(in force from 24.05.2018, last amended on 15.06.2023)
SCOPE AND APPLICATION
Adventure Facility Concepts and Management Ltd. (“we” “our” or “us”), UIC 202387264, with registered office and address of management Sofia city 1784, 111B Tsarigradsko Shosse Blvd., as a administrator of personal data, is aware of the importance of protecting your personal data.
This General Data Protection Policy (“General Policy”) aims to inform you about:
- Categories of personal data that we collect and process:
(ii) when you apply for positions we have announced, or when you are hired and start working with us as our worker, employee or subcontractor;
(iii) when you contact us (including through one of our websites) or request that we provide you with information about the goods and services we offer;
(iv) in the performance of work assigned to us, including the sale of goods and services we offer;
(v) when you use the services we offer in our physical sites.
- The sources and ways in which we collect and protect the personal data we process.
- The purposes for which we process personal data and the legal basis for the processing.
- The collection and processing of personal data relating to children.
- Cases in which we provide your personal data to others.
- How long we store your personal data and when we delete it.
- Your rights in connection with the processing of your personal data.
- Protection of your personal data.
- The ways to contact us on issues related to the processing of your personal data.
This general data protection policy applies in all cases where we process personal data. Our special policies for protection of certain categories of personal data apply in addition to this General Policy.
We may periodically update this general data protection policy. In these cases, we will post a notice to this effect on our website, as well as an updated version of the policy.
If you have any questions related to this General Policy, do not hesitate to contact us in any of the ways described at the end of this document.
For the purposes of this General Policy:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Sensitive personal data” includes personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying an individual, health data or data on the sexual life or sexual orientation of the natural person.
Data that cannot be related to or associated with a specific natural person are not “Personal data”.
- WHAT CATEGORIES OF PERSONAL DATA WE PROCESS
The personal data we process includes:
Identification data, including your name or the name of the person you are a parent/guardian of, date of birth, email and contact telephone number.
Basic information, such as your name (including prefix), the organization you represent or work in, and the position you hold.
Contact data, such as postal address, e-mail address, telephone number, fax number and Skype name.
Financial data, such as your credit/debit card number or bank account in connection with a specific transaction or series of related transactions.
Technical data, such as data generated as a result of using our website or an integrated application (application, plugin, etc.), as well as information related to materials and communications that we receive from you or send to you electronically.
Information relating to business meetings, such as information you provide to us in connection with your participation in business seminars, conferences and other similar commercial events organized by us or by any of our related businesses.
Image data, in the course of video surveillance in our physical sites, related to ensuring the security of their users.
Physical identity data such as face picture taken upon initially passing through the Face Access Terminal at Waltopia Climbing Center.
Other personal data that you have provided to us or that have been provided to us on your behalf, or that have been generated in connection with the preparation and execution of the order you have placed with us, such as a history of orders or payments.
III. SOURCES AND METHODS OF COLLECTING PERSONAL DATA
Personal data that you provide to us directly
Some of the personal data that we collect and process is provided to us directly by you (e.g. when you register on or use one of the websites we operate or contact us by phone or online in order to find a job or to obtain information for the goods and services we offer or for the status of execution of your order)
The personal data you provide to us directly in particular includes:
Identification data, such as your name, date of birth, face picture, permanent address, delivery or correspondence address, telephone number and e-mail address, password and user name, in the cases when you register your own customer profile on one of the websites we operate (as far as the respective website supports such functionality);
In some cases, the personal data you provide to us may include age, gender, interests or membership in a trade (industry) organization;
Personal data contained in electronic communications that you have sent us, such as the data contained in an email message addressed to us or our employee or sales representative;
Data created by you in the context of the assignment and execution of orders that you have made with the help of a website operated by us or in another way, such as the history of orders, incl. data on the date of assignment and/or acceptance of the orders and their status of execution;
Financial information, such as your debit or credit card number or bank account, in connection with the execution of a specific financial transaction or series of similar transactions.
