PERSONAL DATA PROTECTION POLICY OF K-EXPRESS EOOD
General provisions
Article 1. (1) In relation to providing its services and performing its activities, K-EXPRESS EOOD processes the personal data of individuals (“Data Subjects”) as a Controller, in accordance with the rules and principles laid down in this Personal Data Protection Policy of K-EXPRESS EOOD (“the Policy”).
(2) The registered office and business address of K-EXPRESS EOOD are: BULGARIA, Sofia Region (capital), Sofia Municipality, Sofia 1000, Sredets Section, 5 Slavyanska Street, telephone: 0879 033 649, contact e-mail: contact@k-express.bg, Unified Identification Code: 131165677.
Official responsible for data protection
Article 2. A Data Subject may address any of their queries and questions related to the exercise of their rights for personal data protection to the responsible official.
(1) The contact details for the responsible official for K-EXPRESS EOOD are:
Name: Ivaylo Nikolov
E-mail: i.nikolov@talarfoods.com
Correspondence address: Sofia, 5 Slavyanska Street
Telephone: +359 886 848 487
Data Subject
Article 3. K-EXPRESS EOOD shall have the right to gather and process information about the following categories of individuals (Data Subjects):
- Clients – individuals;
- Legal representative of a contractor;
- Proxies;
- Individuals, contact persons under contracts with K-EXPRESS EOOD;
- Persons other than the ones listed above who come into contact with K-EXPRESS EOOD or make, directly or indirectly, claims to K-EXPRESS EOOD;
- Representatives of regulatory authorities;
- Auditors;
- Franchisees;
- Third parties in their capacity of witnesses or officials with regard to acts related to K-EXPRESS EOOD, performance of the licence and statutory obligations of the company.
Categories of personal data
Article 4. The information (categories of personal data) which K-EXPRESS EOOD processes with respect to Data Subject in accordance with this Policy may include:
- Identification data: names as per ID document; personal number/foreigner’s personal number/ex officio number/BULSTAT number (for individuals); date of birth; signature;
- Contact data: telephone numbers; fax numbers; e-mails; correspondence addresses; other contact/correspondence data provided by the Data Subject;
- Official identity: telephone numbers/fax numbers; position;
- Social identity: citizenship; data about place of work, certificates, education (educational degree); recommendations; length of service;
- Video recording during visits to sites under surveillance;
- Information about judicial disputes and cases in the preparation of legal opinions and checks of legality as well as in the event of procedural representation before judicial authorities/private enforcement officers/state enforcement officers, notary services, etc.;
- Additional information about representatives of partners: names, personal number/foreigner’s personal number; telephone numbers; e-mails; certificates; invoice numbers, amount of obligations, applications, declarations; position; place of work; capacity (type of legal representative, proxy, officer, partner in an entity which is not personified); changes and history of changes in the legal representation; powers of attorney; information about representative power; information about withdrawal or expiry of authorisation, contracts for companies under the Obligations and Contracts Act, information about the owners (if the latter is a legal entity or a company which is not personified) – e.g. information about partners/shareholders, number and type of shares/stock held and such others;
- Contractual and financial information: bank accounts; contracts and numbers and dates of conclusion of contracts; information about and dates of amendment and termination of contracts; full name, telephone, e-mail, customer (subscription) number; numbers and content of invoices; information about the coming into being, nature and amount of obligations (including interest); payments made; information and history of amounts transferred inaccurately; information about deferred payments; information about related parties and overdue obligations of related parties; repayment of obligations; information about paid bank bonds or cash amounts to the benefit of K-EXPRESS EOOD (amount, grounds, date of payment and similar); information about insurance; education; certificates and recommendations; copyright;
- Health data – the processing is necessary for the purposes of performance of the obligations and exercise of the special rights of the Controller or the Data Subject pursuant to the law in the field of healthcare, food safety and hygiene inasmuch as this is allowed under EU law or the law of a Member State or pursuant to a collective agreement in accordance with the law of a Member State which sets out appropriate guarantees for the fundamental rights and interests of Data Subjects;
- Information about complaints, applications, requests, queries and signals submitted (including in a free form) and about other correspondence with K-EXPRESS EOOD, including information about their processing and status and the end result of their processing;
- Other information and documents: any other information and documents (declarations; opinions; agreements for joint activities; lists; inventories; schedules, certificates and testimonies; applications, protocols; orders, certificates, declarations and other acts of competent authorities; contracts (including preliminary agreements) which Data Subjects, competent state authorities or third parties provide to K-EXPRESS EOOD or which are respectively generated in the pre-accession process and/or during the execution, amendment, performance and termination of contracts with a Data Subject.
