CONFIDENTIALITY

Amodoria EOOD (hereinafter referred to as "the Controller" or "the Company") operates in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with such processing.

Grounds for collecting, processing and storing your personal data

Art. 1. The Controller collects and processes your personal data in connection with the use of the online store www.amodoria.bg and the conclusion of contracts with the Company on the basis of Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and more specifically on the following grounds:

- Explicit consent has been obtained from you as a client;
- Fulfillment of contractual obligations of the Controller to you;
- Compliance with a legal obligation that applies to the Controller;
- For the legitimate interests of the Controller or a third party.

Objectives and principles in the collection, processing and storage of your personal data

Art. 2. (1) We collect and process the personal data you provide to us in connection with your use of the online store www.amodoria.bg and you signing a contract with the Company, including for the following purposes:

- create an account and provide full functionality when using the online store;
- individualization of a contracting party;
- accounting purposes;
- statistical purposes;
- protection of information security;
- ensuring the performance of the contract for providing the relevant service;
- sending a newsletter and emails with special offers at your explicit desire to receive such.

(2) We adhere to the following principles when processing your personal data:

- legality, integrity and transparency;
- limitation of processing purposes;
- correlation with the purposes of processing and minimizing the data collected;
- exactness and accurateness of data;
- limiting storage time to achieve goals;
- integrity and confidentiality of the processing and ensuring an adequate level of security of personal data.

(3) In the processing and storage of personal data, the Controller may process and store personal data in order to protect the following legitimate interests of theirs:

- fulfillment of its obligations to the National Revenue Agency, the Ministry of the Interior and other state and municipal authorities.

What kind of personal data is collected, processed and stored by our company

Art. 3. (1) The Company performs the following operations with the personal data you provide as customers for the following purposes:

- Registration of a customer in the e-shop and execution of a distance sale contract – the purpose of this operation is to create an account in order to use the online store to purchase goods as well as to provide contact information for the delivery of goods purchased. Registering and creating an account in order to use the online store is not a necessary step in the provision of the service, and it is largely accessible without creating an account through the "Order as a Guest" option. The operation "Registration of a user in an e-shop and execution of a distance sale contract" is considered admissible and provides sufficient guarantees to protect the rights and legitimate interests of data subjects in accordance with GDPR requirements;
- Sending out of a newsletter – the purpose of this operation is to administer the process of sending newsletters, emails with special offers, promotions, promo codes, news and new features to customers who have stated that they wish to receive them;
- Exercise of the right to withdrawal or make a claim – the purpose of this operation is to administer the process of exercising the right to withdrawal or reclamation by the client for the goods in respect of which those rights may be exercised.

(2) The Administrator does not collect or process personal data relating to the following:

- revealing race or ethnic background;
- revealing political, religious or philosophical beliefs, or trade union membership;
- genetic and biometric data, health data or sexual life or sexual orientation data.

(3) Personal data are collected by the Administrator from the persons to whom they relate.

(4) The administrator does not make automated data decisions.

(5) The Company does not collect data for persons under the age of 16 except with the express consent of their parent or legal representative.

Art. 4. (1) The administrator processes the following categories of personal data and information for the following purposes and for the following reasons:

- Your personally identifiable information (email, name, etc.)

- Purpose of collecting the data: 1) Making contact with the user and sending information to them, 2) for the purpose of registering a user in an online store as well as for 3) sending newsletters, emails with special offers, promotions, promo codes, news and new features.
- Reason for processing your personal data – By accepting the terms of service and registering in the online store or performing an order without registration, or at the conclusion of a written contract, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data - Art. 6, para. 1, b. (b) GDPR. Your newsletter and email submission information is processed with your explicit consent - Art. 6, para. 1, b. (a) GDPR.

