FICOSOTA (“the Company” or “We”) treats its obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) and, respectively, the Bulgarian legislation, quite seriously and puts in a great deal of effort to meet the applicable standards and establish good practices for personal data processing. The competent leading regulatory body regarding personal data protection, processed by FICOSOTA is the Commission for Personal Data Protection of the Republic of Bulgaria.
Controller: The organization or the natural person setting the purposes and means for personal data processing.
Processor: The organization or the natural person processing personal data on the part of the controller.
Data subject: An identified or identifiable living natural person.
Personal data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person shall mean a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: Any personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Processing: Any operation or set of operations which is performed on personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Third party shall mean a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct guidance of the controller or processor, are authorised to process personal data.
Personal data breach shall mean an action/ circumstance, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data protection
The General Data Protection Regulation (“GDPR”)will be applied in the EU Member States from 25 May 2018. FICOSOTA is making its business activity compliant with GDPR and the data protection principles outlined in the European and national legislation.
FICOSOTA ensures that the personal data processed by it will be:
processed legally, in good faith and transparently, regarding natural persons
collected for specific, expressly stated and legitimate purposes and will not be further processed in a way inconsistent with these purposes
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
accurate and if required maintained up-to-date
stored in a form enabling data subject identification, for a period not longer than the one relevant to the purposes for which the personal data are processed
processed in a way ensuring an adequate level of personal data security
The natural persons – data subjects have the following rights regarding their personal data:
right to information (this right is established through provision of explicit and easily comprehensible privacy notices, explaining the purposes for which we use your personal data, as well as your rights related to the processing of personal data)
right of access to the personal data being processed and to information concerning their processing
right to have personal data rectified, where they are inaccurate or incomplete
right to restriction of processing under the conditions stipulated in the law
right to erasure of personal data, where there is no ground for proceeding of the data processing
right to data portability of your data between different controllers (such as between different service providers)
right to object to certain personal data operations, such as direct marketing
the right not to be subject to decisions having considerable influence on you, which have been taken solely using automated means
right to separation of the personal data processing consent
right to complaint lodging to the to the competent supervisory authority
Six lawful bases for personal data processing are set out in the GDPR:
the data subject has provided his/ her informed consent for personal data processing for a specific purpose
processing is required for entering into or execution of a contract with the data subject
data processing is required for the fulfilment of a legal obligation
processing is required for the protection of vitally important interests of the data subjects or another natural person
processing is required for the performance of a task carried out in the public interest
processing is required for purposes related to the legitimate interests of the controller or a third party, except in the cases where this interest is dominated by the basic rights and freedoms of the data subject
Personal data processed by FICOSOTA
Personal data include not only facts but also opinions/ assessments expressed in relation to a specific natural person. Personal data processed by FICOSOTA may be conditionally divided into four categories:
Staff and associates of FICOSOTA, job applicants and former employees;
Natural persons (such as lawyers, auditors, other independent consultants) and representatives, contact persons, employees of customers, partners and goods suppliers / service providers, with which FICOSOTA has or is considering beginning contractual or factual relationships (such as a customers’ legal representative – legal persons, providers of transport and freight forwarding services, providers of telecommunication services, software and/or hardware solutions and infrastructure).
Visitors to the website of FICOSOTA and the official websites in the social networks, for instance Facebook and Instagram
Participants in games/ raffles/ campaigns organized by FICOSOTA on our websites, on official websites of FICOSOTA on Facebook and Instagram or through partners – marketing agencies
Visitors to facilities owned or rented by FICOSOTA
Employees, associates, job applicants: FICOSOTA processes personal data, including special categories of personal data related to an employment contract or a contract for services, data of job applicants. Generally, FICOSOTA processes such data for the purpose of preparing and carrying out of employment or other type of contracts, as well as to fulfil its legal obligations as an employer.
Representatives, contact persons and employees of customers, partners and suppliers of FICOSOTA– usually we receive your personal data from your employer or from you personally, whenever we need to prepare, conclude or execute a contract with it or establish a commercial relationship. For instance, you might be appointed as a legal representative or a contact person in a contract or business correspondence in relation to the conclusion, execution or termination of a contract, making an offer, settlement of commercial disputes which have arisen and other.
Visitors in the buildings of FICOSOTA– in case of visits to the office spaces, production facilities and common areas of the company, for the purpose of ensuring the security of our property and the bodily integrity of our employees, as well as access control, there are technical devices in place, which will register your visit.
