I. GENERAL TERMS
Art.1.(1) In order to carry out its activities, pursuant to the General Terms, published on the website http://besco.bg/ (“Website”), herein referred to as (“Terms”), the “BULGARIAN ENTREPRENEURS AND STARTUP COMMUNITY” ASSOCIATION, UIC 177239971, having its seat and registered address at Sofia city, PO 1407, “Lozenets” district, “Cherni Vrah” blvd., № 47A, 5th floor, apt. Puzl Coworking, (“Besco”/“Association”/“Us”), processes Personal Data of natural persons (“Data Subjects”/“You”) in accordance with this Policy.
(2) When processing Personal Data, Besco complies with all Personal Data protection legislation applicable to its activities, including the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.
Art.2. In this Policy, the following definitions of the terms, deriving from Art. 4 of the Regulation, are used:
- “Regulation” – General Data Protection Regulation of 27 April 2016, repealing Directive 95/46/EC on the protection of Personal Data. It has direct effect and implies an amendment to the legislation of the member states in the field of Personal Data protection. Its purpose is to protect the “rights and freedoms” of natural persons and to guarantee that their Personal Data is not being processed without their knowledge, and where possible, processing is subject to their consent.
- “Personal Data” – can be any information that may be related to a natural person who is identified, or a natural person who might be identified, directly or indirectly, through the use of one or more specific features or identifiers associated with that natural person. From the point of view of the nature of the information, the term "Personal Data" includes any kind of statement concerning a person. This entails "objective" information and "subjective" information, opinions or assessments. With regards to the form or medium in which this information is contained, the term "Personal Data" includes information in any form, whether alphabetical, digital, graphic, photographic or acoustic. For example, it includes information stored on paper as well as information stored in computer memory.
- "Special (sensitive) categories of Personal Data" means a particular type of Personal Data due to the specific nature of the information it discloses about the natural person. In particular, this information reveals racial or ethnic origin, religious and philosophical beliefs, political views, membership in trade union (or professional) organizations, data concerning the health of the individual, biometric data for the sole purpose of identifying the natural person.
- "Personal Data Controller" means Besco, which determines the purposes and means of the processing of Personal Data of natural persons.
- "Personal Data Processor" may be any natural or legal person, public authority or body that processes Personal Data on behalf of and on the express written assignment of Besco. The processor of Personal Data is always a person who is external to the structure of the Association and is not in an employment relationship with the Association. The employees of the Association are not processors of Personal Data. The Association may also act as a Personal Data Processor. In such cases, the Association processes the relevant Personal Data, pursuant to a written contract with a Personal Data Controller, his documented instructions and in compliance with the Association’s statutory obligations.
- "Processing of Personal Data" means any operation or set of operations carried out with Personal Data, such as the collection, recording, organization, structuring, storage, modification, use, disclosure by transmission and access, arrangement, erasure or destruction. In practice, any activity involving the use of Personal Data in some form may involve the processing of Personal Data.
- “Data Subject” – any living natural person, who is subject to Personal Data stored by the Controller.
III. CATEGORIES OF DATA SUBJECTS
Art.3. In connection with the activity it undertakes, the Association processes data regarding the following Data Subjects:
- Natural persons, visitors of the Website;
- Applicants for Association membership and legal representatives of applicants for membership in the Association;
- Members of the Association, resp. legal representatives of members of the Association;
- Sponsors of the Association;
- Natural persons subscribed to the newsletter of the Website;
- Natural persons, who have sent inquiries (incl. by phone), requests, signals, complaints to or other correspondence with Besco;
- Natural persons, whose data is contained in inquiries (incl. by phone), requests, signals, complaints to or other correspondence with Besco;
- Other categories of natural persons, whose Personal Data is processed in the course of the activity carried out by the Association.
IV. PERSONAL DATA PROCESSED
Art.4. Besco Processes the following Personal Data:
1. Mandatory data, which are provided when filling out the electronic membership in Besco application form, as follows:
- Name and surname of the legal representative of the legal entity – applicant for membership, respectively member of the Association;
- Email and phone number of the legal representative of the legal entity – applicant for membership, respectively member of the Association;
2. Additional data, which is provided when filling out the electronic membership in Besco application form, as follows:
- Name and surname of the founders of the respective legal entity – applicant for membership, respectively member of the Association;
- Profile in the social network LinkedIn of the founders of the respective legal entity – applicant for membership, respectively member of the Association;
3. Name, middle name, surname and bank account of the sponsors of the Association (through the online platform Patreon);
4. E-mail address of users subscribed to the newsletter of the Website;
5. Data provided in relation to a correspondence, complaints and signals, namely: data concerning customer or user communication, provided in the feedback form on the Website (name, e-mail address), including Personal Data provided over phone calls with Besco or sent with standard mail or e-mail;
6. The Website can store data concerning visits to the Website (date, time).
V. PURPOSES AND MEANS OF PROCESSING
Art.5. Besco collects, uses and Processes the information described above for the following purposes:
(1) To accept applicants for membership to the Association and their selection, as well as for establishing, acting on and terminating membership relationships with the Association.
