This document constitutes an information note regarding the activities carried out by the Company “Orgachim” AD /”Orgachim”/in which your personal data are involved and will provide the necessary aspects so that you can be informed in the most appropriate way about the processing of these data within the organization.
Thus, the Company “Orgachim” AD, represents the entity that will process your personal data. This data can most often be: your name, surname, phone number, e-mail address, and will be received and processed in various situations, such as: selling products, issuing a loyalty card, marketing activities, etc. If this is the case, we will obviously need to use your personal data in order to respond to your requests or to provide you with information that you need to know.
Furthermore, we also want you to be informed that the personal data we work with may come directly from you (when you place an order in physical or online stores, for example), from a third party (if the marketing agencies we collaborate with provide us with your data as a participant in the competitions organized) or from the activities carried out in the commercial relationships between you and Orgachim.
What entitles us to process your personal data is, first of all, the necessity of concluding and executing a Contract for the sale of “Orgachim”’s products and/or services (according to Article 6 letter “b”) as there can be no such contract in the absence of provision and use of personal data. Another ground on the basis of which we process personal data is the consent you give us (according to Article 6, paragraph 1, letter “a”) regarding certain activities that cannot be carried out in the absence of such consent. Also, we process personal data based on the legitimate interest in carrying out some activities that involve such data, where applicable (according to Article 6 paragraph 1 letter “f”).
In addition, we would like you to consider certain rights, which are detailed in Chapter VIII of this document, which you can exercise whenever you have a right and a reason to do so.
It is important to keep in mind that at any time you can contact us at the e-mail address email@example.com, if you which to contact us regarding the processing and protection of your personal data.
All this being said, briefly, you will have at your disposal detailed information about them provided herein below, in order to form a broader picture regarding the processing of personal data.
Chapter I Introduction
The protection of personal data is an important objective of our organization. We respect your privacy and personal life.
As of 25 May 2018, Regulation (EU) 2016/679 (of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation), became applicable.
We manage to comply with the provisions prescribed by this Regulation, by carrying out all the protection measures related to the processing of personal data.
One of them is to inform, in a transparent and accurate way, all users of our website www.orgachim.bg (where you will find this Information Note), as well as the customers of “Orgachim”.
Therefore, we will inform you below about the processing of personal data when you choose to be a customer of “Orgachim” or when you use the options included in our website, for example the contact form.
As a Controller, the Company “Orgachim” AD, hereinafter referred to as “Orgachim” or “the Company”, is a Bulgarian legal entity, having its registered offices in the Town of Ruse, 21, Treti Mart Blvd., entered in the Commercial Register with Unified Identification Code 117001047.
This Personal Data Protection Policy describes our practices regarding the processing of any data communicated to our organization, directly or indirectly, as well as the ways we use personal data for the purpose of providing services:
- The sales process carried out through the physical stores of “Orgachim”;
- The registration in the loyalty programs of our stores, for the registration of the loyalty card and also for the granting of loyalty bonuses.
- The sales through various platforms that facilitate this process;
- The participation in various competitions organized by “Orgachim” in the online media: Instagram, Facebook, etc.
- The marketing activities carried out through the Website (e.g. advertising spots).
In carrying out our activities, we are responsible for strictly observing the existing principles at the level of the Regulation, as follows:
- the lawfulness, fairness and transparency principle– in the sense that the data is processed in a concise, comprehensible form, only on the basis of legal grounds, respecting the conditions imposed by this Regulation;
- the purpose limitation principle – data processing is performed for a clear purpose, well defined and established from the beginning;
- the data minimisation principle – only those data are processed that are relevant in the given situation, and limited only to the established purpose;
- the accuracy principle – ensures that the processed data must be accurate and kept up-to-date.
Our data protection practices comply with the applicable law. However, if, for any reason, the terms set out in this Data Protection Policy are not acceptable to you, you may notify us of
your objection at firstname.lastname@example.org.
Chapter II Definitions and clarification of some notions
- Personal data
Personal data is all data that relates to you personally. In general, these include identification data and personal characteristics (name, surname, Personal Identification Number, citizenship, home/residence address, telephone number, etc.), electronic identification data (identification elements from various applications, IP, Skype ID, Facebook ID, Instagram, etc.).