- Delivery details (names, phone, address, etc.)
- Purpose of collecting the data: Fulfillment of obligations of the Controller under a contract for sale and delivery of the purchased goods.
- Reason for processing your personal data – By accepting the terms of service and registering in the online store or performing an order without registration, or at the conclusion of a written contract, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data - Art. 6, para. 1, b. (b) GDPR.
- Purpose of collecting the data: 1) Contacting the user and sending information to them and 2) for the purpose of registering a user in the e-shop.
- Reason for processing your personal data – By accepting the terms of service and registering in the online store or performing an order without registration, or at the conclusion of a written contract, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data - Art. 6, para. 1, b. (b) GDPR.
- Data from your social media accounts (publicly available information from your Google+ accounts, Facebook)

Storage period for your personal data

Art. 5. (1) The Controller stores your personal data for a period that is not longer than the existence of your online store account or the execution of a guest order. After deleting your account or completing the order, the Controller takes the necessary care to delete and destroy all your data without unnecessary delay or anonymize it (i.e., to make it in a form that does not reveal your identity).

(2) The Controller stores your personal data provided in connection with online orders for a period of 5 years for the purpose of protecting the Controller's legal interests in litigation or administrative disputes with users of the online store, keeping the accounting records for the relevant statutory term.

(3) The Controller shall notify you in the event that the data retention period is required to be extended for the purpose of fulfilling a regulatory obligation or for the legitimate interests of the Controller or otherwise.

(4) The Controller stores the personal data that must be stored under applicable law for the relevant estimated period, which may exceed the duration of your online store account or until the order is completed.

Art. 6. (1) The Controller stores the personal data of the legal representatives of his trading partners for the term of performance of the contract, for observance of the legitimate interests and legal obligations of the Controller, which may exceed the term of the concluded contract.

Transmission of your personal data for processing

Art. 7. (1) The Controller may, at their sole discretion, transmit some or all of your personal data to data processors for the fulfillment of processing objectives that you have agreed to, subject to the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The Controller notifies you in case they intend to transmit some or all of your personal data to third countries or international organizations.

Your rights in the collection, processing and storage of your personal data

Withdrawal of consent to the processing of your personal data

Art. 8. (1) If you do not wish all or part of your personal data to be further processed by the Company for specific or all processing purposes, you may at any time withdraw your consent to the processing by completing the “Consent Withdrawal Form” or by requesting so in free form.

(2) The Controller may ask you to verify your identity and the fact that you are the data subject.

(3) With the withdrawal of consent to process personal data required to create and maintain an account in the online store, your account will become inactive. Of course, you will be able to browse the online store and the products offered and place orders as a guest or re-register.

(4) If you have an order that is in the process of being processed, the earliest time you can withdraw your processing consent is when the order is successfully completed.

(5) You may withdraw your consent to the processing of your personal data for direct marketing purposes at any time.

(6) Withdrawal of consent does not affect the lawfulness of the processing of personal data that the Controller has performed so far.

Right to access

Art. 9. (1) You have the right to request and receive confirmation from the Controller whether personal data relating to you is being processed, and you may at any time see in your account, if you are a registered user, the data that we process for you.

(2) You have the right to access data related to you, as well as information related to the collection, processing and storage of your personal data.

(3) The Controller shall provide you, upon request, with a copy of the personal data processed relating to you, in electronic or other appropriate form.

(4) Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repeated or excessive requests.

Right of correction or amendment

Art. 10. You may correct or amend inaccurate or incomplete personal data related to you directly through your website account or by sending a request to the Controller.

Right to be deleted ("to be forgotten")

Art. 11. (1) You have the right to request the Controller to delete some or all of your personal data, and the Controller has the obligation to delete them without undue delay when any of the following reasons exist:

- personal data are no longer necessary for the purposes for which they were otherwise collected or processed;
- You withdraw your consent on which data processing is based and there is no other legal basis for processing;
- You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no legitimate grounds for processing that could take precedence;
- personal data were processed illegally;
- personal data must be deleted in order to comply with a legal obligation under EU or Member State law that applies to the Controller;
- when personal data have been collected in connection with the provision of services to the information society.

(2) The Controller is not obliged to delete personal data if it is stored and processed:

- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation that requires processing provided for in EU or Member State law applicable to the Controller or for the performance of a public interest task or in the exercise of official powers conferred on the Controller;
- for reasons of public interest in the field of public health;
- for purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defense of legal claims.

