Policy for Personal Data Protection
FAVICO OOD /Ltd./, UIC 204603720, with its address at: 120, Borisova Str., Ent. B, Floor 5, Rousse, hereinafter referred to as "Andyvil", applies in its trade relations with the Customers the present General Terms and Conditions
Andyvil, as a Personal Data Controller, collects and processes certain information about natural persons.
This information may apply to users visiting https://andyvil.com, customers and other natural persons with whom Andyvil has a relation.
I. Legal basis
This Policy for Personal Data Protection is issued on the basis of the Personal Data Protection Act and its by-laws as amended ("Bulgarian Legislation") and the General Data Protection Regulation (EU) 2016/679 (the "GDPR").
The Bulgarian legislation and the GDPR provide rules on how organizations, including Andyvil, must collect, process and store personal data. These rules are applied by Andyvil whether data processed electronically, on paper or on other media is concerned.
Personal data is collected and used reasonably, stored securely, and Andyvil takes the necessary measures to avoid unlawful disclosure or submission to third parties.
Andyvil is familiar with the Personal Data Protection Act (PDPA) and follows its principles, namely:
- Personal data are processed in a lawful, conscientious and transparent manner;
- Personal data are collected for specific and legitimate purposes;
- Personal data are not processed further in a manner inconsistent with these purposes;
- Personal data required by Andyvil from the users are appropriate, limited and relevant to the purposes for which they are processed, namely data required for order processing, delivery notification and subsequent delivery;
- Personal data are accurate and, if necessary, kept up-to-date;
- Personal data are kept in a form that permits identification of the persons concerned for no longer than is necessary for the purposes for which the personal data are processed;
- Personal data are processed in a way that ensures an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying technical measures appropriate to an online store.
II. Policy Objectives
This Policy aims at Andyvil:
- Complying with the applicable legislation on personal data and follow best practice;
- Establishing the mechanisms for keeping, maintaining and protecting the accounting registers;
- Establishing the responsibilities of officials handling personal data and / or persons having access to personal data and working under the direction of personal data processors, their liability for non-performance of such obligations;
- Protecting the rights of consumers, staff and customers;
- Finding out how to store and protect the personal data of individuals;
- Establishing the necessary technical and organizational measures to protect personal data from unauthorized processing (accidental or unlawful destruction, accidental loss, unauthorized access, alteration or dissemination, and any other unlawful forms of processing of personal data);
- Being protected in the presence of risk of violations.
This Policy applies to the processing of personal data of consumers and customers as described in the electronic reporting registers established in accordance with this Policy, the Bulgarian Legislation and Art. 30 of the GDPR ("Registry of Processing Activities").
IV. Personal Data Collection
Data categories and subjects
"Personal data" means any information relating to an identifiable natural person or an identifiable natural person who can be identified ("Data subject"), namely:
Andyvil collects personal data with respect to the following categories of persons:
- Natural persons who visit https://andyvil.com;
- Natural persons who shop online at https://andyvil.com;
- Natural persons who have user accounts on https://andyvil.com;
- Natural persons who are interested in receiving information services - newsletters, guides, etc. - persons who register for the use of an online shop.
Purpose of data collection
Andyvil collects personal data for the performance of the following purposes:
- To carry out activities related to the conclusion, existence, modification and termination of contractual relations, including for:
- Preparation of any documents;
- Contacting contact persons by telephone, email, fax or any other lawful means;
- Delivery and / or acceptance of goods / services, communication in connection with the provision and / or receipt of goods / services and the provision of related customer service;
- Accounting in performance of contracts under which the Controller is a party;
- Processing payments in relation to the contracts signed by Andyvil;
- Sending important information to data subjects regarding changes to Andyvil's policies, terms and conditions and / or other administrative information;
- For marketing purposes - subject to the explicit consent of the data subjects;
- For statistical purposes.
The personal data of each person are provided voluntarily by the persons themselves and are collected by Andyvil in fulfillment of a statutory obligation in connection with the conclusion of a contract and / or fulfillment of the obligations under a contract under the provisions of the Electronic Commerce Act, the Commerce Act, the Accounting Act, Obligations and Contracts Act, the Value Added Tax Act, etc., and the terms and conditions stated in a trade agreement with the respective client through: paper - written documents (including PoAs, contracts, disturbing notes, bank information, etc.), by e-mail - provided in connection with the execution of a commercial contract and / or through filling out a registration form. Natural persons are notified of the provisions of this Policy in advance or at the time of receiving their data.
