Personal data security policy for individuals

Personal Data Security Policy for Natural Persons

This document contains the Personal Data Security Policy for Natural Persons (the „Policy“) and is related to the General Terms and Conditions but is not an integral part of them, as it does not regulate rights and obligations. Its purpose is to explain to users what personal data we process, how and why we process it, and what security measures are applied. It also provides information about the rights you, our clients and users, have in connection with the processing of personal data by IMG CONNECT Ltd., UIC 207379619, VAT No. BG207379619, with registered office and address: Varna, 4 Bregalnitsa Street. Any changes to this Policy will be published here.

Last updated: 10.01.2024

Your privacy is extremely important to us. This Security Policy outlines what personal data we collect from you through our interactions and how we use this data.

DATA CONTROLLER

IMG CONNECT Ltd., UIC 207379619, VAT No. BG207379619, with registered office at: Varna, 4 Bregalnitsa Street, contact phone: +359 886 991 001, email: events@internetmediagroup.org (hereinafter referred to as „We“, the “online store”, the “Website”, the “Site”, the “Administrator”, or „IMG CONNECT“) is the data controller of all information collected or provided when browsing the website www.digital4varna.com, when making a purchase through it, or through interaction with our Facebook page (hereinafter jointly referred to as the „Site“). This Policy also applies to personal data voluntarily provided by natural persons (hereinafter „Data Subjects“) electronically (via email), by phone, or by any other means, including in person at a physical location.

IMG CONNECT also processes personal data from inquiries sent by you, as well as for marketing, advertising, profiling, participation in games, promotions, sweepstakes organized by us, and for any other legally permissible purposes. While processing personal data, IMG CONNECT complies with all applicable legal acts, including but not limited to Regulation (EU) 2016/679 (“the Regulation”) and the Bulgarian Personal Data Protection Act, because the security of our clients’ data is of paramount importance.

DATA PROTECTION OFFICER

Data Protection Officer: Preslav Bobev
Correspondence address: Varna, 4 Bregalnitsa Street
Email: events@internetmediagroup.org
Phone: +359 886 991 001

SCOPE OF THE POLICY

This Policy applies to all our clients – natural persons using our services by placing orders through the Website or expressing interest by sending inquiries (hereinafter “Data Subjects”, “Users”).

Partners and third parties working with or for IMG CONNECT, or who may have access to personal data, are expected to be familiar with, understand, and comply with this Policy. No third party shall have access to personal data stored by IMG CONNECT without a signed confidentiality agreement with terms no less stringent than those undertaken by IMG CONNECT, and which gives IMG CONNECT the right to audit compliance.

This Policy also applies to all employees/staff (and stakeholders) of IMG CONNECT, as well as to external providers of products and services under contract with IMG CONNECT. Any violation of the Regulation will be treated as a disciplinary offense or contract breach, and in cases of suspected criminal acts, the matter will be referred to the appropriate authorities as quickly as possible.

For visitors who do not place orders or send inquiries but only browse our website, the applicable policy is the Cookie Policy published on the Site.

DEFINITIONS

“Regulation” – General Data Protection Regulation 2016/679 (GDPR) from 27 April 2016, aiming to protect the “rights and freedoms” of natural persons and ensure that personal data is not processed without their knowledge or, where possible, without their consent.
“Personal Data” – Any information relating to an identified or identifiable natural person („data subject“); an identifiable person is one who can be identified directly or indirectly.
“Special Categories of Personal Data” – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, or sexual life/orientation.
“Processing” – Any operation performed on personal data, whether automated or not, such as collection, storage, use, disclosure, deletion, etc.
“Controller” – The person or entity that determines the purposes and means of the processing of personal data.
“Data Subject” – Any living natural person whose personal data is processed by the Controller.
“Data Subject Consent” – Any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes.
“Child” – Under the GDPR, a child is any person under the age of 16. Parental or guardian consent is required for data processing.
“Profiling” – Automated processing of personal data to evaluate certain personal aspects of an individual.
“Personal Data Breach” – A breach that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data.
“Recipient” – A person or entity to whom personal data is disclosed, including public authorities under specific conditions.
“Third Party” – Anyone other than the Data Subject, Controller, or Processor, who has access to personal data.

PRINCIPLES

When collecting and processing personal data, we adhere to the following principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.

