of TRAKE ORGANIC LTD for the data collected via trake.org online store
1. DEFINITIONS
1.1. GDPR or “The Regulation” means Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
1.2. “Employee” means a person that has a labor contract with the Data Controller
1.3. “Data” or “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4. “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
1.5. “Data subject” or “personal data subject” means any person, whose data are processed by the Controller.
1.6. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.8. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Further in this document the word “Controller” shall refer to TRAKE ORGANIC LTD UIC 205672228, with registered address: No 14 Geo Milev str., 6155 Pavel Banya, Bulgaria.
1.9. “Website” or “Site” means the website with address www.trake.org, created and maintained by or on behalf of TRAKE ORGANIC LTD.
1.10. “Client” means a person who uses or has used the services, provided by the Controller via the Website.
1.11. “Policy” means this Data Protection Policy.
1.12. “Goods” mean goods offered by the Controller or by third parties to Clients via the Website.
1.13. “Services” mean services offered by the Controller or by third parties to Clients via the Website.
2. GENERAL TERMS
2.1. This policy regulates the processing of data by TRAKE ORGANIC LTD (“TRAKE”), registered in the Trade Register and Non-Profit Legal Entities Register of the Registry Agency of the Republic of Bulgaria with identification number 123145803.
2.2. As a personal data controller, TRAKE follows the principles described below:
2.2.1. personal data are processed only when there are legal grounds for the processing;
2.2.2. personal data are processed only for specific and clearly defined purposes;
2.2.3. only the minimum amount of data, required for the purposes, described in the previous paragraph are processed;
2.2.4. The Controller undertakes reasonable measures to keep personal data correct and current, as well as to delete Data without undue delay after the legal grounds for the processing have expired, unless the Controller is obliged to keep the data for archival purposes.
2.2.5. personal data are processed in a manner that guarantees an appropriate level of security, including protection against unauthorized and unlawful processing and against accidental loss, deletion or damaging of data, by applying appropriate technological and organizational measures.
2.3. The Controller is responsible and must be able to prove the keeping of the principles, described above.
2.4. The Controller processes personal data for the purposes of identifying and communicating with the Clients, entering into, managing and performance of contracts for the provision of the goods and/or services that the Controller provides, undertaking own activities (direct marketing), performing the legal obligations of the Controller and prevention, detection, investigation or prosecution of any sort of breach or violation of applicable rules, accomplished through unlawful use of our services, that may cause harm to the Controller, its partners, clients or any other person.
2.5. This policy contains the main principles and procedures for collecting, processing and storing the personal data of the users of the Website, developed, maintained and provided by the Controller. Before using the Site, Clients must carefully read this policy. When creating their user profile on the Site, Clients are able to give consent for the processing of their personal data by the Controller. Giving this consent binds the Clients with the terms of this policy.
2.6. The data subject may not receive the Goods and Services offered via the Website if he has not familiarized himself with the Policy and/or does not accept it. For that reason, before using the Site, the Controller requires the Clients to agree with the terms of the Policy. In case a Client does not agree with the terms of the Policy or a certain part thereof, he will not have the right to use the Website and/or the services, provided via the Website.
2.7. In order to give their consent for the processing of data and to accept the terms of this Policy, the Clients must be at least 18 years old or must be considered adults according to the laws of their country. The Controller may require data for the identification of the Clients in order to ensure they are adult persons at the time of giving the consent.
2.8. The Website provides services, which require the sharing of data with third parties (i.e. registration via Facebook or Google profiles). The Controller notifies the Clients in advance about the cases, when they data may be shared with third parties and points who these parties are. The Clients may check the applicable data protection terms and policies of these parties at any time.
2.9. Before requiring the consent for data processing, the Controller provides the following information to the Data subjects:
2.9.1. the identity and the contact details of the Controller and, where applicable, of the Controller’s representative;
2.9.2. the contact details of the data protection officer, where applicable;
2.9.3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
2.9.4. the types and categories of personal data, for which the consent is asked;
2.9.5. the recipients or categories of recipients of the personal data, if any;
2.9.6. where applicable, the fact that the Controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2.10. The data are kept for periods, specified for each type of data in this Policy. The data are stored in accordance with the procedures, specified herein.
2.11. Irrespective of the terms of this Policy, the Controller has the right to transfer data to public authorities when the data are requested by such authorities when exercising their lawful rights (i.e. bodies of the Ministry of Interior Affairs, investigative authorities, prosecutors’ office or court for the purpose of civil, administrative or criminal proceedings as evidence or in any other cases, specified by law).