Personal data that you generate or that are related to your customer profile on that website, such as data that you enter when you update your customer profile or information about products that you have added to your cart or wishlist.
Data that you generate when you use a particular social plugin, such as the Facebook “like” or “follow” plugin, in order to express your attitude toward certain material or content that we have posted on one of our websites or our pages in social networks that we support.
Other data that you have provided to us at our request, when we are obliged or legally entitled to collect this data for the purpose of identifying you or confirming the information we have received.
In certain cases, where permitted by law, we collect data related to convictions and violations. For example, if the law obliges us not to hire people who have been convicted of specific crimes, we will process the data provided by you to the extent necessary to fulfill the obligation imposed on us by law.
Personal data that we collect automatically
Some of the personal data we process is collected by us automatically when you register or use the website we operate to contact us or place an order. This information is provided by the devices (e.g. your personal or business computer, smartphone or tablet, etc.) that you use to access our websites, our pages in social networks or applications and other online services we offer, such as the device ID or a unique identifier, associated with the device or browser you are using, location data, device type, or the browser you are using.
We do not carry out automated decision-making, including profiling, as a result of automated processing of personal data.
Personal data that we collect from other sources
In addition to the personal data we collect directly from you or from the device you use, we collect information from other sources as well. For example, in certain cases, we collect information related to your credit history, as well as other similar information, provided by credit bureaus or licensed credit or financial institutions with which you have maintained or maintain financial or business relationships, in cases where the law does not prohibit this.
Personal information provided by third parties includes information contained in your public social media account, which we access when you choose to log in to your client account using your social media account, such as Facebook or G +. Keep in mind that much of the data you post on your social media accounts, such as your public profile, location or location data, language, public postings and comments, is publicly available, resulting in certain responsibilities and privacy risks of your personal space. You control what data will be shared with us through the settings of the site of the respective social network, as well as the consents you provide to us in connection with the processing of your data stored by the sites of social network.
Personal data from video surveillance
In our physical sites, where means for video surveillance are installed, information boards are placed in locations visible to visitors, which collect data on your personal image.
- THE PURPOSES FOR WHICH WE PROCESS PERSONAL DATA AND THE LEGAL GROUNDS FOR THE PROCESSING
We collect, store and otherwise process personal data insofar as this is not against the law and in accordance with our own privacy policies. We process personal data for various business purposes, and this processing is carried out on various legal grounds. By law, we must have legal basis to process your personal data. Depending on the basis on which we process your personal data, you have certain rights. You can find more information on your rights in Section IX.
In particular, we process the personal data collected by us on the legal grounds set out below for one or some of the following purposes:
We process your personal data in connection with the conclusion and execution of a contract with you.
We may collect and process your personal data for the purposes of concluding and executing a contract with you, as well as in cases where, at your request, we take certain steps before concluding a contract. The main purposes for which we process personal data on this basis are:
- identifying the customer who wishes to order or has ordered products and services offered by us, as well as of the persons who wish to become or have already become our suppliers or subcontractors;
- establishing the legal possibility for concluding a contract, as well as the additional requirements for the validity of the contract, such as the presence of consents from third parties;
- preparing and communicating of proposals for concluding and amending a contract and draft contracts, including distance contracts;
- providing additional information and explanations about the characteristics and the way of using the products and services we offer;
- fulfillment of an order made by the client for products and services;
- preparation of invoices, bills, credit/debit notices and protocols for our sales or free deliveries of products and services,
- tracking of the payments made on orders made;
- contacting customers, suppliers and subcontractors on issues related to the implementation or amendment of a contract for the supply of goods and services;
- providing oral and written technical advice and information, including advice on the optimal and safe use of our products and services;
- sending messages, bulletins and notifications for withdrawal of certain products from the market,
- fulfillment of our obligations under product guarantees issued by us;
- coordination of the activities for implementation of a concluded contract with a client or subcontractor;
- performing credit risk assessment, including in cases when deferred payment of contractual obligations is envisaged or has been envisaged;
- consideration and analysis of complaints and signals related to our products and services, as well as taking the necessary measures to eliminate the problems encountered in the implementation of contracts concluded by us or the use of products and services supplied by us;
- establishing and preventing illegal actions taken by a client, including actions contrary to a valid contract concluded by us;
- preventing unauthorized disclosure, use, alteration or destruction of confidential information or other information protected by law;
- ensuring the normal functioning of the e-shops operated by us and other similar channels for sale and distribution of our products and services;
- registration of customer profiles on the websites that we maintain and operate;
We process your personal data in order to fulfill the regulatory obligations we have under the legislation of the European Union and the EU member states.
