duly updated and posted on our Oragie.Net page