PERSONAL DATA SECURITY POLICY FOR INDIVIDUALS

This document contains the Personal Data Security Policy for individuals (“Policy”) and is related to the General Terms and Conditions, but it is not an integral part of them, as it does not regulate rights and obligations. Its purpose is to explain to users what personal data we process, how, for what purpose, and what security measures are applicable. Additionally, it provides information about the rights you, our clients and users, have regarding the processing of personal data by “BOTANICAL EU TRADING” EOOD. In case of changes to the Policy, the changes will be published here.

Update Date: 06.03.2020

Your privacy is extremely important to us. This security policy discloses what personal data we collect from you through our interactions and how we use this data.

DATA CONTROLLER

“BOTANICAL EU TRADING” EOOD, EIC 204312526, BG204312526, with registered office and address of management: Plovdiv, 4004, Southern district, Alexander Stamboliyski Blvd. 102, represented by Ilko Petkov (hereinafter referred to as “We,” “online store,” “Site,” “administrator”) is a data controller, including personal data, concerning the information collected or provided when browsing the website www.botanical.bg or when making a purchase through it, as well as when browsing or purchasing goods or services through our Facebook page (collectively referred to as the “Site,” “Website”). The Policy also applies in cases where, as individuals (hereinafter referred to as “Subjects”), you voluntarily provide us with personal data electronically (via email), by phone, or through other means, including on-site at our commercial outlet or office. “BOTANICAL EU TRADING” EOOD processes personal data from inquiries made by you to us, as well as for marketing and advertising purposes, profiling, participation in games, promotions, and raffles organized by us, and for any other purposes not prohibited by law. When processing personal data, “BOTANICAL EU TRADING” EOOD complies with all applicable regulations on personal data protection, including but not limited to Regulation (EU) 2016/679 (“Regulation”) and the Personal Data Protection Act, as the security of our clients’ personal data is of utmost importance to us. Therefore, this Policy applies in this case as well.

DATA PROTECTION OFFICER

The Data Protection Officer is Denitsa Hubenova.

Correspondence address: Plovdiv, 4004, Southern district, Alexander Stamboliyski Blvd. 102

Email address: onlineshop@botanical.bg

Contact phone: +359878515752

APPLICABILITY OF THE POLICY

This Policy applies to all our clients – individuals using our services by placing an order from the Site or expressing interest in the same by sending inquiries (hereinafter referred to as “data subjects,” “users”).

Partners and third parties who work with or for “BOTANICAL EU TRADING” EOOD, as well as those who have or may have access to personal data, are expected to familiarize themselves with, understand, and comply with this policy. No third party may have access to personal data stored by “BOTANICAL EU TRADING” EOOD without the company first having signed a data confidentiality agreement with the third party, which imposes obligations on the third party no less burdensome than those undertaken by “BOTANICAL EU TRADING” EOOD, and which gives “BOTANICAL EU TRADING” EOOD the right to conduct compliance checks on the obligations imposed by the agreement.

This policy applies to all employees/workers (and stakeholders) of “BOTANICAL EU TRADING” EOOD, as well as to external suppliers of products and services with whom “BOTANICAL EU TRADING” EOOD has contracts. Any violation of the General Regulation will be considered a breach of work discipline, respectively, as non-fulfillment of contracts with partners, and in the event of suspicion of a committed crime, the matter will be referred for consideration to the relevant state authorities as soon as possible.

For visitors to the Site who do not place orders or send inquiries but only browse our website, the accepted and published Cookie Policy on the Site applies.

DEFINITIONS

“Regulation” – General Data Protection Regulation 2016/679 of April 27, 2016, referred to as GDPR. The purpose of this European legislative act is to protect the “rights and freedoms” of individuals and to ensure that personal data is not processed without their knowledge and, when possible, is processed with their consent.

“Personal data” – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Processing” – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;

“Controller” – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Data subject” – any living individual whose personal data is being processed by the Controller.

“Data subject’s consent” – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“Child” – The General Regulation defines a child as anyone under the age of 16. The processing of personal data of a child is lawful only if a parent or guardian has given consent. The Controller makes reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or authorized the consent.

“Profiling” – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

“Personal data breach” – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;

“Recipient” – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as “recipients”; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third party” – a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

PRINCIPLES

When collecting and processing personal data, we are guided by the following principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.

