DAS SHOPPING CENTER BURGAS EOOD, UIC 207600366, (“The Company”) with seat and address of management: 24 Acad. Metodi Popov Str., Izgrev Municipal district, 1113 Sofia, email: info@burgasplaza.bg.
The Company is owner of Burgas Plaza Mall (“The Commercial Center”), with address 31, Transportna Street, Burgas.
The Company being a personal data controller collects and process information about natural persons. Personal data are the information related to an identified or identifiable natural person. Personal data protection in the course of data processing is of foremost importance for the Company.
The present policy for personal data protection (“The Policy”) is part of “The rules and procedures for personal data protection” of the Company as it regulates the manner of processing and storage of personal data for compliance with the applicable legislation. Access to the full text of the rules, policies, instructions and registers can be gained at the Commercial Center's reception desk or personal data processor, stated below.
I. Personal data processing
The Company process personal data, collected in the course of managing the Commercial center (under relations with lessees, organizing advertising games and campaigns, inquiries by visitors of the Commercial center, relations with suppliers and subcontractors), as well as under signing of labor or mandate contracts with the employees/mandataries.
The rules of the applicable legislation for personal data protection are implemented by the Company whether data are processed electronically or on paper. For the compliance of the personal data processing with the applicable legislation, personal data are collected and used for a particular purpose, they are stored safely and the Company takes the necessary organizational and technical measures for preventing breach of the data security.
The Company process personal data for the following purposes:
1. In regard to the types of personal data of the persons - visitors of the Commercial center/ of the internet page of the Commercial center, they include data for the purpose of communication (name, phone number, email, IP address), as well as data such as video images and photos from advertising games and campaigns for the following purposes:
• information about product advertising and handing over a prize in relation to advertising games and campaigns- data are processed by virtue of the explicit consent given by the data subject. More information about the games and the discount promotional campaign is provided for each game by the conditions for participation ("Official Rules"). If the data subject does not provide his/her personal data, this may result in restrictions for him/her to exercise his/her rights in relation to the participation in the games and the receipt of prizes;
• promoting the Commercial center by publishing photos from games and campaigns including photos of the winners- these data are processed by virtue of an explicit consent by the data subject;
• guarding and maintenance of the order and the proprietorship of the Commercial center- video surveillance is performed on the grounds of the legitimate interest of the Company, as the latter does not include face recognition or any other automatic recognition of the data subjects;
• performing marketing activities such as distribution of newsletters and offers on the grounds of the legitimate interest of the Company for direct marketing, insofar an objection by the data person has not been submitted;
• for detection of breach or other irregularities on the internet page, as well as for security reasons- obligations of the Company in the field of personal data security and the legitimate interest for breaches and irregularities removal.
2. In regard to the natural persons- employees of the Company, their data are processed for the purpose of physical identification and for communication (name, PIN, phone number, email, address), as well as for information about education, employment status, employment experience, medical status and marital status, as the data are collected by virtue of a contract and under statutory obligation for collection of such information, for the following purposes:
• conclusion, execution and termination of a contract,
• performance of accounting services in relation to the contract,
• exercising the rights and protection of the legitimate interests in relation to the contract.
3. In regard to the natural persons- lessees, contractors, suppliers and subcontractors, as well as the natural persons who represent companies which act in the above-mentioned capacities, their data are processed for the purpose of communication (name, phone number, email, address), as well as for information about education, professional experience, as the data are collected by virtue of a contract and under statutory obligation for collection of such information, for the following purposes:
• conclusion, execution and termination of a contract,
• performance of accounting services in relation to the contract,
• exercising the rights and protection of the legitimate interests in relation to the contract.
4. In regard to the natural persons - shareholders, related persons, members of the board of directors, their data are processed for the purpose of physical identity and communication for exercising the rights of the persons and of the Company under the Commercial Law.
Personal data are processed on paper or electronically. Prior to the collection or as of the moment of data receipt, the natural persons are notified for the provisions of the present Policy. The Company does not process personal data of persons under the age of 16 years without the explicit consent of their parent/s.