In particular, we process personal data in fulfillment of our legal obligations arising from the fact that we are both an employer and a buyer and a seller of goods and services. In this regard, we process personal data in order to fulfill our specific obligations arising out of or in connection with:
- the social security of our workers, employees and subcontractors, including the obligations arising from the Social Security Code, the Health Insurance Act and the laws in the field of personal income taxation, as well as their equivalents in other EU member states.
- the sale (including distance selling) of goods and services to consumers within the meaning of the Consumer Protection Act
- identifying clients when necessary to fulfill our obligations under the Anti-Money Laundering Measures Act or the Anti-Terrorist Financing Measures Act;
- the lawful accounting of the business operations in which we participate, including the taxation of the supplies and services made and received by us;
- our obligation to assist the competent authorities in the course of their checks, audits and inspections, as well as in all other cases in which these authorities exercise their supervisory powers on a lawful basis;
- our involvement in legal proceedings and related proceedings as a party or a third party, such as our obligation to provide data and information relevant to the resolution of a particular litigation;
We may collect and process your personal data with your consent
In certain cases, after we obtain your consent for a certain way of processing your personal data, we may use this data:
- for the purposes of direct marketing of products and services offered by us or by persons related to us, which may be marketed in the form of telephone calls, sending letters or short text messages or emails. For example, if you subscribe to our newsletter or wish to receive promotional offers, we may ask you to provide information such as your name, telephone number, email address, and other relevant information. In case you do not wish to receive more promotional and marketing messages from us, you can notify us at any time or simply follow the “unsubscribe” instructions contained in the communications and messages sent to you. We take steps to limit the marketing content we submit to a reasonable and proportionate volume by sending you only content that we believe may be of interest to you or that may be relevant to you based on the information in our possession.
- for the purposes of your participation in various surveys, consultations, events and activities of a commercial or non-commercial nature, e.g. parties organized by us or any of our related businesses;
- to fulfill specific obligations towards you arising from law or contract, insofar as the processing of relevant personal data (e.g. health information or other sensitive personal data) is not prohibited by law.
- To ensure the security when using the facilities in our physical sites, through video surveillance.
You have the right to withdraw your consent to the processing of your personal data at any time. More information about this right can be found below.
We may process your personal data when we have a legitimate interest in doing so, such as our legitimate interest to:
- constantly and continuously improve and develop the products and services we offer, including their functionalities, design and/or content
- encourage and see to the introduction and implementation of improved and/or innovative measures for the safe use of the products and services offered by us or related parties;
- monitor and analyze our performance in the relevant market;
- develop the skills of our staff and subcontractors to work with clients from the respective markets;
- personalize the products and services we provide to you in order to increase your overall satisfaction with them and with your communication with us;
- monitor the technical condition of our information systems and resources, including our e-shops and other websites, as well as eliminate any problems related to their proper functioning or their security and integrity;
- COLLECTION AND PROCESSING OF PERSONAL DATA RELATING TO CHILDREN
We understand the importance of taking additional measures to protect the personal data of children who use our products and services, including the websites we operate. We do not collect personal data from children under the age of 16, or data relating to children under the age of 16, without parental consent or, if applicable, without the consent of another person who may by law consent to the processing of a child’s personal data (e.g. a child’s guardian).
We do not allow children under the age of 16 to create their own customer accounts on the websites we operate or otherwise provide their personal data to us.