DATA SUBJECTS WHOSE DATA WE PROCESS

In relation to its activities, IMG CONNECT Ltd. enters into distance contracts, reviews job applications and proposals, responds to user rights requests, issues invoices, manages user accounts, and conducts marketing campaigns. During these activities, IMG CONNECT processes data of:

(a) Unregistered website users who have not provided any personal data (or limited data such as a phone number or email);
(b) Registered website users – in which case we process user-provided data such as names, delivery address, billing data, order details, etc.;
(c) Individuals who send inquiries, requests, complaints, etc. via phone, email, or other channels;
(d) Individuals mentioned in communications sent to us;
(e) Individuals with whom we conclude contracts electronically or in person;
(f) Individuals whose data is provided by third parties (e.g., ordering a gift for someone else).

PERSONAL DATA WE PROCESS

Depending on the reason necessitating the processing of personal data, the type of such data may vary. The functionalities provided on the Site are not intended for the storage and processing of special categories of data within the meaning of Articles 9 and 10 of the Regulation. (Note: Read Articles 9 and 10 of the Regulation here.) We require only the personal data necessary for providing the activity/service/product requested by us. In the course of using the site by individuals, we may also process other data that does not contain personal data but relates to the subject, such as their IP address, activity data on the site, and similar.

Data provided during event registration

To fulfill a contract concluded between you and IMG CONNECT remotely for participation in an event, we require certain information from you. You decide whether and how to use the opportunities to conclude a service contract remotely, offered via the Site or our Facebook page. In the forms through which personal data is entered, we clearly indicate whether the data provision is mandatory or voluntary. Mandatory fields are such without which we cannot conclude the respective contract. These include: full name, email address, delivery address, contact phone number, your payment information (e.g., bank card), invoicing data including a personal identification number (EGN) if you want an invoice as a private individual. If you provide data of third parties (e.g., for gifts or donations), you are responsible for having authorization to provide that data.

Data provided during Site registration

If you choose to save your information on the Site by registering an account, we will store the above-mentioned data as well as order history from the registered account. The required data matches the data needed when placing an order. We also process IP address, activity data (date and time of registration, acceptance of Privacy Policy and Terms and Conditions, account log-ins, etc.).

Data provided when concluding other contracts

In cases where IMG CONNECT concludes other contracts with individuals beyond remote sales, we require full name, personal identification number (EGN), address, and email address.

Data provided through or by third-party websites and applications

In some cases, you may share information with social networks or use their sites to create or link your profile on our website. In such cases, the social network may automatically provide us with certain personal information collected about you (e.g., content you viewed, ads you interacted with, etc.). By linking your social media profile with our website account, you authorize us to access and use this data in accordance with this Privacy Policy. If you register on our site using a social media account, we may process data such as your name, phone, email, gender, marital status, age, photo, education, place of birth, residence, and other data visible to us.

If you provide your personal data via Viber, Skype, Facebook, or other platforms/social networks, please be informed that these platforms have their own privacy policies and IMG CONNECT assumes no responsibility for their practices. We recommend you review these policies before submitting your data.

Data provided through comments, reviews, posts

If you leave a comment or post on the website, your IP address will be saved, along with your name if provided. This is for the site’s security. If your post violates the law, the site operator would need to identify you. IMG CONNECT is also obligated to keep this data („traffic data“) for specified periods and purposes. According to the Law on Electronic Documents and Electronic Certification Services, we must maintain logs of the statement submission (excluding content) for one year. The log includes the statement date, sender’s name and email.

Employee data and data collected during job applications

We process data when concluding employment contracts and evaluating job applications. For employment, we require full name, EGN, address, age, gender, education, work experience, banking data, and later health data. For resumes, we process name, address, email, age, gender, education, experience, photo, and voluntarily provided data during interviews or in the CV.

Data related to correspondence, complaints, and reports

For resolving submitted complaints, reports, disputes, queries, requests, or other issues communicated to IMG CONNECT via forms, calls, regular or email, we store and process this information and the result of its processing. This may include name, email, phone, and address.

Also, as sending comments, inquiries, or other messages to the site or social media pages constitutes electronic statements, we must maintain a log of such statement submissions (excluding content) for one year, containing date, name, email, and sender identification.

If you provide personal data of another person, you must do so only with their authorization and inform them of how their data will be collected, used, disclosed, and stored in line with this policy.

