PERSONAL DATA PROTECTION POLICY
Applicable from 25.05.2018
This Policy explains how we, from Esri Bulgaria, collect and process your data as an Administrator of personal data. That is why it is important for you to be informed about the Policy. Please read the information in this document for your reference.
2. YOUR RESPONSIBILITIES
• Read this Policy and check it regularly.
• If you are in a contractual relationship with us, please check the terms and/or policies that apply to them: they may contain additional details on how we collect and process your data.
• Please pay attention to the additional information and conditions at the different stages of our interaction.
• If you provide us with personal information about other people or if others provide us with your information, we will only use this information for the specific purpose for which it was provided to us. If you provide us with information about third parties, you should have a legal basis for this. You should also inform the third parties about the way we process their data.
• By providing us with data, you declare that you are over 18 /eighteen/ years old.
3. WHO WE ARE AND HOW YOU CAN FIND US?
We at Esri Bulgaria Ltd. are an Administrator of your personal data and we have the legal duties of an Administrator. Our main activity is connected to the development and implementation of Geographic information systems (GIS). In some legal cases, we are in the role of the Data processing party, but in these cases, we have signed contracts with our clients – administrators, who also give us the right to process the personal data and we comply with the contracts' conditions.
If you have any questions regarding the Policy or your personal data, please do not hesitate to contact us.
Our contact details:
Esri Bulgaria Ltd., UIC: 831747245, Address: 1407 Sofia, 35 Nikola Vaptsarov Blvd., email: firstname.lastname@example.org
It is very important that the information we have for you is true and up-to-date. Please inform us when making changes or if you notice any mistakes. Send us an email about this at email@example.com or update your information yourself at the place where you entered it.
4. WHAT KIND OF DATA ABOUT YOU DO WE PROCESS, FOR WHAT PURPOSES AND ON WHAT BASES?
We process personal data with certain goals and on relevant legal bases, depending on your role in our processes.
4.1. Visitor and user of our website www.esribulgaria.com
A) Automatically collected information
You have free access to Esri Bulgaria website www.esribulgaria.com and do not need to provide any additional personal data. However, there is an automatic processing of specific information such as Log files/Event Files/Cookies, Website Analytics via Google Analytics.
When you visit our website our web server automatically connects the name of the domain or the IP address of your computer (usually it is the computer of your internet provider), including information about the date, time and duration of your session, the visited website subpages/URL addresses and information about the application(s) and terminal(s) that you use to view our pages.
In order to make our website more user-friendly, we use the so-called “Cookies”, like many other website operators. “Cookies” are small text files that are stored in your browser. Most of the “cookies” we use are session “cookies”. They are automatically deleted at the end of your visit. We use permanent “cookies” as well. They serve to improve the user targeting. You can set up your browser to notify you about the generation of “cookies” so that their usage is completely transparent to you. However, this means that you may not be able to use all the features of the website.
B) Social media plug-ins and shortcut buttons for Facebook, Twitter, LinkedIn or others
Their usage depends on your own preferences. These buttons are hyperlinks to third party websites, that through cookies gather and process personal data according to their own policies. We are not responsible for them, but in connection to our commitment to protect your personal information and rights, we ask you to be aware of this.
We have put these social plug-ins and buttons in order to make our website more functional for the users and also to make our work and activities more popular if you voluntarily share our content on these websites. We consider this our legitimate interest. More information about the social plug-ins we use can be found here.
C) Links to other websites
Our website contains hyperlinks to other websites. Very often there are hyperlinks to www.esri.com, its subpages, and products' pages. This is due to the fact that we offer the software products of Esri Inc., the world leader in the development of geographic information systems. Please keep in mind that the company is registered in the United States of America and if you decide to follow these links you need to read their policy for personal data protection to understand how your data will be processed. We use these links because this is our legitimate interest to develop our business and the legitimate interest of third parties like Esri Inc. You can find more information about the Esri Inc. policy for personal data protection here.
D) Personal data that you provide us through our website
When you use our contact form or other services through our website we process your personal data for the need you specify, i.e. according to the specific function and your request. It is our legitimate interest to answer your request. The mandatory fields that we placed (for example in the contact form) are the minimum information that we need. Please do not provide any additional personal information about you that is not necessary for this specific case. We also process information that is created through our interaction, for example, the content of your messages on the website.