If we become aware that we have collected from or processed a child’s personal data without the required parental consent, we will take steps to destroy this information without undue delay.
- IN WHICH CASES DO WE PROVIDE YOUR DATA TO THIRD PARTIES
To persons processing data on behalf of the Company
We may outsource the processing of your personal data to third parties who assist us in processing this data. These third parties process your data on our behalf and in accordance with our instructions for all or some of the purposes set out in this General Policy. We do not allow third parties – subcontractors to use your personal data for their own purposes, including direct marketing purposes.
We require from all third parties who process your personal data on our behalf to process this data in accordance with the law, as well as to ensure their security, including by taking the necessary technical and organizational measures to protect personal data. The categories of recipients who process personal data on our behalf are:
- accounting and auditing companies that process personal data for the purposes of accounting and auditing of our financial statements, as well as for the implementation of our regulatory obligations in the field of labor, tax and social security legislation;
- persons who provide services to the information society, including hosting services, and/or information and technical services related to the maintenance, security and development of our information and communication infrastructure and resources
- licensed postal operators and transport or forwarding companies, in the cases when we send you products ordered by you, licensed payment service providers for the purposes of processing payments from/to you;
- security companies licensed to carry out private security activities for the purposes of ensuring security and access regime in the buildings and premises that we own or use legally
- To public authorities to which we are required by law to provide your personal data, such as courts or administrative authorities, performing regulatory, supervisory or other similar functions (e.g. Commission for Consumer Protection, Commission for Personal Data Protection, Commission for protection of competition and other competent authorities which are permitted by law to collect and process personal data);
To protect our legitimate interests
In certain cases, when this is prompted by our legitimate interests, we may disclose your personal data to third parties, such as:
- our legal advisers and legal representatives in connection with obtaining legal advice or preparing and organizing our defense in a current or potential legal dispute, including for the purpose of our participation in a mediation procedure or other voluntary dispute resolution procedure.
- persons who have acquired part or all of our enterprise or activity as a result of our reorganization (e.g. merger, acquisition, etc.), a transaction concluded by us (e.g. sale, exchange) or an act of a competent authority;
To persons for whom we have received your explicit consent, such as:
- companies that can provide to you information or offers for their own products and services.
VII. HOW LONG WE STORE YOUR PERSONAL DATA AND WHEN WILL WE DELETE IT
We store your personal data for the period that is necessary or permitted in view of the purposes for which we process them. Once these objectives have been achieved or after our legitimate interest or legal basis for processing the data has ceased to exist (e.g., when the consent for processing of certain data is withdrawn), we will delete the personal data without undue delay.
The criteria, on the basis of which the retention period of your personal data is determined, include: (a) the period during which we maintain business relations with you and provide our services to you,(b) the retention periods provided for in the laws applicable to us; and (c) the period for which we are required to retain the data in connection with our participation and protection of our rights and legitimate interests in judicial and administrative proceedings and the expiration of the relevant limitation periods.
For example, we will store personal data contained in our accounting records for the periods provided for in the Accounting Act.
VIII. HOW WE PROTECT YOUR PERSONAL DATA
When processing your personal data, we take the necessary technical and organizational measures to protect this data from unauthorized access, alteration or deletion. These measures include:
- establishing internal policies for processing of personal data, which aim to prevent unauthorized access to the systems we use and to the premises where we store your personal data;
- establishing a confidentiality obligation for our employees, subcontractors and suppliers;
- outsourcing the processing of your personal data only to those organizations that process personal data in accordance with the law, ensuring their security, including by taking the necessary technical and organizational measures to protect personal data.
- YOUR RIGHTS REGARDING THE PROCESSING OF YOUR PERSONAL DATA
At any time during the period of processing of your personal data by us, you have certain rights, as set out below.
You can exercise your rights under this policy and the General Data Protection Regulation by sending an email or letter to our Data Protection Officer, which contains your specific request and which, if possible, is signed by hand or with a qualified electronic signature. If you are unable to sign your request in one of our preferred ways, we may ask you to provide additional information in order to establish your identity.
