The Athlete Sportswear – Privacy Policy

General

Kickstart Studio EOOD, UIC: 206227948, with address: Sofia, zh.k. Lagera 38B, tel.: +359 896 069 909 and e-mail address: athlete@kickstart.bg, applies the present Data Protection Policy in its commercial relations with the Clients.

Kickstart Studio, as a personal data administrator, collects and processes certain information about individuals.

This information may relate to employees, managers, customers, suppliers, contractors, business contacts, and other individuals with whom the Administrator has a relationship or wants to establish business contacts.

This privacy policy governs how personal data is collected, processed, and stored in order to meet the standards of the Administrator’s organization and to comply with legal requirements.

I. Legal basis

This Privacy Policy (“Policy”) is issued on the basis of the Personal Data Protection Act and its bylaws, as amended (“Bulgarian Legislation”), and the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Bulgarian legislation and the GDPR provide rules on how organizations, including Kickstart Studio EOOD, must collect, process and store personal data. These rules are applied by the Administrator regardless of whether the data are processed electronically, on paper or on other media.

In order for the processing of personal data to be in accordance with the legal requirements, the personal data are collected and used reasonably, stored securely and the Administrator takes the necessary measures so that the processed personal data is not subject to illegal disclosure.

The controller is familiar with and follows the principles set out in the GDPR:

– personal data are processed lawfully, in good faith and transparently;
– personal data are collected for specific, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes;
– personal data are relevant and limited to what is necessary in relation to the purposes for which they are processed;
– personal data are accurate and, if necessary, kept up to date;
– personal data are stored in a form that allows the identification of the affected persons for a period not longer than necessary for the purposes for which the personal data are processed;
– personal data are processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.

II. Policy Objectives

This Policy aims for the Administrator to:

– comply with applicable personal data legislation and follow established good practices;
– establish the mechanisms for keeping, maintaining and protecting the accounting registers;
– establish the obligations of the officials processing personal data and / or the persons who have access to personal data and work under the direction of the processors of personal data, their responsibility in case of non-fulfillment of these obligations;
– protect the rights of staff, customers and partners;
– be open about how it stores and protects the personal data of individuals;
– establish the necessary technical and organizational measures to protect personal data from unlawful processing (accidental or unlawful destruction, accidental loss, unlawful access, alteration or dissemination, as well as from all other illegal forms of personal data processing);
– be protected against the risk of infringements.

III. Scope

This Policy applies to the processing of personal data of suppliers, human resources, customers and partners, as described in the electronic reporting registers established in accordance with this Policy, Bulgarian legislation and Art. 30 of the GDPR (“Registers of Processing Activities”).

IV. Collection of personal data

Data categories and subjects

“Personal data” means any information relating to an identified natural person or an identifiable natural person (“Data subject”), namely:

The administrator collects personal data regarding the following categories of persons:

– persons representing the companies with which the Administrator has a business relationship;
– contact persons in the companies with which the Administrator has business relations;
– persons who are interested in receiving information services – information bulletin, directories, etc.;
– persons who register for the purpose of using an online store.

Objectives of data collection

The controller collects personal data in connection with the fulfillment of the following purposes:

1. For implementation of activities related to the conclusion, existence, amendment and termination of contractual legal relations, incl. for:

– preparation of any documents;
– establishing contact with the contact person by telephone, fax or in any other lawful manner;
– delivery and/or acceptance of goods/services, communication in connection with the provision and/or receipt of goods/services and the provision of the related customer service;
– keeping accounting records in connection with the performance of contracts to which the Administrator is a party;
– processing of payments in connection with the contracts concluded by the Administrator;
– sending important information to the subjects in connection with changes in the rules, conditions and policies of the Administrator and/or other administrative information;

2. For marketing purposes – after obtaining the explicit consent of the personal data subjects;

3. For statistical purposes.

Data collection

Data of contractors (managers, representatives and / or contact persons of the legal entity under a commercial contract)

The personal data for each person are provided voluntarily by the persons themselves and are collected by the Administrator in fulfillment of a legal obligation, in connection with the conclusion of a contract and/or fulfillment of obligations under a contract under the provisions of the Commercial Law, the Accounting Act, the Obligations and Contracts Act, the Value Added Tax Act, etc., and the conditions specified in a commercial contract with the respective client. The data are collected on paper (written documents, including powers of attorney, contracts, arrest notices, bank information, etc.), by e-mail (provided in connection with the performance of a commercial contract) and/or by filling in the registration form. Individuals are notified of the provisions of this Policy in advance or at the time of receipt of their data.

V. Legitimate interests pursued by the Administrator

In connection with the processing of data of managers and contractors:

Data processing is carried out on the basis of legitimate interest and in connection with the conclusion, existence, amendment and termination of commercial and civil contracts in the application and implementation of regulatory requirements of the Commercial Code, Social Security Code, Tax and Social Security Procedure Code, Insurance Code, Personal Income Tax Act, Accounting Act, Obligations and Contracts Act, etc.

VI. Transparency. Rights of the persons whose data are processed by the Administrator

Transparency and conditions for exercising the rights of individuals

The administrator shall provide information to persons in a concise, transparent, comprehensible and easily accessible form, in clear and simple language.

The controller strives to ensure that the persons are aware of the personal data processed by him and that the persons fully and completely understand and are informed in connection with the processing in accordance with the requirements of the GDPR and the Bulgarian legislation.

The administrator shall provide the information to persons in writing or otherwise, including, where appropriate, by electronic means. If the person has requested this, the information may be given orally, provided that the person’s identity has been proved by other means.