Sometimes we process your personal data on the so-called pre-contractual basis. We use this in all cases in which you have requested to sign a contract with us and we process the necessary information to accomplish this. In other cases there can be a signed contract between us and the processing of your personal data through our website can be in connection to our contact agreements. If you apply for work in our company please read paragraph 4.7. below.
E) Sensitive data /special categories of data/
We do not gather such information. This special category of data, the so-called “sensitive data”, is information that shows racial or ethnic origin, political opinions, religious or philosophical beliefs or membership of trade unions, genetic data, biometrics for the sole purpose of identifying an individual, his/her health status, sex life or sexual orientation. Please do not provide such data. The provision of such data, and of other kinds of personal data, is not necessary for the goals of our business relations and may harm your rights.
F) Combining information
We sometimes combine information gathered through our website with other information that we gather from you by phone, email, other public sources like the Bulgarian commercial register or third parties – rating companies, professional profiles, our partners with whom you also interact, for example when you request a service, the provision of which requires a third party. When we combine this information we do not use it for any purpose other than the one we informed you about.
4.2. If you are a visitor in our office
In this case, we will ask you to introduce yourself and provide basic information about you /your names, the organization that you work for or represent/, we will record the day you visited our office and sometimes the exact time you spent and the people you met. We will use this information on the basis of our legitimate interest to control the access to our office and security as well as to control and keep a record of the activities of our employees that you have an appointment with.
4.3. If you are a participant in our event (demonstration, conference, cocktail, charity event, contest, etc.):
We will gather the necessary information for your involvement and participation. In some cases, we may request information about your preferences in order to make the event more pleasant for you. In some cases, the events may be filmed or recorded with cameras and photos and we may use the records, the photos and the information about your presence in order to advertise our event in the media, on our website, in presentations and other ways. If this concerns you, please inform us in advance that you do not want us to publish information and photos of you.
We will also save basic information about you in order to connect with you in the future and to send you information about other similar events that can be of interest to you. We may also ask you for feedback to tell us how you assess the event so that we can organize its next edition better. You always have the right to refuse to give such information and to object to this way of using your data.
4.4. If you are a participant in our promotional campaign
Sometimes we organize campaigns for example through our profiles in the social media or email campaigns. In these cases, we will process the information that you provide us for the needs of your participation in the campaign.
4.5. If you follow us on social media channels
If you “liked” our profile in the social media or “followed” us according to the practices of the respective social media, you will see messages, advertisements or materials that we post on our pages. If you send us a message through these pages or, for example, write comments under the posts, we can use the capabilities of the same social media to answer you, and if you requested that we contact you in some other way /for example if you give us your phone number/, we will comply with your request in regard to our legitimate interest to answer your request.
4.6. If you are a participant in our training
We will gather the necessary information to register you. We will also process the information for your participation, exam /if such is conducted/.
We will also save the main information about you so that we can connect with you and inform you for other similar training and special offers in connection with them. We may also ask you for your feedback so that you can tell us what you think about the training and the lectors. You always have the right to refuse to fill out the feedback forms and surveys and also to object to this way of using your data.
4.7. If you are our business contact
This means that you represent a business organization – our partner, client or supplier, or you are its employee. In order to maintain our business relations with this organization we often need additional information about you, for example: your name, phone number, email, skype contact, business card, information about your position in the company. We will also process the following information: written/email or other correspondence with you; data that are included in the documents connected to our relationship with your organization, for example your signature, description of your behavior, your speeches, etc.; any other information that is needed in connection to our business relations.
4.8. If you are our potential business contact
This means that you represent an organization – our potential partner, client or supplier or are its employee. We may have your information from a professional public register, or from our common business partner that referred you, or from an event or meeting where you gave us your business card or contact. In this case, we will make an assessment of what purpose and on what basis we could use your contact details. We will have in mind the context that this information is gathered and the mindful expectation of the usage of your personal data. If we consider that we have a legitimate interest to contact you in order to request an offer, to propose a partnership or to offer you a product or service, you will always have the right to object to this way of using your data. In some cases, we may have to ask for your consent, and you will always be able to refuse to give it.