3. TYPES OF PROCESSED PERSONAL DATA
3.1. In order to provide the services, the Controller processes or may process the following Data of Clients:
– Name;
– Surname;
– Address;
– E-mail address;
– Phone number]
– Data regarding the payment cards used;
– the Client’s public profiles in social networks;
– the Client’s location.
3.2. For the purpose of direct marketing the Controller processes or may process the following Data of the Clients:
– Name;
– Surname;
– Address.
– E-mail address;
– Phone number;
– Location.
3.3. In order to receive information about the services, offered by the Controller, the Client must give his/her consent for the processing of his/her data for the purpose of direct marketing. This consent can be given at the moment of registration or at any time after that, when the Client enters his/her user profile and chooses the function to receive a newsletter.
3.4. The data described in Articles 3.2. and 3.3. are received directly from the Client. In the event the Client is a legal entity, they may provide the Controller with data, relating to other persons (such as employees of the Client). In such cases, the Client has to inform their employees for the data, provided to the Controller.
3.5. The legal grounds for the processing of data are:
– Article 6, paragraph 1 a) of GDPR (consent of the Client to the processing of his/her personal data for one or more specific purposes)
– Article 6, paragraph 1 b) of GDPR (processing, necessary for the performance of a contract)
– Article 6, paragraph 1 f) of GDPR (processing, necessary for the purposes of the legitimate interests pursued by the controller or by a third party)
3.6. The Controller processes the Personal data of the Clients for the following purposes:
3.6.1. identifying the Clients;
3.6.2. entering into, managing and performance of contracts for the provision of the Controller’s services;
3.6.3. communicating with and notifying the Clients in connection with using the services;
3.6.4. ensuring the normal functioning and use of the Website by each Client;
3.6.5. managing and supporting the Services, including detecting and solving technical or functional problems, developing and improving the Services.
3.6.6. receiving and processing signals, complaints or requests by Clients;
3.6.7. direct marketing (notifying the customers for changes in the services, new services, etc.);
3.6.8. solving disputes between Clients or between a Client and the Controller;
3.6.9. prevention, detection, investigation or prosecution of any sort of breach or violation of applicable rules, accomplished through unlawful use of the Controller’s services, that may cause harm to the Controller, its partners, customers or any other person.
3.6.10. fulfilling legal obligations of the Controller.
3.7. The processing of all or some of the abovementioned Data may be necessary for the purposes, described in Article 3.6.
4. SHARING PERSONAL DATA WITH THIRD PARTIES (RECEPIENTS)
4.1. In order to ensure the payment functionality for the Services, the Controller collects data for the payment cards, used by the Clients. These Data may be shared with bank, financial institutions and providers of payment facilitating software.
4.2. For storing the processed Data, the Controller uses servers, situated in the EU and owned by third parties The data are stored encrypted, so that they can’t be accessed and/or read by third parties.
4.3. The Controller may share the Data with providers of post and carrier services, in connection with the delivery of Goods and Services purchased via the Website.
4.4. Data sharing is suspended at the moment of withdrawal of the Client’s consent. Within 7 days of the withdrawal, the Controller notifies the Recipients for the withdrawal and for the necessity to delete the Data shared by the Controller, unless the same Data are processed by the Recipient on other legal grounds. The Data provided by the Clients is stored by the company hosting the Website, together with the whole information regarding the Website. Therefore, withdrawal of the consent to process that Data is only possible when deleting the Client’s user profile.
4.5. The Controller undertakes reasonable effort to ensure that all Recipients guarantee the level of Data protection, required by the Regulation.
4.6. A full list of the Recipients, the types of Data and the purposes, for which Data may be shared, as well as link to the General terms and Data protection policies of the recipients can be found at the following address: “A full List of Recipients | GDPR“. The Controller keeps the list up to date and notifies the Clients and asks for their consent before sharing the Data with a new Recipient, which has not been in the list at the time when the initial consent for data processing was given by the Client.
5. DATA PROCESSING ON BEHALF OF THIRD PARTIES
5.1. The Controller may process Data on behalf of third parties – providers of Goods or Services. In these cases, the Controller acts as a data processor within the meaning of Article 4, paragraph 8 of the Regulation.
5.2. When collecting data on behalf of third parties, the Controller notifies the Data subjects for the types of Data collected, the identification of the third party – data controller, its contact data and the purposes of the processing.
5.3. In the cases described in this section the third parties are responsible for keeping their obligations as data controllers and for applying the required level of data protection.
