Personal data security policy

PERSONAL DATA SECURITY POLICY 

OF NATURAL PERSONS, PROCESSED BY PERSY

            This document contains the Personal Data Security Policy of natural persons (“Policy”) and is related to the General Terms and Conditions, but is not an integral part of them, as its purpose is to explain what personal data Persy processes, in what way, for what purpose and what applicable security measures exist. It also provides information on the rights of the individuals whose data are processed in connection with the processing. In case of amendments to the Policy, the changes will be published here.  
                                                    Effective from: 01.05.2025

            In the processing of personal data, all applicable legal acts on data protection are observed, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“Regulation”) and the Personal Data Protection Act. 

DATA CONTROLLER


            “PERSY” Ltd., UIC 030413948, VAT № BG 030413948, with seat and registered office: Sofia, Tsar Boris III Blvd., 136b, correspondence address: Sofia, “Zlatna Dobrudzha” Str. No.18, contact phone: 0700 420 30, email: info@persy.com (“Persy”) is a data controller, including of personal data of natural persons (data subjects“, “users”)with respect to information collected or provided when browsing and using the www.persy.com platform (hereinafter the Platform”) or when ordering goods and services offered by “PERSY” Ltd., as well as in the course of the company’s activity.

APPLICABILITY OF THE POLICY

This Policy applies to all natural persons with whom Persy has a legal relationship regarding the goods and services it offers, including but not limited to through the Platform.

When a person with whom Persy has a legal relationship is a legal entity or other legal formation, the data about these entities are NOT personal data, but the data about the individuals working for them or using goods or services of Persy, constitute personal data. 

The Policy also applies to all persons who visit the Platform in order to review its functionalities, goods and services offered, to register therein or to send an inquiry or request to Persy. In this regard, the Policy also applies in cases where the person has voluntarily provided their data. 

Partners and third parties working with or for Persy, as well as those who have or may have access to personal data, are obliged to be familiar with, understand and comply with this Policy. No third party may have access to personal data stored by Persy without the company having first entered into a data confidentiality agreement imposing obligations on the third party no less burdensome than those assumed by Persy, and granting Persy the right to carry out checks on compliance with the obligations imposed by the agreement.

This Policy applies to all employees and representatives of Persy, as well as to external suppliers of products and services with whom Persy has concluded contracts. Any violation of the General Regulation shall be considered a breach of labor discipline, respectively a non-performance of contracts with partners, and in case there is a presumption of a crime committed, the matter shall be referred as soon as possible to the relevant state authorities.

By accepting and agreeing to this Policy, it is deemed that the data subject does not object to the processing of data by Persy and the Platform in the manner and under the conditions specified herein. “Acceptance” and “agreement” with the Policy is present when the data subject clearly marks their consent, for example by ticking a checkbox indicating that ticking means acceptance of this Policy, or by a written statement of the subject that they are familiar with and agree to the processing of data by Persy in accordance with the Policy. 

DEFINITIONS

“Regulation” - General Data Protection Regulation 2016/679 of 27 April 2016, called GDPR. The purpose of this European legislative act is to protect the "rights and freedoms" of natural persons and to ensure that personal data are not processed without their knowledge, and where possible, that they are processed with their consent. 

“User” means a natural or legal person who uses the Platform or orders goods or services offered by Persy

“Data subject” – any living natural person who owns the personal data stored by Persy and the Platform. 

“Personal data" – any information relating to an identified or identifiable natural person (“data subject”).

“Identifiable natural person” means a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or membership in trade unions, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Processing” – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Controller” – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law. When downloading the Platform or using the services offered therein, the data controller is “PERSY” Ltd.

“Consent of the data subject” – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them by Persy and the Platform.

“Profiling” – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

“Personal data breach” – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Recipient” – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as “recipients”; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“Third party” – any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

PRINCIPLES

When collecting and processing personal data, Persy and the Platform apply the following principles:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimization;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality;
  • accountability.