SUBJECTS WHOSE DATA WE PROCESS

In connection with its activities, “BOTANICAL EU TRADING” EOOD enters into and fulfills distance sales contracts, reviews job applications and proposals, forms for exercising consumer rights, as well as data subject requests, responds to inquiries, issues and receives invoices, processes statistical data, manages a user panel on the site, conducts advertising activities through advertising campaigns (promotions, games, etc.). In the course of these activities, “BOTANICAL EU TRADING” EOOD processes information regarding the following data subjects:

(a) individuals using the site without registration, without leaving any data (in this case, we process data, but not personal data), and individuals using the site without registration who have voluntarily provided a limited amount of personal data (e.g., phone number and/or email address);

(b) individuals using the site with registration as registered users – in these cases, we process data about the user that they have entered during registration – email address, delivery address, names, billing information, order details, other data entered by the user.

(c) individuals who have made inquiries (including by phone), requests, initiatives, alerts, complaints, or other correspondence to us, including through the site, phone, email, or other means;

(d) individuals whose information is contained in inquiries (including by phone), requests, initiatives, alerts, complaints, or other correspondence addressed to us;

(e) individuals with whom we enter into contracts (civil, including commercial or labor contracts, primarily distance contracts) electronically (through the site or social networks, as well as via electronic correspondence) or on-site at our office or commercial outlet.

PERSONAL DATA WE PROCESS

Depending on the reason necessitating the processing of personal data, the type of data may vary. The functionalities provided on the Site are not intended for the storage and processing of special categories of data as defined in Articles 9 and 10 of the Regulation. (Note: Read Articles 9 and 10 of the Regulation here). We require only such personal data that is necessary for providing the activity/service/product requested from us. In the course of using the site by individuals, we may also process other data that does not contain personal data but relates to the subject, such as their IP address, activity data on the site, and similar information.

Data provided when placing an order

To fulfill a distance contract between you and “BOTANICAL EU TRADING” EOOD (order), we require certain information from you. You decide whether and how to use the options for concluding a distance sales contract provided through the Site or the Facebook page. In the forms through which personal data is entered, we clearly indicate the mandatory or voluntary nature of providing the data. The mandatory data are those without which it is impossible to conclude the respective contract. These include: names, email address, delivery address, contact phone, your payment information (e.g., bank card), billing information, including personal identification number (if you wish an invoice as an individual).

Data provided during registration on the Site

If you choose to save information about yourself on the Site by registering a profile, we store the above-mentioned data as well as the order history made by each registered account on the Site. The requested data matches those required when placing an order. In addition, we process IP address, activity data (time and date of registration, acceptance of Security Policy and Terms and Conditions, account login, etc.);

Data provided when concluding other contracts

In cases where “BOTANICAL EU TRADING” EOOD concludes other contracts with individuals, different from distance sales, we require full name, personal identification number, address, email address.

Data provided by, through, and to other websites and applications, referred to as third parties

In certain cases, you have the option to share information with social networks or use their sites to create your profile or connect your account on our website with the respective social network. In this case, the social network may provide us with automatic access to certain personal information they have collected about you (e.g., content you have viewed, desired content, information about the ads you have been shown or clicked on, etc.). By linking your social network profile with your account on our website, you allow us to access your personal data processed by the respective social network and to collect, use, and store this information in accordance with this Privacy Policy. This linking of a social network profile with registration on our website occurs if you click on a link provided to create a Registration on our website through social media, thereby voluntarily establishing a connection with the respective social media site. If you choose to register on our site through a social network, we may process your data such as names, phone, email, gender, marital status, age, photo, education, place of birth, place of residence, and other data you have provided to these platforms and which are visible to us if you log in with them on our site.

If you provide your personal data to “BOTANICAL EU TRADING” EOOD via Viber, Skype, Facebook, or another platform/social network, we inform you that these platforms/websites/social networks have their own privacy policies and we do not accept any responsibility or liability for these policies, as their processing cannot be controlled by “BOTANICAL EU TRADING” EOOD. In this regard, we recommend that you review these policies before sending us your personal data via these websites/applications.

Data provided when posting a comment, review, publication

If you leave a post or comment on this website, your IP address will be saved along with your name if you have entered this information. This is for the safety of the website operator. If your text violates the law, he would like to be able to trace your identity. Additionally, “BOTANICAL EU TRADING” EOOD is obliged to store this data (referred to as “traffic data”) for certain periods and for specific purposes outlined below. Due to the fact that sending comments, inquiries, and other messages to the site, Facebook page/group, or their administrators constitutes sending an electronic statement, under the Electronic Document and Electronic Certification Services Act, the administrator is obliged to maintain logs of the fact of sending the statement for a period of 1 year. The log contains the date of the statement, the name, and the email address of the sender.

Data of employees and data collected when processing job applications

We process data when concluding employment contracts and when evaluating and processing job applications. When concluding employment contracts, we require full name, personal identification number, address, age, gender, education data, work experience, bank details, and subsequently process health data. When processing resumes, we process names, address, email address, age, gender, education, work experience, photo, data provided voluntarily by the candidate during the interview or in the resume.

