RIDE SHARE BULGARIA EAD
PRIVACY POLICY
Sofia
2022
Content
KEY DEFINITIONS
GENERAL PROVISIONS
PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF PROVIDING AN ELECTRIC VEHICLE SHARING SERVICE
PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF DIRECT MARKETING
MOBILITY MONITORING
DATA STORAGE PERIODS
RIGHTS OF THE DATA SUBJECT
DATA PROTECTION OFFICER
PROCEDURE FOR MANAGING PERSONAL DATA SECURITY BREACHES AND DEALING WITH SUCH BREACHES
TECHNICAL AND ORGANIZATIONAL MEASURES FOR PERSONAL DATA SECURITY
CONTACT DETAILS
FINAL PROVISIONS
1.1. “Responsible Person” means the employee of the Data Controller who,
by the nature of his work, is entitled to perform the specific functions
related to the processing.
1.2. "GDPR" means Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3. "Employee" means a person who has concluded an employment
contract or similar contract with the Personal Data Controller.
1.4. "Data/personal data" means any information relating to an
identified or identifiable natural person (data subject); an identifiable
natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, identification number,
location data, online identifier or one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity
of that natural person.
1.5. "DPA" means a data processing agreement to be entered
into with each Personal Data Processor in accordance with the terms set out in
section 3 below.
1.6. "Recipient" means the natural or legal person, public body,
agency or other body to which the personal data is disclosed, whether or
not it is a third party.
1.7. "Data subject" means a customer or employee of the Data
Controller or any other person whose personal data is processed by the Data
Controller.
1.8. "Processing" means any operation or set of operations
performed on personal data or a set of personal data by automated or other
means, such as collection, recording, organization, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
1.9. "Processor of personal data" means a natural or legal
person, public body, agency or other structure that processes personal data on
behalf of the Controller.
1.10. "Data Controller" means Ride Share Bulgaria EAD,
registration number of the legal entity 204787918, registered at the address: Sofia, 11-13 Yunak Str., 4th floor. Insofar as the SPARK mobile application is
used in the processing of personal data of registered users on the territory of
the Republic of Bulgaria, Ride Share Bulgaria EAD acts as a joint
data controller with the parent company, the owner of the mobile application, specified
in item 1.14.
1.11. "Customer" means a person who uses or has used the
services provided by the Data Controller.
1.12. "Mobility Monitoring" means the collection and
processing of data about employees and customers using the vehicles belonging to
the Data Controller, whether or not the data is recorded in a file.
1.13. "Policy" means this Privacy Policy.
1.14. "Owner of the Mobile Application" means UAB SPARK
TECHNOLOGIES, a limited liability company established and existing under the
laws of Lithuania, legal entity code 304953141, Vilnius, Lithuania. Insofar as
the SPARK mobile application is used in the processing of personal data of
registered users on the territory of the Republic of Bulgaria, Ride Share
Bulgaria EAD acts as a joint data controller with the parent company, the owner
of the mobile application.
1.15. "Owner of the site" means Ride Share Bulgaria EAD,
registration number of the legal entity 204787918, with headquarters in the city
of Sofia, 11-13 Yunak Str., 4th floor.
1.16. For the purposes of this Policy, the remaining terms correspond to
the terms used in the GDPR, the Bulgarian Personal Data Protection Act
(hereinafter referred to as "DPRA") and the Bulgarian Electronic
Document and Electronic Signature Act (hereinafter referred to as "EDESA").
2.1. The Data Controller collects certain personal data for the purposes
of administration, conducting its own activity and exercising legal
obligations.
2.2. This policy contains the basic principles and procedures for the
collection, processing and storage of personal data of the users of the website
http://spark.bg/, administered by the Data Controller (hereinafter referred to
as the "website"), and of the SPARK mobile application (hereinafter
referred to as the "mobile application"). Before starting to use
the Website and/or Mobile Application, you should carefully read and
familiarize yourself with this policy. By using the services provided by the
Data Controller, you confirm that you agree to comply with this Policy.
2.3. The data subject is not entitled to use the Website and/or the
Mobile Application if he has not familiarized himself with the Policy and does
not accept it. In cases where the Data Subject does not agree with the Policy
or the relevant part thereof, he should not use the Website and/or the Mobile
Application. Otherwise, it is considered that the Customer has familiarized
himself with and unconditionally accepted the Policy, which he expressly agreed
to upon registration.