Sharing of personal data
Usually FICOSOTA maintains complete confidentiality regarding your personal data and does not disclose them to any third parties.
Occasionally „FICOSOTA “ may share the personal data of its employees or the representatives of its customers, partners, couriers, carriers, contractors or suppliers with state authorities, as well as with other natural or legal persons – such as providers of software and/ or hardware solutions or infrastructure, with outside consultants in relation to the establishing and exercising of rights, based on a legal obligation or with regard to its legitimate interest, depending on the particular situation. Such disclosure of data is possible only if there is a justifiable reason therefor and if an adequate level of protection is ensured, including through written arrangements with third parties, to which the personal data are disclosed, whenever possible.
Special categories of personal data
FICOSOTA does not process any sensitive personal data of its customers – natural persons or of employees/ representatives of customers, partners and suppliers, visitors to the websites and the social network websites.
Personal data storage
FICOSOTA stores different types of personal data both electronically and on hard copies, which data are contained in different documents, for a firmly fixed period of time. The set periods for data storage always comply with the purposes for which the personal data are processed. These periods are set out in the Policy for document storage and destruction of FICOSOTA.
Exercising of the rights of the data subjects
If requests for the exercising of the rights of the data subjects have been submitted, FICOSOTA establishes communication with the natural person in a short, transparent, comprehensible and easily accessible form, using intelligible and plain language, especially where underage persons are concerned.
Where the rights of the data subjects are being exercised FICOSOTA is obligated to duly identify the natural person in order to avoid the risk of unauthorized access to personal data.
Information concerning the actions taken by FICOSOTA in response to the request submitted for the exercise of rights, shall be provided to the natural persons, without any undue delay and usually within one month from receipt of the request.
All the information related to the exercise of the rights of the data subjects is provided by FICOSOTA free of charge, except in the cases where the requests are apparently unfounded or excessive.
Further information concerning your rights related to the processing of personal data by FICOSOTA is provided in our Data Subjects Rights Policy.
Personal data security
FICOSOTA protects the collected personal data from unreasoned use and sees to their processing.
FICOSOTA maintains secure computer systems for the personal data protection. Adequate control mechanisms for data separation and data management are employed in our systems
FICOSOTA has strict policies and procedures applicable to its staff, for minimizing the risks of personal data processing.
The employees of FICOSOTA are aware of the applicable rules and are trained to process personal data by exercising the utmost care and by observing the good practices.
In conducting its business FICOSOTA works only with acknowledged organizations and avoids working with companies which it considers that might pose hazards to personal data security.
FICOSOTA adopts good practices for the introduction and administration of security systems and keeps up with technology regarding possible risks to the security of the information in the company.
FICOSOTA observes the security of computer systems and personal data contained therein, including the possibilities for access to certain personal data by its employees.
FICOSOTA provides access only to those personal data necessary for the performance of the duties of the respective employee.
Personal data breach
FICOSOTA has adopted procedures for effective establishing, reporting and investigating personal data breaches. In case of personal data breach FICOSOTA will take immediate measures to limit the effect of the breach and to inform the affected data subjects and the regulatory body in charge of personal data protection.
FICOSOTA will update, in a timely manner, by changing and complementing this policy, at all times in the future, whenever necessitated by the statutory provisions or other circumstances.
If you wish to receive further information concerning the processing of personal data carried out by FICOSOTA or if you have any questions or complaints regarding this privacy notice, or regarding the ways in which and purposes for which we use your personal data, please contact us or our data protection officer at:
For FICOSOTA: Bulgaria, the town of Shumen 48, Madara Blvd., email: email@example.com
You may contact our data protection officer at: firstname.lastname@example.org
What are cookies?
An HTTP cookie, usually called simply “cookie”, is a packet of data, which is sent by a web server to a web browser, such as Internet Explorer, Microsoft Edge, Safari, Opera, Mozilla Firefox, Chrome, etc. and then sent back by the browser every time it gains access to the said server. A cookie remains on your device to be used during the next session, as it may be deleted meanwhile. If you use more than one browser, each of them has separate for cookies storage. Cookies are not related to a certain person but to the device-browser combination. Therefore, a person using several browsers and/or devices, has a separate set of cookies for each device-browser combination. On the other hand, cookies cannot differentiate between a large number of users sharing the same device and browser, unless they use different user accounts.
Cookies serve many different functions. For example, they help us remember your user name or preferences, and analyse the performance of our websites.
What data do we collect?