- Data Subject. Processing. Controller, respectively Processor authorized by the Controller
First of all, we would like to explain the notion of a Data Subject, which is commonly encountered in this Information Note and not only.
This notion means the person whose personal data are processed, and who benefits from protection and safety due to the requirements of the Regulation implemented by the Controller in its activity. In the activities of Orgachim, it may be represented, for example, by people who use our website or people who choose to purchase our products.
“Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by using automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Therefore, whenever the personal data provided by you is collected, being then used for the purposes described in this Information Note, your personal data will be processed.
According to the Regulation, “Controller” means the natural person or legal entity, public authority, agency or other body “which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Orgachim fulfills the role of a Controller, processing the personal data received from the data subjects, being the one who establishes the purposes and means of processing these data. Thus, it is obliged to ensure the compliance of its processing activity with the rules imposed by the Regulation, in order to provide security to the data of the data subjects, who entrust their personal data for the fulfillment of certain purposes.
Also, the text of the Regulation defines the notion of “Processor”, as “a natural person or legal entity, public authority, agency or other body, which processes personal data on behalf of the controller”. It will not process the personal data of the data subjects except with the consent of the Controller, within the limits and uner conditions imposed by it.
Given the factual situation, the persons authorized by the Controller may be persons with certain responsibilities for the purposes of its activities and who come into contact with the personal data of data subjects in the course of carrying out their
activities, such as various providers or collaborators. (for example, an advertising agency).
Chapter III The purposes of the processing of personal data and their type in relation to each purpose
Next, we will present, in turn, the purposes for which your personal data is processed at the level of our organization, illustrating for each of these purposes the categories of personal data in question, which are the subject of discussion.
- Processing of personal data for the purpose of selling the products made available by “Orgachim”
Being its main activity, “Orgachim” provides specific products to interested persons: paints, varnishes, finishing materials, etc.
Their sale takes place through two main channels:
1.1.Sale of “Orgachim” products in physical stores
In this activity, the Company processes the following categories of personal data, necessary for the invoicing process:
- name, surname;
- address of residence;
- e-mail address;
- customer account details;
- name of the person who takes over / receives the products.
- financial data related to payments (bank card, bank account)
- delivery address details (where applicable)
1.2.Sale of “Orgachim” products through various platforms
In this case, we are talking about online stores platform (own/partners), through which interested persons can order the products of “Orgachim”. This activity concerns the following personal data:
- name, surname;
- company/personal e-mail address;
- financial data related to payments (bank card, bank account)
- delivery address details (where applicable)
- Processing of personal data for the purpose of registering “Orgachim” customers in the loyalty program
As part of this process, if you are interested in participating in the “Orgachim” loyalty program, you will have “Orgachim” representatives available in the partner stores / online platforms / by filling in a form with the following personal data:
- first name,
- phone number,
- e-mail address.
Once you have completed the form, it will be possible for you to register your card and you can use it later for the intended purposes.
- Processing of personal data for the purpose of conducting competitions organized by Orgachim
Occasionally, the Company organizes, in collaboration with a specialized marketing agency, competitions on the platforms of “Orgachim” (Instagram, Facebook, other social media platforms). At these competitions, products of “Orgachim” are offered as prizes, and the registration therein takes place by registering the User ID on one of these platforms. If you are the winner of one of these competitions, you will be asked for the following personal data:
- name, surname;
- telephone number and/or e-mail address;
- delivery address for the prize.
For the situations of awarding prizes/gifts, the aforementioned data can be complemented with:
- identification data from the identity card: Personal Identification Number, address, serial number and identity card number
- financial data: bank account
- Processing of personal data for market research
We process your personal data for the purpose of market research and opinion polls. You can revoke your consent at any time (with effect for the future, without stating your reasons), and the data will be anonymized based on the express request. For this purpose, your personal data will be anonymized, used by us exclusively for statistical purposes, and no correlations can be made with you under any circumstances
This data processing is especially useful for improving the service offerings that are more relevant to you
- Other categories of processing
The processing of personal data may also take place with a view to the following processes:
- updating of data,
- assessments of customer satisfaction,
- responses to requests,
- to contact you by ephone,
Our Company does not request or process personal data from special categories, but only non-sensitive, necessary and relevant data, unless it is legally necessary to do so at a later stage.