Where the personal data are collected on the grounds of an explicit consent given by the data subject, the consent may be withdrawn in the manner in which the latter is given- by filling the sample for respond on the present web page with free-text request for termination of personal data processing for the purposes specified by the data subject (provided that the consent had been given via internet page), or by filling a sample for consent withdraw, which sample may be obtained at the reception of the Commercial center, provided that the consent had been given via written statement of consent.
The consent for processing of personal data (names, e-mail, etc.) disclosed in the contact form on the website shall be documented by pressing a check box in the contact form, as well as the user shall declare by pressing a check box that the latter is familiar with the data protection rules, the user is informed about the rights regarding the personal data protection and that the latter is an adult. The Company shall keep the data subjects’ consents for the processing of personal data in electronic form.
II. Log files, “Cookies”, Web analytics and social media
1. Log files
Each click in the web browser by the person transfers a particular information, stored by the Company in log files. This information is kept for short term for the purpose of detection of irregularities, as well as for security reasons. Log files, which are supported for evidentiary purpose, shall not be erased until the particular accident (an attempt for or breach of data security) is fully resolved, as they may be handed over to the investigative bodies. The Log files are used for the purpose of analytics, as well (without IP address or with shortened one).
In the log files the following information is stored:
- IP address (internet protocol address) of the device used for access to the website of the Company;
- the name of the loaded files or information;
- date and time, as well as the length of stay on the website;
- data transfer rate;
- Operating system and information about the web browser, including the installed add-ons (e.g. Flash Player).
2. “Cookies”
“Cookies” are small text files that are saved on the computer used by the data subject, when the latter visits a website. If you have access to this website at any other time, the browser sends back the content of the “cookies” to the respective offeror, thus allows re-identification of the device.
When the websites of the Company are visited, the data subject is asked in the cookie layer pop up whether to allow the “cookies”, which are in the website, or to block/deactivate them in the settings.
In the event that “cookies” are blocked, an opt out “cookie” is saved on the browser. This “cookie” serves only for the purpose of activating the objection of the data subject. Blocking/deactivating cookies may forbid individual features on the Company’s website.
The Company uses the following “cookies”:
- Cookies that store certain settings of the website;
- Cookies that store data in order to ensure unobstructed reproduction of any audio or audio content;
- Google Maps Cookies - to visualize the virtual tour of the website, as well as the Google map on the Contact page, namely:
Name: NID
Domain: google.com
Typical content: Specific key.
3. Web analytics
The Company collects statistical information on the use of its websites in order to make them more accessible, as well as for market research. The profiles, created by these tools using analytical cookies or log files assessment, do not contain personal data. The tools either do not use users’ IP address, or make them concise immediately after their collection.
Tool providers process the data only in the capacity of personal data processors in accordance with the Company’s instructions, but not for their own purposes.
Provider of such tool is:
Google Analytics
Google Analytics is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). The Company uses Google Analytics along with the provided by Google additional function for anonymization of IP addresses.
Data subject have right to objection against collection and processing of his/her personal data by downloading and installing browser plug-in from the following link:
http://tools.google.com/dlpage/gaoptout?hl=en
4. Social networks plug-ins
The Company also uses the so-called “social plug-ins” from different social networks. When plugins are used, the web browser used by the data subject establishes a direct connection to the servers of the respective social networks. Therefore, the respective provider obtains information that the data subject's web browser has accessed the relevant social network website even if the data subject does not have a user profile with that provider or is not currently logged into his/her account/profile. In this case, the log files (including IP address) are handed over directly from the web browser to the data subject on a server of the respective provider and they are stored there. The provider or her/his/its server may be located outside of the EU or EEA.
Plug-ins are self-extensions created by social network providers, thereby the Company cannot influence the range of data collected and stored by them. The purpose and scope of collection, the length of processing and use of social networks’ data, as well as the rights of data subjects can be found in the privacy policy of the respective social network.
5. External links
The websites of the Company can contain links to websites of third persons/legal entities.