We collect data for the following purposes: troubleshooting, website administration, trend analysis, demographic data collection, compliance with applicable law and cooperation with the law enforcement authorities. We may also share such information with our authorised Third Party Service Providers and Advertisers, in order to determine the overall effectiveness of our online advertising, content and programming.
Other tracking techniques
We may use other standard industrial technologies, such as pixel tags and other web beacons in order to track the way you use our websites and promotions, and we may also allow Third Party Service Providers to use these techniques on our behalf. The pixel tags and other web beacons are small images located on different parts of our websites or in our emails and enable us to get to know whether you have performed certain operation or not. Whenever you gain access to such websites or visit, or click on an email, the pixel tags or other web beacons send a Non-Personally Identifiable notice of that action. Pixel tags enable us to better understand the user behaviour and calculate the web traffic of our websites. We may also use pixel tags and other web beacons provided to us by our Affiliates and/or Marketing Partners for the same purposes.
Does anyone else use the cookies on the websites of FICOSOTA OOD?
Whenever you visit our websites, we and/or our authorised Third Party Service Providers and Advertisers may automatically gather such information by using electronic techniques, such as Cookies and other web beacons or pixel tagging.
We use or authorise third parties to use our cookies on our websites. We use Google Analytics to track the web traffic of our websites.
We may use third-party cookies which help us research the market, track our revenues, improve our performance and monitor whether our rules are being abided.
How to disable cookies?
All up-to-date web browsers enable you to change the cookie settings. Normally, you may find those settings by clicking the “options” or “preferences” menu of your browser. To understand these settings, you may use the following links or click the “Help” button of your web browser for more details:
If third-party advertising cookies is a cause for concern, you may disable them from here: Your Online Choices site.
Please remember that if you opt to disable the cookies, some of the sections on our website may not function properly.
Does FICOSOTA OOD use any cookies containing my personal data?
No, the cookies we use are anonymous and contain no personal data.
Should you have any questions regarding this Policy, please do not hesitate to contact us on the following email: email@example.com
These rules (the Rules) stipulate the modalities under which natural persons whose personal data are processed by FICOSOTA Ltd (“Ficosota”) may exercise their rights in accordance with the data protection law.
Part 1: General principles
Ficosota processes and protects the personal data collected in its course of business fairly, lawfully and for the purposes for which they are collected.
The employees who carry out personal data processing for the purposes of product marketing, conclusion of contracts for procurement of goods, fulfilment of obligations under such contracts, as part of their employment obligations, shall adhere to the following principles when processing personal data:
The personal data are processed in a lawful and fair manner.
The personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Personal data collected and processed in the process of human resources management shall be relevant, relating to and serving only the purposes they have been collected for.
The personal data are accurate and, where necessary, kept up to date.
The personal data are deleted or rectified where it is ascertained that they are inaccurate or disproportionate to the purposes for which they are processed.
The personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The employees who carry out personal data processing undergo initial and regular trainings on data privacy and familiarize themselves with the applicable legislation.
Part 2: Definitions
The definitions below shall have the following meanings:
“Personal data” means any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Applicable legislation” means the legislation of the European Union and the Republic of Bulgaria which is relevant to the personal data protection;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“Data Subject” an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Regulation (EU) 2016/679” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Journal of the European Union on 4 May 2016
Part 3: Rights of the data subjects
The data subjects have the following rights in respect of their personal data:
Right of access;
Right to rectification;
Right to data portability;
Right to erasure;
Right to erasure (‘right to be forgotten’);
Right to restriction of processing;
Right to object to the processing of personal data:
Right of the data subject not to be subject to a decision based solely on automated processing, regardless of whether the processing includes profiling.
Right of access
2.1. Upon request, Ficosota shall provide the data subject with the following information:
information as to whether Ficosota is processing or is not processing data of the person concerned;
a copy of the person’s personal data being processed by Ficosota, and
an explanation about the data being processed
2.2. The explanation under item 2.1 (iii) above shall include the following information about the personal data being processed by Ficosota:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, regardless of whether the processing includes profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer
2.3. The explanation about the data being processed shall contain information which Ficosota provides to data subjects by means of privacy notices.
3.1. Upon request of the data subject, Ficosota may submit a copy of the personal data being processed.
personal data of third parties, unless they have granted their express consent thereto;
data which are trade secret, intellectual property or confidential information;
any other information protected under the applicable legislation
3.3. Providing data subject with access shall not have adverse effect on the rights and freedoms of third parties or result in Ficosota’s non-compliance with its statutory obligation.
