Personal data protection policy

Personal data

Microklimat 2 EOOD, having its office and registered address at: 275, Tsar Osvoboditel Blvd., Varna, UIC 200877909, which trademark is “RUMELLA”, hereinafter referred to as the “Administrator” or “RUMELLA”, applies in its business relations with the Clients this Personal data protection policy.

PREAMBULE

RUMELLA, as a personal data administrator, collects and processes certain information about individuals.
This Personal data protection policy governs how personal data is collected, processed and stored to meet the standards of the Administrator’s establishment and be in compliance with legal requirements.

I. Legal ground

This Personal data protection policy is issued on the basis of the Personal Data Protection Act and its supplementary acts and the General Data Protection Regulation (EU) 2016/679 (GDPR).
Bulgarian legislation and GDPR provide rules on how organizations, incl. Microklimat 2 EOOD shall collect, process and store personal data. These rules are applied by the Administrator regardless of whether data are processed electronically, on a hard copy or on other media.
The Administrator shall take the necessary measures to ensure that the processed personal data are not subject to unlawful disclosure. The personal data Administrator is familiar with and follows the principles set forth in the GDPR:

  • personal data are processed in a lawful, conscientious and transparent manner. The user voluntarily gives their consent to the processing of the personal data they provide in the process of registering an account or placing an order in the RUMELLA system by ticking the relevant box;
  • personal data are collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Personal data processing for the purpose of advertising and marketing is done only with the voluntary consent of the user and may be terminated at any time by their request from the editing menu of the account;
  • personal data are appropriate, relevant and limited to what is necessary in relation to the purposes for which they are being processed. In order to create a user profile, the client shall fill in name, surname, phone number and e-mail address. In order to execute the orders of the client, together with the data from their registration, data are also collected: delivery address, names and phone number of recipient (if another person), IP address where the order was placed, photos (attached by the user for the purpose of their use when executing the order),
  • each user is required to monitor the accuracy of the personal data they provide and, if necessary, keep them up-to-date. RUMELLA’s system enables each user to view their personal data and, if necessary, request a correction. The administrator undertakes to examine and execute the order without undue delay and in any event within one month of receipt thereof. An exception is made in the cases where a mistake has been made in the application, the filled in data is invalid or there is a suspicion of an unscrupulous attempt for data corruption.
  • personal data shall be stored in a form which enables identification of the persons concerned for no longer than is necessary for the purposes for which the personal data are processed. RUMELLA stores your personal data for no longer than the duration of your website profile. Upon expiry of this period, RUMELLA takes the necessary care to delete and destroy all your data without undue delay.
  • personal data are processed in such a way to ensure an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures. All server-client connections are performed only through an encrypted connection via the https protocol. More information about the SSL certificate of rumella.com can be obtained at any time by clicking in the URL field of your web browser.
  • the right to delete (“right to be forgotten”) of personal data that are being processed unlawfully or with a faulty legal basis. Any user has the ability at any time to request a deletion of their profile and all personal data associated with it. The Administrator undertakes to examine and execute the request without undue delay and in any event within one month of receipt of the request. The user may be denied the deletion of their personal profile and personal data related to them for establishment, exercising or protection of legal claims in cases where they have outstanding commitments in respect of orders they have made that the terms of the PPA are distance contracts. Such commitments may include non-performed payments (both for the value of goods and for courier services), non-received or unlawfully refused goods made upon customer’s request.
  • right of data portability – the data subject is entitled to receive the personal data that concerns them and which they have provided to the Administrator in a structured, widely used and machine-readable format.

II. Policy objectives

The present Policy aims of the Administrator:

  • to be in compliance with the applicable legislation on personal data and follow best practice;
  • to establish the mechanisms for keeping, maintaining and protecting the accounting register
  • to establish the responsibilities of officials processing personal data and/or persons having access to personal data and working under the direction of personal data processors, their responsibility for non-performance of these obligations;
  • to protect the rights of staff, clients and partners;
  • to be open in how we store and protect the personal data of individuals;
  • to establish the necessary technical and organizational measures to protect personal data from unauthorized processing (accidental or unlawful destruction, accidental loss, unauthorized access, alteration or dissemination, and all other unlawful forms of processing of personal data);
  • to be protected against the risk of data breaches

III. Scope

This Policy applies to the processing of personal data of employees, managers, customers, suppliers, contractors, business contacts and other individuals with whom the Administrator has a connection, wants to establish a business contact or are users of the online store RUMELLA.

IV. Personal data collection

Personal data is any information relating to an individual who is identified or can be identified, directly or indirectly, by an identification number or by one or more specific features. It covers data of any nature which, alone or in combination with other data, may result in the unique identification of a particular individual.

Purposes for data collection

The administrator collects personal data in connection with the following objectives:

1. To perform activities related to conclusion, existence, amendment and termination of contractual relations, incl. for:

  • preparing of any documents;
  • establishing a contact with the person by telephone, e-mail or any other lawful means;
  • delivery and/or acceptance of goods/services, communication in connection with the provision and/or receipt of goods/services and the provision of related customer service;
  • keeping accounts in relation to performances under contracts to which the Administrator is a party;
  • processing payments in connection with the contracts concluded by the Administrator;
  • sending important information to entities in connection with changes to the Administrator’s policies, conditions and policies and/or other administrative information;

2. For marketing purposes – subject to the explicit consent of the data subjects;

3. For statistical purposes.

Data collection

Personal data for each person shall be provided voluntarily by the persons themselves and shall be collected by the Administrator in performance of a statutory obligation in connection with the conclusion of a contract and/or fulfillment of the obligations under a contract according to the provisions of the Commercial Act, the Accountancy Act, and contracts, Value Added Tax Act, etc. and the terms and conditions set forth in the sale contract with the respective client through: hard copy – written documents (including power-of-attorneys, contracts, attachment orders, bank information, etc.), by e-mail – provided in connection with the execution of a commercial contract and /or by filling of a registration form.