2.4. The Data Controller should respect the privacy of personal data.
This policy explains the acceptable practice regarding privacy at our company.
It explains the ways of collecting and using your Personal Data and the rights
exercised by you.
2.5. Use of third-party services, such as the services of the social
network Facebook, may be subject to third-party terms and conditions. For
example, all Facebook users and visitors are subject to Facebook's own data
policy. Therefore, before using the services of third parties, it is
recommended that you familiarize yourself with their applicable terms.
2.6. The Data Controller should ensure that it complies with the
following basic data protection principles:
2.6.1. Personal data are processed lawfully, in good faith and in a transparent
manner with respect to the Data Subject (lawfulness, good faith and
transparency);
2.6.2. Personal data is collected for specific, explicit and legitimate purposes
and is not processed in a way that is incompatible with these purposes; the
subsequent processing of personal data for the purposes of archiving in the
public interest, scientific or historical research or statistical purposes is
not considered incompatible with the original purposes (purpose limitation);
2.6.3. Personal data must be adequate, relevant and limited to what is
necessary in relation to the purposes for which it is processed (data
minimisation);
2.6.4. Personal data must be accurate and, if necessary, updated; all
reasonable steps must be taken to ensure that personal data which are
inaccurate, having regard to the purposes for which they are processed, are
deleted or rectified immediately (accuracy);
2.6.5. Personal data stored in a form that allows the identification of
data subjects is stored for no longer than is necessary for the purposes for which
the personal data is processed; personal data may be stored for longer periods
insofar as it will be processed solely for the purpose of archiving in the
public interest, scientific or historical research or statistical purposes in
accordance with Article 89, paragraph 1 of the GDPR, provided that the appropriate
technical and organizational measures required by the GDPR to protect the
rights and freedoms of the Data Subject are implemented (storage limitation);
2.6.6. Personal data is processed in a way that ensures adequate
protection of personal data, including protection against unauthorized or
unlawful processing and against accidental loss, destruction or damage, using
appropriate technical or organizational measures (integrity and
confidentiality);
2.6.7. The Data Controller is responsible and should be able to prove
compliance with the principles set out above (accountability).
2.7. Data subjects are given proper notice before their data is processed.
Users of the mobile application must expressly read and agree to the
Data Controller's privacy notice before registering to use the mobile
application and/or site.
2.8. The data is stored for the periods indicated for each type of
personal data provided for in this policy. Storage is carried out in accordance
with the procedures provided in this policy.
2.9. The rights of the Data Processor to access the data shall be
revoked in the event of termination of the personal data processing contract
concluded with the Data Controller or upon expiry of the term of the agreement.
2.10. The data is transferred to other Data Controllers and recipients
when the legal acts provide the right and / or the obligation to do so on the
relevant grounds.
2.11. The Data Controller will have the right to provide personal data
to the authorities of the investigation, the prosecutor's office or the court
for the purposes of administrative, civil, criminal proceedings as evidence or
in other cases established by law.
3.1. The Data Controller provides its Customers with the service of sharing the use
of electric cars, for the provision of which the following groups of Customer
Data are processed:
3.1.1. Name;
3.1.2. Surname;
3.1.3. Personal identification number;
3.1.4. Date of birth;
3.1.5. Place of residence (address);
3.1.6. E-mail address;
3.1.7. Phone number;
3.1.8. Driving license number, date and place of issue, validity;
3.1.9. Certain data about the payment cards used by the Customer,
received from the company providing the card processing service (card type,
part of the card number).
3.2. The data specified in paragraphs 3.1.1 - 3.1.8 are received
directly from the Customer, but part of the data recorded in the system may also
be received from the Customer's employer, if the Customer uses the services of the
Data Controller as a client or employee of that company.