Data provided for correspondence, complaints, and alerts

To resolve submitted complaints, alerts, disputes, inquiries, requests, or other issues communicated to “BOTANICAL EU TRADING” EOOD, received through electronic forms on the Site, phone calls to “BOTANICAL EU TRADING” EOOD, or via regular or electronic mail, “BOTANICAL EU TRADING” EOOD stores and processes this information as well as the result of this processing. This may include names, email address, phone, address.

Additionally, due to the fact that sending comments, inquiries, and other messages to the site, Facebook page/group, or their administrators constitutes sending an electronic statement, under the Electronic Document and Electronic Certification Services Act, we have the obligation to maintain a log of the fact of sending the statement (without its content) for a period of 1 year. The log contains the date of the statement, the name and email address of the sender, and the identification of the sender.

If you provide us with personal information about someone else, you should do so only with that person’s authorization. You should inform them how we collect, use, disclose, and store personal information in accordance with this Privacy Policy for Individuals.

Technical data collected during the use of the Site

In addition, we collect information from your computer, phone, tablet, or other device you use. This information may include the following:

Device identifier, device type, and unique identifier for that device, “log data,” including information that your browser automatically sends to us when visiting a website; this log data includes the internet protocol address, address and activity of the websites you visit, searches, browser type and settings, date and time of your request, how you used the site, cookie data, and device data; if you want to get more details about the information we collect – contact us through the contact form.
Location information transmitted by the device if you have set it to display location data – please note that mobile devices allow you to control or disable the use of location services for any application on your mobile device in the device’s settings menu;
Computer and connection information, such as statistical data on page views, IP address, browsing history on the site, language settings, date and time;
Logs to facilitate your searches – quick links for repeating previous searches allow you to repeat your searches instead of entering them each time. The functionality can be used with or without registration. When using the Site, a cookie with a randomly generated number is stored in your browser, allowing the Site to show you quick links for repeating previous searches. The Site stores and displays the last 10 searches associated with this browser, and when you log into your account, you can save and use them there. If you use the Service with registration (currently inactive function), the last 10 searches are stored in your account;
Logs related to security, technical support, development, etc.:
To ensure the reliable functioning of the services and to identify technical problems;
To ensure the security of the services and detect malicious actions;
For the development and improvement of the services on the site;
To measure the site’s traffic and usability;
Logs in cases required by law (such as logs of electronic statements);
Log for logging into a user profile (account) – this log allows the detection and automatic blocking of unauthorized access attempts to accounts; it is maintained for a period of up to 1 year and contains the date and time of account login, status, whether the login is through a mobile version, application, or desktop browser, IP address;
Server logs, logs of security devices (Web Application Firewalls), and other devices falling into this category. These logs are necessary for identifying technical problems, detecting malicious actions, and other purposes outlined above; they are stored for a period of up to 1 year. Logs may contain the following information: date and time, IP address, URL, information about the browser and device. Additionally, some devices may use cookie-based security technology;
Cookies – the functioning of the Site requires the use of cookies. In this regard, a Cookie Policy has been adopted; please review the Policy for more details regarding: the type of cookies we use, their storage duration, and usage, etc.;
We may choose to reduce the amount of data we store and process in accordance with the purposes of processing.
We do not require and will not collect and process personal data that reveal: racial or ethnic origin; political, religious, or philosophical beliefs; membership in trade unions; genetic and biometric data; health data, as well as data about sexual life or sexual orientation. If a subject voluntarily provides such categories of data on their own initiative, “BOTANICAL EU TRADING” Ltd. is not responsible for their provision but only undertakes to provide the same protection measures for them as those provided for the requested personal data. We do not transfer data to third countries. Additionally, we do not make automated decisions regarding personal data and do not process data of individuals under 16 years of age. If you are under 16 years of age, you should not provide us with personal data about yourself.

PURPOSES FOR WHICH WE PROCESS YOUR DATA

The main purpose for which we process your personal data is generally related to providing services through the Site and social networks, namely the conclusion of a distance sales contract and the delivery of the goods and services you have ordered, as well as the accounting of revenues. We use your personal information to provide and improve our Services, to offer you a personalized experience on our site, to contact you about your account and our Services, to provide you with customer service, to deliver personalized advertising and marketing according to your interests, to conduct raffles and games organized by us, and in certain cases to detect and investigate fraudulent or illegal activities.