4.9. If you apply for work in our company
This means that you expressed your intention to sign a work agreement with us by applying for an open position or sending us your CV/or motivational letter in order to contact you when a new position is opened. In order to review your application, we will review the information you send us. If we consider that your application is not appropriate for the position we will delete your information within a week. If we consider that you are suitable for our organization but we currently don’t have a suitable opened position for you we will save your personal data for a period of 3 /three/ years or for a period specified by you. Please do not provide us with any additional personal data that is not connected to the application process.
4.10. For what other purposes can we use your personal information?
All the above-mentioned cases describe the most typical purpose for processing personal data, but you should also keep in mind that we may use this information to:
- administer our business, including accountability and analysis within the company – our legitimate interest;
- prevent fraud and other illegal and criminal activities – our legitimate interest;
- establish and protect our legal claims – our legitimate interest;
- fulfill our contractual obligations with you – our legitimate interest;
- fulfill our obligations, applicable by law;
- carry out accounting, tax and other obligations;
4.11. On what legal basis do we process your data?
4.11.1. Our legal obligation
These are the cases in which the processing of your personal data is necessary in order to comply with our legal obligation.
4.11.2. Our legitimate interest
When we define our legal basis as “legitimate interest”, we first determine what it is and whether the processing of your personal data is necessary to achieve it. We also assess whether your interests, fundamental rights, and freedoms take precedence over it. Notwithstanding our judgment, you are always entitled to object to the processing of your personal data based on our legitimate interests as described below in paragraph 10.1.4.
4.11.3. Pre-contractual or contractual grounds
When we should take the necessary steps, at your request, to sign a contract with us or to execute already signed contract between us. In these cases, we will make sure that we process only the necessary personal information.
4.11.4. Your agreement
This is a free, explicit, specific, and unambiguous expression of your will articulated by a statement or a clear confirmation action that expresses agreement to process your personal data for a particular purpose. If we need to process your data that is categorized as “sensitive” on the basis of your consent, that consent should also be explicitly given. In point 10.1.6. you will read how you can withdraw your consent at any time.
Please note that consent is a legal basis other than those described above. For example, signing a contract between us is not similar to giving a consent. If you have concerns or hesitations about what is the exact legal basis for a particular purpose of processing your data, we encourage you to contact us.
5. MAY YOU REFUSE TO PROVIDE YOUR PERSONAL DATA?
If there is a contractual or statutory obligation, you are required to provide your personal data. In this case, if you still do not want to provide your personal data when requested, we may not be able to conclude or execute the contract or realize any other purposes in the contract.
6. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
We may have to provide your personal data to the third parties mentioned below:
6.1. Within the group of our shared companies – on the premises of our legitimate interest to administer and assess our activities.
6.2. Service providers processing personal data. This may be hosting companies, providers of IT services, mobile services, system integration, couriers. With them we have signed contracts that guarantee that your personal data is secured.
6.3. Other administrators of personal data that provide us the following services – banks, auditors, lawyers, professional consultants, event coordinators, etc. – when this is needed for our legitimate interest to provide us with a certain service.
6.4. Public institutions that require us to declare our activities in the sphere of personal data processing.
6.5. Third parties that we share parts of our business or our activities with – when this is necessary in accordance with their legitimate interest to analyze our activities and to conduct certain business contracts.
7. INTERNATIONAL EXCHANGE OF DATA
7.1. Your personal data is usually processed in the territory of the European Union or the European economic space and in rare cases in the territory of the third party countries like in point 7.2. (“Third party countries”).
7.2. In some cases, we may provide your personal data to the Environmental Systems Research Institute, Inc. (“Esri Inc.”) (www.esri.com) so that you can receive a license for software products as well as administration of access, use, and maintenance of Esri Inc. software products. Esri Inc. is a company that is working outside the European Union and in particular in the United States of America. Esri Inc. is officially certified under the EU-US Privacy Shield - a program for protection of personal information and private life between the USA and the EU. More information about the policy for the protection of private life and personal data can be found on this website www.privacyshield.gov/list.
7.3. If a necessity appears to transfer data to an “other country”, we guarantee that before such transfer is conducted the necessary level of protection will be put in place in order to ensure that the certain third party country has a policy for personal information protection. This may be a result of a European Commission decision about the necessary level of protection of personal data in a certain third party country as a whole. As an alternative, the level of protection in a certain third party country may be based on the so-called “Standard contractual clauses in EU”, negotiated with the recipient or, if recipients are in the USA, on the basis of the EU-US Privacy Shield. We will be happy to provide you with additional information about the suitable and reliable level of the protection of your personal data.