3.3. For the purposes of registration, recording and reporting of
Customers, conclusion, administration and execution of a contract, compliance
with legal obligations (e.g. cars to be provided only to legally competent
persons, compliance with accounting reporting requirements, reporting of
violations, ensuring the accuracy of data), and protection and control over the
assets owned by the company, the Data Controller additionally processes the
following Data:
3.3.1. Categories of vehicles that the Data Subject has the right to
drive, the date this right was granted and the date it expires;
3.3.2. Vehicle location, distance traveled, date, time, vehicle speed
and duration of vehicle use;
3.3.3. Moment of unlocking and locking the vehicle;
3.3.4. A change in the vehicle's battery charge level while the Customer is using the
vehicle;
3.3.5. Fee charged;
3.3.6. Obligation data / Payments due;
3.3.7. Transaction data, such as history of services used, data on obligations
(level of obligation, amount of obligation, date of occurrence of obligation,
deadline, date of payment), credit rating, accumulated eGo points equal to
kilometers traveled, rewards;
3.3.8. Correspondence regarding complaints, requests, opinions, evaluation
of the services or of other users, etc.;
3.3.9. IT management data such as IP address, operating system,
communication data and other metadata from the use of the application, location
of the mobile device while in use;
3.3.10. Data related to legal or insurance claims: data on damage to the
electric vehicle, security incidents/traffic accidents or other violations in
case they occurred while you were using the electric vehicle (date, place, time
of the traffic accident/violation, amount of damages, faults, etc.), unpaid
debts, accrued penalties, etc.
3.4. The Data Controller does not transmit the above-mentioned Customer
data to recipients. The data of former Customers is provided only to the
law enforcement authorities according to the procedure established by law.
3.5. The legal grounds for the processing of personal data for the purposes
specified in items 3.1 and 3.3 above are Article 6, paragraph 1, letter "b" and
Article 6, paragraph 1, letter "c" of the GDPR.
3.6. On the basis of the Data Controller's legitimate interest in
business development (Article 6, paragraph 1, letter "f" of the GDPR),
anonymized aggregated data about the services used by customers may also be
used for the purposes of statistical analysis and marketing research after
complete removal of the personal data identifying customers.
3.7. With the consent of the data subject, data on the location of the
mobile device may also be obtained while using the mobile application for the
purpose of notification of available electric vehicles in the immediate
vicinity and reporting of services while using the mobile application. The data
subject reserves the right to withdraw the consent so given at any time by
changing the settings of his mobile device.
3.8. In order to verify the validity of the driving license, the Data
Controller must provide certain Personal Data (such as the motor vehicle
driving license number and personal identification number) to the Processors
responsible for verifying the registered personal data and for technical and
administrative Customer support.
3.9. When providing services and ensuring their proper performance, the
owner of the mobile application engages RUPTELA UAB as a Data Processor,
which provides information allowing the establishment of the vehicle's location,
the period of parking, the speed of the vehicle, the distance traveled, the date,
time and duration of the use of the vehicle, the time the vehicle is
unlocked and locked, the change in the charge level of the vehicle's battery
while the Customer is using the vehicle, whether the vehicle is
being charged and whether the vehicle door is closed.
3.10. In order to ensure a smooth and high-quality payment settlement
for the services provided, the owner of the mobile application must conclude a
subcontract with the payment operations provider Adyen, which mediates the
execution of payment operations.
3.11. The Data Controller confirms that, in order to ensure data
protection, all technical and organizational data protection measures have been
implemented.
3.12. The Mobile Application Owner also subcontracts Amazon Web Services
Limited as a Data Processor to perform the server rental and installation
services.
3.13. The Data Controller concludes an agreement with the owner of the
mobile application as joint Data Controllers, which defines the respective
responsibilities for the protection of personal data. According to this
agreement, "Ride Share Bulgaria" EAD is responsible for providing the
information required by law and for processing the requests of data subjects,
provided for in the GDPR and described in this notification, for users in the
territory of the Republic of Bulgaria.
