INTERNAL REGULATIONS
of Heath Nutrition EOOD
for the confidentiality and protection of personal data under Regulation 2016/679

I. General information

From May 25, 2018 the requirements described in the Data Protection Regulation 2016/679, adopted by the European Union, enter into force. The regulation aims to ensure the protection of individuals' data from all EU Member States and to harmonize the regulations for their processing.
As an administrator of personal data for administration, management and maintenance of the Internet site www.heatfood.bg (hereinafter referred to as the Site), Heath Nutrition Ltd. meets all international requirements related to the new regulation. The Company collects data of the persons using the Site only for the provision of the offered service. In addition, Heath Nutrition Ltd. keeps responsibly and lawfully collected personal data of its customers.

 

II. Introduction

These Internal Rules for Privacy and Protection of Personal Data, hereinafter referred to as "Internal Rules", regulate the processing of personal data of individuals or representatives of legal entities that are customers of the Company or potential ones, as well as users of www.heatfood.bg, in connection with the services provided by Heath Nutrition EOOD, including those provided through and available on the Site. These internal rules, together with the General Terms of Use of www.heatfood.bg, and any other documents mentioned on the Site, determine the rules that "Heath Nutrition" Ltd. will follow when processing personal data collected from its customers, or which they provide us. These Internal Rules do not affect, restrict or revoke the rights arising from the Personal Data Protection Act ("PDPA") or other relevant legislation.

Each person is required to read these internal rules in advance before using the Site or providing personal data, whether electronically on the Site or on paper. The provision of personal data by customers is voluntary, in view of the use of certain services provided by us and the use of the Site and / or access to it, as well as in view of online shopping on the Site. It automatically leads to agreement with the General Terms and Conditions of the Company. In certain cases, the Company will not be able to provide the service and / or sell the goods requested by a customer if the necessary information is not provided. The provision of consent for the processing of personal data may not be necessary in specific cases if Heath Nutrition EOOD has another legal basis, such as fulfillment of statutory obligations.

 

III. General

1. (1) Heath Nutrition EOOD, hereinafter referred to only as the Company, is a legal entity registered in the Commercial Register of the Republic of Bulgaria with BULSTAT 205009820.
(2) Heath Nutrition EOOD is headquartered in Sofia and address of management: Sofia, Tsar Boris III Blvd., bl. 210A.
(3) As a legal entity, established by virtue of the law, the Company shall carry out the activities provided for in the Commercial Law, the Law on Obligations and Contracts and other normative acts, regulating the activity of the commercial companies.
(4) Heath Nutrition EOOD as a personal data controller complies with the principles of personal data protection of its customers provided for in the General Regulation on Data Protection (EU) 2016/679 and the legislation of the European Union and the Republic of Bulgaria. These internal rules regulate the organization of processing and protection of personal data of employees, including candidates for employment in the Company, contractors and partners of the Company, as well as all other groups of individuals with whom the Company enters into relations in the course of its activity.

2. (1) "Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, identification number, location data, online identifier or one or more features specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual.
(2) "Processing of personal data" means any operation or set of operations carried out with personal data or a set of personal data by means of automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing, transmitting, disseminating or otherwise making data available, arranging or combining, restricting, deleting or destroying.
(3) "Register of personal data" means any structured set of personal data, regardless of its type and medium, accessed according to certain criteria, whether centralized, decentralized or distributed according to a functional or geographical principle.

3. (1) Principles for protection of personal data are:
▪ Legality, good faith and transparency - processing in the presence of legal grounds, in the provision of due care and in informing the data subject;
▪ Restriction of purposes - collection of data for specific, explicitly stated and legitimate purposes and prohibition of further processing in a way incompatible with these purposes;
▪ Minimization of data - data to be relevant and limited to what is necessary in relation to the purposes of processing;
▪ Accuracy - keeping up to date and taking all reasonable measures to ensure timely deletion or correction of inaccurate data, taking into account the purposes of processing;
▪ Storage restriction - data to be processed for a period of minimum duration according to the objectives. Long-term storage is permissible for archiving purposes in the public interest, for scientific or historical research or statistical purposes, but provided that appropriate technical and organizational measures are applied;
▪ Integrity and confidentiality - processing in a way that ensures an appropriate level of security of personal data, applying appropriate technical or organizational measures;
▪ Accountability - the controller is responsible and must be able to demonstrate compliance with all principles related to the processing of personal data.

