Data Protection Policy in MARTINI 2001 LTD

"MARTINI 2001" LTD,
BULSTAT Unified Identification Code/Number (UIC): 205065881,
Address: Pleven Str. 3, Entr. 7, Fl. 5, apt 13, Rousse 7000, Bulgaria

VAT №: BG205065881,
phone:  +359 877 817 617 and
e-mail: info@martinishops.com,
("the Controller" or "MARTINI 2001"), applies the following General Terms in its trade relationships with the Customers.

PREAMBLE

MARTINI 2001, as a Controller of personal data, collects and processes certain information about individuals.

This information may refer to employees, managers, clients, suppliers, contractors, business contacts and other individuals with whom the Controller has a connection or wants to establish business contact.

This privacy policy governs how personal data is collected, processed and stored to meet the standards of the Controller's organization and is in compliance with legal requirements.

I. Legal Basis

This Policy on Protection of Personal Data ("Policy") is issued pursuant to the Law on Protection of Personal Data and the regulatory acts under it, as amended ("Bulgarian legislation"), and the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Bulgarian law and GDPR provide rules on how organizations, including MARTINI 2001 Ltd., must collect, process and store personal data. These rules are applied by the Controller regardless of whether they are data processed electronically, on paper or on other media.

In order to process personal data in accordance with legal requirements, personal data is collected and used reasonably, is stored securely and the Controller takes the necessary measures to ensure that the processed personal data is not subject to unlawful disclosure.

The Controller of personal data is familiar with and follows the principles set forth in the GDPR:

- the personal data is processed in a lawful, conscientious and transparent manner;

- the personal data is collected for specific, explicit and legitimate purposes and not further processed in an incompatible way with those purposes;

- the personal data is appropriate, related and limited to what is necessary in relation to the purposes for which it is being processed;

- the personal data is accurate and, if necessary, kept up-to-date;

- the personal data shall be stored in a form which permits identification of the persons concerned for a period no longer than is necessary for the purposes for which the personal data is processed;

- the personal data is processed in such a way as to ensure an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.

II. Policy Objectives

The present Policy aims to enable the Controller to:

- comply with the applicable legislation on personal data and follow best existing practices;

- establish the mechanisms for keeping, maintaining and protecting the reporting registers;

- establish the responsibilities of the officials handling personal data and / or persons having access to personal data and working under the direction of personal data processors, and their liability for non-compliance with such obligations;

- protect the rights of the staff, clients and partners;
- be transparent about how the personal data of individuals is stored and protected;
- establish the necessary technical and organizational measures to protect personal data from unauthorized processing (accidental or unlawful destruction, accidental loss, unauthorized access, alteration or dissemination, as well as any other unlawful forms of processing of personal data);
- be protected against the risk of breaches.

III. Coverage

The following Policy applies to the processing of personal data of suppliers, human resources, customers and partners as described in the electronic reporting registers established in accordance with this Policy, Bulgarian Legislation and Art. 30 of the GDPR ("Registry of Processing Activities").

IV. Collection of personal data

Categories of data and entities

"Personal data" means any information relating to an identifiable individual or an individual that can be identified ("Data subject"), namely:

The Controller collects personal data with respect to the following categories of persons:

- persons representing the companies with whom the Controller has business relationships;

- contact persons in the companies with whom the Controller has business relationships;

- persons who are interested in receiving information services - newsletter, guides, etc.;

- persons who register for the use of an online shop.


Objectives of data collection
The Controller collects personal data in connection with the following purposes:

1. To carry out activities related to the conclusion, existence, modification and termination of contractual relations, incl. for:

- preparation of any documents;

- to establish contact with the contact person by telephone, fax or any other lawful means;

- for the delivery and / or acceptance of goods / services, communication in connection with the provision and / or receipt of goods / services and the provision of related customer service;

- for keeping accounts in connection with the performance of contracts to which the Controller is a party;

- for processing payments in relation to the contracts concluded by the Controller;

- for sending important information to the subjects regarding changes to the Controller's policies, terms and policies and / or other administrative information;


2. For marketing purposes - subject to the explicit consent of the data subjects;
3. For statistical purposes.

Collecting the data

Data of contractors (managers, representatives and / or contact persons of the legal entity under a commercial contract)
The personal data for each person shall be provided voluntarily by the persons themselves and shall be collected by the Controller in fulfillment of a statutory obligation in connection with the conclusion of a contract and / or fulfillment of the obligations under a contract under the provisions of the Commercial Act, the Accountancy Act, the Obligations and Contracts Act, the Value Added Tax Act and others, and under the terms and conditions set out in a trade agreement with the respective client. The data is collected through: paper - written documents (including powers of attorney, contracts, attachments, bank information, etc.); e-mail - provided in connection with the execution of a commercial contract; and / or a registration form. Individuals are notified of the provisions of this Policy in advance or at the time their personal data is received.