3.14. The Data Controller and/or the owner of the mobile application
enter into agreements with all Data Processors on behalf of the Data
Controller. Data processors process personal data only on behalf of the Data
Controller for the purposes set out in these data protection agreements. In
particular, each Processor shall:
- process Personal Data only in accordance with the Data Controller's documented
instructions, including in relation to the transfer of Personal Data to a third
country or international organization, unless required to deviate from such
instructions to comply with the requirements of the applicable EU data protection
law to which the Processor is subject. In such a case, the Processor must, without
undue delay, inform the Data Controller of the relevant requirement prior to the
processing of personal data;
- ensure that the persons authorized to process the personal data have undertaken
an obligation of confidentiality and compliance with the applicable EU data
protection law, or are bound by an appropriate statutory obligation of
confidentiality;
- support the Data Controller, upon its express written request, in fulfilling its
legal obligations, such as those relating to data security, data protection impact
assessment and prior consultation laid down in the GDPR, and in particular
implement appropriate technical and organizational measures to protect the
Personal Data covered by the Data Processing Agreements from accidental or
unlawful destruction, loss, alteration, unauthorized disclosure or access. For the
avoidance of doubt, the parties expressly agree that the Processor shall perform
all of its obligations as a Personal Data Processor in full compliance with the
GDPR at its own expense;
- support the Data Controller by implementing appropriate technical and
organizational measures to fulfill the Data Controller's obligation to respond to
requests to exercise the rights of Data Subjects under the GDPR. The Processor
must immediately notify the Data Controller of any request made by a Data Subject
and must not respond to the request before receiving the Data Controller's
instructions;
- provide the Data Controller with all information necessary to demonstrate
compliance with the Processor's obligations under the data processing agreements
and the GDPR, and allow and assist in audits, including inspections, carried out
by the Data Controller or another auditor authorized by the Data Controller;
- maintain accurate records of all processing activities under the data processing
agreement in accordance with the requirements of the GDPR and provide the Data
Controller with the relevant records within ten (10) working days of receiving a
request from the Data Controller;
- ensure that no personal data is transferred, released, assigned, disclosed or
otherwise made available to a third party without the prior express written
consent of the Data Controller;
- ensure that data protection obligations similar to those set out in this
document are imposed by contract on any other Processors engaged by the Processor.
The Processor remains responsible to the Data Controller for the fulfillment of
these obligations by such other Processors;
- inform the Data Controller immediately if an instruction of the Data Controller
infringes the GDPR, or if personal data is or will be processed in violation of
the GDPR or the agreement, and inform the Data Controller immediately of any
complaints or audits by data protection supervisory authorities relating to the
processing of Personal Data;
- inform the Data Controller without undue delay (and no later than 48 hours)
after becoming aware of a personal data breach, meaning a breach of security
leading to the accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, Personal Data transmitted, stored or otherwise
processed. The notification must describe the nature of the breach, the number of
Data Subjects affected, the likely consequences of the breach, the measures taken
or proposed, and the other information listed in Article 33, paragraph 3 of the
GDPR; and
- upon termination of the processing contract or at the Data Controller's written
request, delete or return all Personal Data, unless retention is required by the
GDPR or by EU or Member State law to which the Processor is subject.
4.1. The Data Controller may process the customer's photo(s) containing
biometric data for the purposes of:
• accurate identification of customers, i.e. verifying that registered
users are legally competent to drive a vehicle and are the same person as the
driver of the electric vehicle;
• guaranteeing the accuracy of the Customers' personal data, their
security and the security of third parties;
• preventing fraud and traffic accidents, protecting and controlling the
company's property, and establishing and exercising legal claims.
4.2. The legal ground for processing biometric data is the establishment,
exercise or defense of legal claims (Article 9, paragraph 2, letter "f" of the
GDPR).
4.3. For the purpose of collecting, processing and storing customers'
biometric data, the owner of the mobile application enters into a biometric data
processing contract with JUMIO, which holds PCI DSS certification (a payment-card
industry security standard) and provides a level of protection equivalent to that
applied to banking information.
4.4. The data processor is obliged to process the data solely for the
purpose of accurate customer identification and for no other purpose. Although
data validation and confirmation of the customer's identity are performed by
automated means, decisions to refuse registration are made only after human
intervention and additional validation of documents.
5.1. The Data Controller carries out direct marketing in relation to the
Customers.
5.2. In order to receive proposals for the services provided by the Data
Controller, the Customer must give his consent to the processing of Data for
the purposes of direct marketing at the time of registration or enter his
personal profile and select the function of receiving a newsletter.
5.3. The Data Controller processes the following personal data of the Customers for
the purposes of direct marketing:
5.3.1. Name;
5.3.2. Surname;
5.3.3. Email address;
5.3.4. Phone number;
5.3.5. Address.
5.4. The Data Controller also carries out direct marketing (sending
newsletters and offers by e-mail) to persons who have entered their e-mail
address on the Data Controller's web site spark.bg and/or in the Mobile
Application and have expressed a desire to receive such communications. In such
a case, the Data Controller processes the e-mail address of the relevant
person.