V. Personal data processing

Personal data processing is any operation or set of operations carried out in respect of personal data by automatic or non-automatic means such as collecting, recording, organizing, storing, adapting or changing, downloading, consulting, using, disclosing to third parties for transmission, distribution or other form, connection or combining, blocking, erasure or destruction.
The administrator collects and uses personal information to better understand customers’ needs and interests and to offer better services. In addition to the information that customers provide, RUMELLA can also collect information during a user session in the online store through automatic data collection tools that include cookies, links, pages, and other commonly used information gathering tools.
Data and personal information provided by users is used by RUMELLA to manage orders, deliver products and services, process payments, communicate with users about orders, products, services, and promotional offers, product recommendations, and services.

The information that RUMELLA collects to understand the needs and interests of its customers helps make every user’s visit consistent and personalized. For example, the Administrator can use the user’s personal data to:

  • help for filling in of an order ;
  • inform about products or services
  • provide services and support
  • announce about new services or other benefits;
  • provide personalized promotional offers
  • select content to be shown to the user;

Data provided by users are: name, surname, delivery address, e-mail address and phone number, name of the order recipient (delivery address, phone number), and financial data.
The data provided by the users are: name, surname, delivery address, e-mail address and phone number, name of the order recipient (delivery address, phone number), and financial data.
A series of data is collected in an automated module from the RUMELLA system, such as the Internet Protocol (IP) address used to connect the computer to the Internet; login; e-mail address; password; information about your computer and connection methods such as the type of browser and operating system version; data that is sometimes combined with similar information collected from other clients in order to create features such as “Recently reviewed”; URL (Uniform Resource Locator) full time (including date and time), number of cookies; viewed or sought after products; as well as any phone number used to connect with our operators.
RUMELLA’s team values the personal space of our customers. All data required during the order process is confidential and is not shared with third parties. An exception is made only by supplying delivery data to the courier company such as name and surname, telephone, e-mail address, delivery address. Data may also be provided if requested by law, police, prosecution offices or investigation services. If you have questions about your personal data or want to change something in it, you can contact the RUMELLA team via the online contact form.

VI. Registering and security of user profile

Registration.

In the RUMELLA online store the user can order by registration. By registering, users use many advantages such as saving the entered data for multiple use, history of their orders, accruing bonuses, getting discounts, etc.
Upon their registration, the user undertakes to provide accurate, correct and complete information about them, as well as to renew it in a timely manner so as to preserve accuracy, correctness and completeness.
Through the registration form, the Administrator collects the following type of information:
personal: email, name, surname, phone number.
non-personal: the browser you are using, IP address, operating system, device type, etc.
The information is used by RUMELLA to connect and communicate with clients by telephone or e-mail.

Account security.

RUMELLA recommends its clients to use complex passwords and to keep the confidentiality of the username and password used to enter the site in order to avoid unauthorized access. For each access through a user’s account, the latter assumes responsibility for all actions that will be taken when using the site through this account.
By using the site, users agree to take all necessary precautions to ensure that password security will not be disclosed by third parties.
If the user has doubts about unauthorized use or misuse when using the account, it is necessary to inform the Administrator about this immediately.

VII. Breaches. Notification of breaches

Data security breaches occur when personal data that RUMELLA is responsible for are compromised by a security incident that results in a breach of privacy, availability, or integrity of personal data. In this sense, a breach of data arises when there is a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of data that is transmitted, stored or otherwise processed.
In the event of a personal data breach likely to pose a risk to the rights and freedoms of individuals, the Administrator (through the relevant employee), without undue delay and where feasible – no later than 72 hours after getting to know about it, informs about the breach the Commission for Personal Data Protection.
The administrator shall document any breach of personal data security, including the facts related to the breach, its consequences, and the action taken to address it.

VIII. Destruction

Accounting and business information as well as any other information and documents relevant to taxation and statutory contributions are kept by the Administrator within the following deadlines:

  • salary payroll – 50 years;
  • accounting records and financial reports – 10 years;
  • fiscal supervision documents – 5 years after expiry of the limitation period for repayment of the public obligation with which they are connected
  • all other media – 5 years.

After the expiry of the storage period, media (paper or technical) which are not subject to submission to the National Archives Fund may be destroyed.
After the storage period has expired, data is destroyed as quickly as possible by the destruction of paper media by shredding, and by deleting and erasing the relevant files from the company computers.

IX. Additional provisions

Within the meaning of this Personal data protection policy:
§ 1. “Personal Data Administrator” is Microklimat 2 EOOD, having its office and registered address at: 275, Tsar Osvoboditel Blvd., Varna, registered at the Commercial Register and the Register of Non-profit legal entities of NGOs kept with the Registry Agency under UIC 200877909; actions on behalf of the Administrator shall be performed by Rumyana Ivanova.
§ 2. If the above Policy is modified or supplemented, amendments will be posted on this page without notice. After publishing, customers are considered to be automatically familiar with them.
Please check our Personal data protection policy section regularly.

Date of publishing: 30.11.2018

Date of last revision: 30.11.2018