PRIVACY POLICY OF “RPA.BG” WEBSITE

With the purpose of providing the services (“Services“), pursuant to the Terms of Use published on the website http://rpa.bg/ („Website”), „RPA Consulting“ OOD, UIC 204737534, having its seat and registered address at Sofia city PO 1326, “Obelya” district, 232, ent. A, fl. 4, ap. 10, (hereinafter referred to as „RPA“ or the „Company“), processes Personal Data of natural persons („Data Subjects”/”You“), in accordance with this Policy.

When processing Personal Data, RPA complies with all applicable to its activities Personal Data protection legislation, including the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.

I. DEFINITIONS

Art.1. In this Policy, the following definitions of the terms, deriving from Art. 4 of the Regulation, are used:

(1) „Regulation“ – General Data Protection Regulation of 27 April 2016, repealing Directive 95/46/EC on the protection of Personal Data. It has direct effect and implies an amendment to the legislation of the member states in the field of Personal Data protection. Its purpose is to protect the “rights and freedoms” of natural persons and to guarantee that their Personal Data is not being processed without their knowledge, and where possible, the processing is subject to their consent.

(2) „Personal Data“ – can be any information that may be related to a natural person who is identified or a natural person who might be identified, directly or indirectly, through the use of one or more specific features or identifiers associated with that natural person. From the point of view of the nature of the information, the term “Personal Data” includes any kind of statement concerning a person. This entails “objective” information and “subjective” information, opinions, or assessments. With regards to the form or medium in which this information is contained, the term “Personal Data” includes information in any form, whether alphabetical, digital, graphic, photographic, or acoustic. For example, it includes information stored on paper as well as information stored in computer memory.

(3) „Special (sensitive) categories of Personal Data“means a particular type of Personal Data due to the specific nature of the information it discloses about the natural person. In particular, this information reveals the racial or ethnic origin, religious and philosophical beliefs, political views, membership in trade union (or professional) organizations, data concerning the health of the individual, biometric data for the sole purpose of identifying the natural person.

(4) „Personal Data controller“ means RPA, which determines the purposes and means of the processing of Personal Data of natural persons.

(5) „Processor of Personal Data“ – may be any natural or legal person, public authority, or body that processes Personal Data on behalf of and on the express written assignment of “RPA” AD. The processor of Personal Data is always a person who is external to the structure of the Company and is not in an employment relationship with the Company. The employees of the company are not processors of Personal Data.

(6) „Processing of Personal Data” means any operation or set of operations carried out with Personal Data, such as the collection, recording, organization, structuring, storage, modification, use, disclosure by transmission and access, arrangement, erasure, or destruction. In practice, any activity involving the use of Personal Data in some form may involve the processing of Personal Data.

(7) „Data Subject“ – any living natural person, who is subject to Personal Data stored by the Controller.

II. DATA SUBJECTS

Art.2. In connection with the provided Services, the Company Processes data regarding the following Data Subjects:

• • Natural persons, visitors of the Website;
  • Natural persons, who have sent inquiries (incl. by phone), requests, signals, complaints to or other correspondence with RPA;
  • Natural persons, whose data is contained in inquiries (incl. by phone), requests, signals, complains to or other correspondence with RPA.

III. PERSONAL DATA SUBJECT TO PROCESSING

Art.3. RPA Processes the following Personal Data:

• • Data provided in relation to correspondence, complaints, and signals, namely: data concerning customer or user communication, provided in the inquiry form on the Website, including Personal Data provided over phone calls with RPA or sent with standard mail or e-mail.
  • Data provided in relation to the “Request a process analysis” form.
  • Data provided in relation to the visit to the Website, as well as its use.

IV. PURPOSES OF PERSONAL DATA PROCESSING MEANS OF PROCESSING

Art.4. RPA collects, uses and Processes the information described above for the following purposes:

(1) To protect and enforce RPA’s legitimate interests. Those are purposes linked to RPA’s lawful interests and/or third parties such as other users, companies, and others. Those purposes include:

• • Guaranteeing the normal functioning and use of the Website on Your end and on other users’ ends, maintenance and service management, dispute resolution, detection, and prevention of malicious actions.
  • Identifying and resolving technical issues linked to functionality, development and improvement of the Website
  • Carrying out communication with You, including by electronic means
  • Acceptance and processing of received signals, complaints, requests and other correspondence;;
  • Exercising and protecting the rights and legitimate interests of RPA, including in court proceedings, as well as cooperation in the exercise and protection of the rights and legitimate interests of other users of the Website and/or affected third parties.

For those purposes, it may be necessary to process a part of or all of the abovementioned categories.