(2) If the specific purpose or purposes for which personal data are processed by Heath Nutrition EOOD do not require or no longer require identification of the data subject, the Company is not obliged to maintain, obtain or process additional information, to identify the data subject for the sole purpose of proving compliance with the requirements of Regulation 2016/679.

4. Heath Nutrition EOOD organizes and takes measures to protect personal data from accidental or illegal destruction, from unauthorized access, from alteration or dissemination, as well as from other illegal forms of personal data processing.
5. Personal data shall be collected for specific purposes specified by law, shall be processed lawfully and in good faith and may not be further processed in a manner incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, for scientific, historical research or statistical purposes shall not be considered incompatible with the original purposes.

 

IV. Processing of personal data

1. Heath Nutrition Ltd. may process publicly available personal data and / or personal data provided by its customers. The main types of personal data that are processed are:
◦ Information for personal identification (including name, email address, language of communication, etc.);
◦ Contact details (including postal and e-mail address, telephone number or designated contact person, etc.);
◦ Financial information (bank account and others);
◦ Information about a representative (legal representative or proxy of such) of a legal entity - client of the Company;
◦ Profile data on the Site (including name, postal and e-mail address, telephone number, date of birth, etc.);
◦ Data on concluding contracts for sale, dealership, wholesale, deferred payment, etc. with natural or legal persons (such as names, PINs, etc.).

2. Heath Nutrition EOOD may process data prepared and generated by www.heatfood.bg in the process of providing the services offered by the Company:
◦ Data on the final electronic communication device used, the type of device, the operating system used, IP address, location;
◦ Data on the goods and services preferred by the clients;
◦ Data from the communication between the Company and its clients, preferences, customer satisfaction with the services offered (activity in using the services, complaints, requests, etc.);
◦ Information about visits to the Site and the use of the Site, including operations and history of use of the Site;
◦ Data obtained in the performance of obligations arising from regulations (i.e. data arising from inquiries, regulations, investigative bodies, notary, tax authorities, court, bailiff).
3. Heath Nutrition Ltd. does not knowingly collect personal information from children under the age of 16. In the event that the collection of personal information of a child under the age of 16 is established, the necessary measures will be taken for its immediate deletion or for obtaining the consent of the person responsible for parental responsibility for the child.
4. In order to ensure the proper performance of services and obligations arising from contracts concluded with customers of the Company, "Heath Nutrition" Ltd. has the right to process any information available in public registers (including public databases and data disclosed on the Internet) as well as information received from third parties on the implementation of legal provisions concerning customers.
5. Heath Nutrition EOOD has the right and obligation to verify the accuracy of personal data recorded in the database, and for this purpose requires its customers to verify the data and, if necessary, to correct or confirm the accuracy of their data.
6. The different types of personal data may be processed alone or in combination with each other.

 