Purposes for the processing of personal data
Article 6. (1) K-EXPRESS EOOD shall gather, use and process in any other way the information under Article 5 and Article 6 for the purposes laid down in this Policy which may be as follows, depending on the grounds for processing:
- Purposes related to the observance of statutory obligations of K-EXPRESS EOOD; and/or
- Purposes related to and/or necessary for the performance of the contracts concluded with K-EXPRESS EOOD or for the taking of steps upon a request of a Data Subject before the conclusion of a contract; and/or
- Purposes of the legitimate interest of K-EXPRESS EOOD or of third parties;
- Purposes for which a Data Subject has provided consent for the processing of their data.
(2) Personal data may be processed K-EXPRESS EOOD for the same purposes simultaneously on more than one of the legal grounds listed above.
Article 7. The purposes for personal data to be processed by K-EXPRESS EOOD in relation to the observance of statutory obligations include:
- Acceptance, servicing and management of the process of servicing signals, complaints, service applications, requests and such others, as well as of returns and trade guarantees (if applicable), including preparation of responses to them or performing checks of legality;
- Activities related to accounting and reporting for payments received under contracts concluded with K-EXPRESS EOOD in view of the legislation in force (tax and accounting legislation, etc.);
- Activities related to ensuring food safety and hygiene;
- Video surveillance of the sites of K-EXPRESS;
- Activities related to ensuring quality control in audits associated with this activity, staff training and validation of capacity, equipment, systems, processes and cleaning, sample taking, and all secondary documents arising from this activity.
- Activities of calibration of measurement devices, measurement instruments;
- Activities related to fire safety and health control as well as investigation of accidents and incidents in the company;
- Activities related to the statutory norms for technical service of power capacity and facilities in the production process;
- Collection of receivables to K-EXPRESS EOOD, including through assignment to third parties;
- Other activities related to the performance of statutory obligations (tax, accounting, regulatory, licence, judicial, etc.) of K-EXPRESS EOOD related to presenting/reporting for information to competent state and judicial authorities and to cooperating in checks of competent authorities;
- Activities related to pest control.
Article 8. The purposes to process personal data related to and/or necessary for the performance of contracts or for taking steps upon the request of a Data Subject before the conclusion of a contract with K-EXPRESS EOOD shall include:
- Establishing relations with Data Subjects;
- Conclusion, amendment, performance and termination of preliminary agreements and contracts with Data Subjects and the sub-activities related to this;
- Receiving, planning, requesting, ensuring and delivering production requests:
– All activities related to purchases; for example – supply of materials and services;
- Deferring/postponing payment.
- Administration and management of the services provided by K-EXPRESS EOOD and providing services to Data Subjects, including online services.
- Communicating with Data Subjects in relation to the conclusion, amendment and performance of contracts. Tracing, recording, maintaining registers and archiving the communication.
- Checks upon complaints and signals about the services provided.
- Collection and processing of the payments owed by Data Subjects for the services provided.
- Reimbursement of amounts transferred inaccurately, compensation and others.
- Performing checks about use/consumption.
- Quality management and control for the products and services provided by K-EXPRESS EOOD.
Article 9. The purposes to process personal data necessary for the legitimate interests of K-EXPRESS EOOD or of third parties shall include:
- Legitimate interest – (1.1.) exercise and protection of legitimate rights and interests of K-EXPRESS EOOD; and (1.2.) assistance in exercising and protecting the legitimate rights and interests of Data Subjects; of processors of personal data on behalf of K-EXPRESS EOOD and of commercial partners of K-EXPRESS EOOD:
- Establishing, exercise or defence of legal claims of the persons listed above in (1.1) and (1.2), including in a judicial procedure, including submitting complaints, signals and such to the competent state and judicial authorities;
- Preparing legal opinions, checks of legality, procedural representation before judicial authorities/private enforcement officers/state enforcement officers, notary services and others;
- Activities related to the administration and servicing of complaints, signals, requests, etc.;
- Extending notary invitations;
- Legitimate interest – prevention, reduction and protection against loss:
- Loss management, including but not limited to checks, corrections, losses, video surveillance.