“BOTANICAL EU TRADING” EOOD collects, uses, and processes the information described above for the purposes provided in this Policy, which may be related to:

The conclusion of a distance sales contract for goods/services between you and “BOTANICAL EU TRADING” EOOD through the Site or social networks – we require your identification, contact, and payment data to conclude a contract with you and accordingly to send you the order;
The conclusion of a consumer credit contract when you have requested the purchase of a good or service from the Site through credit;
Processing payments and preventing fraudulent transactions (we may pass your data to a third party to perform these functions);
The conclusion of employment contracts and the processing and evaluation of submitted resumes;
Protection and enforcement of the legitimate interests of other users of the Services, third parties, and the Site – the legitimate interest pursues goals related to the lawful interests of “BOTANICAL EU TRADING” EOOD and/or third parties. These goals include:
Detecting and resolving technical or functionality issues, developing, and improving the Site’s purpose;
Communicating with you, including electronically, on important issues related to the services we provide and the execution of the concluded contracts;
Directing our marketing, updating services, and offering you promotional offers based on your preferences.
Receiving and processing received signals, complaints, requests, and other correspondence;
Exercising and protecting the rights and legitimate interests of the Site, including through legal proceedings, and assisting in the exercise and protection of the rights and legitimate interests of other users of the site and/or affected third parties;
Administering the website and application and keeping them secure and safe;
Analyzing and improving the use of our website, application, and retail (including using information about how you navigate our website, App, and/or stores);
Measuring and analyzing our advertising and making suggestions and recommendations to you based on the information you share with us;
Communicating with you about your account, resolving issues with your account. When we contact you by phone, to ensure efficiency, we may use automated or pre-recorded calls and text messages.
Informing you about products and services you wish to receive information about via email, mail, mobile phone, and/or other digital means (depending on your stated preferences), including social media platforms – only when we have received your explicit consent for this;
Registering you on the website (in this case, we will use your personal information to maintain and update your profile (e.g., change of address or change in your marketing preferences));
Administering any competitions/raffles/games of chance conducted by “BOTANICAL EU TRADING” EOOD;
Providing you with location-based services (such as advertising, search results, and other personalized content);
Fulfilling legal obligations of “BOTANICAL EU TRADING” EOOD, which include:
Fulfilling legal obligations to retain or provide information regarding our tax obligations to the state (e.g., based on the Accounting Act and other tax laws – VAT Act, Income Taxes on Natural Persons Act, Corporate Income Tax Act, Tax-Insurance Procedure Code, etc.);
Fulfilling legal obligations based on the Labor Code, the Commercial Register and Non-Profit Legal Entities Register Act, and other regulatory acts;
Fulfilling orders received from competent state or judicial authorities (e.g., based on the Ministry of Interior Act, the Penal Procedure Code, the Electronic Communications Act);
Fulfilling obligations under the General Data Protection Regulation, related to notifying you of various circumstances related to your rights, the provided Services, or data protection, and similar;
Fulfilling obligations under the Consumer Protection Act, such as ensuring the right of withdrawal, the right to statutory warranty;
Defending “BOTANICAL EU TRADING” EOOD in legal proceedings;

Your data may be processed based on your explicit consent, with the processing in this case being specific and to the extent and scope provided in the relevant consent. Usually, such consent is requested from you when we wish to process your personal data without a legal obligation or legitimate interest for “BOTANICAL EU TRADING” EOOD. Most often, such consent is requested when we wish to offer you information about new promotions, products, etc.

DATA RETENTION PERIOD

When storing data, we apply the general principle of storing data in a minimal amount and for a period not longer than necessary for providing the Services and fulfilling the contracts, ensuring their security and reliability, and complying with legal requirements. We will retain your personal information for a period necessary to fulfill the purposes set out in this “Personal Data Protection Policy,” unless the law or our legitimate interest requires us to retain it for a longer period. According to the type of data and the purposes for which they were collected, a retention period is determined, upon the expiration of which the information is permanently deleted.

Data Type

Retention Period

Basis for Processing

Explanations

Registration data (name, surname, email address, phone, address) and information on registration and agreement to the Terms (date, time, IP address)

Retention Period

For the entire period of maintaining the account on the Site and up to 5 years after the termination of the registration

Basis for Processing

Performance of contractual obligations; compliance with legal obligations; protection of legitimate interest

Your data identifies you as a registered user on the Site. To resolve any potential disputes that arise or become known after the termination of the agreement for using the Site and in connection with the Electronic Document and Electronic Certification Services Act (ZEDES), these data are stored for up to 5 years after the termination of the account.

Important! Based on ZEDES (see below), some of these data (activity, IP address) must be stored by the administrator for up to 1 year after the termination of the account. The extension of the retention period is due to the protection of the legitimate interests of the administrator.