(3) In the event that you exercise your right to be forgotten, the Company will erase all your data, except for the following data:

- data needed to verify that your right to be forgotten is fulfilled - email, IP address;
- technical data about the functioning of the online store, which data cannot in any way be associated with your identity;
- the email you used to register in the online store.

(4) In order to exercise your right to be forgotten, you need to take the following steps:

- Submit a request by submitting a completed "Request to be Forgotten";
- Identify yourself as the account holder.

(5) After verifying the identity of the requester and the data subject in accordance with the above steps, we will delete all the data we process about you in accordance with para. 3.

(6) If you have an order in progress, the earliest moment you can ask to be "forgotten" is when the order is successfully completed.

(7) By deleting your personal data, your account will become inactive. Of course, you will be able to browse the online store and the products offered and place orders as a guest or re-register.

(8) The Controller shall not delete the data which they have a legal obligation to store, including for protection in connection with legal claims against them or for proving their rights.

Right of restriction

Art. 12. (1) You have the right to request that the Controller restrict the processing of your related data when:

- You challenge the accuracy of personal data, for a period allowing the Controller to verify the accuracy of personal data;
- the processing is unlawful, but you do not want the personal data to be deleted, only their use to be restricted;
- The Controller no longer needs your personal data for processing purposes, but you require it to establish, exercise or defend your legal claims;
- You have objected to the processing, pending a review of whether the Controller's legitimate grounds outweigh your interests.

(2) In the event that your right of restriction is exercised, the Company will cease processing your data, but will not remove the data that you entered in the online store.

Right to transfer

Art. 13. (1) If you have consented to the processing of your personal data or the processing is necessary to perform a contract with the Controller, or if your data is processed in an automated manner, you may, after identifying yourself to the Controller:

- request that the Controller provide you with your personal data in a readable format and transfer it to another Controller;
- request that the Controller directly transfers your personal data to the Controller designated by you when technically feasible.

(2) You may at all times download or receive machine-readable data, which is stored and processed about you in connection with the use of the services of the Controller by email request.

Right to receive information

Art. 14. You may request that the Controller informs you of any recipients to whom the personal data for which correction, deletion or restriction of processing has been requested have been disclosed. The Controller may refuse to provide this information if this would be impossible or would require a disproportionate effort.

Right to object

Art. 15. You may object at any time to the processing of personal data by the Controller that relate to the Controller, including if it is processed for profiling or direct marketing purposes.

Your rights in the case of a breach of your personal data security

Art. 16. (1) If the Controller identifies a breach of your personal data security that may pose a high risk to your rights and freedoms, the Controller shall notify you without undue delay of the breach, as well as of the measures taken or about to be taken.

(2) The Controller is not obligated to inform you if:

- it has taken appropriate technical and organizational safeguards with respect to data affected by a security breach;
- it subsequently took measures to ensure that the infringement would not pose a high risk to your rights;
- notification would require a disproportionate effort.

Entities to whom your personal data are provided

Art. 17. For the purposes of processing your personal data and providing the service with its full functionality as well as keeping your best interest, the Controller may provide your data to the following processors of personal data:

- Processor of personal data: Supplier / Courier Company
- Purpose of processing personal data: Delivery to address

The abovementioned personal data processors comply with all requirements of legality and security for the processing and storage of your personal data.

Art. 18. The Controller does not transfer your data to third countries.

Art. 19. In the event of a violation of your rights under the aforementioned or applicable personal data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

- Name: Commission for Personal Data Protection
- Head office and registered office: Sofia 1592, „Prof. Tsvetan Lazarov” blvd № 2
- Mailing address: Sofia 1592, „Prof. Tsvetan Lazarov” blvd № 2
- Telephone: 02 915 3 518
- Website: www.cpdp.bg

Art. 20. You may exercise all your rights regarding the protection of your personal data through the forms attached to this information or through the features in your user account. Of course, these forms are optional and you can submit your requests in any form that contains a statement about this and identifies you as the data owner.

Art. 21. In case the consent concerns a transfer, the Controller shall describe the potential risks of transferring the data to third countries in the absence of adequate protection solutions and adequate protection instruments.