- Activities related to checks of sites and service of instructions; Legitimate interest – preservation of the licences granted to K-EXPRESS EOOD:
- Activities related to performing licence obligations.
- Legitimate interest – analysis and planning of the policy of K-EXPRESS EOOD concerning relations with Data Subjects and boosting the quality of services:
- Analysis of the satisfaction of Data Subjects and planning activities to boost it as well as customer retention activities;
- Receiving, processing and preparing responses to applications, requests not related to complaints and complaints from Data Subjects in relation to services they have used;
- Control, analysis and optimisation of business processes to improve the quality of the services offered to Subjects.
- Legitimate interest – internal reporting:
- Management and archiving of the data submitted by Azira Food Holding AD to K-EXPRESS EOOD and vice versa, necessary to determine the obligations of the Data Subject;
- Activities related to the assessment of suppliers and maintenance of a register of selected suppliers;
- Reference information and reports related to the overall performance of the company.
Article 10. Purposes for which Data Subjects have consented for their personal data to be processed:
- Participate in a raffle and have follow-up contact as a winner for surveys filled out.
Provision of personal data and consequences in the event of refusal to provide such to K-EXPRESS EOOD
Article 11. (1) In all of its forms for applications, requests, protocols and other forms (electronic or hard copy) K-EXPRESS EOOD clearly notes whether the indication/provision of the respective data and/or documents is a mandatory or contractual requirement or a requirement for the conclusion of a contract.
(2) If additional clarification is needed, a Data Subject may request such at i.nikolov@talarfoods.com, telephone 0886848487, directly from the official responsible for data protection at K-EXPRESS EOOD.
(3) Any refusal to provide data and documents indicated as mandatory may be an insurmountable barrier to the conclusion of a contract with K-EXPRESS EOOD, to the provision of a service by K-EXPRESS EOOD, to satisfying and executing any requests, applications, queries, signals, etc. which releases K-EXPRESS EOOD of liability for non-performance.
(4) Any refusal to provide data and documents or the provision of untrue ones may result in the impossibility to provide the respective services or products or to the suspension of access to the services and products provided by K-EXPRESS EOOD.
(5) Data Subjects shall not provide to K-EXPRESS EOOD any special categories of data within the meaning of Article 9 and Article 10 of the Regulation (namely: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health (except for the cases set out in Article 4 of this Policy) or data concerning a natural person’s sex life or sexual; and personal data related to convictions and offences or related security measures).
Other sources of personal data
Article 12. In certain cases, the personal data processed by K-EXPRESS EOOD is not gathered or received directly from the Data Subject to whom they relate but from third parties such as:
- Contractor or representatives of a contractor other than the Data Subject;
- Official public registers (e.g. Commercial Register, Property Register, etc.);
- Control authorities;
- State and municipal authorities;
- Witnesses;
- Trade partners and subcontractors of K-EXPRESS EOOD;
- Companies from the Azira Food Holding AD Group.
Processing of the information about a Data Subject by third party – personal data processors
Article 13. (1) For the purposes provided for in this Policy and the General Terms and Conditions, K-EXPRESS EOOD may assign activities related to the processing of the personal data of Data Subjects to third parties – personal data processors – in line with and within the scope of the requirements of the Regulation and the other applicable rules for personal data protection.
(2) When personal data about Data Subjects is disclosed to and processed by personal data processors, this shall take place solely in the degree and volume necessary for them to perform the tasks assigned by K-EXPRESS EOOD.
(3) Personal data processors shall act on behalf of K-EXPRESS EOOD and shall be obligated to process the personal data only and solely in strict compliance with the instructions issued by K-EXPRESS EOOD and they shall not have the right to use or process in any other way the information about the Data Subjects but for the purposes provided for in this Policy.
Categories of recipients of personal data
Article 14. The staff of K-EXPRESS EOOD, working for the company under a contract who shall be bound by a declaration of confidentiality, shall be Recipients of the personal data and shall be granted an access to them.