V. Legitimate interests pursued by Andyvil
With relation to processing of data of managers and contractors:
The processing of the data is done on the grounds of a legitimate interest and in connection with the conclusion, existence, modification and termination of commercial and civil contracts in the application and fulfillment of the legal requirements of the Electronic Commerce Act, the Commerce Act, the Social Security Code, the Tax Insurance Procedure Code, the Insurance Code, the Personal Income Taxes Act, the Accountancy Act, the Obligations and Contracts Act, etc.
VI. Transparency. Rights of individuals whose data are processed by Andyvil
Transparency and conditions for individuals of exercising their rights
Andyvil provides information to the persons in a concise, transparent, comprehensible and easily accessible form, in clear and simple language.
Andyvil seeks to ensure that individuals are aware of personal data processing by it and that individuals fully understand and are fully aware of the processing in accordance with requirements of the GDPR and the Bulgarian legislation.
Andyvil provides information to individuals in writing or otherwise, including, where appropriate, by electronic means. If the person so requested, the information may be given orally, provided that the identity of the person is proved by other means.
Andyvil provides information free of charge to any person about the action taken in connection with a request concerning their right of access, correction, erasure, limitation of processing, portability, objection and automated decision making, without undue delay, and in any event within one month of receipt of the request.
If necessary, this period may be extended by a further two months, taking into account the complexity and the number of requests. Andyvil shall inform the person of any such extension within one month of receipt of the request, indicating the reasons for the delay. Where a person submits a request by electronic means, the information shall, if possible, be provided by electronic means, unless the person has requested otherwise.
If Andyvil does not act on the request, Andyvil shall notify the person without delay and at the latest within one month of receipt of the request for the reasons not to take action and the possibility of filing a complaint to a supervisory authority and seeking legal protection.
Where the person's claims are manifestly unfounded or excessive, in particular because of their repeatability, Andyvil may either:
- impose a reasonable fee, taking into account the administrative costs of providing the information or communication or undertaking the requested actions,
- or refuse to act on the request.
Right of the individuals of access
Every person has the right to obtain from Andyvil a confirmation that personal data related to him / her are being processed and, if so, to access the data and the following information:
- The purpose of the processing;
- The relevant categories of personal data;
- The recipients or categories of recipients to whom personal data (including third countries or international organizations) are or will be disclosed;
- Where possible, the period for which the data will be stored and, if that is not possible, the criteria used to determine that period;
- The existence of a right to require Andyvil to correct or delete personal data or to restrict the processing of personal data relating to the persons concerned or to object to such processing;
- The right to complain to the Commission for the protection of personal data;
- Where personal data are not collected by the persons themselves, any available information on the source of the data;
- The existence of automated decision making, including profiling, and at least in these cases, essential information about the logic used, as well as the meaning and foreseeable consequences of such processing for the individuals.
Andyvil provides the person with a copy of the personal data that is being processed. For additional copies requested by individuals, Andyvil may impose a reasonable fee based on administrative costs. Where a person submits a request by electronic means, the information shall, if possible, be provided in widely used electronic form, unless the person has requested otherwise.
Right of correction
Any person whose data is processed by Andyvil has the right to ask Andyvil to correct inaccurate personal data relating to him / her, without undue delay. Given the purpose of the processing, the person has the right to complete incomplete personal data.
Right to delete (right “to be forgotten”)
Any person whose data is processed by Andyvil has the right to ask Andyvil to delete the personal data related to him / her, without undue delay and Andyvil has the obligation to delete personal data without undue delay when:
- Personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- The person withdraws his / her consent on which the processing of the data is based and no other legal basis for the processing exists;
- The person objects to the processing and there are no legitimate grounds for the processing that would prevail;
- Personal data has been tampered with;
- Personal data must be deleted in order to comply with a legal obligation applying to the Controller;
When Andyvil has made the personal data available to the public and is required under the previous paragraph to erase personal data, it shall, taking into account available technology and enforcement costs, take reasonable steps, including technical measures, inform the data processors that the person concerned has requested the deletion by these controllers of any links, copies or replicas of his or her personal data.