5.4. The Data under this section may include types of data that TRAKE ORGANIC LTD does not process in the capacity of data controller. Such Data are only processed after the express consent of the Data subjects.
6. TERMS FOR KEEPING THE DATA
6.1. The Collector keeps the Clients’ Data for as long as they have a user profile, registered on the Website.
6.2. The Data are rectified or deleted in the moment the Client does the respective action within the profile settings on the Website. Rectifying or deleting the Data and their backup copies may require technical time, in accordance with the policy of the servers’ owner, but can be no longer than 30 days from the Client’s request, made by performing the specific action.
6.3. In case that at the time the Client deletes his/her profile, they have an unresolved argument with the Controller or a third party provider of Goods or Services via the Website, regarding payments or compensations for damages, the data are kept for a term of three months after resolving the matter with a written agreement or a final court judgement.
6.4. In case there is an ongoing investigation for fraud or breach of applicable laws against a Client by competent authorities and the Controller has been notified about the investigation by these authorities, the Client’s data are kept for a term of three months after the investigation is complete.
6.5. Upon the expiration of the described terms, the Personal data are deleted by the Controller in a way that doesn’t allow for them to be recovered or reproduced.
7. DATA SUBJECTS’ RIGHTS
7.1. The data subject has the following rights, according to GDPR:
7.1.1. Right to be informed – to receive information as to whether or not personal data concerning him or her are being processed by the Controller, and, where that is the case, the term for keeping the data and the Recipients they are shared with;
7.1.2. Right to access – to receive a copy of the Data concerning him/her, processed by the Controller;
7.1.3. Right to erasure, when one of the requirements of Article 17, para 1 of GDPR is met;
7.1.4. Right to rectification – to request from the Controller to rectify without undue delay any data, concerning him/her;
7.1.5. Right to request the restriction of processing the Data by the Controller in any of the cases, described in Article 18, para 1 of GDPR;
7.1.6. Right to portability – to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller;
7.1.7. Right to object to the processing of Data concerning him/her which is based on point (e) or (f) of Article 6, paragraph 1, including profiling based on those provisions;
7.1.8. The right not to be subject to a decision based solely on automated processing, including profiling.
7.2. When Clients exercise the rights, described in 7.1., the Controller fulfills his obligations according to GDPR in the following terms after receiving a request from a Data subject:
| Request from the data subject | Term |
| Right to information | 15 days |
| Right to access | 15 days |
| Right to rectification | In the user profile – immediately |
| On the servers, used by the Controller – the technical period, required for the rectification, but no longer than 30 days | |
| Right to erasure | In the user profile – immediately |
| On the servers, used by the Controller – the technical period, required for the erasure, but no longer than 30 days | |
| Right to restriction of processing | 15 days |
| Right to data portability | 15 days |
| Right to object | 15 days |
7.3. Exercising the rights of Data subjects, described above, is free.
7.4. When the requests from a Data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller has the right to refuse to act on the request of the Data subject or to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.
7.5. Requests for exercising the rights of Data subjects under GDPR are sent to the data protection officer and where no such person is appointed – to the person mentioned in Article 11.1.
7.6. In order to be sure about the grounds of a request and to protect the data of third parties, the Controller may require the names, personal ID number and/or ID card number of the Data subject when he/she exercises one of their rights according to GDPR, for the purpose of identifying the Data subject. These data are kept by the Controller for one year after the filing of a request for exercising a right under GDPR and may be used only for the purpose of identifying the Data subject in the event of a signal for any breach or fraud, committed by him/her in connection with the request.
7.7. The Controller notifies for every rectification, erasure or restriction of processing each Recipient, with whom Data have been shared, unless this is impossible involves disproportionate effort. The controller informs the Data subject about those Recipients if the Data subject requests it.
8. DATA PROTECTION OFFICER
8.1. In the event a data protection officer is appointed, the Controller publishes that information s well as the contact data of the data protection officer.
8.2. The data protection officer has the rights and obligations, described in GDPR and this Policy, as well as in his/her job characteristic, in case the officer is an employee of the Controller or in the service contract, in case the officer performs his/her activities under a service contract.
9. DATA SECURITY BREACH
9.1. In case the Controller’s employees, who have access to Data, notice any security breach (action or inaction by any person that may lead to or has led to a risk for the security of Personal data), they immediately inform the Controller and the specified contact persons, as well as the data protection officer, when there is one.
9.2. The Controller makes the decisions regarding the necessary measures for coping with the data security breach and its consequences, as well as notifying the concerned subjects, where applicable, by taking into account the possible risks of data security breach, the impact of the breach and the possible implications and damages, resulting from it.
