GDPR

Mandatory information for the rights of the persons in relation to personal data protection Information for the company – controller, processing the data: Controller: “Gebr. Heinemann Bulgaria” OOD, company incorporated and registered in the Republic of Bulgaria, head office and management address: Sofia, 141-B, Tsarigradsko shose, Blvd., mailing address: the city of Sofia, 141-B, Tsarigradsko shose, Blvd., entered in the Registry Agency under Unique ID No. 131022298, VAT No. BG131022298, contact telephone: +359884550610, e-mail: info@travel-free.bg

The company controller is established in the Republic of Bulgaria, the following address for contact: Sofia141-B, Tsarigradsko shose, Blvd., mailing address: the city of Sofia, 141-B, Tsarigradsko shose, Blvd., entered in the Registry Agency under Unique ID No. 131022298, VAT No. BG131022298, contact telephone:
+359884550610, e-mail: info@travel-free.bg

Information for the personal data protection competent supervisory body: Name: Commission of Personal Data Protection Head office and management address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd. Mailing address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.; email: kzld@cpdp.bg.

“Gebr. Heinemann Bulgaria” OOD via its site www.travel-free.bg (hereinafter for short the “Controller”) performs its activity in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The goal of this information is to inform you for any and all aspects of the processing of your personal data by the Company and the rights you have in relation to such processing.

Grounds for collection, processing and storing of your personal data

1. The Controller collects and processes personal data of the Users in relation to the use of the site www.travel-free.bg and execution of agreements with the company pursuant to article 6, paragraph 1 of Regulation (EU) 2016/679 (GDPR), and more particularly pursuant to the following grounds:

Explicitly received Users’ consent;
Performance of the Controller’s contractual obligations;
Compliance with a legal obligation, applicable to the Controller;
For the purpose of the legitimate interests of the Controller or of a third party;
Goals and principles at the collection, processing and storing of the users’ personal data.

The Controller collects and processes the personal data, provided by the Users in relation to the Site’s use and execution of an agreement with the company, including for the following purposes:

making a registration and provision of full functionality at using the Site;
execution and performance of a distance agreement with and without registration;
individualization of a party under the agreement;
accounting purposes;
statistical purposes;
protection of the information security;
ensuring the performance of the agreement for provision of the respective service;
sending an information bulletin at expressed desire.

The Controller complies with the following principles when processes personal data:

lawfulness, fairness and transparency;
limitation of the processing purposes;
relevance of the processing purposes and minimizing the collected data;
data exactness and currency;
limitation of the storage in view of the purposes’ achievement;
integrity and confidentiality and privacy of the processing and guaranteeing adequate level of personal data security.

At processing and storage of personal data, the Controller may process and store the personal data for the purpose of protection of his following legitimate interests:

Categories personal data the Controller collects, processes and stores:
Given name and surname
E-mail;
Gender;
Address;
Telephone No.;
Other data for contact with the users
The Controller performs the following operations with the provided by the users personal data for the following purposes:

- User’s registration in the site and performance of distance purchase and sale agreement – the goal of this operation is making a registration for using the site for purchase of goods and provision of contact data for delivery of the purchased goods. The registration and creation of a profile for using the site is not a mandatory step from the provision of the service , and it is accessible and available to a significant extent even without the creation of a profile.
- Conclusion of the impact assessment: Based on the impact assessment, the operation “Registration of user in the site and performance of distance purchase and sale agreement” is admissible for implementation and provides sufficient guarantees for protection of the rights and legal interests of the data subjects in accordance with the provisions of the GDPR.
- Execution and performance of a commercial transaction with a client or partner – the goal of this operation is the execution and performance of a contract with a trade partner or client and the administration thereof. Considering the limited scope of the collected personal data and the circumstance that part thereof is collected from publicly available sources, conducting an impact assessment of the operation is not required.
- Sending an information newsletter – the goal of this operation is administration of the process of sending newsletters to the users, who have expressed their desire to receive such. Considering the limited scope of the collected personal data, conducting an impact assessment of the operation is not required.
- Exercising of right to refuse or making a claim – the goal of this operation is the administration of the process on exercising the right to refuse (withdraw) or making a claim by the client. Considering the limited scope of the collected personal data, conducting an impact assessment of the operation is not required.


