Coming into effect: 15 July, 2020
Last change: 15 July, 2020
Compulsory information about the rights of the person according to data protection
Information about the organisation which processes your data
Name of organisation: NGO “Seven Stories”
Unified Identification Code/Number (UIC): 206150959
Address: 1000 Sofia, 99 Evlogi & Hristo Georgievi Str.
Phone number: +359878448632
Information about the competent supervision institution for personal data protection
Name: Commission for Personal Data Protection
Address: 2 Prof. Tsvetan Lazarov Blvd, 1592 Sofia
Phone number: 02 915 3 518
NGO “Seven Stories” (called further down “Administrator” or “Organisation” for short) is complying its activities with the Law for Personal Data Protection and Regulation (EU) 2016/679 of the European Parliament and the Council as of 1 October, 2015 regarding the protection of physical bodies in reference to personal data processing and free distribution of such data. The current information aims to inform you about all aspects of personal data processing done by the Organisation as well as the rights you have in relation to this processing.
Grounds for collecting, processing and keeping your personal data
Article 1. The Administrator collects and processes your personal data in relation to using the website https://7istorii.com, signing contracts with the Organisation based on article 6, subparagraph 1, Regulation (EU) 2016/679 (GDPR) and more specifically based on the following grounds:
- Specific permission given by you as a client;
- Exection of the Administrator’s duties based on a contract signed by you;
- Keeping a legal obligation, enforced with the Administrator;
- To meet the legitimate interests of the Administrator or a third party.
Aims and principles about collecting, processing and keeping your personal data
Article 2. (1) We are collecting and processing the personal data you are giving in relation to the use of the website: https://7istorii.com as well as when signing a contract with the Organisation, including about the following:
- sending a message through the contact form;
- personification of a contract party;
- protection of information security;
- enforcing contract execution about giving a respective service;
- taking part in games, prize draws, advertising campaigns;
- sending a newsletter at your will.
(2) We are keeping the following principles about processing your personal data:
- lawfulness, good faith, transparency;
- limitations to aims of processing;
- correlation to the aims of processing and minimising the amount of data collected;
- accuracy and relevance of the data;
- limitations of keeping in order to reach the goals;
- wholeness and completeness of keeping and a guarantee of a suitable level of personal data protection.
(3) When processing and keeping personal data, the Administrator can process and keep this personal data in order to protect its legitimate interests:
- execution of its obligations to the National Revenue Agency, Ministry of Interior as well as other state and municipal organs.
What kind of personal data does our Organisation collect, process and keep
Article 3. The Organisation makes these operations with the personal data given by you to the following goals:
- Signing and execution of a sales deal or contract with a client – the goal of this operation is signing and enforcement of a contract with a trade partner or a client and its administration. On certain occasions the goal of the operation can be protection of the legal interests of the Organisation, too, when executing the deal. Given the limited range of the collected personal data and the circumstance that part of it is being collected by publicly available sources, the execution of an evaluation of the impact, it is not necessary to have an evaluation of the impact of the operation.
- Submitting a message through the contact form. Given the limited range of the collected personal data and the circumstance that part of it is being collected by publicly available sources, the execution of an evaluation of the impact, it is not necessary to have an evaluation of the impact of the operation.
- Distributing a newsletter – the goal of this operation is administering the process of sending newsletters to clients who have indicated that they wish to receive those. Given the limited range of the collected personal data and the circumstance that part of it is being collected by publicly available sources, the execution of an evaluation of the impact, it is not necessary to have an evaluation of the impact of the operation.
- Holding the right of refusal or claiming a refund. Given the limited range of the collected personal data and the circumstance that part of it is being collected by publicly available sources, the execution of an evaluation of the impact, it is not necessary to have an evaluation of the impact of the operation.
- Registering a contestant in events and sending information or awards – the goal of this operation is administering the process of registration of participants in events and games, as well as sending awards in conducted games. Given the limited range of the collected personal data and the circumstance that part of it is being collected by publicly available sources, the execution of an evaluation of the impact, it is not necessary to have an evaluation of the impact of the operation.
Article 4. (1) The Administrator processes the following categories of personal data and information on the following grounds:
- Data for registering and receiving a newsletter (names, email address)
- making contact with the user and sending him/her some information,
- to register a user for a prize draw
- to send a newsletter.