Technical data collected during Site usage

We collect data from your device (computer, phone, tablet, etc.) such as:

Device ID, type, and unique identifier;
Log data including IP address, visited URLs, browser type/settings, request date/time, site usage, cookies, and device data;
Location data if enabled on your device;
Computer and connection information (e.g., page views, IP, browsing history, language settings, date/time);
Search logs (up to 10 past searches saved via cookies, shown in browser or account if logged in);
Security, maintenance, and development logs (for service reliability, detecting threats, analytics);
Logs for electronic statements, user logins (date/time, mobile/app/desktop, IP), server logs, WAF logs, etc., kept for up to one year;
Cookies are used for site functionality, see our Cookie Policy for details.

We may choose to reduce the amount of stored and processed data based on the purposes of processing.

We do not require or process personal data revealing racial/ethnic origin, political/religious/philosophical beliefs, union membership, genetic/biometric data, health, or sexual orientation. If you voluntarily provide such data, IMG CONNECT is not liable but will protect it equally. We do not transfer data to third countries. We do not make automated decisions regarding personal data, nor process data of individuals under 16 years of age. If you are under 16, do not submit personal data.

PURPOSES FOR PROCESSING YOUR DATA

The main purpose of processing your personal data is to provide services via the Site and social networks—e.g., concluding remote sales contracts and delivering ordered products/services, as well as accounting for revenue. We also use personal data to improve our services, personalize your experience, contact you regarding your account, provide customer service, personalize marketing, and detect fraudulent or illegal activities.

IMG CONNECT uses this data for purposes including:

Concluding distance sales contracts via the Site or social networks;
Processing credit applications for purchases;
Processing payments and preventing fraud;
Employment contracts and job application evaluations;
Protecting legitimate interests of users, third parties, and the Site (e.g., problem resolution, communication, development, service improvement);
Marketing, service updates, promotional offers (with your explicit consent);
Handling complaints, requests, correspondence;
Legal rights protection, including legal proceedings;
Administering and securing the website/app;
Analyzing site/app/retail usage and advertising effectiveness;
Contacting you regarding your profile and preferences (including automated or recorded calls/messages if needed);
Sending product/service updates via digital means (only with consent);
Website registration maintenance;
Administering contests, raffles, lotteries;
Providing location-based services;
Fulfilling legal obligations (e.g., accounting, labor law, consumer protection law, GDPR, legal requests from authorities);
Informing you of rights or services-related updates;
Protecting IMG CONNECT legally.

DATA RETENTION PERIOD

We apply the general principle of retaining data in minimal volume and for no longer than necessary to provide services, fulfill contracts, ensure security and comply with the law. We will retain your personal data for the period required to fulfill the purposes stated in this Privacy Policy unless a longer retention is required by law or legitimate interest. Data is retained according to its type and purpose, and deleted permanently upon expiration of the retention period.

Data Type & Explanation	Retention Period	Legal Grounds
Registration Data (name, email, phone, address) and registration metadata (date, time, IP address). Used to identify you as a registered user. Necessary to resolve disputes and for compliance with ZEDEUU.	While the account is active and up to 5 years after deactivation. Certain data (IP/activity) must be stored 1 year by law.	Contractual performance, Legal obligation, Legitimate interest
Order and billing data, invoices, payment records, accounting and tax documents. Needed for contract execution and buyer protection (e.g. warranties).	During the validity of the contract and up to 5 years after; specific accounting data stored between 5 and 50 years.	Legal obligation, Legitimate interest
Employee HR data stored in employment records.	Depending on document type, up to 50 years.	Legal obligation
Correspondence, complaints, signals, requests, initiatives. Used for dispute resolution and communication handling.	Up to 5 years, per Bulgarian legal limitation periods.	Legitimate interest
Logs confirming actions (comments, orders, requests). Include sender, recipient, time. Required as proof of electronic statements.	From 1 to 5 years depending on purpose.	Legal obligation, Legitimate interest
Quick search links (no personal data). Allow repeated searches without retyping.	Until deleted by user, account termination, or up to 6 months if used without registration.	User consent, Legitimate interest
Settings and system logs (may contain IP, browser, time, etc.). Used for technical support and security.	Until deleted or account is terminated. If stored in cookies: 6–12 months from last use.	User consent, Legal obligation, Legitimate interest
Mobile app data (e.g. settings). Needed for technical delivery of services.	While using the app, until it is uninstalled.	Necessary for service provision
Cookies. See Cookie Policy for detailed info.	Between 6–12 months, depending on type and browser settings.	User consent, Legitimate interest

Exceptions to Data Retention Periods

Please note that we will not delete or anonymize your personal data if it is required for ongoing judicial, administrative, arbitration, enforcement proceedings, or complaint procedures initiated by you. Data deletion will be carried out once the necessity for retaining the data has ceased, which may occur after the retention periods specified above have expired.