V. Purposes and legal grounds for personal data processing

1. Heath Nutrition Ltd. processes personal data necessary for the conclusion or performance of contracts or in connection with the preparation for the conclusion of contracts with the Company, related to the following purposes:
◦ Identification of a client when: concluding a new or amending an existing contract with us; explanations about the used services; fulfillment of a concluded contract.
◦ Preparation of proposals for concluding contracts, sending pre-contractual information and draft contract; management of pre-sales activities;
◦ Data received from clients in the performance of obligations arising from contracts concluded with a natural or legal person, exercise of rights and ensuring the performance of contracts by clients of the Company;
◦ Administration and response to customer complaints / inquiries; return of amounts and goods; product replacement;
◦ Technical assistance for creating account (s) and recovering a forgotten password for access to the Internet site www.heatfood.bg, maintained by Heath Nutrition EOOD, for electronic servicing of electronic invoices.
◦ Identification and validation of the statutory age for online shopping;
◦ Payment of debts, rescheduling of amounts due; management of receivables collections;
◦ Warranty and service;
◦ Update offers to dealers; sharing important information regarding changes in our policy and other administrative information;
◦ Management and administration of online shopping activities; payment management.
2. In fulfillment of its legal obligations, Heath Nutrition EOOD processes the personal data of its clients for the following purposes:
◦ Issuance of invoices;
◦ For tax and social security control by the relevant competent authorities;
◦ Fulfillment of obligations in connection with the sale of goods offered at a distance, sale off-premises, provided for in the Consumer Protection Act;
◦ Providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation on personal data protection - Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.;
◦ Obligations provided for in the Accounting Act and the Tax and Social Security Procedure Code and other related normative acts in connection with the maintenance of proper and lawful accounting.
3. Heath Nutrition EOOD processes the relevant data provided with the express written consent of the client for their processing for the following purposes:
◦ Creating and managing a personal profile on the Site;
◦ Technical assistance for creating profile (s) and recovering a forgotten password for access to the Site maintained by the Company;
◦ Direct marketing of products and services;
◦ Participation and management of surveys, gift games, promotional campaigns, etc.
4. The processing is necessary for the purposes of the legitimate interests of Heath Nutrition EOOD, described as follows:
◦ Evaluation and establishment of customer satisfaction, as well as the effectiveness of advertising that the Company offers to its customers, as well as to meet their expectations by presenting adequate advertising;
◦ Analysis of data on the history of purchases, preferences and customer behavior;
◦ Guaranteeing the quality of service to its customers.
5. Categories of third parties that access and process your personal data:
◦ Transport / courier companies, postal operators in order to fulfill the obligations of Heath Nutrition EOOD, sending correspondence and communications in connection with the contract between the Company and its customers, concluded for the purpose of sending purchased goods;
◦ Persons who, on behalf of Heath Nutrition EOOD, maintain equipment and software used to process your personal data;
◦ Debt collection service providers, notary, lawyer, bailiff or other third party, if the client has breached the obligation arising from a contract concluded with the Company;
◦ The banks servicing the payments made by and to the clients of the Company;
◦ Persons to whom Heath Nutrition EOOD has provided the performance of part of the activities or obligations related to a specific service that it owes to its clients; persons processing personal data on the basis of a contract concluded with Heath Nutrition EOOD;
◦ Persons providing consulting services in various fields - lawyers, accountants, marketing agencies, etc.;
◦ Bodies, institutions and persons to whom the Company is obliged to provide personal data by virtue of applicable law.

 

VI. Storage of personal data

The duration of storage of personal data of the Company's customers depends on the purposes of processing for which they are collected:
1. Personal data processed for the purpose of concluding / amending and executing contracts between Heath Nutrition EOOD and a natural person / legal entity shall be stored for the term of the respective contract and until the final settlement of all financial relations between the parties. Heath Nutrition EOOD may store some of the personal data of its clients / contractors for a longer period until the expiration of the relevant statute of limitations in order to protect against any claims on their part in connection with the performance / termination of contracts, and for a longer period in case of a legal dispute until its final settlement with an effective court / arbitration decision;
2. Personal data processed for the purpose of issuing accounting / financial documents for tax and social security control, such as but not limited to - invoices, debit, credit notices, handover protocols, contracts for the provision of services / goods shall be stored for at least 5 years after the expiry of the limitation period for repayment of the public receivable, unless the applicable legislation provides for a longer period.
3. Personal data processed for the purpose of direct marketing - until the explicit withdrawal of the given consent for direct marketing or receipt of an objection for processing personal data for direct marketing.

 

VII. Customer rights in connection with the processing of their personal data

1. Common rights
In connection with the processing of personal data, each client of the Company has the following rights, which can be exercised at any time while the Company stores or processes his personal data by sending an application to the address of Heath Nutrition EOOD, specified above, or electronically at the e-mail address: www.heat.healthyfood@gmail.com. In this regard, each client has the right to request from Heath Nutrition EOOD:
◦ Copy of your personal data and access to them at any time;
◦ Correction, without undue delay, of inaccuracies in the data, as well as of data that are no longer up to date;
◦ Your personal data in a form convenient for transfer to another personal data controller, or the Company to do so without being hindered by Heath Nutrition EOOD (right of portability);
◦ His personal data to be deleted without undue delay in the presence of any of the legal grounds for this;
◦ Restrict the processing of his personal data, in which case his data will only be stored, but not processed. Refusal by Heath Nutrition EOOD to restrict will be explicitly mentioned only in writing, and the Company is obliged to motivate its decision with a legitimate reason.

