Privacy Policy

Mandatory information on the rights of individuals with regard to the protection of personal data

Information about the company processing your data:

Name: Export Expert Ltd.

UIC/BULSTAT: 202 171 728

Registered office and address of management: 1421 Sofia, 1421 Sofia Str. Mylin Stone 10

Address for correspondence: 1421 Sofia, 1421 Sofia Str. Mylin Stone 10

Phone: 02 989 1800

E-mail: office@parfen.online

Website: www.parfen.online

 Information on the competent data protection supervisory authority

Name: Commission for Personal Data Protection

Registered office and address of management: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Address for correspondence: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Phone: 02 915 3 518

Website: www.cpdp.bg

(Hereinafter referred to as “Controller” or “the Company”) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This information aims to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with this processing.

Grounds for collecting, processing and storing your personal data

Art. 1.The Controller collects and processes your personal data in connection with the use of the e-shop www.parfen.bg and conclusion of contracts with the company on the basis of Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following basis:

• Explicit consent received by you as a customer;
• Fulfillment of the Administrator’s obligations under a contract with you;
• Compliance with a legal obligation that applies to the Administrator;
• For the purposes of the legitimate interests of the Administrator or of a third party;

Objectives and principles for the collection, processing and storage of your personal data

Art. 2. (1)We collect and process the personal data that you provide to us in connection with the use of the e-shop and conclusion of a contract with the company, including for the following purposes:

• creating an account and providing full functionality when using the online store;
• conclusion and performance of a distance contract;
• individualisation of a party to the contract;
• accounting purposes;
• statistical purposes;
• protection of information security;
• performance of the contract for the provision of the service concerned.
• sending a newsletter at your request;

(2) We observe the following principles when processing your personal data:

• legality, good faith and transparency;
• restriction of processing purposes;
• accountability with the purposes of processing and minimising the data collected;
• accuracy and timeliness of the data;
• restriction of storage in order to achieve the objectives;
• integrity and confidentiality of the processing and ensuring an appropriate level of security of personal data.

(3) In the processing and storage of personal data, the Controller may process and store the personal data in order to protect its following legitimate interests:

• fulfillment of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal authorities.

What types of personal data does our company collect, process and store

Art. 3. (1) The Company shall perform the following operations with the personal data provided by you for the following purposes:

• Registration of a user in the e-shop and execution of a distance purchase contract – the purpose of this operation is to create a profile for the use of the e-shop for the purchase of goods and the provision of contact details for the delivery of purchased goods. Registering and creating an account to use the online store is not a mandatory step in providing the service and it is accessible to a significant extent without creating an account.
  Conclusion of the impact assessment: Based on the impact assessment carried out, the operation “Registration of a consumer in the e-shop and performance of a distance purchase contract” is permissible and provides sufficient guarantees to protect the rights and legitimate interests of the data subjects in accordance with the gdpr requirements.
• Conclusion and execution of a commercial transaction with a client or partner – the purpose of this operation is to conclude and execute a contract with a trading partner or client and its administration. Given the limited scope of the personal data collected and the fact that some of it is collected from publicly available sources, an impact assessment does not need to be carried out.
• Sending a newsletter – the purpose of this operation is to administer the process of sending newsletters to customers who have stated that they wish to receive. Given the limited scope of the personal data collected, an impact assessment does not need to be carried out.
• Exercising the right to refuse or make a claim – the purpose of this operation is to administer the process of exercising the right of withdrawal or claim by the customer. Given the limited scope of the personal data collected, an impact assessment does not need to be carried out.

(2) The controller shall process the following categories of personal data and information for the following purposes and on the following grounds:

• Your individualizing data (e-mail, name, etc.)
  • Purpose for which the data are collected: 1) Making contact with the user and sending information to him, 2) for the purposes of registering a user in the online store, as well as 3) to send a newsletter.
  • Reason for processing your personal data – By accepting the general terms and conditions and registering in the e-shop or placing an order without registration, or when concluding a written contract, a contractual relationship is created between the Controller and you on which we process your personal data – Art. 6, para. 1, b. (b) GDPR. Your data for sending a newsletter is processed at your explicit consent – Art. 6, para. 1, b. (a) GDPR.
• Delivery data (names, telephone, address, etc.)
  • Purpose for which the data are collected: Fulfillment of obligations of the administrator under a contract for purchase and sale and delivery of the purchased goods.
  • Reason for processing your personal data – By accepting the general terms and conditions and registering in the e-shop or placing an order without registration, or when concluding a written contract, a contractual relationship is created between the Controller and you on which we process your personal data – Art. 6, para. 1, b. (b) GDPR.
• Additional data provided by you – If you want to supplement your account, you can fill in the name, surname, phone number.
  • Purpose for which the data is collected: Supplement user information in their user account.
  • Grounds for processing the data: You have given explicit consent to the processing of his/her personal data for one or more specific purposes – 6, para. 1, b. (a) of the GDPR at the time of registration in the online store. The provision of this data is not mandatory for registration in the online store.

The Controller does not collect or process personal data that relate to the following:

• racial or ethnic origin;
• political, religious or philosophical beliefs or trade union membership;
• genetic and biometric data, health data or data on sexual life or sexual orientation.

(4) The personal data have been collected by the Controller from the persons to whom they relate.

(5) The Company does not carry out automated decision-making with data.

Art. 4. (1) The Company shall perform the following operations with the services provided by you, as legal representatives or proxies of legal entities- trading partners, personal data for the following purposes:

• Conclusion and execution of a commercial transaction: For the conclusion and execution of a commercial transaction with a commercial company, we process only the full names of the legal representative or the person authorized by the company. Conclusion of the impact assessment: Given the small volume of natural persons whose data are processed and given the limited volume of personal data being collected, an impact assessment is not necessary for this operation.

(2) The personal data have been collected by the Controller from the persons to whom they also refer from the Commercial Register to the Registry Agency.

(3) The Company shall not carry out automated data decision-making.

Art. 5. The administrator may use the so-called cookies for the purpose of providing full functionality of the website, improving the user experience, statistical purposes, facilitated access, etc., which you agree to through the use of our website. You can control and/or delete cookies at any time through the settings of the browser you use. Cookies do not constitute personal data and are not used to identify visitors and users of the e-shop.

Shelf life of your personal data

Art. 6. (1) The Controller shall keep your personal data for no longer than the existence of your online store account. After deleting your account, the Administrator takes the necessary care to delete and destroy all your data without undue delay or to anonymize it (i.e. to bring it into a form that does not reveal your personality).

(2) The Controller processes your personal data, which you have provided when placing an order without registration in the e-shop, until the completion of the order, unless you have given your explicit consent when placing the order to process your data for the purposes of improving the service, providing recommended content for you, individual conditions, promotions, as well as for statistical purposes.

(3) The Controller shall keep your personal data provided in connection with online orders made for a period of 5 years for the purpose of protecting the legal interests of the Controller in legal or administrative disputes with users of the online store.

(4) The Controller shall notify you in case the data retention period is necessary to be extended in order to fulfil a legal obligation or in view of the legitimate interests of the Controller or otherwise.

(5) The Controller shall keep the personal data that he/she needs to keep under the applicable legislation for the relevant period of time, which may exceed the duration of your e-shop account or until the order is completed.

Art. 7. The Controller shall keep the personal data of the legal representatives of his trading partners for the duration of the performance of the contract, for compliance with the legitimate interests and legal obligations of the Administrator, which may exceed the term of the concluded contract.

Transfer of your personal data for processing

Art. 8. (1) The Controller may, at its sole discretion, transfer some or all of your personal data to processors for the fulfilment of the processing purposes with which you have agreed, subject to the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The Controller shall notify you in case of intention to transfer some or all of your personal data to third countries or international organizations.

Your rights in the collection, processing and storage of your personal data

Withdrawal of consent to the processing of your personal data

Art. 9. (1) If you do not wish the personal data provided by you to be processed for marketing purposes and receiving a newsletter, you may at any time withdraw your consent to processing by filling in the form for withdrawal of consent in Appendix 1 or by a free text request and sending it to us by email.

(2) After receiving your request, we will send you the email you have indicated for receiving newsletters and advertisements, a letter with detailed instructions for your verification as a recipient of newsletters and subject to the personal data for which withdrawal of consent has been requested.

(3) The withdrawal of consent shall not affect the lawfulness of the processing of personal data that the Controller has carried out so far.