In case that data subject clicks on the link, the Company cannot influence the processing of personal data, which are sent by the data subject to the third person/legal entity, thereby the Company takes no responsibility for the processing of personal data by third persons/legal entities.
III. Data transfer
Personal data can be transferred to personal data processor in relation to accounting and legal service of the Company, data hosting, as well as for activities concerning security of the Company. All service providers are obliged to maintain their activities in strict confidence, to comply with the applicable legislation, as well as to apply the rules and the policies of the Company for personal data protection.
IV. Rights of the persons whose data are processed by the Company
The Company provides information to the data subjects in concise, easy to understand and easy accessible form, using clear and plain language. The Company provides information to the persons in written or other form, including electronically.
The Company provides the persons with free information about the actions undertaken in relation to their requests within one month as of the receipt of the requests. If necessary, this period may be extended by two months, taking into account the complexity and the number of requests. The Company shall notify the person of any such extension within one month as of the receipt of the request, indicating the reasons for the delay.
Should the Company refuse to act on the request, the latter shall notify the person within one month as of the receiving the request for the reasons of the delay, as well as for his/her right to complaint to the Commission of Personal Data Protection.
Where the requests of the person are manifestly unfounded or excessive, in particular due to their repetitive character, the Company may charge a fee upon the costs of providing information or communication or undertaking the requested actions.
The rights of the data subject are, as follows:
1. Rights of information and access:
Any data subject has the right to obtain from the Company confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the information, related to them. The Company provides the person with a copy of his/her processed personal data.
2. Rights to rectification and erasure:
Data subject has the right of request to the Company for rectification of inaccurate personal data, related to him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The Data subject has the right of request for his/her personal data erasure, unless the data erasure might breach rights and legitimate interests of other persons or legal entities, including the Company, or a statutory obligation prescribes the data storage.
Where the Company has made the personal data public and is obliged to erase them, the Company undertakes reasonable steps, including technical measures, to notify the personal data controllers and processors that the data subject concerned has made a request for erasure of all links, copies and replica of his/her personal data by those data controllers.
4. Restriction of processing:
The Data subjects have the right to obtain from the Company restriction of processing, pursuant to the conditions, in which the right of restriction is exercised.
5. Objection to personal data processing:
Data subjects have the right to object their personal data processing at any time, unless processing is necessary for the performance of a task carried out in the public interest or processing is necessary for the purposes of the legitimate interest of the Company or third persons or legal entities.
The objection to the direct marketing is unconditional and shall be applied by the Company without undue delay.
If personal data are processed only on the grounds of data subject’s consent, the latter have the right to withdraw his/her consent immediately. The lawfulness of the data processing prior to the withdraw remains unchanged.
6. Data portability:
The data subjects have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format or if it is technically feasible to request the Company to transmit these data to third persons/legal entities.
7. Right to lodge a complaint before the Commission of Personal Data Protection:
Data subject have the right to lodge a complaint before the Commission of Personal Data Protection at: Sofia 1592, 2 Professor Tsvetan Lazarov blvd., phone number: 02/91-53-518, Email: kzld@cpdp.bg.
V. Destruction
The accounting and business information, as well as all other documents relevant to taxation and compulsory social insurance contributions are stored by the Company within the following terms:
- salary payroll- 50 years;
- accounting registers and financial statements - 5 years;
- documents relevant to tax and social control- 5 years as from the expiry of the prescription period for the public obligation repayment, which the documents are related to;
- data from advertising games- 30 days following the hand over of the prize;
- data received through visitor’s inquiries, including submitted in the contact form at the website – 1 month following the end of the communication regarding the inquiry;
- the other data storage devices – 5 years.
Following the data storage expiry, the data shall be erased without undue delay by destruction of papers via shredding, as to the technical devices data shall be erased by deleting the relevant files from them.
VI. Miscellaneous
The company reserves its right to change the security measures for personal data protection, if this is necessary due to technical development for the purpose of better data protection. The Company shall amend the policy of personal data protection accordingly and shall update the current version of notification related to personal data protection.