- Reason for collecting data:
- Basis for processing your personal data – accepting the general terms and conditons of the website or else when signing a written contract between the Administrator and you there occurs a contractual relationship on the basis of which we process your personal data – article 6, subparagraph 1, b (GDPR). Your data for sending a newsletter are being processed on the basis of your specific consent – article 6, subparagraph 1, b (GDPR).
- Data for receiving a newsletter (names, email address)
- To send a newsletter.
- Reason for collecting data:
- Basis for processing of your personal data – your data for sending a newsletter are being processed based on your specific consent – article 6, subparagraph 1, b (GDPR).
- Data for making a delivery (names, phone, email, address)
- Reason for collecting data: complying with the administrator’s obligations by contract for donations.
- Basis for processing of your personal data – by consenting to the general terms and conditions, making a donation or signing a written contract between the Administrator and yourself there occurs a contractual relationship on the basis of which we process your personal data – article 6, subparagraph 1, b (GDPR).
- Data from your profiles on the social media (publicly accessible information from your profiles on Facebook, Instagram, LinkedIn)
- Making contact with the user and sending him/her information,
- in order to register a user for a game, prize draw or campaign etc.
- Reason for collecting the data:
- Basis for processing of your personal data – your data for participating in our events, concerts, games, campaigns, etc. are being processed based on a specific consent given by you – article 6, subparagraph 1, b (GDPR).
(2) The Administrator does not collect or process personal data regarding:
- disclosing racial or ethnic origins;
- disclosing political, religious, or philosophical beliefs, or membership in trade unions;
- genetic or biometric data, data concerning one’s health condition or data about persons’ sexual life or sexual orientation.
(3) The personal data is collected by the Administrator about the persons it concerns.
(4) The Organisaton does not operate with automatised decision-making.
Terms of keeping your personal data
Article 5 (1) The Administrator keeps your personal data for a period no longer than your subscription for our newsletter or your withdrawing of your consent to have your data processed. After successful termination of your agreement, the Administrator does his/her best to delete and erase all your data, with no delay or to make it anonymous (that is, to modify it so that it does not disclose your identity).
(2) The Administrator keeps your personal data, given in relation to newsletter subscriptions for a 5-year period for the purpose of the legal interests of the Administrator at judiciary or administrative arguments with users, the accountancy documents being kept for the respective statutory term.
(3) The Administrator informs you that in case that the period for keeping the data is necessary to be prolonged in order to enforce a legal obligation or in order to protect the lawful interests of the Administrator etc.
Article 6. The Administrator keeps the personal data of the legal representatives of his/her trade partners for the term of the contract, for keeping the legitimate interests and legal obligations of the Administrator, and this period can exceed the period of the signed contract.
Submitting your personal data for processing
Article 7. (1) The Administrator can at his/her own judgement submit part or all of your personal data to organizations processing personal data in order to perform the goals for processing which you have agreed with, keeping the requirements of Regulation (EU) 2016/679 (GDPR).
(2) The Administrator informs you in case he/she intends to submit part of all of your personal data to third parties or international organisations.
Your rights about collecting, processing and keeping your personal data
Withdrawal of your consent for personal data processing
Article 8. (1) If you don’t want that all or part of your personal data keeps being processed by the Organisation for a specific or all reasons of processing, you can at any given time withdraw your consent for processing by writing a message in free text.
(2) The Administrator can ask you to verify your identity with the identity of the person the data refers to, by asking you to enter your email address and names in the Organisation’s premises in front of our employee.
Right of access
Article 9. (1) You have the right to demand and receive from the Administrator a confirmation if data is being processed related to you and if you have subscribed to our newsletter, you can at any given time see the personal data in your profile you have given and is being processed.
(2) You have the right to receive access to the data related to you as well as to information about collecting, processing and keeping your personal data.
(3) The Administrator gives you upon demand a copy of the personal data about you, which is being processed, in an electronic or some other form.
(4) Giving access to the data is free of charge, but the Administrator preserves the right to charge an administrative fee in case of repetitiveness or excessiveness of demands.
Rights of correction or completion
Article 10. You can correct or complete inaccurate or incomplete personal data, related to you directly or through your subscription to our newsletter through the website form or a request to the Administrator.