The administrator shall provide individuals with free information on the action taken on a request for their right of access, rectification, deletion, restriction of processing, portability, objection and automated decision-making, without undue delay and in any case within one month of receiving the request.

If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. The administrator shall inform the person of any such extension within one month of receipt of the request, indicating the reasons for the delay. Where the person concerned submits a request by electronic means, the information shall, where possible, be provided by electronic means, unless the person has requested otherwise.

If the Administrator does not take action on the request, the Administrator shall notify the person without delay and at the latest within one month of receiving the request of the reasons for not taking action and of the possibility to file a complaint to a supervisory authority and seek protection in court.

Where the person’s requests are manifestly unfounded or excessive, in particular because of their recurrence, the Administrator may either:

– charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the requested action, or
– refuse to take action on the request.

Right of access for persons

Each person has the right to receive confirmation from the Administrator whether personal data related to him are processed, and if so, to have access to the data and the following information:

– the purposes of the processing;
– the relevant categories of personal data;
– the recipients or categories of recipients to whom the personal data are or will be disclosed (including in third countries or international organizations);
– where possible, the estimated period for which the data will be stored and, if this is not possible, the criteria used to determine this period;
– the existence of the right to require the Administrator to correct or delete personal data or to restrict the processing of personal data related to the affected persons, or to object to such processing;
– the right to appeal to the Commission for Personal Data Protection;
– where personal data are not collected by the persons themselves, any available information on their source;
– the existence of automated decision making, incl. profiling, and at least in these cases essential information about the logic used, as well as the significance and intended consequences of this processing for individuals.

When personal data are transferred to a third country or to an international organization, persons have the right to be informed of the appropriate safeguards in connection with the transfer.

The administrator provides the person with a copy of the personal data that are being processed. For additional copies requested by individuals, the Administrator may charge a reasonable fee based on administrative costs. Where a person submits a request by electronic means, the information shall, where possible, be provided in a widely used electronic form, unless the person has requested otherwise.

Right of adjustment

Any person whose data is processed by the Administrator has the right to ask the Administrator to correct inaccurate personal data related to him without undue delay. Taking into account the purposes of the processing, the person has the right to supplement the incomplete personal data.

Right to delete

Any person whose data is processed by the Administrator has the right to request from the Administrator the deletion of the personal data related to him without undue delay, and the Administrator has the obligation to delete without undue delay the personal data when:

– personal data are no longer needed for the purposes for which they were collected or otherwise processed;
– the person has withdrawn his consent on which the data processing is based and there is no other legal basis for the processing;
– the person objects to the processing and there are no legal grounds for the processing to take precedence;
– personal data have been processed illegally;
– personal data must be deleted in order to comply with a legal obligation that applies to the controller;
– personal data

VII. Technical and organizational measures for data protection

The protection of data on paper copy, as well as on electronic media from unauthorized access, damage, loss or destruction is ensured by a series of internally regulated technical and organizational measures.

VIII. Transfer of personal data

The controller does not and will not transfer personal data to countries outside the European Union.

IX. Violations. Notification of violations

Violations

A data security breach occurs when the personal data for which Kickstart Studio EOOD is responsible is affected by a security incident, as a result of which the confidentiality, availability or integrity of personal data is violated. In this sense, a data breach occurs when there is a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of data that is transmitted, stored or otherwise processed.

A violation of personal data security should be reported immediately to athlete@kickstart.bg or by phone at 0896 069 909.

Assessment of violations

After the respective employee of Kickstart Studio EOOD receives information about a violation, that employee must determine whether the specific event is a violation of personal data and notify the managers of the Administrator of the event (in case they do not know).

In the event of a breach of personal data security which is likely to pose a risk to the rights and freedoms of individuals, the Administrator (through the employee concerned) notifies the Commission for Personal Data Protection of the violation without undue delay and, where practicable, no later than 72 hours after becoming aware of it.

Where and to the extent that it is not possible to submit the information at the same time, the information may be submitted in stages without further undue delay.

When the breach of personal data security is likely to pose a high risk to the rights and freedoms of individuals, the Administrator shall, without undue delay, notify the data subject of the breach.

The controller shall document any breach of personal data security, including the facts related to the breach, its consequences and the actions taken to deal with it.

X. Destruction

The accounting and commercial information, as well as all other information and documents relevant for taxation and obligatory social security contributions, shall be kept by the Administrator for the following periods:

– payroll – 50 years;
– accounting registers and financial statements – 10 years;
– documents for tax and social security control – 5 years after the expiration of the limitation period for repayment of the public obligation to which they are related;
– all other carriers – 5 years.

After the expiration of the term for their storage, the information carriers (paper or technical), which are not subject to transfer to the National Archive Fund, may be destroyed.

After the expiration of the storage period, the data are destroyed as soon as possible: the paper media by shredding, and the technical media by deleting the relevant files from the computers of the Company.

Additional provisions

For the purposes of these internal rules:

1. “Personal data administrator” is Kickstart Studio EOOD, a sole proprietorship with limited liability, with UIC 206227948; actions on behalf of the administrator are performed by Pavel Ivanov;

2. “Processing” means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmitting, distributing or otherwise making the data available, arranging or combining, restricting, deleting or destroying it;

3. This Policy is subject to approval and notification of the persons concerned by the order of the Manager of the Administrator.

The policy has been approved by the managers of Kickstart Studio EOOD: 08.11.2020
The policy is effective from 11.11.2020.