Article 15. K-EXPRESS EOOD shall be obligated not to disclose personal data about a Data Subject, about the services requested and used by a Data Subject, and not to provide the information gathered to third parties unless in the cases when:
- This is necessary to comply with a statutory obligation of K-EXPRESS EOOD to:
- Competent state and municipal authorities;
- Bulgarian Chamber of Commerce and Industry;
- Bulgarian Food Safety Agency;
- Bulgarian Stock Exchange;
- Labour Medicine Office/medical institutions.
- This is expressly provided for in the Policy:
- Personal data processors;
- Companies from the Azira Food Holding AD Group;
- Subcontractors for the services of K-EXPRESS EOOD.
- This is necessary to conclude, amend, perform or terminate contracts:
- Banks and payment service providers (e.g. for the purposes of the payments between K-EXPRESS EOOD and Data Subjects);
- Accounting service providers;
- Postage operators;
- Notaries;
- Licenced translation agencies;
- Insurance companies;
- External trainers;
- Event management companies;
- Trade partners of K-EXPRESS EOOD.
- A Data Subject has provided express consent:
- Trade partners of K-EXPRESS EOOD;
- Companies from the Azira Food Holding AD Group;
- Other persons expressly laid down in the respective consent.
- In view of the protection of the rights or legitimate interests of K-EXPRESS EOOD, of third parties or the Data Subject:
- State and judicial authorities;
- Private and state enforcement officers;
- Lawyers;
- Auditors;
- Notaries;
- Consultants;
- Providers of information society related services (IT services);
- Expert witnesses, etc.
- In other cases laid down in the law.
Period of storing the information
Article 16. (1) K-EXPRESS EOOD may process and store information about a Data Subject until the respective purposes are achieved. In the cases of a contract, the personal data may be processed until the contract/order is in force and for another 11 (eleven) years after its termination in view of the requirements of the accounting legislation.
(2) In view of its internal regulations and the applicable legislation, K-EXPRESS EOOD shall have the right to process and store information about a Data Subject within the following terms:
- Personal data of a Data Subject related to and/or contained in documents/information carriers with respect to which there are statutory terms for storage (accounting documents; documents, information and other records related to tax control, etc.; documents related to ensuring healthy and safe conditions; documents related to ensuring food safety and hygiene; documents related to consumer protection) shall be stored for the terms laid down in the existing legislation unless a longer term for storage of the respective documents/information carriers is set out below;
- A period of up to 3 (three) years shall be the period of storage of data related to and/or contained in documents related to:
- Purchases – register of approved suppliers;
- Contracting with suppliers – protocols to determine that goods are not fit for sale, register of approved suppliers;
- Quality assurance – reports, opinions, protocols, reference information, registers, declarations and diaries.
- A period of up to 1 (one) year shall be the period of storage of data related to and/or contained in documents related to:
- Consent provided by Data Subjects.
(4) If a law or another statutory instrument (including but not limited to statutory instruments in the area of tax and accounting legislation) mandates the storage of the respective information and/or documents or other carriers of information for a period which is longer than the one set out in Article 2, the longer period provided for in the statutory instrument shall apply.
Rights with respect to personal data
Article 17. (1) In relation to the processing of the personal data related to a Data Subject, the Data Subject shall have the following rights provided for in the Regulation:
- Right to information – to obtain information about the processing of their personal data by K-EXPRESS EOOD.
- Right to access:
- To obtain confirmation if personal data related to them is processed;
- To obtain access to the personal data processed and to the detailed information about the processing and the rights under the Regulation.
- Right to rectification – to require rectification or amendments to the personal data if it is inaccurate or incomplete.
- Right to erasure – to require the erasure of their personal data if the grounds for this provided for in the Regulation are in place.
- Right to restrict the processing of personal data – to require of K-EXPRESS EOOD to restrict the processing of their personal data in line with the provisions of the Regulation if the grounds provided for in the Regulation for this are in place.
- Notification of third parties – right to ask K-EXPRESS EOOD to inform the third parties to whom their personal data was disclosed about any rectification, erasure or restriction of processing of the personal data unless this proves impossible or involves disproportionate effort of K-EXPRESS EOOD.