(2) To protect and enforce Besco’s legitimate interests. Those are purposes linked to Besco’s lawful interests and/or third parties such as other users, companies, and others. Those purposes include:
- Ensuring the normal functioning and utilization of the Website on Your end and on other users’ ends, maintenance and service management, dispute resolution, detection and prevention of malicious actions.
- Identifying and resolving technical issues linked to functionality, development and improvement of the Website.
- Carrying out communication with You, including by electronic means.
- Acceptance and processing of received signals, complaints, requests and other correspondence;
- Exercising and protecting the rights and legitimate interests of Besco, including in court proceedings, as well as cooperation in the exercise and protection of the rights and legitimate interests of other users of the Website and/or affected third parties.
For those purposes, it may be necessary to process a part of or all of the abovementioned categories.
(3) Purposes, for which you have given your explicit consent. Your data may be processed, on the grounds of Your explicit consent, where such processing is specific in its extent and range, as provided for in the relevant consent.
(4) For Besco to comply with its legal obligations, including fulfillment of obligations provided for in the legislation, to retain or provide information when an order by a competent state or judicial authority is received, when providing an opportunity to the competent authorities to exercise their control powers, when fulfilling Besco’s legal obligations to inform You about circumstances relating to Your rights, the provided Services or with the protection of Your data and other. For these purposes, it may be necessary to process a part of or all of the abovementioned categories.
(5) So as to respond to Your inquiries and to process Your complaints. In order to resolve Your complaints, signals, disputes, inquiries, requests and other questions, put forward in a communication via the Website, through phone calls with Besco, via standard mail or e-mail, We store and Process such information, as well as the result of such Processing.
(6) For statistical purposes including analyzing the performance of applications on the Website as well as their utilization by users.
(8) Website logs related to security, maintenance, development and other aims may be used for the following purposes:
• For securing the reliable functioning of the Website and identification of technical issues;
• For security reinforcement and detection of malicious actions;
• For the development and improvement of the Website;
• For measuring traffic and usability of the Website;
• Logs as required by the law
Server logs, logs on devices guaranteeing security (Web Application Firewalls) and other devices falling in this category. Those logs are necessary for detecting technical issues, detecting malicious activities and other purposes as listed above. Logs are retained for a period of up to 1 (one) calendar year. Logs can contain the following information: date, hour, URL, browser and user device metadata.
Art.6. The Services provided by Besco and the provided functionalities in the Website are not intended for storage and Processing of special categories of Personal Data pursuant to Art. 9 and Art. 10 of the Regulation.
Art.7. Besco does not collect and does not process Personal Data of minors aged 16 or below, unless with the consent of a parent, subject to the applicable local legislation. Should Besco find out that Personal Data of a minor has been accidentally collected, We shall delete the data as soon as reasonably possible.
VI. RETENTION PERIOD
Art.8. Besco stores Your Personal Data for a period necessary to achieve the purposes for which it was collected. Upon achieving the relevant purpose, Your Personal Data shall be immediately destroyed, unless Besco is obliged to Process it for a longer period pursuant to applicable legislation.
Art.9. Personal Data, collected in relation to a Website registration, respectively with regard to the contract between us, shall be Processed until you request to have Your profile deleted. In this event we shall destroy the collected Personal Data, unless we are obliged to Process it for a longer period pursuant to applicable legislation, including when protecting the Association’s legitimate interests (including limitation periods pursuant to applicable legislation that governs filing claims and others.)
Art.10. In certain circumstances Besco has the right to anonymize Your Personal Data for research, statistical or other purposes, in which event the Association may use this data for an indeterminate period of time without having to additionally notify You.
Art.11. In the event that Besco no longer requires Your Personal Data, the latter shall be deleted or anonymized, so that all details which lead to Your identification shall be removed. In the absence of legal grounds for the lawful Processing of Your Personal Data or when you have withdrawn Your consent to Processing, Besco shall delete the Personal Data within a reasonable time period.
Art.12. In events where we Process Your Personal Data on the grounds of Your consent, including but not limited to marketing purposes, the data shall be Processed and stored until we receive Your request to have it deleted (forgotten).
Art.13. In the event a dispute or legal proceedings have arisen, requiring the retention of Personal Data and/or upon request by a competent state authority, it is possible to retain the Personal Data for a longer period than the one specified, until resolution of the dispute or completion of the legal proceedings at all judicial levels. The specified period is subject to change if an alternative retention obligation is determined pursuant to the current legislation.
VII. THIRD PARTIES.
Art.14. Your Personal Data may be provided to third parties only in the following events:
- when this is provided for in the legislation;
- when duly requested by a competent state or judicial authority;
- when we have received Your explicit consent;
- when necessary for the protection of the rights and legitimate interests of Besco and/or other users.
Art.15. In the events of Art.13, p1, Besco implements contractual arrangements and mechanisms for data security, aiming to protect Your Personal Data, as well as to comply with the data protection, privacy and security standards.