 When processing personal data the Controller makes no profiling, which could lead to legal consequences for the users or affect them significantly otherwise.

The Controller provides the users’ personal data to partners for the purpose of implementation of the delivery of the goods ordered, for the purpose of the accounting servicing of the users’ orders, the handling of legal claims and/or the receipt of other services or consultations.

The Controller does not foresee for the users’ personal data to be transmitted outside the borders of the European Union.

 At registration on the Site, using the option for registration via the users’ social media accounts, the Controller will receive information for the users’ profiles in this media and networks. The Controller is not responsible for the available information in these networks and social media.

The Controller’s site uses the so-called “cookies” for the purpose of providing full functionality of the website, improvement of the user’s experience, statistical purposes, facilitated access, etc. The users may at any time control and/or delete the “cookies” through the settings of the used by them browser. The “cookies” do not constitute personal data and are not used for identifying the site’s visitors and users.

The Controller stores the users’ personal data for a term not longer than the existence of the profile in the site. After deletion of the profile, the Controller shall use all reasonable efforts to delete and destroy any and all personal data, with no undue delay or making them anonymous (i.e. reducing them to a form, not showing the users’ identity). The Controller stores personal data provided in relation to Preorders made for a 5 year term for the purpose of protection the Controller’s legal interests in case of court or administrative disputes with users of the site. The period for storing the data could be extended in view of meeting a legal obligation or for protection of the Controller’s legitimate interests, or otherwise. The Controller stores the personal data he is required to keep according to the applicable legislation for the respective stipulated period, which may exceed the period of existence of the registration in the site or until the completion of the order.
Withdrawal of consent for personal data processing
If the user disagrees for the provided by him/her personal data to be processed for marketing purposes and for the receipt of a newsletter, she/he may at any time withdraw her/his consent for processing, filling in a consent withdrawal form or through e declaration in free text form, and sending it to the Controller’s e-mail or using the link, provided in the commercial or advertising message. The withdrawal of the consent does not impact the lawfulness of the personal data processing, which the Controller has performed until that moment.

Access right
The user shall be entitled to request and to receive from the Controller confirmation whether the related to him personal data are being processed, sending an e-mail with free text. The user is entitled to receive access to the related thereto personal data, as well as to the information, related to the collection, processing and storage of his personal data. Upon request the Controller shall provide a copy of the processed personal data, concerning the user, in electronic or another suitable form.

Right to rectification
The user shall be entitled at any time to rectify or to fill out the inaccurate or incomplete personal data, concerning him, directly via the registration form in the site or sending a request email to the Controller, using the form in Appendix No. 4 or request in free text format.

Right to erasure (right to be forgotten)
The user may request from the Controller to erase a part of or all concerning him personal data, and the Controller shall erase it with no undue delay, when any of the circumstances, listed below, exist:

the personal data is no longer required for the purposes, for which it has been collected or otherwise processed;
the user withdraws his consent, based on which the data is processed, and there are no other legal grounds for the processing;
the user objects to the processing of the related thereto personal data, including for the purposes of the direct marketing, and there are no prevailing legal grounds for the processing;
the personal data has been processed unlawfully;
the personal data should be erased in view of the compliance with a legal obligation under the EU law or the law of a member – state, applicable to the Controller;
the personal data has been collected in relation to the offering of services to the information society.
To exercise the right to erasure (to be forgotten), the user shall send an email with a request for the erasure of his personal data, which the Controller processes, filling out the form in Appendix No. 2 or through a request in free text format. Upon a request received the Controller shall erase any and all data, processed for the user.

Right to restriction of processing
The user shall have the right to obtain from the Controller restriction of processing of the related thereto personal data, through sending an email in free text format, where one of the following applies:

the accuracy of the personal data is contested by the user, for a period enabling the Controller to verify the accuracy of the personal data;
the processing is unlawful and the user subject opposes the erasure of the personal data and requests the restriction of their use instead;
the Controller no longer needs the personal data for the purposes of the processing, but they are required by the user for the establishment, exercise or defence of legal claims;
the user has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the user.
At received request from the user the Controller shall suspend the processing of the personal data.