4.1. In the cases where the access requests are apparently unfounded or excessive due to their repeatability, Ficosota may charge a reasonable fee based on the administrative expenses incurred for information provision or it may refuse to respond to such access request.
4.2. Ficosota shall decide on a case by case basis whether a request is apparently unfounded or excessive or not.
4.3. If Ficosota refuses access to personal data, it shall present arguments supporting its refusal and inform the data subject of his/her right to file a complaint to the Commission for Personal Data Protection.
Right to rectification
5.1. Data subjects may demand that their personal data, which are processed by Ficosota, be rectified if they are inaccurate or incomplete.
5.2. If the request for personal data rectification has been complied with, Ficosota shall notify the other recipients to whom data have been disclosed (for example state authorities, service providers), so that they could reflect the changes.
Right to erasure (‘right to be forgotten’)
6.1. Upon request, Ficosota shall be obligated to erase personal data, if any of the following grounds exists:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the data subject objects to the processing of personal data for direct marketing purposes;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation to which Ficosota is a subject;
the personal data have been collected in relation to the offer of information society services to children within the meaning of Article 8(1) of Regulation (EU) 2016/679
6.2. Ficosota shall not be obligated to erase the personal data if their processing is required:
for exercising the right of freedom of expression and information;
for complying with the legal obligation to which Ficosota is a subject;
for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of Regulation (EU) 2016/679;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of Regulation (EU) 2016/679, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
Right to restriction of processing
7.1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject; the restriction of processing applies for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
Ficosota no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing on the grounds of the legitimate interest of Ficosota and verification whether the legitimate grounds of the controller override those of the data subject is pending.
7.2. Ficosota may process personal data, whose processing is restricted, only for the following purposes:
for data storage
with the consent of the data subject;
for the establishment, exercise or defence of legal claims;
for protection of the rights of another natural person; or
on important grounds of public interest
7.3. If a data subject has requested restriction of processing and if any of the grounds under item 7.1 above exists, Ficosota shall inform the data subject prior to revocation of the restriction of processing.
The right to data portability
8.1. The data subject shall have the right to receive the personal data concerning him/her, which he/she has provided to Ficosota, in a structured, commonly used and machine-readable format.
8.2. Upon request, such data may be transmitted to another controller appointed by the data subject, where technically feasible.
8.3. The data subject may exercise his/her right to data portability in the following cases:
8.4. The right to data portability shall not adversely affect the rights and freedoms of others.
Right to object
9.1. The data subject shall have the right to object Ficosota’s processing of his/her personal data, if such data are processed based on any of the following grounds:
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for purposes related to the legitimate interests of Ficosota or a third party;
data processing includes profiling
9.2. Ficosota shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to object to the processing of personal data for direct marketing purposes
10.1. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such marketing, including to profiling to the extent that it is related to such direct marketing.
10.2. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to obtain human intervention in case of automated decision-making
11.1. If Ficosota makes automated individual decisions, irrespective of whether such decisions have been made using profiling or not, and they result in legal consequences for any natural persons or affect them considerably in a similar way, such persons may request re-examination of the decision, with human intervention, as well as to express their point of view.
11.2. Ficosota shall provide the natural persons subject to automated decision-making with substantial information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person.
Part 4: Modalities for the exercise of the rights of the data subjects;
12.1. Data subjects may exercise their rights under these Rules by submitting a request for the exercising of the respective right.
12.2. Data subject’s requests for the exercising of rights may be submitted as follows:
Electronically to the following email address: firstname.lastname@example.org
Personally in an office of Ficosota
By post – at the address of the headquarters of Ficosota: Shumen, 48, Madara Blvd., Bulgaria
12.3. Requests for the exercising of rights related to personal data protection shall include the following information:
The person’s identification – name and Personal Identification Number
Feedback details – address, telephone, e-mail
Request – description of the request
12.3. Ficosota shall provide information about the measures taken in relation to the data subjects’ requests for the exercising of rights, within one month from receipt of such a request.
12.4. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests filed by the person concerned. Ficosota shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
12.5. Ficosota shall not be obligated to respond to a request, if it cannot identify the data subject.
12.6. Ficosota may request provision of additional information necessary for confirming the subject data’s identity if there are reasonable doubts concerning the identity of the natural person making the request.
12.7. Where the request is made by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
12.8. These Rules shall become effective on 25.05.2018.