V. Legitimate interests pursued by the Controller

In relation to data processing of managers and contractors:

The processing of the data is done on the grounds of a legitimate interest in connection with the conclusion, existence, modification and termination of commercial and civil contracts, in the implementation and enforcement of the normative requirements of the Commercial Act, the Social Security Code, the Tax Insurance Procedure Code, the Law on the Taxes on Income of Individuals, the Accountancy Act, the Law on Obligations and Contracts, etc.

VI. Transparency. Rights of individuals whose data is processed by the Controller

Transparency and conditions for exercising the rights of individuals.
The Controller shall provide information to the persons in a clear, transparent, comprehensible and easily accessible form, in clear and simple language.
The Controller shall endeavor to ensure that the persons are aware of the personal data it is processing and that the persons fully understand and are informed about the processing in accordance with the requirements of the GDPR and the Bulgarian legislation.

The Controller provides the information to the persons in writing or otherwise, including, where appropriate, by electronic means. If the person has requested so, the information may be given orally, given that the identity of the person is proved by other means.

The Controller shall provide the persons, free of charge, with information on the action taken in connection with a request concerning their right of access, rectification, erasure, limitation of processing, portability, objection and automated decision making without undue delay, and in any event within one month of receipt of the request.
If necessary, this period may be extended by a further two months, taking into account the complexity and the number of requests. The Controller shall inform the person of any such extension within one month of receipt of the request, indicating the reasons for the delay. Where a person submits a request by electronic means, the information shall, if possible, be provided by electronic means, unless the person has requested otherwise.

If the Controller does not act on the request, the Controller shall notify the person without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility of filing a complaint to an Authority and seeking legal protection.

Where the person's claims are manifestly unfounded or excessive, in particular because of their repeatability, the Controller may either:

- impose a reasonable fee, taking into account the administrative costs of providing the information or communication or undertaking the requested action, or

- refuse to act on the request.

Right of access of individuals.
Everyone has the right to receive from the Controller a confirmation that personal data relating to him / her is being processed and, if so, to access the data and the following information:

- the purpose of the processing;

- the relevant categories of personal data;

- recipients or categories of recipients to whom personal data (including third countries or international organizations) are or will be disclosed;

- where possible, the period for which the data will be stored and, if that is not possible, the criteria used to determine that period;

- the existence of a right to require the Controller to correct or delete personal data or restrict the processing of personal data relating to the individuals concerned or to object to such processing;

- the right to complain to the Commission for Personal Data Protection;

- where personal data are not collected from the persons themselves, any available information on their source;

- the existence of automated decision making, profiling, and at least in these cases, essential information about the logic used, as well as the meaning and foreseeable consequences of such processing for the individuals.

When personal data is transferred to a third country or an international organization, individuals have the right to be informed of the appropriate safeguards relating to the transfer.

The Controller provides the person with a copy of the personal data that is being processed. For additional copies requested by the persons, the Controller may impose a reasonable fee based on administrative costs. Where a person submits a request by electronic means, the information shall, if possible, be provided in widely used electronic form, unless the person has requested otherwise.

Right of rectification.
Any person whose data is processed by the Controller may request the Controller to correct inaccurate personal data relating to him without undue delay. Given the purpose of the processing, the person has the right to complete the incomplete personal data.

Right of erasure (right "to be forgotten").
Any person whose data is processed by the Controller has the right to request from the Controller the erasure of the related personal data without undue delay and the Controller has the obligation to erase personal data without undue delay when:

- personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

- the person withdraws his consent on which the processing of the data is based and there is no other legal basis for the processing;

- the person objected to the processing and there are no legitimate grounds for the processing that would take precedence;
- personal data has been tampered with;

- personal data must be deleted in order to comply with a legal obligation applying to the controller;

- personal data has been gathered in connection with the provision of information society services.