Right to data portability
If the user has given consent for the processing of personal data or the processing is required for the performance of the agreement with the Controller, or if your data is processed in by automated means, the user shall have the right to:

receive from the Controller the personal data in a machine – readable format and to transmit the data to another controller;
demand from theController to transmit directly personal data to another controller, indicated by the user, where technically feasible.
The user shall be entitled to exercise his data portability right via submitting electronically the fill out form according to Appendix No. 3 or a request in free text format, after which the Controller shall send to the indicated by the user email the data, which he processes, in HML format.

Right to receive information
The user shall have the right to request from the Controller to be informed regarding all recipients, of whom the personal data, for which rectification, erasure or restriction of processing was requested, have been disclosed. The Controller shall have the right to refuse to provide such information, if this proves impossible or involves disproportionate efforts.

Right to object
The user shall have the right to object at any time against the processing of personal data, concerning her/him, including if processed for the purpose of profiling or direct marketing.

Term for reply
The Controller shall, with no undue delay, and in any case in one month term from the receipt of the user’s request reply to the user. If necessary such term could be extended by another two months, taking into account the complexity and number of requests. The Controller shall inform the user for each such extension within one month from the receipt of the request, stating the reasons for the delay as well.

In case of violation of the users’ rights according to the above or the applicable legislation on personal data protection, the users shall have the right to file a claim to the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection
Head office and management address: Sofia 1592, 2 Prof. TsvetanLazarov Blvd.
Mailing address: Sofia 1592, 2 Prof. TsvetanLazarov Blvd.
Telephone: 02 915 3 518
Internet site: www.cpdp.bg

Appendix No. 1
Form for withdrawal of consent for the purposes of processing

 Your name*: .........................

Your e-mail, used in the site*: .........................
Return contact data (e-mail)*: .........................

 To "Gebr. Heinemann Bulgaria” OOD,

Unique ID No. 131022298,
Head office and management address:
Sofia, 141-B, Tsarigradsko shose, Blvd.,
mailing address:
Sofia, 141-B, Tsarigradsko shose, Blvd.

Herewith i withdraw my consent for processing the provided by me personal data for the purposes of receipt of information newsletter, advertising messages or other marketing materials, as I am aware of the conditions for withdrawal of the consent in accordance with the Mandatory information for the persons’ rights in relation to the personal data protection of the Site.

Appendix No. 2
Request “to be forgotten”- for erasure of the personal data concerning the user

Your name*: .........................
Your e-mail, used in the site*: .........................
Return contact data (e-mail)*: .........................

To
"Gebr. Heinemann Bulgaria” OOD,
Unique ID No. 131022298,
Head office and management address:
Sofia, 141-B, Tsarigradsko shose, Blvd.,
mailing address:
Sofia, 141-B, Tsarigradsko shose, Blvd.

Please, I would like all personal data, you collect, process and store, provided by me or by third parties, related to me, according to the stated identification, to be erased from your data base. I declare that I am aware that a part of or all my personal data may continue to be processed and stored by the Controller for the purpose of the execution of his legal obligations.

Appendix No. 3
Request for personal data

Your name*: .........................
Your e-mail, used in the site*: .........................
Return contact data (e-mail)*: .........................

To
"Gebr. Heinemann Bulgaria” OOD,
Unique ID No. 131022298,
Head office and management address:
Sofia, 141-B, Tsarigradsko shose, Blvd.,
mailing address:
Sofia, 141-B, Tsarigradsko shose, Blvd.

I would like all concerning me personal data, collected, processed and stored in your data base, to be send in XML format to:
e-mail: .........................
Controller – data recipient: .........................
Name: .........................
Identification No. (Unique ID No., BULSTAT, registration No. in the Commission for Personal Data Protection): .........................
E-mail: .........................

Appendix No. 4
Request for data rectification

Your name*: .........................
Your e-mail, used in the site*: .........................
Return contact data (e-mail)*: .........................

To
"Gebr. Heinemann Bulgaria” OOD,
Unique ID No. 131022298,
Head office and management address:
Sofia, 141-B, Tsarigradsko shose, Blvd.,
mailing address:
Sofia, 141-B, Tsarigradsko shose, Blvd.

I would like for the following personal data, you collect, process and store, provided by me or by third parties, related to me, to be rectify as follows:
Data to be rectified:
..................................................
To be rectified as follows:
..................................................