(2) Purposes, for which you have given your explicit consent. Your data can be processed on the grounds of Your explicit consent, where such processing is specific in its extent and range, as provided for in the relevant consent.

(3) For RPA to comply with its legal obligations, which include fulfillment of obligations provided for in the legislation to retain or provide information when order by a competent state or judicial authority is received when providing an opportunity to the competent authorities to exercise their control powers when fulfilling RPA’s legal obligations to inform You about circumstances relating to Your rights, the provided Services or with the protection of Your data and other. For those purposes, it may be necessary to process a part of or all of the abovementioned categories.

(4) So as to respond to Your inquiries and to process Your complaints. In order to resolve Your complaints, signals, disputes, inquiries, requests, and other questions, put forward in communication via the Website, through phone calls with RPA, via standard mail or e-mail, We store and Process such information, as well as the result of such Processing.

(5) For statistical purposes including analyzing the performance of applications on the Website as well as their utilization by users.

(6) The Website needs cookies to function properly. You can find a detailed description of the cookies used by us and their purpose in the Cookie Policy published on the Website.

(7) Website logs related to security, maintenance, development and other aims may be used for the following purposes:

• • For securing the reliable functioning of the Website and identification of technical issues;
  • For security reinforcement and detection of malicious actions;
  • For the development and improvement of the Website;
  • For measuring traffic and usability of the Website;
  • Logs as required by the law (like logs on the electronic expression of will).

Server logs, logs on devices guaranteeing security (Web Application Firewalls), and other devices falling in this category. Those logs are necessary for detecting technical issues, detecting malicious activities, and other purposes as listed above. Logs are retained for a period of up to 1 (one) calendar year. Logs can contain the following information: date, hour, IP address, URL, browser, and user device metadata.

Art.5. Тhe provided functionalities in the Website are not intended for storage and Processing of special categories of Personal Data pursuant to Art. 9 and Art. 10 of the Regulation.

Art.6. RPA does not collect and does not process Personal Data of minors aged 16 or below, unless with the consent of a parent, subject to the applicable local legislation. Should RPA find out that the Personal Data of a minor has been accidentally collected, We shall delete the data as soon as reasonably possible.

V. RETENTION PERIOD

Art.7. RPA stores Your Personal Data for a period necessary to achieve the purposes for which it was collected. Upon achieving the relevant purpose, Your Personal Data shall be immediately destroyed, unless RPA is obliged to Process it for a longer period pursuant to applicable legislation.

Art.8. In certain circumstances, RPA has the right to anonymize Your Personal Data for research, statistical or other purposes, in which event the Company may use this data for an indeterminate period of time without having to additionally notify You.

Art.9. In the event that RPA no longer requires Your Personal Data, the latter shall be deleted or anonymized, so that all details which lead to Your identification shall be removed. In the absence of legal grounds for the lawful Processing of Your Personal Data or when you have withdrawn Your consent to Processing, RPA shall delete the Personal Data within a reasonable time period.

Art.10. In events where we Process Your Personal Data on the grounds of Your consent, including but not limited to marketing purposes, the data shall be Processed and stored until we receive Your request to have it deleted (forgotten).

Art.11. In the event a dispute or legal proceedings have arisen, requiring the retention of Personal Data and/or upon request by a competent state authority, it is possible to retain the Personal Data for a longer period than the one specified, until resolution of the dispute or completion of the legal proceedings at all judicial levels. The specified period is subject to change if an alternative retention obligation is determined pursuant to the current legislation.

VI. PROVIDING PERSONAL DATA TO THIRD PARTIES

Art.12. Your Personal Data may be provided to third parties only in the following events:

• • when this is provided for in the legislation
  • when duly requested by a competent state or judicial authority;
  • when we have received Your explicit consent;
  • when necessary for the protection of the rights and legitimate interests of RPA and/or other users.

Art.13. In the events envisaged by Art.12, p.1, RPA implements contractual arrangements and mechanisms for data security, aiming to protect Your Personal Data, as well as to comply with the current data protection, privacy, and security standards.