Personal data from orders and issued or received invoices by the administrator, payment documents (orders, statements), reports, and other accounting, reporting, and payment documents.

Personal data from employee records

Retention Period

For the period during which the rights and obligations of the parties under the legal relationship are in force, up to 5 years from the termination of the legal relationship.

Certain data are also stored for a longer legally determined period than the one specified above, as they constitute accounting information – transaction data, billing data – between 5 and 50 years.

Basis for Processing

Compliance with legal obligations; protection of the legitimate interests of the administrator

Your data identifies you as a party to the distance sales contract and is stored to ensure your rights and to comply with our legal obligations as taxpayers. Storage is also necessary to ensure the rights of buyers (individuals) when a period is provided for them (e.g., a 2-year warranty). Legal obligations also dictate the determination of the retention period in the described manner.

According to Article 38 of the Tax and Social Insurance Procedure Code (TSIPC), accounting and commercial information, as well as all other data and documents relevant to taxation and mandatory insurance contributions, are stored by the obligated person in accordance with the procedure established in the National Archive Fund Act, within the following periods: payroll records – 50 years; accounting registers and financial statements – 10 years; documents for tax and social insurance control – 5 years after the expiration of the limitation period for the settlement of the public obligation to which they are related; all other carriers – 5 years. According to Article 38, paragraph 2 of TSIPC, after the expiration of the storage period, the information carriers under paragraph 1 (paper or technical), which are not subject to transfer to the National Archive Fund, may be destroyed.

Personal data from correspondence, complaints, and signals, requests, initiatives

Retention Period

Data from correspondence, complaints, signals, requests, and initiatives are stored for a period of up to 5 years based on the Obligations and Contracts Act (limitation periods for filing claims).

Basis for Processing

Protection of the legitimate interests of the administrator

To resolve submitted complaints, signals, disputes, inquiries, requests, or other issues communicated to us through electronic forms on the Site, or by sending regular or electronic mail, we store and process this information, as well as the result of this processing. Given the limitation periods under Bulgarian legislation for resolving disputes, this information is stored for up to 5 years.

Log verifying the submission of a comment, inquiry, order, or other statement (contains sender, recipient, date, and time of the statement)

Retention Period

For a period of 1 to 5 years

Basis for Processing

Compliance with legal obligations; protection of the legitimate interests of the administrator

Due to the fact that sending a comment, review, inquiry, or other statement constitutes sending an electronic statement from you to us under the Electronic Document and Electronic Certification Services Act (ZEDES), the company is obliged to maintain a log of the fact of sending the statement for a period of 1 year.

The legitimate interest of the administrator allows in certain cases to extend the retention period of these data up to 5 years from the submission of the statement.

Quick searches (do not contain personal data)

Retention Period

Until deleted by you; until the termination of your registration or up to 6 months if you use this functionality without registration

Basis for Processing

Consent of the subject and protection of the legitimate interests of the administrator

This option allows you to repeat your searches instead of entering them each time. The functionality can be used with or without registration. Quick links for repeating the last 10 searches are stored. You can change the setting from the browser you use. Quick searches do not contain personal data.

Settings and System Logs

do not contain personal data, but may include information such as date and time, IP address, URL, browser version, and device information

Retention Period

Until deleted by you or until the termination of your registration. If stored in a cookie – between 6 and 12 months from the last use.

Basis for Processing

Consent of the subject; compliance with legal obligations; protection of the legitimate interests of the administrator

This category includes settings such as language selection and similar options.

Control over the settings is yours, and you can change them through your browser.

System logs, including server logs and logs from security devices (Web Application Firewalls) and other devices in this category. These logs are necessary for identifying technical problems and/or detecting malicious actions.

Information stored in a mobile application

Retention Period

For the period of use of the application (until it is uninstalled)

Information necessary for the technical provision of services (such as settings and others)

Cookies

Retention Period

Between 6 and 12 months depending on the type of cookie and your browser settings

Basis for Processing

Consent of the subject; protection of the legitimate interests of the administrator

For a description of the cookies used, see the “Cookie Policy”

DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES

“BOTANICAL EU TRADING” EOOD, respectively the Site, does not provide your personal data to third parties unless there is a legal basis for this – legal or contractual obligation, legitimate or vital interest, or your consent. We strive to minimize the personal data we disclose, ensuring that it is always directly related to and necessary for achieving the specified purpose. We do not sell, rent, or otherwise disclose your personal information to third parties for their marketing and advertising purposes without your consent. We guarantee that access to your data by private legal entities – third parties is carried out in accordance with legal provisions in the field of data protection and information confidentiality, based on contracts concluded with them.

