PERSONAL DATA PROTECTION POLICY
I. General provisions
1. Data protection policy ("the Policy") is developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("the GDPR"), and is a document of the MD7 Trade Limited company (registration number 202814327, with its legal address at Sofia 1000, Sredets, 145, G.S.Rakovski str., entrance B, floor 2, office 6, Bulgaria) ("the Company"), which regulates the processing and protection of Personal data received by the Company from the Buyer.
2. The Policy aims to provide the Buyer with information about the purpose of the personal data processing, the legal basis, the extent of the processing, protection and processing period at the time of the personal data acquisition and during processing Buyer's personal data.
3. The Policy applies if a Buyer uses, has used or has expressed an intention to use or is in other way related to any of the services or goods provided by the Company, including to the relationship with the Buyer established before this Policy entered into force.
4. Personal data controller is the Company. Contact details of the Company are available on the Company`s website: www.md7trade.com.
5. Contact details on Data protection issues: firstname.lastname@example.org.
6. The Company may use processors for processing personal data. The Company takes needed steps to ensure that such processors process personal data under the instructions of the Company and in compliance with law and requires adequate security measures.
II. Principals of personal data processing
1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Buyer.
2. Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. Personal data shall be processed in accordance with the rights of data subjects under the GDPR.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of the Buyer in relation to the processing of personal data. In the absence of the above stated, a transfer of personal data to a third country or an international organisation shall take place only under the conditions defined by GDPR as a derogation for specific situations.
III. Purposes and legal basis for personal data processing
1. The processing of personal data for the following purposes takes place on a contractual basis for the conclusion and performance of a contract:
1.a. identification of the Buyer;
1.b. the conclusion of the contract;
1.c. the supply of products and provision of services;
1.d. Buyers` service;
1.e. handling and processing of the objections, complaints;
1.f. billing administration.
2. The processing of personal data for the following purposes takes place on a consent basis:
a. the improvement of services, developing new products and services;
b. advertising of services or commercial purposes;
c. the Buyer`s satisfaction measurements.
3. The processing of personal data for the following purposes takes place on the legitimate interests:
3.a. in order to protect the Buyer's and/or the Company`s interest;
3.b. to provide evidence relating to the contracts and their performance (submitted documents and other information);
3.c. prevent, limit and investigate dishonest or unlawful use of the services and products provided by the Company;
3.d. conduct commercial activity.
4. The processing of personal data for the purpose of providing information to public authorities and subjects of operational activities is carried out on the basis of the fulfillment of the obligations defined by the law, in cases and to the extent established by external regulations.
5. If the Company intends to further process the personal data for a purpose other than that for which the personal data were collected, the Company shall provide the Buyer prior to that further processing with information on that other purpose and with any relevant further information.
IV. Categories of personal data
1. Personal data may be collected from the Buyer and from the Buyer’s use of the services. Personal data categories which the Company collects and processes are:
a. identification data such as name, personal identification code, date of birth, gender, data regarding the identification document (such as copy of the passport, ID card);
b. contact data such as address, telephone number, email address;
c. financial data such as accounts;
d. data obtained and/or created while performing an obligation arising from law such as data resulting from enquiries made by investigative bodies, tax administrator, courts;
e. communication data collected when the Buyer registers at the Company`s website, communicates with the Company via e-mail or messages;
f. data related to the services such as the performance of the agreements or the failure thereof, executed transactions, concluded agreements, submitted applications, requests and complaints;
g. data about habits, preferences and satisfaction such as the activeness of using the services, services used, survey responses.
2. Personal data provision is the prerequisite to conclude the contract. If personal data is not provided, the Company will not be able to enter into a contract without identifying the Buyer, or to ensure the fulfillment of contractual obligations accordingly.
V. Profiling and automated decision - making
1. Profiling means any form of automated processing of personal data, through the use of personal data for the purpose of assessing certain Buyer related personal aspects, in particular to analyse or predict aspects in relation to the Buyer's personal preferences, interests, behaviour, location.
2. The Company can apply automated decision - making regarding to the Buyer. The Buyer will be informed about such activities of the Company separately in accordance with regulatory enactments.
3. Automated decision - making that creates legal consequences for the Buyer may only be made in the course of the conclusion or execution of the agreement between the Company and the Buyer, or on the basis of the Buyer's consent.
VI. Recipients of personal data
1. Personal data is shared with other recipients, such as:
a. authorities (such as law enforcement authorities, tax authorities, supervision authorities and financial intelligence units etc.);
b. auditors, legal and financial consultants, or any other processor authorized by the Company;
c. other persons related to provision of services of the Company (product suppliers, credit institutions and financial institutions, etc.).
VII. Storage periods
1. The storage period may be based on agreements with the Buyer, the legitimate interest of the Company or applicable law (such as laws related to bookkeeping, statute of limitations, civil law, etc.).
2. After the circumstances specified in clause 1. are terminated, the Buyer's personal data is deleted.
VIII. Buyer`s rights as a data subject
1. A Buyer as a data subject has rights regarding his/her personal data processing. Such rights are to:
a. require his/her personal data to be corrected if it is inadequate, incomplete or incorrect;
b. object to processing of his/her personal data, if the use of personal data is based on a legitimate interests, including profiling for direct marketing purposes (such as receiving marketing offers or participating in surveys);
c. require the erasure of his/her Personal data, for example, that is being processed based on the consent, if he/she has withdrawn the consent. Such right does not apply if personal data requested to be erased is being processed also based on other legal grounds such as agreement or obligations based on applicable law;
d. restrict the processing of his/her personal data under applicable law, e.g. during the time when the Company assesses whether the Buyer is entitled to have his/her data erased;
e. receive information if his/her personal data is being processed by the Company and if so then to access it;
f. receive his/her personal data that is provided by him-/herself and is being processed based on consent or in order to perform an agreement in written or commonly used electronical format and were feasible transmit such data to another service provider (data portability);
g. withdraw his/her consent to process his/her personal data. The withdrawal of consent does not affect the processing of personal data performed at the time when the Buyer's consent was valid. Withdrawal of consent cannot interrupt the processing of personal data performed on the other legal basis;
h. not to be subject to fully automated decision-making, including profiling, if such decision-making has legal effects or similarly significantly affects the Buyer. This right does not apply if the decision-making is necessary in order to enter into or to perform an agreement with the Buyer, if the decision-making is permitted under applicable law or if the Buyer has provided his/her explicit consent;
i. lodge complaints pertaining to the use of personal data to the supervisory authority, according to the article 77 of the GDPR, if he/she considers that processing of his/her personal data infringes his/her rights and interests under applicable law;
j. submit a request for the exercise of his or her rights regarding the processing of personal data, including information on possible personal data protection breaches by e-mail, specifying the Buyer`s registration number, and send to e-mail email@example.com.
2. Upon receiving the Buyer's request for the exercise of its rights, the Company verifies the Buyer's identity, evaluates the request and executes it in accordance with regulatory enactments.
3. The Company shall respond to the Buyer's request in writing or by other means, including, if necessary, in electronic form (by e-mail) taking into account, as far as possible, the manner in which the Buyer is provided with the response. When requested by the Buyer, the information may be provided orally, provided that the identity of the Buyer is proven.
4. The Company shall provide information on action taken on a request to the Buyer without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform the Buyer of any such extension within one month of receipt of the request, together with the reasons for the delay.
5. If the Company does not take action on the request of the Buyer, the Company shall inform the buyer without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
IX. Validity and amendments of the Policy
1. The Policy is provided on www.md7trade.com.
2. The Company is entitled to unilaterally amend the Policy at any time.