Right of access

Art. 10. (1) You have the right to request and receive from the Controller confirmation whether personal data related to you are being processed by sending a request in free text by email.

(2) You have the right to access the data relating to you as well as the information relating to the collection, processing and storage of your personal data.

(3) After receiving your request, we will send you to the email you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as subject of the personal data to which access has been requested.

(4) After carrying out the verification pursuant to para. 3. The Controller shall provide you, upon request, with a copy of the processed personal data relating to you in electronic or other appropriate form.

(5) The provision of access to the data shall be free of charge, but the Controller reserves the right to impose an administrative fee in case of recurrence or excessiveness of requests.

Right to rectification or replenishment

Art. 11. (1) You may at any time correct or fill in inaccurate or incomplete personal data relating to you through the option “Edit account”.

(2) You may correct or fill in inaccurate or incomplete personal data relating to you directly through your website account or by requesting the Controller by email using the form in Appendix No 4 or by a free text request.

Right to erasure (“to be forgotten”)

Art. 12. (1) You have the right to request from the Controller the erasure of some or all of the personal data related to you, and the Controller has the obligation to delete them without undue delay when there are any of the following grounds:

• personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• You withdraw your consent on which the processing of the data is based and there is no other legal basis for the processing;
• You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no legitimate grounds for the processing that prevail;
• personal data have been processed unlawfully;
• personal data must be deleted in order to comply with a legal obligation under EU or Member State law that applies to the Controller;
• personal data have been collected in connection with the provision of information society services.

(2) The Controller shall not be obliged to delete the personal data if he/she stores and processes them:

• the exercise of the right to freedom of expression and information;
• to comply with a legal obligation requiring processing provided for in EU law or the law of the Member State applicable to the Controller or to the performance of a task in the public interest or in the exercise of official powers conferred on him;
• for reasons of public interest in the field of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
• the establishment, exercise or defence of legal claims.

(3) In order to exercise your right to be forgotten, it is necessary to send by email a request for deletion of your personal data, which the Controller processes by filling in the form in Appendix No 2 or by a free text request, after which the Administrator will send to the email you have used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a store user and subject of the personal data for which a request for erasure has been made.

(4) After verifying the identity of the person making the request and the person to whom the data relate in accordance with the instructions sent to you, we will delete all data we process about you in accordance with para. 3.

(5) If there is an order made by you that is under processing, the earliest time you can ask to be “forgotten” is at the successful completion of the order.

Right to restriction

Art. 13. You have the right to require the Controller to restrict the processing of the data related to you by sending us a request in free text by email when:

• dispute the accuracy of the personal data for a period that allows the Controller to verify the accuracy of the personal data;
• processing is unlawful, but you do not want the personal data to be deleted, only to limit their use;
• The controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or protection of your legal claims;
• You have objected to the processing pending verification that the legitimate grounds of the Controller take precedence over your interests.

(2) After receiving your request, we will send you to the email you have used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a user of the store and subject of the personal data for which a request for restriction of processing has been made.

(3) After carrying out the verification pursuant to para. 2. The Company will stop processing your data, but will not remove posts you have made in the online store, if any.

Right to portability

Art. 14. (1) If you have given consent to the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, you may:

• to ask the Controller to provide you with your personal data in a readable format and transfer it to another Controller;
• ask the Controller to directly transfer your personal data to an administrator designated by you, where technically feasible.

(2) You may exercise the right to portability by emailing us a completed form according to Appendix No 3 or a free text request, after which the Administrator will send to the email you have used for registration or placing orders in the e-shop a letter with detailed instructions for your verification as a store user and subject of personal data, portability request.

(3) After carrying out the verification pursuant to para. 2. The Company sent to the email specified by you the data it processes for you in XML format.

Right to receive information

Art. 15. You may ask the Controller to inform you about all recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. The administrator may refuse to provide this information if this would be impossible or require disproportionate effort.

Right to object

Art. 16. You may object at any time to the processing of personal data by the Controller relating to him or her, including if processed for profiling or direct marketing purposes.

Your rights in case of a breach of the security of your personal data

Art. 17. (1) If the Controller finds a breach of the security of your personal data that may pose a high risk to your rights and freedoms, he shall notify you without undue delay of the breach, as well as of the measures taken or to be taken.