Art.16. Personal Data, stored by Besco, may be transferred to:
- Other companies, part of Besco’s network, where this is necessary for administrative purposes and allowing us to deliver professional services to our customers (for example, when providing services incorporating consulting by other companies, part of our network, located in different countries).
- Third parties and/or organizations, which supply us with applications and/or functionalities; IT services and services related to Personal Data Processing.
- Third parties who assist us with the provision and management of our internal IT systems. For example, providers of information technologies, providers of cloud services, identity management, hosting and website management, data analysis, data archiving, security and storage services. The servers that power up and facilitate this cloud infrastructure are located in protected data centers around the globe and Personal Data can be stored in any of them;
- Third parties/organizations, who assist us with service or information delivery in alternative means;
- Auditors and other professional consultants;
- Law enforcement authorities, other state and regulatory agencies and other third parties as required by and in compliance with the applicable legislation.
Art.17. With regards to Personal Data regulated by EU legislation, please bear in mind that cross-border transfers might include countries outside of the European Economic Area (EEA) and countries, which have no laws to provide for specific Personal Data Protection. We have taken all necessary steps to guarantee that all Personal Data has the necessary protection and that all transfers of Personal Data outside of EEA are conducted lawfully. When transferring Personal Data outside the EEA in a country which is not classified by the European Commission as providing an adequate level of Personal Data protection, such transfers take place in accordance with an agreement, complying with the requirements of EU for Personal Data transfers outside the EEA – for example, the Standard Contractual Clauses (SCCs) approved by the European Commission. You can find more about those clauses here.
VIII. DATA SUBJECT RIGHTS.
Art.18. The Regulation envisages the following rights:
- Right to be informed.
This Policy is intended to inform You in detail about the Processing of Your Personal Data in connection with the Services provided.
- Right to Access.
You have the right to receive a confirmation whether Your Personal Data is being Processed, access to such data and information regarding their Processing and Your respective rights. The right to access can be exercised at any time.
- Right to rectification.
You have the right to rectify Your Personal Data in the event it is incomplete or inaccurate.
You can exercise the right to rectify Your Personal Data at any time through a request to Besco.
- Right to deletion.
You have the right to request the deletion of Personal Data, except in cases where there is a substantial basis and/or legal obligation for its Processing.
Data can be deleted upon expiry of the specified period. Meanwhile, the data can be provided in due course only to the competent state authorities in exercise of their control powers or to a court of competency in the case of court proceedings which the court has a standing for. In the event a dispute or legal proceedings have arisen, requiring the retention of Personal Data and/or upon request by a competent state authority, it is possible to retain the Personal Data for a period longer than the one specified, until resolution of the dispute or completion of the legal proceedings at all levels.
- Right to restriction of processing.
The Regulation provides for the possibility of restricting the Processing of Your Personal Data, provided that the statutory grounds required to exercise this right are present.
- Right to inform third parties.
Where applicable, You have the right to request from the Controller of Your Personal Data to inform relevant third parties, whom the Controller has shared Your Personal Data with, about any rectification, deletion or restriction of Processing of Your Personal Data.
It is important to note that Besco is not an intermediary in the relationship between You and third parties.
- Right to data portability.
You have the right to obtain Your Personal Data in a structured, commonly used and machine readable format, and have the right to transmit this data to another Controller at Your own discretion.
- Automated decision-making.
You have the right not to be subject to automated decision making, including profiling, which produces legal effects for You or in a similar fashion significantly affects You, unless the grounds provided for in the applicable Personal Data Protection legislation and appropriate safeguards for Your rights, freedoms and legitimate interests are present.
The Website does not utilize technologies falling in this category.
- Right to withdraw consent.
You have the right, at any time, to withdraw Your consent from the Processing of Personal Data, which is on the grounds of Your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
For Services like the subscription to email advertisements, where the subscription is on the grounds of Your will (consent), an option to terminate the subscription at any time (withdrawal of consent) is given.
- Right to object.
You have the right to object to the Processing of Your Personal Data which is based on the grounds of public interests, exercise of official authority or legitimate interest.
In the event of such objection, Besco shall process Your request and if found reasonable, we will fulfill it. Should we consider that there are convincing statutory grounds for such Processing or it is necessary for the establishment, exercise or defense of legal claims, we shall inform You of such development.
- Right to lodge a complaint.
You have the right to lodge a complaint with the supervisory authority or a judicial authority, if you consider that Processing of Your Personal Data violates the applicable Personal Data protection legislation. The supervisory authority of Republic of Bulgaria is the Commission for Personal Data Protection, with address: Sofia 1592, 2 Prof. Tsvetan Lazarov blvd.
IX. DATA ACCURACY.
Art.19. Besco does not bear any responsibility for the accuracy of Your Personal Data, does not conduct checks in this regard, and does not guarantee the true identity of the natural persons who have provided the data. In all events of doubt on your behalf, of established fraud and/or misuse, we kindly ask you to inform us immediately. You are obliged, when providing any information on the Website, not to violate the rights of third parties in relation to the protection of their Personal Data or other rights.