5.5. The data subject can withdraw his consent at any time and refuse to
receive newsletters by clicking on the "unsubscribe" link in the
e-mail messages we send, changing the notification settings from his account,
or sending a targeted message requesting this.
5.6. The data processed for the purposes of direct marketing is not
transmitted by the Data Controller to the recipients.
5.7. The legal grounds for data processing is Article 6, paragraph 1,
letter “a” of the GDPR.
5.8. When processing data for direct marketing purposes, the Data
Controller uses the Airship platform, through which newsletters are sent to
Data Subjects, as well as Amazon Web Services Limited as a data processor,
which performs the server rental and installation services.
6.1. The Data Controller monitors the mobility of the vehicles provided
to the Customer for use.
6.2. Mobility monitoring aims to ensure the security of the assets
belonging to the Data Controller, the use of the services provided by the
Customers in good faith and in an appropriate manner and the provision of the
services with due quality, guaranteeing the security of the client and third
parties.
6.3. Mobility monitoring is carried out by means of GPS transmitters installed
in the vehicles belonging to the Data Controller. The data includes information
about the distance traveled, speed, route and location of the vehicle.
6.4. Mobility monitoring data is not transmitted to recipients.
6.5. The legal grounds for data processing is Article 6, paragraph 1,
letter “b” and Article 6, paragraph 1, letter “f” of the GDPR.
6.6. In order to carry out mobility monitoring, the Data Controller
engages RUPTELA UAB as a Data Processor, which provides information allowing
the location of the vehicle, its route, speed and distance traveled to be
determined.
7.1. In order to provide high-quality services and rewards, the Data
Controller uses automated decision-making to calculate e-Go points in a completely
objective and non-discriminatory manner based on the Customer's kilometers
traveled. The fee charged for the use of the services is also calculated in an
automated manner based on the minutes for which the electric car is used. The
Data Controller values the subjects' privacy and does not use the subjects'
personal data to profile them.
8.1. The Data Controller protects the privacy of the subjects' personal
information and does not disclose personal data to third parties, except with
the subject's consent and in cases permitted by law.
8.2. With guaranteed protection and control measures, disclosure is
possible with other companies part of our corporate group or with our service
providers in order to ensure the smooth functioning of the electric car rental
system and high quality of services (e.g. with server providers, telemetry
services, data validation, technical and administrative customer support, EV
mobility monitoring, car rental platform, statistical data analysis, etc.). In
this case, the service providers we use are required to strictly comply with
their contractual obligations and applicable data protection legislation,
including taking the necessary measures to protect the confidentiality of the
subjects' personal information.
8.3. It is also possible for customer data to be shared with third
parties if there is a justified need:
• public bodies such as the traffic police, the Ministry of Interior, etc.,
in order to fulfill our legal obligations to report infringements, prevent fraud
and traffic accidents, or to fulfill our other legal requirements, e.g. for
accounting reporting;
• insurers, law firms, private bailiffs, debt collection companies (eCollect AG,
with address Neuhofstrasse 21, 6340 Baar, Zug, Switzerland, registration number
CHE-180.481.291, represented by Mark Schillinger in his capacity as Executive
Director), etc., in order to enforce the general conditions of use of the mobile
application and our contract with the customer and to protect the property of the
company and our other rights and legal interests;
• to protect the security, rights and interests of our other users or third
parties.
9.1. Transfer of personal data to a third country or an international
organization outside the European Union and the European Economic Area can only
take place if one of the following conditions is met:
9.1.1. The company is based in the USA and is certified under the EU-US
Privacy Shield (https://www.privacyshield.gov); note that the Privacy Shield
adequacy decision was invalidated by the Court of Justice of the EU on 16 July
2020 (Case C-311/18, "Schrems II"), so certification under it no longer
constitutes a valid transfer basis on its own;
9.1.2. There is a decision of the European Commission regarding the
adequate level of personal data protection that the third country in which the
data is received provides;
9.1.3. There is an explicit consent of the data subject, after being
informed of the possible risks associated with the transfer due to the absence
of a decision on the adequate level of protection and of adequate guarantees;
9.1.4. The transfer is necessary for the performance of a contract
between the data subject and the Data Controller or for the performance of
pre-contractual measures taken at the request of the data subject;
9.1.5. The transfer is necessary for the conclusion or performance of a
contract concluded in the interest of the data subject between the
Company/Group and another natural or legal person;
9.1.6. The transfer is necessary for the establishment, exercise or
defense of legal claims;