We may disclose your personal data when we are subject to a legal obligation. In certain cases, “BOTANICAL EU TRADING” EOOD is required to disclose your data to public authorities such as the police, prosecutor’s office, court, in connection with the prevention or detection of crimes. This also includes exchanging information with other companies and organizations for fraud protection and credit risk reduction. You should be aware that if the police or another regulatory or state authority investigating alleged illegal activities requests your personal information or other information we have received about you, we have the right to provide it after ensuring the validity of the request from the state authorities. When we receive income from sales, we may be required by revenue authorities to provide sales data containing your order data, including personal data. In this regard, we provide your data to the accounting firms we work with. The legal obligation of the Site and “BOTANICAL EU TRADING” EOOD is to safeguard the security of the networks and the data processed by the company. In this context, we apply several measures, the implementation of which may require the processing of your data by IT companies responsible for our security.

We may have a contractual obligation to provide your data when we have concluded a distance sales contract with you, under which we are required to deliver the goods or services you requested via courier. This applies if you choose to purchase and pay for a product or service from our Site through payment, credit, or banking services, whose providers you personally share your data with or entrust us to do so. If you choose to insure a product/service during the purchase through the Site, your data is shared with insurance companies through the order. If we install a purchased product through a subcontractor, we may provide your data to them to perform the service/warranty service.

Our legitimate interest justifies, in certain cases, providing personal data to third parties. Such would be the situation in proceedings before the Commission for Personal Data Protection, the Consumer Protection Commission, and other state authorities. “BOTANICAL EU TRADING” EOOD has a legitimate interest when we engage other companies and individuals to perform certain tasks on our behalf, supplementing our services within data processing agreements. We would always like you to be informed about the best offers for the products/services you are interested in. In this regard, we may provide certain data of yours – only with your explicit consent, to providers of marketing/telemarketing services and other companies with which we may develop joint programs to market our goods and services.

Our website may also contain links to and from third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies, and we do not accept any responsibility or liability for these policies. Please check these policies before submitting any information to these websites. Our site uses YouTube LLC, represented by Google Inc., to integrate videos. Usually, when you visit an embedded video page, your IP address will be sent to YouTube, and cookies will be installed on your device. However, our YouTube videos are embedded in enhanced privacy mode (in this case, YouTube still contacts Google’s DoubleClick service, but personal data in accordance with Google’s privacy policy is not used). As a result, YouTube does not store any information about visitors unless you watch the video. If you click on the video, your IP address will be sent to YouTube, and YouTube will know that you have watched the video. If you are logged into YouTube through your user profile, this information will be linked to your user profile (you can prevent this by logging out of YouTube before clicking on the video to watch it). We have no information about the possible collection and use of your data by YouTube. For more information, see YouTube’s Privacy Policy at www.google.com/intl/bg/policies/privacy/.

TO WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA

Currently, we store and process your personal data in Bulgaria.

However, it is possible that some of your personal data may be transferred to entities located in the European Union or outside it, including to countries where the European Commission has not recognized an adequate level of data protection.

We will always take steps to ensure that any international transfer of personal data is carefully managed to protect your rights and interests. Transfers of data to service providers and other third parties will always be protected by contractual obligations and, where appropriate, by other safeguards such as standard contractual clauses issued by the European Commission or certification schemes such as the Privacy Shield for data transferred from the EU to the United States.

You can contact us at any time using the contact details provided at the end of the Policy to find out which countries we transfer your data to and what safeguards we apply in relation to these data transfers.

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

According to the General Data Protection Regulation (GDPR), you have the following rights:

Right to be Informed

This Policy aims to inform you in detail about the processing of your personal data. When there is a risk of a personal data breach, the controller is obliged to inform you about the nature of the breach and what measures have been taken to remedy it, as well as whether the supervisory authority has been notified of the breach. The data subject may also request information about all recipients to whom the personal data for which correction, deletion, or restriction of processing has been requested has been disclosed.

Right of Access

You have the right to receive confirmation as to whether your personal data is being processed, access to it, and information about how it is being processed and your rights in relation to it. As a data subject, you have the right to request confirmation as to whether your personal data is being processed and, if so, to access your data and the following information: the purpose for which the data is processed, what personal data, the recipients of the data, the processing period. Requests for access must be made in written/electronic form and addressed to the controller. In this case, we provide a copy of the processed personal data in electronic or other appropriate form.