- Right to data portability – to receive the personal data concerning them which they have provided to K-EXPRESS EOOD in a structured, commonly used and machine-readable format and to transmit the data to another controller without hindrance from K-EXPRESS EOOD.
The right to data portability shall apply when the following two conditions are simultaneously in place:
- The processing is based on consent or a contractual obligation; or
- The processing is carried out in an automated way.
If technically possible, the Data Subject shall have the right to obtain a direct transmission of the personal data from K-EXPRESS EOOD to another controller. The right to data portability may be exercised in a way which does not affect adversely the rights and freedoms of other persons.
- Rights in the event of automated individual decision-making, including profiling – not to be the subject of automated decision-making based solely on automated processing (i.e. processing without human involvement), including profiling within the meaning of the Regulation which produces legal effects concerning the Data Subject or similarly affects them, unless the grounds for this provided for in the Regulation are in place and there are appropriate safeguards for the protection of the rights and freedoms and legitimate interests of the Data Subject. Such safeguards shall be at least the right to human involvement on the part of K-EXPRESS EOOD, the right of the Data Subject to express their point of view and to contest a decision. If such a decision, including profiling, is taken with respect to the Data Subject, for each specific case the Data Subject shall have the right and shall obtain from K-EXPRESS EOOD separately material information about the logic applied, the significance and envisaged consequences of the processing to the Data Subject and the manner of exercise of the rights under this item.
- Right to withdraw consent for processing – when the processing of personal data is based solely on the consent provided by the Data Subject, the Data Subject may withdraw their consent at any time. Any such withdrawal shall not affect the legality of processing based on the consent provided until the time of its withdrawal.
Right to object
Article 18. (1) A Data Subject shall have the right, at any time and based on grounds related to their specific situation, object to the processing of personal data related to them, including profiling within the meaning of Regulation, which is based on public interest, exercise of official powers and of legitimate interests of K-EXPRESS EOOD or a third party.
(2) In such cases, K-EXPRESS EOOD shall terminate the processing of personal data unless it proves that there are compelling grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise and defence of legal claims.
Article 19. (1) A Data Subject may exercise their rights related to the protection of personal data by sending a written request to the official responsible for data protection at K-EXPRESS EOOD – submitted in person by the Subject at K-EXPRESS EOOD or via a request with a notarial certification sent by post.
(2) A Data Subject may exercise the rights related to their personal data in person or via a person who has been expressly authorised by them (with a power of attorney with a notarial certification).
Right to complaint to a supervisory authority
Article 20. Every Data Subject shall have the right to submit a complaint to a supervisory authority for personal data protection, more specifically in the Member State (of the EU/EAA) of their habitual residence, place of work or place of alleged breach if they believe that the processing of their personal data is contrary to the provisions of the Regulation or of other applicable requirements for personal data protection.
Supervisory authority in the Republic of Bulgaria
Article 21. The supervisory authority in the Republic of Bulgaria is:
Personal Data Protection Commission
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd
Website: https://www.cpdp.bg/.
Restriction of rights
Article 22. The scope of the rights of Data Subjects and of the obligations of K-EXPRESS EOOD in relation to these rights may be restricted via a legislative measure of EU law or the law of a Member State applied with regard to K-EXPRESS EOOD.
Clarification and additional information
Article 23. A Data Subject may receive clarification about the content, grounds for coming into being, manner of exercise of their rights under this Policy as well as any additional information in relation to their rights in the processing of personal data by K-EXPRESS EOOD from the official responsible for data protection.
Terms applicable for the consent of a person under the age of 18 in relation to information society services
Article 24. In the cases when the grounds for processing of personal data of a Data Subject is their express consent and the processing is related to the direct offering of information society services to a Data Subject under the age of 18, the processing of the personal data of such a Data Subject shall be performed solely with the consent provided by a parent/guardian/trustee of the Data Subject.
This Personal Data Protection Policy has been drawn up by K-EXPRESS EOOD in its capacity of a personal data controller with a view to performing its obligations to provide information to data subjects under Article 13 and Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
This Personal Data Protection Policy has been approved by a Managing Director of K-EXPRESS EOOD and is in force as of 25 May 2018.