Right of deletion (“to be forgotten”)
Article 11. (1) You have the right to demand that the Administrator delete part or all personal data related to you, and the Administrator has the obligation to delete it with no delay, when any of the following grounds is present:
- the personal data is no longer needed for the purposes of their collection or else for processing it in any other way;
- you withdraw your consent on the basis of which the data processing is made and there is no other legal basis for data processing;
- you object against the processing of personal data related to you, including for the purposes of direct marketing and there is no legal basis for data processing, which are being prioritised;
- the personal data has been processed unstatutorily;
- the personal data has to be deleted in order to keep a legal obligation by virtue of an EU law and the right of a member state which is being applied towards the Administrator;
- the personal data has been collected in regard to offering services to information society.
(2) The Administrator is not obliged to delete the personal data if he/she keeps it and processes it:
- to exert the right of freedom of speech and the right to information;
- to keep a lawful obligation which requires processing embedded in the EU law or the law of the member state which is applied to the Administrator or to the fulfillment of a task of social interest or about exerting some official rights which have been bestowed upon it;
- due to reasons of social interest in the field of common health;
- in order to archive in social interest, for scientific or historical research or else for statistical reasons;
- to establish, enforce or defend legal claims.
(3) In case of exerting your right to be forgotten, the Organisation will delete all your data, to the exception of the following:
- information which is necessary to acknowledge that your right to be forgotten has been fulfilled;
- technical information about the functioning of the website, which information cannot be linked in any way to your identity.
(4) To exert your right to be forgotten, you need to apply through the contact form or by email to the Administrator.
(5) The Administrator can request to authorise your identity and prove you are the same person as the one that the data refers to.
(6) If there is a subscription which has started processing, the earliest point you can request to be forgotten is at the successful completion of your subscription.
(7) By deleting your personal data, your subscription will become inactive. Of course, you can browse the website and all the information available on it.
(8) The Administrator does not delete the data which he/she has the legal right to keep, including about protection at certain claims made against legal accusations or proving of rights.
Right of limitation
Article 12. You have the right to request from the Administartor to limit the processing of your data, when:
- you dispute the accuracy of the personal data within a period which allows the Administrator to check the accuracy of the personal data;
- the processing has been unlawful but you do not wish to delete the personal data, but only to limit its use;
- the Administrator does not need the personal data anymore for the reasons of processing, but you request it to acknowledge, exert or protect your legal claims;
- you have objected against the processing in anticipation of an inspection about whether the legal claims of the Administrator have precedence over your interests.
Right for portability
Article 13. (1) You can at any given time withdraw or receive in a device-readable format the data which has been kept and processed about you in relation to using the services of the Administrator directly through your subscription or via email.
(2) You can request from the Administrator to transfer you personal data directly to an Administrator appointed by you whenever this is technically viable.
Right to receive information
Article 14. You can request from the Administrator to get you informed about all receivers the personal data of whom have been disclosed about requesting corrections, deletion or limiting of usage. The Administrator can refuse to give this information if this would be impossible or demands excessive efforts.
Right to objection
Article 15. You can object at any given time against processing personal data by the Administrator which refers to him/her, including if it has been processed for the reasons of profiling or direct marketing.
Your rights when there has been a breach of your personal data security
Article 16. (1) If the Administrator establishes a breach of your personal data security which could result in a high risk of your rights and freedoms, he/she has to inform you with no delay about this breach, as well as about the measures taken or about to be taken.
(2) The Administrator is not obliged to inform you if:
- he/she has already undertaken suitable technical and organisational measures for protection of data endangered by the breach of security;
- has taken measures afterwards that guarantee that the breach is not going to lead to high risk for your rights;
- getting you informed would require excessive efforts.
Persons to whom your personal data is given
Article 17. The Administrator does not make any transfer of your data to third parties.
Article 18. In case of breach of your rights according the above mentioned or else the applied legislation for protection of the personal data, you have the right to file a complaint to the Commission for Personal Data Protection, as follows:
Name: Commission for Personal Data Protection
Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia
Phone number: 02 915 3 518
Article 19. You can exert all your rights about protection of your personal data by addressing your demands in any form which contains an expression of this and identifies you as the owner of this data.
Article 20. If the consent refers to a transfer, the Administrator describes all possible risks for tranferring the data to third parties in the absence of a solution for adequate protection and suitable means for protection.