When the Controller has made the personal data publicly available and is required under the preceding paragraph to erase the personal data, the Controller, taking into account the available technology and implementation costs, takes reasonable steps, including technical measures to inform the Controllers processing the personal data that the person concerned has requested the erasure by these Controllers of any links, copies or replicas of his or her personal data.

Right to Restrict Processing.
Any person whose data is processed by the Controller may request the Controller to restrict the processing when one of the following applies:
- the accuracy of the personal data is disputed by the person for a period which allows the Controller to verify the accuracy of the personal data;

- processing is unlawful, but the data subject does not want data to be deleted, and requires instead limiting their use;

- The Controller no longer requires personal data for the purposes of processing, but the data subject requires them to identify, exercise or protect legal claims;

- the data subject has objected to the processing pending verification that the legal grounds of the Controller have an advantage over the interests of the data subject.

Where processing is limited pursuant to the above paragraph, such data shall be processed, except for its storage, only with the consent of the data subject or for the establishment, exercise or protection of legal claims or for the protection of the rights of another individual or for important reasons of public interest.

When a data subject has requested a limitation of processing, the Controller shall inform him / her prior to the revocation of the processing limitation.

Obligation to notify when correcting or deleting personal data or restricting processing
The Controller shall report any correction, deletion, or limitation of processing to any recipient to whom the personal data has been disclosed unless this is impracticable or requires disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject so requests.

Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (i) the processing is based on consent pursuant to specific goals or contractual obligation of the entity or taking steps before signing the contract and (ii) the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to the previous paragraph, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Right to object
The data subject may, at any time and on grounds relating to his or her particular situation, object to the processing of personal data relating to him / her, including profiling, when the processing is necessary for the performance of a public interest task or in the exercise of official authority vested in the Controller, or when the processing is for the purposes of the legitimate interests of the Controller or a third party. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the data subject, the right referred to in the previous paragraphs shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

 

VII. Technical and organizational measures for data protection

Data protection of a hard copy and an electronic medium from unauthorized access, damage, loss or destruction is ensured through a series of internally regulated technical and organizational measures.

VIII. Transfer of personal data

The Controller does not and will not transfer personal data to countries outside the European Union.

IX. Violations. Notification of violations

Violations
A breach of data security occurs when data for which MARTINI 2001 is responsible is affected by a security incident that violates the confidentiality, availability and integrity of personal data. In this sense, a breach of data arises when there is a security breach leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of data that is transmitted, stored or otherwise processed.
In the event of a breach of security of personal data, Ivan Ivanov should be notified immediately.

Assessment of violations
Once the relevant employee of MARTINI 2001 has received information about a violation, he / she has to determine if the particular event is a violation of personal data and notify the Controller about the incident (in case he is not aware).

In the event of a personal data breach likely to pose a risk to the rights and freedoms of individuals, the Controller (through the relevant employee) shall, without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the Commission for the protection of personal data.

Where and as far as it is not possible to submit the information at the same time, the information may be submitted in stages without further unnecessary delay.

Where the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the Controller shall without undue delay notify the offender of the violation.

The Controller shall document any violation of personal data security, including the facts of the violation, its consequences, and the action taken to address it.

X. Destruction

Accountancy and commercial information as well as any other information and documents relevant to taxation and mandatory insurance contributions are kept by the Controller for the following periods:

- salary payroll - 50 years;

- accounting records and financial reports - 10 years;

- tax and social control documents - 5 years after expiry of the limitation period for repayment of the public obligation with which they are connected;

- all other media - 5 years.

After the storage period has elapsed, carriers of information (paper or technical) that are not subject to submission to the National Archives Fund may be destroyed.

After the storage period has expired, the data will be destroyed as soon as possible: hard copies by means of shredding, and data on technical media by deleting and removing the relevant files from the computers of the Company.

Additional provisions
Under current internal rules:
§ 1. "Personal Data Controller" is "MARTINI 2001" Ltd. which is a limited liability company with UIC 205065881.
§ 2. "Processing" means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data become available, arranged or combined, restricted, deleted or destroyed;

§ 3. This Policy is subject to affirmation and disclosure to the persons concerned by order of the Manager of the Controller.

The policy was approved by the managers of "MARTINI 2001" Ltd.: 25.05.2018

The policy is effective from: 25.05.2018