Privacy Policy

Privacy Policy of Art Park Ltd.

I. Information about the personal data controller:

Art Park Ltd., ID No: 130872183, with management address: Republic of Bulgaria, Sofia region, Municipality of Elin Pelin, village of Ravno Pole 2129, Industrial Zone 1

Email address: info@artpark.bg

II. Legal basis and purposes for which we use your personal data

We process your personal data on the following bases:

1) The contract concluded between us and you, in order to fulfill our obligations under it;

2) Explicit consent from you – the purpose is specified for each particular case;

3) When there is a legal obligation;

III. In the following paragraphs, you will find detailed information regarding the processing of your personal data, depending on the basis on which we process them.

1. FOR THE PERFORMANCE OF A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS

We process your personal data to fulfill our contractual and pre-contractual obligations and to exercise the rights under the contracts concluded with you.

Purposes of processing:

1) Establishing your identity;

2) Management and execution of your request and fulfillment of the concluded contract;

3) Preparing a proposal for contract conclusion;

4) Preparing and sending an invoice/bill for the services you use with us;

5) To provide you with the necessary comprehensive service and to collect the amounts due for the services used;

6) Retaining correspondence related to placed orders, processing requests, reporting issues, etc.

7) Notification about everything related to the services you use with us;

8) Identifying and/or preventing unlawful actions or actions contrary to our terms for the respective services;

Data we process on this basis:

Based on the contract concluded between us and you, we process information regarding the type and content of the contractual relationship, as well as any other information related to the contractual legal relationship, including:

1) Contact personal data – contact address, email, telephone number,

2) Email, letters, information about your requests for problem resolution, complaints, requests, grievances;

3) Information about credit or debit card, bank account number, or other banking and payment information related to the payments made;

4) Other feedback we receive from you;

The processing of the specified personal data is mandatory for us to be able to conclude the contract with you and fulfill it. Without providing us with the above data, we would not be able to fulfill our contractual obligations.

We provide personal data to third parties

We provide the final services published on our Site, in view of which we do not provide your personal data to third parties before ensuring that all technical and organizational measures for the protection of these data have been taken, aiming to exercise strict control to achieve this goal.

We provide personal data to the following categories of recipients (personal data controllers):

1) Persons who, by assignment, maintain the equipment, software, and hardware used for the processing of personal data and necessary for the company's operations

2) Persons who, by assignment, provide accounting services necessary for the company's operations

2. FOR COMPLIANCE WITH LEGAL OBLIGATIONS

It is possible that the law requires us to process your personal data. In these cases, we are obliged to perform the processing, such as:

1) Obligations under the Anti-Money Laundering Act;

2) Fulfillment of obligations related to distance selling, off-premises sales, as provided for in the Consumer Protection Act;

3) Providing information to the Consumer Protection Commission or third parties, as provided for in the Consumer Protection Act;

4) Providing information to the Commission for Personal Data Protection in connection with obligations provided for in the regulatory framework for personal data protection;

5) Obligations provided for in the Accounting Act, Tax and Social Security Procedure Code, and other related legislative acts, in connection with maintaining lawful accounting.

6) Providing information to the court and third parties within court proceedings, in accordance with the requirements of the applicable legislative acts governing the proceedings.

When do we delete the data collected on this basis

The data collected in accordance with a legal obligation stipulated by law are deleted after the obligation for collection and storage has been fulfilled or expires. For example:

1) Under the Accounting Act for the storage and processing of accounting data (11 years),

2) Obligations to provide information to the court, competent state authorities, and other grounds provided for in the current legislation (5 years).

Sharing data with third parties

When there is a legal obligation for us, it is possible to provide your personal data to the competent state authority or legal entity.

3. AFTER YOUR CONSENT

We process your personal data on this basis only after explicit, unambiguous, and voluntary consent from your side. We will not impose any adverse consequences on you if you refuse the processing of personal data.

Consent is a separate basis for processing your personal data, and the purpose of the processing is specified therein, not covered by the purposes listed in this policy. If you provide us with the relevant consent, until its withdrawal or termination of any contractual relationship with you, we prepare suitable offers for products/services for you.