CATEGORIES OF DATA SUBJECTS

Persy processes information regarding the following categories of natural persons (data subjects):

  • visitors to the Platform who browse the functionalities, goods and services offered;
  • registered users of the Platform;
  • individuals who have sent inquiries, complaints or other correspondence to Persy;
  • clients and contractual partners of Persy – natural persons, as well as representatives and employees of legal entities;
  • job applicants, individuals with CVs, candidates for positions at Persy;
  • employees of Persy;
  • other persons whose data is processed by Persy in connection with the company’s activities and the services provided.

TYPES OF DATA PROCESSED

Depending on the category of the data subject, Persy may process the following personal data:

  • Identification data: names, unique civil number (EGN), personal ID number of a foreigner, date and place of birth, nationality, personal identification document details (ID card, passport), photograph, signature.
  • Contact details: address, telephone, e-mail.
  • Registration data: username, password, date of registration, user profile settings, account activity, acceptance of Terms and Privacy Policy.
  • Data related to contractual relations with Persy: contract number, date, order details, invoices, warranty cards, acceptance-delivery protocols, correspondence.
  • Payment information: bank account, bank card data, payment history, tax and accounting data.
  • Employment-related data: employment history, CV, education, professional qualification, training, certificates, work position, employment contracts, labor and social security data, payroll information, health information required by law, performance evaluation.
  • Technical data: IP address, log files, device identifiers, browser, operating system, location data when enabled, cookies and similar technologies.
  • Correspondence data: content of requests, complaints, claims, applications, signals, inquiries, as well as records of communication with Persy.

SENSITIVE DATA

Persy and the Platform do not intend to process special categories of personal data as defined in Article 9 and Article 10 of the Regulation (sensitive data).

In cases where such data is voluntarily provided by a data subject, Persy applies the same protection measures as for other categories of personal data.

CHILDREN AND MINORS

Persy and the Platform do not process personal data of children under the age of 16. In the event that a child under this age has provided personal data, Persy will immediately delete the information once aware of it.

PURPOSES OF PROCESSING

Persy processes personal data of natural persons (data subjects) only when there is a legal basis for doing so and for specific purposes, namely:

  • fulfillment of legal obligations of Persy under Bulgarian and EU law;
  • conclusion, execution and management of contracts with clients, suppliers, partners, employees;
  • accounting, invoicing, taxation and payroll;
  • delivery of ordered goods and services, including installation, warranty and post-warranty support;
  • registration, administration and use of user profiles in the Platform;
  • communication with users, handling of inquiries, complaints and correspondence;
  • recruitment and selection of candidates, human resource management;
  • direct marketing, advertising, promotions and personalized offers – only with the explicit consent of the data subject;
  • ensuring the functioning, security and development of the Platform and services;
  • protection of Persy’s legitimate interests, including in judicial and administrative proceedings.

RETENTION PERIOD

Persy processes and stores personal data only for the period necessary to achieve the purposes for which they are collected, after which the data is deleted, unless a longer period is required by law. Examples:

  • Registration and account data – retained until deletion of the profile, and up to 5 years after that for settlement of possible disputes;
  • Contracts, invoices and accounting documents – kept for the periods provided by the Accounting Act, the Tax-Insurance Procedure Code and other laws (from 5 to 50 years depending on the document);
  • Employment documents – payroll data: 50 years; other HR records: 5–10 years according to the law;
  • Inquiries, complaints, correspondence – retained up to 5 years after final settlement of the issue;
  • Log files and cookies – usually 6 to 12 months, unless otherwise required by law or technical necessity.

When there is an ongoing legal or administrative proceeding, data may be retained until its conclusion, even if the above terms expire.

SHARING PERSONAL DATA

Persy does not sell, rent or trade personal data of data subjects. Disclosure to third parties takes place only when there is a legal basis and with the necessary protection measures. Recipients may include:

  • employees of Persy – only those who need access to the data to perform their duties, bound by confidentiality;
  • software developers, hosting and IT service providers maintaining the Platform;
  • accountants, auditors and legal advisers engaged by Persy;
  • couriers and postal operators for delivery of goods and correspondence;
  • banks and payment institutions for processing payments;
  • public authorities and institutions (NRA, NSSI, courts, investigative bodies, police, supervisory bodies) when required by law;
  • partners and subcontractors of Persy – only on the basis of a written agreement imposing data protection obligations equivalent to those of Persy.