9.1.7. The transmission is carried out by a public register.
9.2. Where manual data verification is needed during customer registration,
data is also transferred to the JUMIO validation service providers, which have
companies in the USA and India. The transfer is carried out on the basis of
standard contractual clauses (Article 46, paragraph 2, letter "c" of the GDPR)
with the necessary level of data protection, insofar as JUMIO is certified
according to the PCI DSS standard and is subject to an annual compliance audit.
10.1. The Data Controller applies different personal data storage
periods depending on the categories of personal data processed and the purposes
of processing.
10.2. If the registration process has not been successfully completed
and the Customer has not been granted the right to use the electric car sharing
services, his personal data is stored for a period of 3 years; it is deleted
(anonymized) immediately if the Customer selects the "Forget me" button in the
mobile application, provided that the Customer has not used the electric car
sharing services.
10.3. Upon completion of a successful registration with the right to use the
services for the shared use of electric cars, the Data Controller applies the
following personal data storage periods:
No | Personal Data Categories | Storage period
1 | Data related to accounting and insurance claims | 5 years from the date of issue of the document or occurrence of the insured event.
2 | Personal data from the customer profile, processed for the purpose of providing the electric car sharing services | 2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation. Data of customers whose accounts are not active will be stored for 3 years from the date of the last login.
3 | Biometric data | Deleted from the Data Controller's database immediately after the identity has been established / the account has been successfully verified. The biometric data is then stored on specialized JUMIO servers for a period of 5 years from the date on which the Customer's identity verification was successfully completed.
4 | Data used for direct marketing purposes | 2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation. Data of customers whose accounts are not active will be stored for 3 years from the date of the last login.
5 | Mobility monitoring data | 2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation. Data of customers whose accounts are not active will be stored for 2 years from the date of the last login.
10.4. Exceptions to the above storage periods may be established insofar
as the relevant deviations do not violate the rights of the Data Subjects,
comply with legal requirements and are duly documented.
10.5. Documents and data about Customers, in respect of which the Data
Controller has initiated administrative or judicial proceedings, are stored and
destroyed according to the instructions of the legal department for a period of
5 years after the conclusion of the proceedings with an effective court decision
or final payment of the debt.
10.6. After the expiration of the established terms, the data are
anonymized or destroyed in a secure way by deleting them from the information
systems or by shredding if they are on paper.
11.1. The data subject has the right to exercise the following rights
according to the procedure established in the GDPR and the DPRA:
11.1.1. Right to information: before processing the data, the Data
Controller is obliged to provide the data subject, in the form of a privacy
notice, with information about what personal data it collects, on what grounds
and for what purposes it uses it, with whom it shares it, the Data Controller's
intention to transfer the data to third countries outside the EU, the storage
period and security measures, the consequences of not providing the data, the
existence of automated decision-making, and the rights of the data subject,
including the right to lodge a complaint with a supervisory authority. Before
registering as a user and installing the mobile application, the data subject
must read and agree to the privacy notice in order to be able to use
the mobile application;
11.1.2. Right of access: this right enables the data subject to obtain a
copy of the personal data that the Data Controller stores about him, as well as
information related to the processing. The history of the services used by the
subject and the data provided during registration can be accessed through the
customer profile of the mobile application, and a special access request can
also be submitted;
11.1.3. Right to erasure: this right enables the data subject to request
their personal data to be deleted when there is no valid reason for the Data
Controller to continue processing it e.g. if the purpose for which the data
were collected has been achieved or if the data subject has withdrawn consent.