You may always request that we delete specific information or close your account. We will respond to such requests while retaining certain data, even after account deletion, where applicable laws or our legitimate interests require it. If we are legally obligated or it is reasonably necessary to comply with regulatory obligations, resolve disputes, prevent fraud or abuse, or enforce our terms, we may retain some of your personal data for a limited period after your account has been deleted.

To ensure the reliability of our services and to prevent data loss due to technical issues, a data backup policy is implemented on the Site. The maximum update (deletion) period for all backup copies is 30 days.

DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES?

„IMG CONNECT“ Ltd., and respectively the Website, do not provide your personal data to third parties, unless there is a legal basis for doing so – a legal or contractual obligation, legitimate or vital interest, or your consent. We strive to minimize the personal data we disclose, and it is always directly related to and necessary for achieving a specific purpose. We do not sell, rent, or otherwise disclose your personal information to third parties for their marketing or advertising purposes without your consent. We ensure that any access to your data by private third parties complies with data protection and privacy laws, and is based on contracts signed with them.

We may disclose your personal data when we are subject to a legal obligation. In certain cases, IMG CONNECT Ltd. is obligated to disclose your data to public authorities such as the police, prosecutor’s office, court, in connection with the prevention or detection of crimes. This also includes the exchange of information with other companies and organizations for the purpose of fraud protection and credit risk reduction. You should be aware that if the police or other regulatory or state authority investigating alleged illegal activities requests your personal information or other data we hold about you, we have the right to provide it, once we confirm the validity of the request. If we receive income from sales, we may be required by the tax authorities to provide sales data containing your order information, including personal data. In this regard, your data may be shared with accounting firms we work with.

The Website and IMG CONNECT are also legally obliged to protect the security of networks and the data processed by the company. For this purpose, we implement a number of measures which may require the processing of your data by IT companies that ensure security for our company.

We might have contractual obligations to provide your data if we have entered into a remote sales contract with you, under which we are required to deliver the product or service you requested via courier. The same applies if you have chosen to purchase and pay for a product or service on our website using payment, credit, or banking services whose providers you either directly share your data with or authorize us to do so. If you choose to insure a product/service at the time of purchase through the Site, your data will be shared with insurance companies. If we install a purchased product through a subcontractor, we may provide your data to them so they can fulfill the service or warranty.

Our legitimate interest may, in certain cases, justify providing personal data to third parties. This applies, for example, to cases before the Data Protection Commission, Consumer Protection Commission, and other public authorities. A legitimate interest also exists when we engage other companies or individuals to perform certain tasks on our behalf, supplementing our services under data processing agreements. We want you to always be informed about the best product/service offers you may be interested in. For this purpose, with your explicit consent, we may share certain data with marketing/telemarketing service providers or other companies with whom we develop joint programs for offering our products and services.

Our website may contain links to and from third-party websites. If you follow a link to any of these websites, please note that they have their own privacy policies and we do not accept any responsibility or liability for them. Please check these policies before submitting any information to these websites. Our site uses YouTube LLC, represented by Google Inc., to embed videos. Normally, when you visit an embedded video page, your IP address will be sent to YouTube and cookies will be installed on your device. However, our YouTube videos are embedded in enhanced privacy mode (in this case YouTube still contacts DoubleClick, a Google service, but personal data is not used according to Google’s privacy policy). As a result, YouTube does not store any information about visitors unless they watch the video. If you click on the video, your IP address will be sent to YouTube and it will know that you viewed the video. If you’re logged in to YouTube through your profile, this information will also be linked to your user profile (you can prevent this by logging out before clicking the video). We do not have information about YouTube’s data collection or usage practices. For more details, see YouTube’s privacy policy at: www.google.com/intl/bg/policies/privacy/

TO WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA?

Currently, we store and process your personal data in Bulgaria.

However, it is possible that some of your personal data may be transferred to entities located within the European Union or outside, including to countries not recognized by the European Commission as having an adequate level of data protection.