Right to Rectification

You have the right to correct and supplement your personal data if it is incomplete or inaccurate. For registered users, this option is also valid in the user panel on the Site. Unregistered users can obtain this information by making a request to the controller. As a data subject, you have the right to request the correction or supplementation of your personal data, which is inaccurate/outdated or incomplete. For this purpose, you need to submit a separate request. Your request will be responded to by the controller in writing at the email address you provide.

Right to Erasure (Right “to be forgotten”) and Account Deletion

As a data subject, you have the right to be “forgotten,” i.e., to request that your personal data be deleted without undue delay, meaning that the controller deletes your personal data from all systems and records where it is stored, including notifying all third parties/processors to whom the data has been provided.

If you wish, you can delete your account on the site at any time. This option is also valid in the user panel on the Site. After deleting the account, all or part of the data is deleted. In connection with our obligations, responsibilities, and legal requirements (e.g., ZES or ZEDES), it is possible to retain certain data for a certain period (see the section above).

To ensure the reliability of the services and prevent data loss due to technical reasons, the Site applies a data backup policy. The maximum period for updating (deleting data) from all backups is 30 days.

A request for deletion can be submitted on the grounds provided in the Regulation, including in the presence of one of the following grounds:

The personal data is no longer necessary for the purposes for which it was collected;
You have withdrawn your consent;
You have objected to the processing of personal data and there are no legitimate grounds for processing that prevail;
The processing is unlawful;
The personal data must be deleted to comply with a legal obligation under Union law or the law of the Member State to which the controller is subject;
The personal data has been collected in connection with the offering of information society services.

Please note that we may refuse to delete part or all of the personal data if there is a significant reason and/or legal obligation for processing it. You will be promptly informed of this. The controller may refuse to delete personal data on the grounds specified in the Regulation if the processing is for the purpose of:

Exercising the right to freedom of expression and information;
Compliance with a legal obligation that requires processing provided for by Union law or the law of the Member State to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Reasons of public interest in the area of public health;
Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
The establishment, exercise, or defense of legal claims.

Right to Restrict Processing

The GDPR provides the possibility to restrict the processing of your personal data if there are grounds for this, as provided in the Regulation. Restriction is allowed in the following cases:

When you believe that your personal data is not accurate, in which case the restriction is for the period necessary for the controller to verify the accuracy;
When the processing of your personal data is unlawful, but you do not wish for it to be deleted, but only want its use to be restricted;
When the controller no longer needs your personal data for processing purposes, but you, as the data subject, require it for the establishment, exercise, or defense of legal claims;
When you have objected to the processing pending verification of whether the legitimate grounds of the controller prevail over your interests.

Right to Notification of Third Parties

Where applicable, you have the right to request the controller of your personal data to notify third parties to whom it has provided your data, regarding the correction, deletion, or restriction of the processing of your personal data.

Right to Data Portability

You have the right to receive the personal data that concerns you and that you have provided, in a structured, commonly used, and machine-readable format and have the right to transfer this data to another controller without hindrance from us, provided that the processing is based on consent or contractual obligation and the processing is carried out by automated means.

Important: The responsibility for storing data exported from the Site, as well as for all consequences of providing it to other controllers, lies entirely with you.

Right Not to be Subject to Automated Decision-Making

You have the right not to be subject to automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you unless there are grounds provided in applicable data protection legislation and appropriate safeguards are in place for protecting your rights, freedoms, and legitimate interests.

Right to Withdraw Consent

You have the right, at any time, to withdraw your consent given in connection with the processing of personal data based on your previous consent. Such withdrawal does not affect the lawfulness of the processing based on the consent given before its withdrawal. For services like email announcement subscriptions, where the subscription is based on your desire (consent), the possibility of unsubscribing at any time (withdrawing consent) is provided. In the event of withdrawal of consent, we have the right to request verification of the applicant’s identity to establish their identity as the data subject.

Right to Object

You have the right to object to data processed based on a legitimate interest. Upon receiving such an objection, we will consider your request, and if it is justified, we will fulfill it. If we believe there are compelling legal grounds for processing or that it is necessary for the establishment, exercise, or defense of legal claims, we will inform you of this.

Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint against our company (data controller) with a supervisory authority if you believe that the processing of personal data concerning you violates applicable data protection legislation. The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection, with the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., email: kzld@cpdp.bg, website: www.cpdp.bg, phone: 02 915 3 518.

HOW TO EXERCISE YOUR RIGHTS

Response Times

You can exercise the mentioned rights free of charge at any time via email or by sending a request to the addresses indicated in the contact form on the Site or at the end of this Privacy Policy. You can address your requests to the controller or directly to the Data Protection Officer. Requests must be made in a way that allows for the identification of the applicant’s identity. Regarding some rights, technical options may apply for their exercise, such as an Unsubscribe button. In all cases, the controller must respond to the request or decide on the exercised right at the address provided in the request, including an electronic address, within one month of receiving it.