If the legal requirements are met, the Data Controller should delete the
personal data within 1 month, unless there is a legal obligation to continue
processing them or the retention of the data is necessary for the
establishment, exercise or defense of legal claims;
11.1.4. Right to have personal data concerning him or her rectified:
this right enables the data subject to request that any incomplete or inaccurate
information about him be corrected. The data subject is obliged to promptly
note any change in his/her personal data in his/her profile or to notify us
thereof;
11.1.5. Right to restriction of data processing: this right enables the
data subject to request the Administrator to temporarily suspend the processing
of personal data if, for example, he wishes to establish the accuracy of the
data or the reasons for its processing;
11.1.6. Right to data portability: this right is limited to cases where
the data is processed in an automated manner and is provided by the data
subject on the basis of his consent or for the purposes of the performance of a
contract, giving the possibility to require the Data Controller to provide the
personal data stored in electronic form to the data subject or to a third
party;
11.1.7. Right to object: in cases where the Data Controller relies on its
legitimate interests as a basis for processing, the data subject may object to
this processing on grounds related to his particular situation. He also has the
right to object when the processing is for direct marketing purposes or the
data is processed for statistical purposes;
11.1.8. Rights related to automated decision-making, including
profiling: the data subject has the right not to be subject to a decision based
solely on automated processing, including profiling, which gives rise to legal
consequences for the data subject or similarly significantly affects him;
11.1.9. Withdrawal of consent: the data subject has the right to withdraw
his consent at any time, in case he has given it, without affecting the
processing carried out up to that point. Where consent has been given for direct marketing
purposes, the data subject may opt out of receiving newsletters at any time by
clicking on the "unsubscribe" link in email messages sent by us or by
changing the settings of their mobile application. If the data subject has
provided access to his location through the mobile device in order to find
electric vehicles in the vicinity, he can change the settings thus selected;
11.1.10. Lodging a complaint: If the data subject believes that any of
his rights have been violated, he has the right to file a complaint with us
and/or with the supervisory body Commission for Personal Data Protection - https://www.cpdp.bg/.
11.2. Requests may be submitted by the data subject or a person
authorized by the data subject, with the Data Controller taking measures to
confirm the identity of the data subject for the purpose of data protection.
The Administrator is obliged to process the requests of data subjects
specified in items 10.1.2 - 10.1.9 hereof within the terms set
in the GDPR.
11.3. The aforementioned terms specified in the GDPR are as follows:
Request from the data subject | Period |
Right to information | When the data is collected (if the data is provided by the Data Subject) or within one month (if the data is not provided by the Data Subject) |
Right of access | One month |
Right to update | One month |
Right to erasure | No undue delay |
Right to restriction of data processing | No undue delay |
Right to data portability | One month |
Right to object | After receiving an objection |
Rights related to automated decision-making, including profiling | It is not specified |
11.4. The Data Controller has the right
to reasonably deny the Data Subject the exercise of his rights or impose a
reasonable fee under the conditions provided for in Article 12, paragraph 5,
letter “b” of the GDPR.
12.1. According to the GDPR, in cases where the main activities of the
Data Controller consist of processing operations that require regular and
systematic monitoring of Data Subjects on a large scale or when the main
activities of the Data Controller or the Processor consist of large-scale processing
of special categories of personal data, the presence of a Data Protection
Officer is mandatory.
12.2. The rights and obligations of the Data Protection Officer are
described in detail in the GDPR, the annexes to the Policy, job descriptions,
if the position is held by an employee of the Data Controller, or in the
service contract, if the position of Data Protection Officer is held by an
external service provider.
12.3. In general, the duties of the Officer include being responsible
for the proper implementation of the Data Controller's personal data protection
policy in accordance with the standards and requirements of the applicable
legislation, participating in raising awareness and training of employees
processing personal data, conducting the relevant audits, reporting data
processing risks, reacting to data security violations, assisting the supervisory
authority for personal data protection and data subjects in exercising their
rights, keeping a register of processing activities, and performing other tasks assigned to him
by the Data Controller, insofar as they do not conflict with his duties as a
data protection officer.
12.4. In view of the above-mentioned criteria and the activities carried
out by the Administrator, the latter decides to appoint a Data Protection Officer
with the following contact e-mail: privacy@spark.bg, whom data subjects can contact in case of questions regarding
this notification and requests to exercise their rights.
13.1. If the Data Controller's employees having the right to access the
data notice or are notified of data security violations (inaction or actions by
persons that may lead to or have led to a risk to data security), they should
immediately notify the Data Protection Officer and their immediate supervisor.