2. Additional rights of each client of the Company:
◦ To withdraw its consent for the processing of their personal data at any time with a separate request addressed to Heath Nutrition OOD, subject to prior consent for processing;
◦ To object to the processing of his personal data and automated processing, including profiling;
◦ Not to be subject to a decision based solely on automated processing, including profiling.
◦ To file a complaint to the supervisory body, the competent body being the Commission for Personal Data Protection, address: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" №2 (www.cpdp.bg).
◦ To object to the processing of his personal data for the purposes of direct marketing and advertising, as well as to their disclosure to third parties and their use on their behalf for the purposes of direct marketing and advertising, withdrawing the consent at any time. For this purpose, it is necessary to send an e-mail with the relevant request to stop using the data of the customer for the purposes of direct marketing at: www.heat.healthyfood@gmail.com

 

VIII. Protection of personal data

Heath Nutrition Ltd. applies organizational, physical, information technology and other necessary measures to ensure the security and protection of personal data of its customers, as well as monitoring the processing of available personal data.
Heath Nutrition Ltd. takes the following security measures:
• The requirements for processing, registration and storage of personal data are established by internal procedures, compliance with which is constantly monitored;
• The access of the employees of Heath Nutrition EOOD to personal data and the permission for personal data processing in the database of the Company is limited, depending on their obligations;
• Heath Nutrition EOOD has established confidentiality obligations for its employees;
• Access to the office equipment of Heath Nutrition EOOD and the computers of each employee is limited.
• The company applies all necessary organizational and technical measures provided for in the Personal Data Protection Act, as well as best practices of international standards;
• In order to ensure maximum security in the processing, transmission and storage of personal data of its customers, the Company may use additional protection mechanisms such as encryption, pseudonymization, etc. The security measures that are applied are subject to constant improvement and adaptation to the latest technologies.

 

IX. Rights and obligations of the persons processing personal data

1. A data protection officer shall be appointed by the Manager of the Company.
2. A data protection officer shall have the following powers and duties:
• Provides the organization for keeping the registers, according to the envisaged measures for guaranteeing adequate protection;
• Monitors the observance of the specific measures for protection and control of access, according to the specifics of the kept registers with personal data;
• Carries out control over the observance of the requirements for protection of the registers in accordance with the current legislation and the current internal rules;
• Liaises with the Commission for Personal Data Protection regarding the measures and means taken to protect the registers and the submitted applications for personal data;
• Controls the observance of the rights of the users, in connection with the registers and the program-technical resources for their processing;
• Specifies the technical resources used for personal data processing;
• Monitors compliance with the organizational procedure for processing personal data, including time, place and order of processing, by registering all actions performed with the registers in the computer environment;
• Determines the order for storage and destruction of information carriers;
• Defines the order for setting, using and changing passwords, as well as the actions to be taken if a password and / or cryptographic key becomes known to others;
• Defines rules for regular preventive maintenance of computer and communication equipment, including checking for viruses, for illegally installed software, the integrity of the database, as well as data archiving, updating system information and more;
• Conducts periodic control for compliance with data protection requirements and in case of detected irregularities takes measures for their elimination;
• Keeps a register of personal data processing activities in Heath Nutrition EOOD.

 

X. Cookies Policy

To read the Cookies Policy, please visit the following link: https://www.heatfood.bg/cookies/

 

XI. Amendments to the Privacy Policy

Heath Nutrition EOOD reserves the right to periodically update the Internal Rules for Privacy and Personal Data Protection. In case of a change in the present Rules, a respective notice related to the changes will be published on the Company's website, as well as an update of the Internal Rules. All amendments and supplements to the Internal Rules for Confidentiality and Protection of Personal Data of the Company will be applied only after the publication of their current content, available at www.heatfood.bg.

 

XII. Additional provisions

1. All employees of Heath Nutrition EOOD are obliged to get acquainted with the present Internal Rules and to observe them daily in the performance of their position and the work assigned to them.
2. For all issues not settled in these Internal Rules, the provisions of the General Data Protection Regulation (EU) 2016/679, the applicable law of the European Union and the legislation of the Republic of Bulgaria on the protection of personal data shall apply.

XIII. The internal rules of Heath Nutrition EOOD for confidentiality and protection of personal data according to Regulation 2016/679 were approved by the Manager of the Company on 17.06.2019.