INTERNATIONAL TRANSFERS

Personal data is generally processed and stored in the Republic of Bulgaria and the European Union. If transfer outside the EU/EEA is required, Persy ensures an adequate level of protection by:

  • applying an adequacy decision of the European Commission (e.g. EU–US Data Privacy Framework);
  • concluding Standard Contractual Clauses (SCCs) approved by the European Commission;
  • applying binding corporate rules or other mechanisms under the Regulation.

In such cases, the data subject is informed and the same level of protection is guaranteed as within the EU.

RIGHTS OF DATA SUBJECTS

In accordance with the Regulation, every natural person whose data is processed by Persy has the following rights:

  • Right to be informed – to know how their data is processed and for what purposes;
  • Right of access – to receive confirmation whether their data is being processed and to obtain a copy;
  • Right to rectification – to request correction of inaccurate or incomplete data;
  • Right to erasure (“right to be forgotten”) – to request deletion of their personal data when certain grounds exist;
  • Right to restriction – to request limitation of processing in certain cases;
  • Right to data portability – to receive their data in a structured, commonly used, machine-readable format and to transmit it to another controller;
  • Right to object – to object to processing based on legitimate interest of Persy or for direct marketing purposes;
  • Right to withdraw consent – to withdraw their consent at any time, without affecting the lawfulness of processing prior to withdrawal;
  • Right not to be subject to automated decision-making, including profiling, without safeguards;
  • Right to lodge a complaint – before the Commission for Personal Data Protection (CPDP), website: www.cpdp.bg, email: kzld@cpdp.bg.

Requests regarding the exercise of rights are submitted to Persy at the contact details indicated below. Persy responds without undue delay, within one month of receiving the request. Where necessary, this period may be extended by two further months, taking into account the complexity and number of requests. In certain cases, Persy may request verification of the identity of the person making the request. Persy may charge a reasonable fee when requests are manifestly unfounded or excessive.

ACCURACY OF DATA

Persy relies on data subjects to provide accurate and complete information and to update it when circumstances change. Persy does not bear responsibility for incorrectly provided data by the data subject.

AMENDMENTS TO THE POLICY

Persy may amend this Policy at any time by publishing the updated version on the Platform. The updated Policy enters into force immediately for new users and new orders, and for existing users – from the moment they are notified or continue to use the Platform and services after the change. Amendments do not affect already concluded contracts unless required by law.

SECURITY MEASURES

Persy applies appropriate technical and organizational measures to ensure the protection of personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including:

  • restricted access to personal data on a “need-to-know” basis;
  • use of secure servers, firewalls, encryption and backup systems;
  • physical protection of premises where data is stored;
  • training of employees regarding confidentiality and data protection;
  • monitoring and logging of access to systems;
  • internal procedures for retention and deletion of data;
  • confidentiality agreements with employees and partners.

Despite the measures taken, Persy cannot guarantee absolute security of data against all risks existing in the digital environment. In the event of a personal data breach, Persy will notify the competent authorities and the affected data subjects in accordance with the Regulation.

CONTACTS

For all matters related to the processing of personal data, the exercise of rights, or in case of questions and complaints, data subjects may contact:

Persy Ltd.
UIC: 030413948, VAT № BG030413948
Seat and registered office: Sofia, Tsar Boris III Blvd. 136B
Correspondence and service address: Sofia, “Zlatna Dobrudzha” Str. No.18
Phone: +359 700 420 30
Email: info@persy.com, sales@persy.com (for inquiries and orders), service@persy.com (for service and complaints)

Data Protection Officer:
E. Kurpachev
Sofia 1330, “Zlatna Dobrudzha” Str. No.18
Email: info@persy.com
Phone: +359 700 420 30