(2) The administrator shall not be obliged to notify you if:

• has taken appropriate technical and organisational protection measures in respect of data affected by the security breach;
• has subsequently taken measures to ensure that the infringement does not result in a high risk to your rights;
• notification would require disproportionate efforts.

Persons to whom your personal data is provided

Art. 18. (1) For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, the Controller may provide the data to the following data processors:

Processor Purpose of the processing of personal data

……………………………………….. ……………………………………………………………

……………………………………….. ……………………………………………………………

……………………………………….. ……………………………………………………………

(2) Processors shall comply with all legality and security requirements for the processing and storage of your personal data.

Art. 19. The controller does not transfer your data to third countries.

Art. 20. In case of violation of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection.

Registered office and address of management: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Address for correspondence: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Phone: 02 915 3 518

Website: www.cpdp.bg

Art. 21. You can exercise all your rights regarding the protection of your personal data through the forms attached to this information. Of course, these forms are optional and you can make your requests in any form that contains a statement of this and identifies you as the data holder.

Art. 22. If consent concerns a transfer, the Controller shall describe the possible risks to the transfer of data to third countries in the absence of an adequate protection decision and appropriate remedies.

Annex No 1

Form of withdrawal of consent for processing purposes

Your name*: …………………….

Your email you used in the e-shop*: …………………….

Feedback (e-mail)*: ……………………………..

Until

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and address of management: …………………….

Address for correspondence: …………………….

Phone: …………………….

E-mail: …………………….

Website: …………………….

I hereby withdraw my consent to the processing of the personal data provided by me for the purpose of obtaining a newsletter, advertisements or other marketing materials, and am aware of the conditions for withdrawal of consent in accordance with the Mandatory Information on the Rights of Individuals with Personal Data Protection of the e-Shop.

In case of violation of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection.

Registered office and address of management: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Address for correspondence: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Phone: 02 915 3 518

Website: www.cpdp.bg

Annex No 2

Request “to be forgotten” – to delete the personal data related to me

Your name*: …………………….

Your email with which you have registered or used for orders in the e-shop*: …………………….

Feedback (e-mail)*: ……………………………..

Until

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and address of management: …………………….

Address for correspondence: …………………….

Phone: …………………….

E-mail: …………………….

Website: …………………….

I ask that all personal data you collect, process and store provided by me or by third parties that are related to me, according to the specified identification, be deleted from your databases.

I declare that I know that some or all of my personal data may continue to be processed and stored by the controller for the purpose of fulfilling his/her legal obligations.

In case of violation of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection.

Registered office and address of management: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Address for correspondence: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Phone: 02 915 3 518

Website: www.cpdp.bg

Annex No 3

Request for portability of personal data

Your name*: …………………….

Your email with which you have registered or used for orders in the e-shop*: …………………….

Feedback (e-mail)*: ……………………………..

Until

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and address of management: …………………….

Address for correspondence: …………………….

Phone: …………………….

E-mail: …………………….

Website: …………………….

I ask that all personal data relating to me that is collected, processed and stored in your databases be sent in XML format to:

e-mail: …………………….

Controller – receiving the data: …………………….

Name: …………………….

Identification number (UIC, BULSTAT, reg. number in the KN): …………………….

E-mail: …………………….

In case of violation of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection.

Registered office and address of management: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Address for correspondence: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Phone: 02 915 3 518

Website: www.cpdp.bg

Annex No 4

Request for correction of data

Your name*: …………………….

Your email with which you have registered or used for orders in the e-shop*: …………………….

Feedback (e-mail)*: ……………………………..

Until

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and address of management: …………………….

Address for correspondence: …………………….

Phone: …………………….

E-mail: …………………….

Website: …………………….

I ask that the following personal data that you collect, process and store provided by me or by third parties that are related to me be corrected as follows:

Data to be corrected:

…………………………………………..

Please correct them as follows:

…………………………………………..

In case of violation of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection.

Registered office and address of management: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Address for correspondence: 1592 Sofia Blvd. “Prof. Dr.Sc.(Econ. 2 Tsvetan Lazarov Str.

Phone: 02 915 3 518

Website: www.cpdp.bg