It is also worth mentioning that in the sales activity carried out by Orgachim, there may also be situations in which, as a customer / buyer, there could be person who has not yet reached the age of 16 years (in the case of contracts for the sale and purchase of products, made in the name and on behalf of
minors by their legal representatives/guardians, or even minors themselves – depending on the value of the purchased products). In this situation, the Controller will take care to undertake all the measures necessary to ensure that the processing of their personal data will be carried out in accordance with Article 8 of the Regulation. For clarification, the data of persons who have not reached the age of 16 will be collected only for the purpose explained herein above.
Chapter IV Duration of data storage
Regarding the duration for which we keep your personal data, it is 10 years, with the aim of ensuring continuity in case that after completing the current order or request you wish to continue or to place other orders or requests also through our teams.
It is also good to know that your personal data will be kept for the duration of the Contract.
Chapter V Use of service providers for the processing of personal data / data processing in countries outside the European Economic Area
“Orgachim” does NOT use for the provision of services and the processing of your personal data any providers outside the European Economic Area.
In the event that this happens, we will make sure that our providers and collaborators ensure the confidentiality and provide adequate protection for your personal data, based on signed agreements.
Chapter VI Source of personal data
Personal data can be obtained from the following sources:
- directly from you when: you provide the data necessary for invoicing when you purchase our products; fill in the form in order to obtain the loyalty card, etc.;
- indirectly from third parties, such as where we receive your personal data from third parties with whom we collaborate (for example, own platform or other partners platforms through which you place an order, the advertising agency that organizes the competitions in which you participate);
- through the activities you carry out while you are our client/user of the website of “Orgachim”.
Chapter VII Legal grounds for the processing of personal data
The legal grounds for the operations on the processing of personal data described in this Information Note are:
- (i) the performance of a contract to which you are a party or to make arrangements prior to the conclusion of a sale-purchase agreement for our products;
- (ii) our legitimate interests in accordance with the legal provisions on data confidentiality;
- (iii) your consent;
We would like to inform you that in cases (i) and (ii), in the absence of personal data necessary for the completion of the respective contract, it will be impossible to conclude it.
Our legitimate interests or those of a third party include our requirements to use your personal data in litigation, government
investigations, marketing or advertising or for other legal purposes involving “Orgachim”.
In the event that “Orgachim” is obliged by a normative act (law, regulation, decision), an ordinance or a court decision to communicate personal data, compliance can and will be fulfilled without the need for information or consent of the data subject.
Chapter VII Data security
In order to prevent unauthorized access, to maintain data accuracy and to ensure the correct use of data, we implement reasonable and appropriate physical, IT and organizational security measures to effectively protect all personal data that we process.
The information you provide through the online platforms will be transmitted later, in encrypted form, using the SSL (Secure Socket Layer) protocol to prevent the misuse of the data by third parties. You can identify this aspect by the fact that in the status bar of your browser, the symbol of a closed padlock appears, and the URL begins with “https”.
In order to improve the measures presented in the current Personal Data Protection Policy, we will make every effort to ensure that the data is accurate, complete, up-to-date and relevant for the intended use, and any changes that will occur will be described in the updated version.
“Orgachim” will periodically test and review the effectiveness of the measures to protect data from the risks of loss, misuse, unauthorized access, disclosure, modification or deletion/destruction without having the right to do so.
The provision of personal information by you is entirely voluntary and you have the right not to provide personal information.
If you need assistance in accessing, updating, correcting or deleting your personal information, or if you no longer wish to use our services, you may send a request to the e-mail address at any time: email@example.com.
Among the organizational measures taken by our organization and which guarantee the security of the processing of your personal data is the fact that the training procedure of our employees and of the persons authorized by the Controller and their employees is also included, in the sense of complying with the GDPR rules and awareness of their importance. If there is a transfer of personal data from the Controller to the Processors or to the employees, this will be carried out under legal, security conditions, meeting the necessary guarantees.