8. SECURITY OF THE INFORMATION
We have provided certain security measures to prevent the accidental loss, usage, change, disclosure or unauthorized access to your personal data. We also provide access to your personal data only to those employees and partners that have a certain business necessity to have access to this data. Our company is certified under the strict standard for information security ISO/270001, and under the standard for quality ISO/9001.
9. PERIOD FOR DATA STORAGE
We will only store your personal data for as long as we need to meet the purposes we have collected it for, including to comply with statutory, accounting, tax or reporting requirements. When we are deciding what is the exact time for storing the data, we take into account its volume, nature and sensitivity, the potential risk of harm from unauthorized use or disclosure, the purpose of processing if they can be achieved by other means and legal requirements.
For accounting and tax purposes, the law requires us to store basic information about our clients (including contact details, identity, financial data and transaction data) for five years (plus the current year) after we finish our partnership.
In many cases, we will comply with the prescriptive deadlines for filing certain claims under the Bulgarian law. The longest ones are up to 10 years.
In any case, we take steps to limit the access to personal data at appropriate stages, in connection with the ongoing processing of the data and its objectives. Under certain circumstances, we may anonymize your personal data for research or statistical purposes, in which case we may use this information for an unlimited period of time without further notice.
10. YOUR RIGHTS
10.1. Under the law, under certain conditions, you have the following rights in relation to your personal data:
10.1.1. A right of access: You have the right to receive confirmation that the personal data related to you is being processed and if so, to access this data and the related information as well as a copy of that data.
10.1.2. A right to correction and deletion: You may require us to correct inaccurate personal data related to you, supplement your incomplete personal data (considering the purposes of processing), or delete personal data related to you – as long as the legal conditions for doing so are met.
10.1.3. Restriction of processing: As long as the legal conditions are met, you may require us to restrict the processing of personal data related to you.
10.1.4. A right of objection: You have the right, at any time and on grounds related to your particular situation, to object to the processing of personal data on the grounds of legitimate interest. In order to continue the processing, we need to prove that there are convincing legal grounds for processing that take precedence over your interests, rights, and freedoms, or for the establishment, exercise or protection of legal claims. If, on this basis, we process your data for direct marketing purposes, we are obliged to discontinue processing.
10.1.5. Data portability right: If we process personal data on a contractual basis or based on your consent, you may require personal data to be obtained by you in a structured, widely used and machine-readable format, and/or transfer it to another administrator of personal data.
10.1.6. A right of withdrawal of consent: If we process personal data on your consent or express consent, you have the right to withdraw your consent at any time, without prejudice to the lawfulness of consent-based processing before it is withdrawn.
10.2. Exercise your rights. If you wish to exercise any of the rights mentioned above or to receive more information about it, please send us an email at firstname.lastname@example.org or send us a letter to our physical address mentioned in item 3.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your application is manifestly unfounded, repeated or excessive, or we will refuse to execute your request in these circumstances. We may need to ask you for specific information to help us verify your identity and to guarantee your right to access the personal data (or to exercise any of your other rights). It is a security measure that ensures that the personal data is not disclosed to a person who is not entitled to receive it. We may also contact you for additional information about your request to expedite our response.
We try to respond to all legitimate requests within one month. Sometimes it can take us more than a month, in which case we will inform you.
11. YOUR JURISDICTION TO A SUPERVISORY AUTHORITY
If you are not satisfied with any aspects of how we collect and use your data, you have the right to object before the relevant competent authorities. The Commission for personal data protection is the supervisory authority of the Republic of Bulgaria, as defined by the Personal Data Protection Act:
Address: 2 “Prof. Tsvetan Lazarov” Blvd., Sofia 1592. GPS coordinates N 42.668839 E 23.377495. Center for Information and contacts – tel. 02/91 53 519, e-mail: email@example.com, website: www.cpdp.bg
In case of a complaint, we would be grateful if you first contact us to try to help you.
12. CHANGES TO THIS POLICY
We have the right to change and update this Policy. We will publish these changes on our website www.esribulgaria.com. If these changes are significant, we will inform you further about them by email or other appropriate means of contact with you.