Data we process on this basis:

On this basis, we only process the data for which you have given us your explicit consent. The specific data are determined for each individual case. Typically, the data include:

1. Email;

2. Names;

3. Address;

4. Phone number;

Sharing data with third parties

On this basis, we may provide your data to an accounting services firm, as well as to state institutions and agencies.

Withdrawal of consent

The provided consents can be withdrawn at any time. Withdrawal of consent does not affect the performance of contractual obligations. If you withdraw your consent for the processing of personal data for any or all of the methods described above, we will not use your personal data and information for the purposes specified above. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To withdraw a given consent, you only need to use our contact information.

When do we delete the data collected on this basis

We delete the data collected on this basis upon your request or 6 months after their initial collection.

Processing of anonymized data

We process your data for statistical purposes, meaning for analyses where the results are only aggregated, and therefore the data is anonymized. Identifying a specific individual from this information is impossible.

Your data can also be anonymized. Anonymization is an alternative to deleting data. With anonymization, all personally identifiable elements that allow your identification are irreversibly erased. There are no regulatory requirements for deleting anonymized data since they do not constitute personal data.

How we protect your personal data

To ensure adequate protection of the company's data and our clients, we implement all necessary organizational and technical measures as stipulated in the Personal Data Protection Act, as well as best practices from international standards.

The company has established rules to prevent abuse and security breaches and has appointed a Data Protection Officer to assist in safeguarding and securing your data.

In order to ensure maximum security during the processing, transmission, and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, and others.

User Rights

Every user of the website enjoys all rights for personal data protection in accordance with Bulgarian legislation and the law of the European Union.

The user can exercise their rights through the contact form or by sending a message to our email.

Every user has the right to:

1) Information (regarding the processing of their personal data by the data controller);

2) Access to their own personal data;

3) Correction (if the data are inaccurate);

4) Deletion of personal data (the right to be forgotten);

5) Restriction of processing by the data controller or data processor;

6) Data portability between separate data controllers;

7) Objection to the processing of their personal data;

8) The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

9) Right to judicial or administrative protection in case the data subject's rights have been violated.

The user may request deletion if one of the following conditions is met:

1) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

2) The user withdraws their consent upon which the processing of data is based, and there is no other legal basis for processing;

3) The user objects to the processing, and there are no overriding legitimate grounds for the processing.

4) The personal data have been processed unlawfully;

5) The personal data must be erased to comply with a legal obligation under Union or Member State law to which the controller is subject.

6) The personal data have been collected in connection with the offer of information society services to children, and consent was given by the holder of parental responsibility for the child.

The user has the right to restrict the processing of their personal data by the data controller when:

1) The accuracy of the personal data is contested. In this case, the restriction of processing is for a period that allows the controller to verify the accuracy of the personal data.

2) The processing is unlawful, but the user does not want their personal data to be erased and instead requests restriction of their use.

3) The controller no longer needs the personal data for the purposes of processing, but the user requires them for the establishment, exercise, or defense of legal claims.

4) The user objects to the processing pending verification whether the legitimate grounds of the controller override those of the user.

Right to data portability

The data subject has the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means. When exercising their right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Right to Object

Users have the right to object to the processing of their personal data by the controller. The data controller is obliged to cease processing unless they can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. In case of objection to the processing of personal data for direct marketing purposes, the processing should be stopped immediately.

Complaint to the Supervisory Authority

Every User has the right to lodge a complaint against unlawful processing of their personal data to the Commission for Personal Data Protection or to the competent court.

Maintenance of a Register

We maintain a register of processing activities for which we are responsible. This register contains all of the information listed below:

1) The name and contact details of the data controller.

2) The purposes of the processing.

3) Description of the categories of data subjects and of the categories of personal data.

4) Categories of recipients to whom the personal data have been or will be disclosed.

5) Including recipients in third countries or international organizations.

6) Where possible, the envisaged time limits for erasure of the different categories of data.

7) Where possible, a general description of the technical and organizational security measures.

The current Privacy Policy of ART PARK LTD was adopted and approved by the company's management on May 23, 2018, and it is effective and applicable as of May 25, 2018.