In the event that we, as a Controller, collaborate with another controller in the processing of personal data, we guarantee the conclusion, in a legal and transparent manner, of an agreement on the processing of personal data, in the content of which is explained in detail the disclosure of personal data to the other controller, all being done under conditions that ensure the protection of the processing of your personal data.
Chapter VIII Your rights
- The right of access
You have the right to request information from us at any time about the data stored about you, as well as, among other things, about its origin, the recipients or the categories of recipients to whom this data is transmitted and about the purpose of the storage. Reasonable administrative costs may be charged for all other copies except the first copy. This does not apply to the communication of information electronically.
- The right to withdraw consent
If you have given your consent to the use of the data based on the legal grounds of consent, you can withdraw it at any time with effect for the future, without stating your reasons. For this purpose, it is enough to send an email to the firstname.lastname@example.org. This will not affect the data processing carried out until that moment, this remaining a legal and valid process.
- The right to rectification
If your personal data collected by our organization is incorrect, you can request their rectification at any time by contacting the project/service of interest to you or the representative you are in contact with.
- The right to erasure
You have the right to obtain from “Orgachim” the deletion of your data, which may be exercised in certain circumstances provided by the applicable law, including:
- the situation in which the personal data are no longer needed in connection with the purposes of the processing;
- the situation in which the data subjects object to the processing and there are no other legitimate interests that prevail for the processing;
- the situation in which the personal data have been processed illegally.
The deletion of your personal data can be made at any time, upon request, through the methods already stated or using our general contact details related to each project/service. As a rule, your personal data will be deleted immediately, but not later than one month after this right is requested. If the deletion is contrary to the interests of the organization or the retention of the data is necessary in accordance with the obligations of data retention established by law, under a contract or by any legislative, respectively commercial regulations or for any other reasons provided by law, instead of deletion, only the blocking of your data can be carried out. If this is the case with your client account, you will receive a notification from us in this regard. After deleting your data, it is no longer possible for you o receive the information from us.
- The right to transfer data
If you ask us for the personal data to be made available, we will provide or communicate to you or to another person designated
by you the data in a structured, common and electronically processable format. The latter only if this is technically feasible and only in relation to the data which you have entrusted to us.
- The right to object
You have the right to object to the processing of your data under the conditions and in the cases provided for by the applicable law (in situations which include, for example: the processing of data for direct marketing purposes), at any time and without stating your reasons. In addition, we would like to inform you that by refusing all data processing processes, it is possible that the performance of the contract regarding the services used and the development of customer programs may be limited or can no longer be performed, thus asking you to carefully analyze before submitting such requests.
- The right not to be subject to a decision based solely on automated processing
We do not make decisions based solely on automated processing. If, in the future, we will use automatic processing and profile creation within the meaning of Article 4.4, this will be done with human intervention and with the observance of the right to challenge the decision and to express your point of view.
In case that “Orgachim” refuses your request, for example, on the basis of the right of access, we will provide you with an explanation of this decision, which in turn you have the right to legally challenge.
Chapter IX Changes to the Personal Data Protection Policy
“Orgachim” reserves the right to change the Personal Data Protection Policy at any time whenever necessary. If and when changes occur, these will be reflected in a timely manner in the updated version of this document.
You may return to this Personal Data Protection Policy from time to time in order to be informed about the latest version of this document.
Chapter X Contacts (with reference to the exercising of the rights of data subjects)
If you contact us by e-mail at the email@example.com or by mail at the address: 21 Treti Mart Blvd., Town of Ruse, postal code 7000, the information provided by you. (your e-mail address, your name and your telephone number, if applicable) will be stored by us to answer your questions or requests.
Chapter XI The right to lodge a complaint
You have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing, the competent supervisory authority regarding the processing of your personal data, if you believe that your data protection rights have been violated, using the data available in Chapter XII.
Chapter XII Questions about data protection
Questions related to all data processing can be addressed at any time to:
Address: 21, Treti Mart Blvd., Town of Ruse, postal code 7000
Phone: 02 886 210
Last but not least, you have the right to contact the National Supervisory Authority for Personal Data Processing at the following contact details:
Web page: www.cpdp.bg
E-mail address: firstname.lastname@example.org
Updated version on 19th August 2021