Art.14. Personal Data, stored by RPA, may be transferred to:

• • Third parties and/or organizations, which supply us with applications and/or functionalities; IT services and services related to Personal Data Processing.
  • Third parties who assist us with the provision and management of our internal IT systems. For example, providers of information technologies, providers of cloud services, identity management, hosting and website management, data analysis, data archiving, security, and storage services. The servers that power up and facilitate this cloud infrastructure are located in protected data centers around the globe and Personal Data can be stored in any of them;
  • Third parties/organizations, who assist us with service or information delivery in alternative means;
  • Auditors and other professional consultants;
  • Law enforcement authorities, other state, and regulatory agencies, and other third parties as required by and in compliance with the applicable legislation;

Art.15. With regards to Personal Data regulated by EU legislation, please bear in mind that cross-border transfers might include countries outside of the European Economic Area (EEA) and countries, which have no laws to provide for specific Personal Data Protection. We have taken all necessary steps to guarantee that all Personal Data has the necessary protection and that all transfers of Personal Data outside of EEA are conducted lawfully. When transferring Personal Data outside the EEA in a country that is not classified by the European Commission as providing an adequate level of Personal Data protection, such transfers take place in accordance with an agreement, complying with the requirements of EU for Personal Data transfers outside the EEA – for example, the approved by the European Commission Standard Contractual Clauses (SCCs). You can find more about those clauses here.

VII. DATA SUBJECT RIGHTS

Art.16. The Regulation envisages the following data subject rights:

• • Right to be informed.

This Policy is intended to inform You in detail about the Processing of Your Personal Data in connection with the Services provided.

• • Right to Access.

You have the right to receive a confirmation of whether Your Personal Data is being Processed, access to such data, and relevant information regarding the Data Processing and Your respective rights. Such right to access can be exercised at any time.

• • Right to rectification.

You have the right to Rectify Your Personal Data in the event it is incomplete or inaccurate.

You can exercise the right to Rectify Your Personal Data at any time through a request to us.

• • Right to deletion.

You have the right to request the deletion of Personal Data, except in cases where there is a substantial basis and/or legal obligation for its Processing.

Data can be deleted upon expiry of the specified period. Meanwhile, the data can be provided in due course only to the competent state authorities in the exercise of their control powers or to a court of competency in the case of court proceedings for which the court has a standing for. In the event a dispute or legal proceedings have arisen, requiring the retention of Personal Data and/or upon request by a competent state authority, it is possible to retain the Personal Data for a longer period than the one specified, until resolution of the dispute or completion of the legal proceedings at all judicial levels.

• • Right to restriction of the processing.

The Regulation provides for the possibility of restricting the Processing of Your Personal Data, provided that the statutory grounds required to exercise this right are present.

• • Right to inform third parties.

Where applicable, You have the right to request from the Controller of Your Personal Data to inform relevant third parties, whom the Controller has shared Your Personal Data with, about any rectification, deletion, or restriction of Processing of Your Personal Data.

It is important to note that RPA is not an intermediary in the relationship between You and third parties.

• • Right to data portability.

You have the right to obtain Your Personal Data in a structured, commonly used and machine-readable format, and have the right to transmit this data to another Controller at Your own discretion.

• • Right not to be subject to a decision based solely on automated processing.

You have the right not to be subject to automated decision making, including profiling, which produces legal effects for You or in a similar fashion significantly affects You, unless the grounds provided for in the applicable Personal Data Protection legislation and appropriate safeguards for Your rights, freedoms and legitimate interests are present.

The Website does not utilize technologies falling in this category.

• • Right to withdraw consent.

You have the right, at any time, to withdraw Your consent from the Processing of Personal Data, which is on the grounds of Your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

For Services like the subscription to email advertisements, where the subscription is on the grounds of Your will (consent), an option to terminate the subscription at any time (withdrawal of consent) is given.

• • Right to object.

You have the right to object to the Processing of Personal Data on the grounds of legitimate interest.

In the event of such objection, RPA shall process Your request and if found reasonable, we will fulfill it. Should we consider that there are convincing statutory grounds for such Processing or it is necessary for the establishment, exercise, or defense of legal claims, we shall inform You of such development.

• • Right to file a complaint with the supervisory authority or the courts.

You have the right to lodge a complaint with the supervisory authority or judicial authority if you consider that Processing of Your Personal Data violates the applicable Personal Data protection legislation. The supervisory authority of the Republic of Bulgaria is the Commission for Personal Data Protection, with address: Sofia 1592, 2 Prof. Tsvetan Lazarov blvd

VII. DATA ACCURACY

Art.17. RPA does not bear any responsibility for the accuracy of Your Personal Data, does not conduct checks in this regard, and does not guarantee the true identity of the natural persons who have provided the data. In all events of doubt on your behalf, of established fraud and/or misuse, we kindly ask you to inform us immediately. You are obliged, when providing any information on the Website, not to violate the rights of third parties in relation to the protection of their Personal Data or other rights.

The Privacy Policy is drafted in two identical copies, in Bulgarian and English, and if there is a difference between the Bulgarian and English text, the Bulgarian text will be will prevail.

The Privacy Policy is effective as of 11.05.2021г.