If your requests to exercise these rights are manifestly unfounded or excessive, particularly because of their repetitive nature, we reserve the right to impose a reasonable fee, considering the administrative costs for providing the information or communication or taking the requested actions, or to refuse to act on the request. We will inform you of our fees, if applicable, before responding to your request.

Accuracy of Information

We are not responsible for the accuracy of the data provided by you, we do not perform checks in this regard, and we do not guarantee the actual identity of the individuals who provided the data. In any case of doubts on your part, of established fraud and/or misuse, please notify us immediately. You are obliged, when providing any information on the Site, not to violate the rights of other persons concerning the protection of their personal data or other rights.

GENERAL INFORMATION ABOUT THE POLICY

This Privacy Policy may be changed or supplemented due to changes in applicable Bulgarian or European legislation, on the initiative of “BOTANICAL EU TRADING” EOOD or a competent authority.

“BOTANICAL EU TRADING” EOOD will inform users about changes or additions to this Privacy Policy by publishing the updated Privacy Policy on our website.

It is recommended that users periodically check the latest version of this Privacy Policy on the “BOTANICAL EU TRADING” EOOD website.

HOW WE PROTECT YOUR RIGHTS

SECURITY MEASURES

To ensure the best possible protection of the data of the company and our clients/users/contractors/visitors on the Site, we apply all necessary organizational and technical measures provided in the General Data Protection Regulation and the Personal Data Protection Act, as well as the best practices from international standards. We apply the appropriate and necessary level of protection and for this purpose, we have developed efficient physical, electronic, and administrative procedures to protect the data we collect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed personal data.

We store your data on secure servers using the latest encryption algorithms and ensure the storage of backup copies.

The company has adopted the necessary rules and procedures related to the lawful processing of your personal data, including a Data Breach Action Plan, established structures for preventing misuse and security breaches, and designated a Data Protection Officer who assists in the lawful processing, safeguarding, and securing your data.

Access to your personal data is only granted to those employees, service providers, or affiliated persons on a need-to-know basis for official purposes or who need it to perform their official duties. All employees/workers are required to be trained and to accept the relevant contractual clauses/declarations/rules for compliance with the organizational and technical access measures before being granted access to any type of information.

A principle in our structure is that all employees/workers are responsible for ensuring the security of the data they are responsible for and that we process, as well as that the data is stored securely and not disclosed under any circumstances to third parties unless we have granted such rights to that third party by entering into a confidentiality agreement/clause. In this regard, all personal data is accessible only to those who need it, and access can only be granted following the established access control rules. All personal data is treated with the utmost security and stored:

In a separate room with controlled access; and/or
In a locked cabinet accessible to authorized persons; and/or
On a computerized system protected by a password in accordance with internal requirements specified in organizational and technical measures for access control; and/or
On computer media protected in accordance with organizational and technical measures for access control.

Personal data is deleted or destroyed only in accordance with internal procedures for data storage and destruction.

For maximum security in processing, transferring, and storing your data, we may use additional protection mechanisms such as encryption, pseudonymization, and backup technology.

We use a payment service to process payments. All payment information is encrypted using SSL technology.

When you post on forums, chat rooms, or social network services, the personal information you share is visible to other users and can be read, collected, or used by them. In these cases, you are responsible for the personal information you choose to provide.

Despite the measures we take to protect your personal data, we are aware that in general, the transmission of information over the internet or other public networks is not completely secure, and there is a risk that data can be viewed and used by unauthorized third parties. We cannot take responsibility for these vulnerabilities in systems that are not under our control. In the event of a data breach containing personal data, we guarantee that we will comply with all applicable notification norms in such cases.

COOKIE POLICY

As an integral part of this Privacy Policy for personal data protection, “BOTANICAL EU TRADING” EOOD has adopted a Cookie Policy, published and available both on the Site and on our Facebook page.

CONTACT US

DATA PROTECTION OFFICER

Questions and requests related to the exercise of your data protection rights can be addressed to “BOTANICAL EU TRADING” EOOD through the contact form available on the Site or through one of the specified contact methods:

“BOTANICAL EU TRADING” EOOD, EIC 204312526, BG204312526, with headquarters and address of management: Plovdiv, 4004, Southern District, Alexander Stamboliyski Blvd. 102, represented by Ilko Petkov

Data Protection Officer: Denitsa Hubenova

Correspondence address: Plovdiv, 4004, Southern District, Alexander Stamboliyski Blvd. 102

Email address: onlineshop@botanical.bg

Contact phone: +359878515752