We will respond to your request free of charge and without undue delay. In cases where we receive repeated requests from you, we may refuse to take action on the request or set a fee (based on the costs we will incur) that you should pay for providing the information or communication or taking the requested action, or
RIGHT OF ACCESS AND INFORMATION
You have the right to request and receive:
- information about the purposes of the processing of your personal data, what categories of personal data we process and who are the recipients or categories of recipients to whom your personal data are or will be disclosed, as well as any information about the source of your personal data;
- a copy of your personal data that we process, in electronic or other appropriate form;
RIGHT TO CORRECT AND TO SUPPLEMENT
If you find that the personal data we process is inaccurate and/or incomplete, you may ask us to correct and/or supplement it.
RIGHT TO OBJECT
When we process your personal data based on our legitimate interest, you have the right to object to such processing. We will terminate such processing without undue delay and delete your data unless we provide justified reasons for continuing to process your data, which reasons outweigh your rights and legitimate interests or the processing of your personal data is necessary for the establishment, exercise or defense of legal claims. In addition, you have the right to object at any time to the processing of your personal data for marketing and advertising purposes. We will terminate such processing without undue delay as soon as we receive your objection.
RIGHT TO RESTRICT THE PROCESSING
You have the right to ask us to restrict the processing of your personal data in the future when:
- you believe that the personal data we process is inaccurate and require us to correct it, for as long as we check the accuracy of your data and until we make the necessary correction;
- it has been established that for some reason we are processing your personal data illegally, but you do not want your data deleted, but instead want us to process part of your data;
- we no longer need your personal data, but you require us to keep this data for the purpose of exercising rights or defense against third party claims; or
- you have objected to the processing of your personal data (where such processing is based on our legitimate interest) if it is necessary to verify whether we have an interest or a legal obligation to process your personal data.
RIGHT TO DELETION (RIGHT TO BE FORGOTTEN)
You have the right to ask us to delete your personal data, and we are obliged to delete them without undue delay when:
- The personal data are no longer needed for the purposes for which they were collected or otherwise processed;
- You have withdrawn your consent to the processing of data when the data have been processed on the basis of your consent and there is no other legal basis for the processing;
- You have objected to the processing and we have no legitimate grounds for the processing taking precedence over your interests, rights and freedoms;
- Your personal data has been processed illegally;
- The personal data must be deleted in order to comply with our legal obligation;
- The personal data has been collected in connection with the provision of information society services.
In some cases, we will not be able to fulfill your request to the extent that the processing of your personal data is necessary for:
- exercising the right to freedom of expression and the right to information;
- complying with our legal obligation;
- the establishment, exercise or defense of legal claims.
RIGHT TO WITHDRAW YOUR CONSENT
In cases where we process your personal data on the basis of your consent, you have the right to withdraw this consent with immediate effect. In this case, we will suspend the processing of your personal data in the future.
PORTABILITY OF YOUR DATA
In cases where we process your personal data on the basis of your consent or to fulfill our contractual obligations to you, insofar as this does not prejudice the rights and freedoms of others, you have the right to receive the data that you have provided to us in a structured, frequently used and machine-readable format or – if technically feasible – request that we transfer this data to a third party.
RIGHT OF COMPLAINT
If you believe that we are processing your personal data in breach of applicable law, you have the right to lodge a complaint with a competent authority. You can contact the supervisory authority responsible for your place of residence or your country or the supervisory authority responsible for us.
The competent authority in the Republic of Bulgaria is the Commission for Personal Data Protection, whose address is:
City of Sofia 1592
blvd. Prof. Tsvetan Lazarov No. 2
tel. 02/915 – 3518
- WAYS TO CONTACT US
For all questions related to the processing of your personal data or the exercising of your rights, you can contact our data protection officer in one of the following ways:
By e-mail, sending him an e-mail to email@example.com
By mail at: City of Sofia 1784, 111B, Tsarigradsko shosse blvd., floor 3