13.2. Taking into account the risk factors for breach of data security,
the degree of impact of the breach, damages and consequences, following the
relevant internal procedures, the Data Controller makes decisions on the
necessary measures to remedy the breach of data security and its consequences
and to notify the Commission for Personal Data Protection and the
persons concerned if there is a high risk to their rights and freedoms.
14.1. The organizational and technical data security measures
implemented by the Data Controller ensure a level of security that corresponds
to the nature of the data processed by the Data Controller and the risk of data
processing, including, but not limited to, the measures specified in this
section.
14.2. Personal data security measures include the following:
14.2.1. Administrative (establishing a procedure for the security of
documents and computer data and their archives and organization of work in
various spheres of activity, mandatory training of personal data protection
personnel currently employed and upon leaving work / dismissal, duties on
confidentiality and prohibition of disclosure of personal data, procedure for
providing access to data, etc.);
14.2.2. Technical and software protection (administration of servers,
information systems and databases, workplace support, protection of operating
systems, monitoring (control) of user access, protection from computer viruses,
etc.);
14.2.3. Administration of information systems and databases, job
support, protection of operating systems, protection from computer viruses,
etc.;
14.2.4. Protections for communication and computer networks (technical
and software measures for coding and transmission of data for general use,
applications, Personal Data, filtering of unwanted data packets, etc.).
14.3. The above-mentioned measures for the protection of personal data
ensure: 1) storage equipment for copies of operating systems and databases,
control of the storage of copying equipment; 2) technology for continuous work
with data (processing); 3) strategy for restoring the functioning of systems in
emergency cases (management of uncertainties); 4) unique user identification
and password system; 5) physical (logical) separation of the application
testing environment from the processes in operational mode; 6) registered data
use and data privacy.
14.4. The Data Controller should introduce a procedure for the recovery
of Personal Data in case of accidental loss of Data. The administrator makes
backup copies of the data available in the system. Data is retrieved according
to the internal procedure using Amazon Web Services software from the backup
equipment libraries. In all cases, data archives are stored without prejudice
to the data storage period specified in the Policy.
14.5. The Data Controller applies other measures guaranteeing the security
of personal data:
14.5.1. VPN technology is used to remotely connect to the
Administrator's internal network, and a digital certificate is used to identify
the user;
14.5.2. Access to personal data is subject to due control through organizational and technical
data security measures that record and control attempts to log in and to
acquire access rights;
14.5.3. The following records are kept when entering the database by the
persons who are granted the right to process personal data: login identifier,
date, time, duration, result of the entry (successful, unsuccessful). The above
records are kept for at least 1 (one) year;
14.5.4. It is necessary to ensure the security of the premises where
Personal Data are stored (access to the relevant premises only by authorized
persons, locking, etc.);
14.5.5. Requests to search the personal data provided must be aimed at
identifying the person and verifying the validity of his driver's license;
14.5.6. Efforts must be made to ensure the use of security protocols
and/or passwords when providing personal data via external data transmission
networks;
14.5.7. It is necessary to ensure control over the security of personal
data on external data carriers and e-mail and their deletion after use of
Personal Data by transferring them to databases;
14.5.8. Urgent personal data recovery actions (when, and by whom,
personal data recovery actions were performed by automatic and non-automatic means) are
recorded;
14.5.9. It is necessary to ensure that the testing of information
systems is not carried out with real personal data, except in cases where
organizational and technical measures for the protection of personal data are
used, guaranteeing real security of personal data;
14.5.10. Personal data on portable computers, if the latter are not used
in the data transmission network of the Data Controller, should be protected by
measures appropriate to the risk of processing.
14.6. The Data Controller implements appropriate technical and
organizational measures ensuring standardized processing of personal data that
is necessary for the specific purpose of data processing. The above obligation
applies to the corresponding amount of Personal Data collected, the scope of
their processing, the period of storage of Personal Data and the accessibility
of Personal Data.
15.1. You can contact us with questions related to this policy and/or data
protection in general using the following contact details:
Email: privacy@spark.bg
Phone number: 00 359 2 419 3476
16.1. The policy is revised annually at the initiative of the
Administrator and/or in case of changes in the legal acts regulating the
processing of personal data.
16.2. The policy and amendments to it come into force from the date of
their approval and publication on the Data Controller's website.