The team of the Data Protection Association understands the important role of civil society and the need for self-regulation in relation to the protection of personal data. We encourage and assist data subjects to exercise their GDPR rights actively. Contact us if you need help.
Learn more about your basic GDPR rights:
The personal data controller is required to provide you, in a clear, transparent, comprehensible and easily accessible form, in plain and simple language, in writing or in any other appropriate manner, including by electronic means, information about:
- the identity and the contact details of the controller;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party where the processing is based on your consent;
- the recipients or categories of recipients of the personal data, if any;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning you or to object to processing as well as the right to data portability;
- where the processing is based on your consent, information about your right to withdraw consent at any time, along with notification proving the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
- the intention of the controller to transfer personal data to a third country or international organisation and whether the legal conditions for that are met;
- the categories of personal data which the controller maintains for you where the personal data have not been obtained from you;
- from which source the personal data originate, and if applicable, whether it came from publicly accessible sources.
The same obligation to inform exists when the purpose of the processing is changed, i.e. when processing is required for a different purpose and not for the purpose the data were collected for.
You have the right to request and obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
- the appropriate safeguards where your personal data are transferred to a third country or to an international organisation by the controller.
The controller provides you with a copy of the personal data which are being processed. For additional copies requested by you, the controller may charge you a reasonable fee based on administrative costs. When you submit your request by electronic means, the controller will, if possible, provide you with the information in a widely used electronic form, unless you have requested otherwise.
Your right to receive a copy of your personal data should not adversely affect the rights or freedoms of others.
You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you.
Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay in the following cases:
- your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
- you object to the processing of your personal data and there are no overriding legitimate grounds for the processing;
- you object to the processing of your personal data for direct marketing purposes which includes profiling to the extent that it is related to such direct marketing;
- the personal data have been unlawfully processed;
- your personal data have to be erased for compliance with a legal obligation under Union law, national legislation or Member State law to which the controller is subject;
- your personal data have been collected in relation to the offer of information society services (e-commerce, marketing, profiling, social networks) to children over the age of 16 years or to children at a lower age with the consent of their parents.
GDPR sets certain limits to the implementation of the right to erasure, so the data controller may not approve your request if processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defence of legal claims.
Where the controller has made your personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
You have the right to obtain from the controller restriction of processing where one of the following applies:
- you contest the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- you have objected to processing, including profiling, based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or to processing, including profiling, which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted at your request, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted at your request, you shall be informed by the controller before the restriction of processing is lifted.
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. In this way you have the opportunity to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
You can exercise this right only where the processing of your personal data is based on consent or on a contract and the processing is carried out by automated means.
The exercise of this right shall be without prejudice to the exercise of the right of cancellation and shall not apply to the processing necessary for the performance of a task of public interest or the fulfillment of the official powers conferred on the controller.
The right to data portability shall not adversely affect the rights and freedoms of others.
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, including profiling, which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or to processing, including profiling, which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, you may exercise your right to object by automated means using technical specifications.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Profiling involves automated processing of personal data to analyze the data subject, their behavior or other aspects of their personal, professional or social life. You may be subject to a decision based solely on automated processing if the decision is necessary for entering into, or performance of, a contract between you and a data controller; is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or is based on your explicit consent. Where the decision is necessary for entering into, or performance of, a contract with you or it is based on your explicit consent, you have the right to require the controller to process and analyze your data not entirely automated and to use human intervention. You also have the right to express your point of view and to contest the decision.
You have the right to lodge an administrative complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes GDPR. This supervisory authority in Bulgaria is the Commission for Personal Data Protection.
You have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you or where the competent supervisory authority does not handle your complaint or does not inform you within three months on the progress or outcome of the complaint. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
You also have the right to an effective judicial remedy where you consider that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR. You may ask the court to find a violation of GDPR against you and to award damages to you. The court in the Member State of establishment of the controller or the processor is competent. Alternatively, you may lodge your claim before a court in the Member State of your habitual residence unless the controller or the personal data processor is a public authority of the Member State acting within the scope of its public authority.
You have the right to mandate a not-for-profit organisation which is active in the field of the protection of data subjects’ rights and has statutory objectives which are in the public interest, to exercise the right of defence on your behalf where provided for by Member State law.