We always take steps to ensure that any international transfer of personal data is carefully managed to protect your rights and interests. Transfers to service providers and other third parties will always be safeguarded by contractual obligations and, where appropriate, by other guarantees such as standard contractual clauses issued by the European Commission or certification schemes such as the EU-US Privacy Shield.

You can contact us at any time using the contact information at the end of this Policy to learn which countries we transfer your data to and what protective measures we apply in relation to these transfers.

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

Under the General Data Protection Regulation (GDPR), you have the following rights:

Right to be informed

This Policy aims to inform you in detail about the processing of your personal data. In case of a data breach that poses a risk to your personal data, the controller is required to notify you of the nature of the breach, the measures taken, and whether the supervisory authority has been informed.

Right of access

You have the right to receive confirmation of whether we are processing your personal data, access to that data, and information on how it is being processed. You can request this in writing or electronically. A copy will be provided in a suitable format.

Right to rectification

You have the right to have your personal data corrected or updated if it is incomplete or inaccurate. Registered users can do this in their user panel. Unregistered users can submit a request to the controller.

Right to erasure (“right to be forgotten”) and account deletion

You can request your personal data to be deleted. Account deletion can also be done via your user panel. Note: we may retain some data due to legal obligations (e.g., telecom or tax laws). Backups are deleted within 30 days.

Reasons for deletion may include:

Data no longer needed
Consent withdrawn
Objection to processing with no overriding legal grounds
Unlawful processing
Compliance with a legal obligation
Data collected from children in connection with information society services

We may refuse deletion if legal grounds exist (e.g., public interest, legal claims, health/public safety, etc.).

Right to restrict processing

You can request processing to be limited if:

You dispute data accuracy
Processing is unlawful, but you oppose deletion
Data is needed for legal claims
You’ve objected to processing, pending verification

Right to notify third parties

You may request that we notify third parties with whom your data has been shared about rectification, deletion, or restriction.

Right to data portability

You have the right to receive your data in a structured, machine-readable format and to transfer it to another controller if processing is based on consent or a contract and carried out automatically.

Important: You are responsible for the storage and further sharing of exported data.

Right not to be subject to automated decision-making

You have the right not to be subject to a decision based solely on automated processing, including profiling, unless safeguards are in place.

Right to withdraw consent

You may withdraw your consent at any time. This does not affect the lawfulness of prior processing. Example: unsubscribing from email notifications. We may verify your identity to prevent misuse.

Right to object

You may object to processing based on a legitimate interest. We will review the objection and may continue processing only if we have compelling lawful reasons.

Right to lodge a complaint

You may file a complaint with a supervisory authority if you believe your data rights are violated. In Bulgaria, this is the Commission for Personal Data Protection:
Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Email: kzld@cpdp.bg
Website: www.cpdp.bg
Phone: +359 2 915 3 518

HOW TO EXERCISE YOUR RIGHTS – RESPONSE TIMES

You can exercise your rights free of charge at any time by email or written request via the contact form on the Site or the contact details provided in this Privacy Policy. Requests must be verifiable (identity confirmed). Some rights may be exercised through technical means (e.g., unsubscribe button). The controller must respond within one month.

If a request is clearly unfounded or excessive (especially repetitive), we may charge a reasonable fee or refuse the request. You will be informed of this in advance.

DATA ACCURACY

We are not responsible for the accuracy of the data you provide. We do not verify it and cannot guarantee your actual identity. If you suspect fraud or misuse, please notify us immediately. You must not violate the rights of others when providing information on the Site.

GENERAL INFORMATION ABOUT THE POLICY

This Privacy Policy may be amended due to changes in applicable laws or at the initiative of IMG CONNECT Ltd. or a competent authority. Users will be informed of updates via publication on the Website. We recommend periodically reviewing the current version.

HOW WE PROTECT YOUR RIGHTS – SECURITY MEASURES

We implement organizational and technical security measures to protect your personal data. These measures meet current industry best practices and include data encryption, anonymization, pseudonymization, secure data centers, firewalls, antivirus systems, employee confidentiality agreements, and more. Despite all efforts, we cannot guarantee absolute security when using the Internet.

COOKIE POLICY

See the Cookie Policy here: [Link to Cookie Policy]

CONTACT DETAILS

Data Controller: IMG CONNECT Ltd.,
UIC: 203905177
Address: Sofia 1000, Bulgaria, 59 Vitosha Blvd.
Email: office@imgconnect.store