9.3. Where applicable, the Controller notifies the Commission for Personal Data Protection immediately, but no later than 72 hours from becoming aware of the breach. The notification includes:
9.3.1. a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
9.3.2. contact details of the data protection officer or other contact point where more information can be obtained;
9.3.3. a description of the likely consequences of the personal data breach;
9.3.4. a description of the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.4. In the events described in the previous article, the Controller notifies the affected Data subjects about the breach without undue delay but no later than one week after becoming aware of the breach.
9.5. Where the affected Data subjects cannot be determined, the Controller notifies those Data subjects, which are most likely to be affected by the breach.
9.6. In the events described in Article 8.5., as well as when notifying the affected Data subjects would require disproportionate effort, the Controller makes a public announcement or undertakes another similar measure to effectively inform the Data subjects.
10. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES FOR PERSONAL DATA SECURITY
10.1. The technical and organizational data security measures, taken by the Controller, guarantee a level of data security, according to the nature of data, processed by the Controller and the risks of the processing and include, but are not limited, to those described in this section.
10.2. Data security measures include at least:
10.2.1. Administrative measures (establishing a procedure for the security of documents, computer data and archives, organizing the work in different areas of activity, training the employees, etc.);
10.2.2. Technical and software protection (administration of servers, information systems and databases, workplace support, operating systems defense, observation (control) of user access, computer virus protection, encrypting the memory of devices that hold Personal data, etc.);
10.2.3. Contractual measures (entering into contacts or agreements with all Recipients and persons, who may get access to personal data in connection with providing services to the Controller, which guarantee that these persons apply a level of data protection in accordance with GDPR).
10.3. The Controller implements a data recovery procedure in the event of incidental loss of data. The Controller/The owner of the servers creates backup copies of the data, present in his system. Data are recovered according to the internal procedure from backup libraries. In the event of lawful erasure of Data, within 30 days of the erasure the backup copies are erased as well.
10.4. The data security measures the Controller undertakes include:
10.4.1. Using VPN technology for remote access to the internal network of the Controller;
10.4.2. Using a digital certificate to identify the users who gain access to the Controller’s database.
10.4.3. Registering the access to the Personal data, processed by the Controller, including access identificator, date, time, duration, result of access attempt (successful, unsuccessful). The records are kept by the Controller for at least 1 year after each access to data;
10.4.4. Restricting the access to premises where devices, used for storing and processing Data are kept, only to persons, appointed by the Controller to perform processing activities;
10.4.5. Using security protocols and/or passwords when transferring data vie external networks;
10.4.6. Recording all actions, connected with restoring Data (who, when and by what means has performed the actions).
10.5. Personal data, collected in electronic form, are not printed and stored in paper form, unless that is specifically requested by the Data subject or by a public authority within its competence or is required in order to fulfil a legal obligation of the Controller under GDPR or the national legislation.
11. CONTACT DATA
11.1. For more information regarding personal data, processed by the Controller, regarding GDPR or this Policy, as well as for exercising the rights of Data subjects under GDPR, the Controller assigns the following contact point:
Dechko Minchev Dechev
e-mail: [email protected]
12. FINAL PROVISIONS
12.1. This Policy may be amended by the Controller in the event of change in the scope of Data processed, the purposes and/or means of processing, changes in applicable data protection legislation, or other reasons.
12.2. The Policy and any amendments thereof are active from the date of their approval and publication on the internet in such a way that makes them available to the Clients.
12.3. The Controller notifies the Data subjects about each change in the Policy. Insofar as such changes are unilateral acts of the Controller, an explicit consent with the changes may not be required. When the amendment is connected with a change in the scope of Data processed, the purposes and/or means of processing, the Controller asks for the consent of Data subjects before applying the change where such consent is necessary. In case the processing is required in order for the Controller to provide Goods or Services via the Website, the consent of Data subjects may be required in order to keep the registered user account in the Website.
12.4. If they believe there is a breach of applicable data protection laws, Data subjects may file a complaint to the Commission for Personal Data Protection. More information can be found at https://www.cpdp.bg/
12.5. The Controller is not responsible for the accuracy of Data, submitted by the Clients, does not perform any checks in this respect and cannot guarantee the true identity of the physical persons, who have submitted Data. In case of uncertainty, suspected or revealed breach or fraud, Data subjects may inform the Controller without prejudice to their right to file a complaint or signal the competent authorities.
12.6. Clients are responsible for any violations they have committed of other persons’ rights, with respect to the protection of their data or any other right.