Right of processing restriction
Any person whose data are processed by Andyvil is entitled to require Andyvil to restrict the processing when one of the following applies:
- The accuracy of personal data is disputed by the person for a period which allows Andyvil to verify the accuracy of the personal data;
- Processing is illegal, but the data subject does not want to delete the personal data, and instead requires a limitation of its use;
- Andyvil no longer needs personal data for the purpose of processing, but the data subject requests them for the establishment, exercising or protection of legal claims;
- The data subject has objected to the treatment pending verification that Andyvil's legitimate grounds prevail over the interests of the data subject.
Where processing is limited pursuant to the above paragraph, such data are processed, except for their storage, only with the consent of the data subject or for the establishment, exercising or protection of legal claims or for the protection of the rights of another individual or for important reasons of public interest.
When a data subject requests a limitation of processing, Andyvil informs him / her before the revocation of the processing restriction was lifted.
Obligation to notify when correcting or deleting personal data or restricting processing
Andyvil reports any correction, deletion, or limitation of processing of any recipient to whom personal data has been disclosed, unless this is impracticable or requires disproportionate effort. Andyvil informs the data subject about these recipients if the data subject so requests.
Right to data portability
The data subject has the right to receive the personal data concerning him / her which he / she has provided to Andyvil in a structured, widely used and machine readable format and has the right to transfer these data to another controller without obstruction by Andyvil when the processing is based on consent in relation to certain objectives or a contractual obligation of the subject, or on taking steps prior to entering into a contract, and processing is done in an automated manner.
When exercising his / her right of portability, the data subject is entitled to receive a direct transfer of personal data from one controller to another where this is technically feasible.
Right of objection
The data subject may, at any time and on grounds relating to his / her particular situation, object to the processing of personal data relating to him / her (when processing is necessary for the performance of a task of public interest or in the exercise of official powers of Andyvil, or processing is for purposes of the legitimate interests of Andyvil or a third party), including profiling. Andyvil shall discontinue the processing of personal data unless it can demonstrate that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject or for the establishment, exercising or protection of legal claims.
When processing personal data for direct marketing purposes, the data subject shall be entitled at any time to object to the processing of personal data relating to him / her for this type of marketing, including profiling, insofar as it relates to direct marketing. When the data subject objects to processing for direct marketing purposes, the processing of personal data for these purposes is terminated.
At the latest at the time of first contact with the data subject, he / she is expressly informed of the existence of the right under the preceding paragraphs, which shall be presented to him / her in a clear manner and separate from any other information.
VII. Technical and organizational measures of data protection
Data protection of a hard copy and an electronic medium from unauthorized access, damage, loss or destruction is ensured through a series of internally regulated technical and organizational measures.
VIII. Transfer of personal data
Andyvil does not and will not transfer personal data to countries outside the European Union.
IX. For how long your personal data are stored
The length of time that your personal data are stored depends on the processing purposes for which they were collected:
Personal data processed for the purpose of concluding / amending and executing a contract for the delivery of ordered goods - no more than 2 years.
Personal data processed for the purpose of issuing accounting / financial records for tax and social security controls, including but not limited to - invoices, debit notes, credit notes, delivery reports, service contracts, are kept for at least 5 years after the expiration of the limitation period, unless the applicable law provides for a longer period.
X. Policy of "cookies"
What are cookies and why are they used?
Cookies are small text files for temporarily storing information about user actions, preferences, or other activity when visiting a website. They are retained on the computer or mobile device used by the user for a certain amount of time, depending on their type.
Cookies help make the website more user-friendly as it saves users the need to set their preferences each time they visit the site or switch from one page to another.
Cookies allow the website to function seamlessly, track down irregularities, and identify opportunities to optimize the way it provides information and communicates with users.
Types of cookies
The site uses one or more of the following types of cookies depending on their degree of necessity:
Cookies required by the system
These are cookies without which site operation is impossible or put at a high risk.
This includes cookies for navigation on the website, saving filled in information when passing between the different steps as well as on login or registration.
Needed by the system are also cookies that provide control over the security of the connection and the protection against unwanted external interference.
This type of cookie is often referred to as temporary or session because they are temporarily stored and disappear after the browser session is closed.
This category of cookies serves to make it easier for the user to use the website and to take into account individual user preferences.
Feature cookies include device-recognition cookies, preset language and font preference, and more.
This type of cookies can be stored for a long time on the device; they can be used in more than one session of the browser and are called permanent.
As a user, you have the ability to control cookies used, delete cookies saved on your device, and disable cookies usage in the future. Keep in mind that blocking cookies will affect the way the website works and may cause malfunctions of the site.