Privacy

PERSONAL DATA

We, „Annabela“ OOD, a company registered in the Republic of Bulgaria, with registered office and management address: Bulgaria, Pernik, 1 Silistra Street; with EIK 113553128, have created this Personal Data Protection Policy, in accordance with the responsibility we bear when processing the personal data we collect from or for „You“. For example, we collect your personal data when entering into a sales contract at our stores or remotely, as well as upon delivery of the ordered goods or when you register and use our website, for marketing and advertising purposes, profiling, participation in games, promotions and raffles organized by us and for any other purposes not prohibited by law. As we are located in the European Union, we process your personal data in accordance with applicable European laws and other data protection legislation.

This Personal Data Policy is related to the General Terms and Conditions of „Annabella“ OOD, but is not part of them. It aims to explain to users what personal data we process in accordance with the Regulation and in connection with the fulfillment of our mutual obligations, as well as why and how we process it, including when it is necessary to disclose personal data to third parties. It also provides information about the rights that you, our customers and users, have in connection with the processing of personal data by „Annabella“ OOD.

This Personal Data Policy applies to the personal data that Anabela Ltd. collects and processes in connection with the products provided by the company. It does not apply when users visit the „Annabella“ OOD website without registering. In such cases, the collection and processing of personal data will be carried out in accordance with the cookie policy.

  1. DEFINITIONS

„Regulation“ – General Data Protection Regulation 2016/679 of April 27, 2016, which replaces Data Protection Directive 95/46/EC. It has direct effect and implies a change in the legislation of the member countries in the field of personal data protection. Its purpose is to protect the „rights and freedoms“ of individuals and to ensure that personal data is not processed without their knowledge and, where possible, is processed with their consent.

“Personal Data” – any information relating to an identified natural person or an identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;

“Special categories of personal data” – personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the unique identification of a natural person, data relating to health or data concerning a natural person’s sex life or sexual orientation.

“Processing” – means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, using, disclosing by transmission, distribution or otherwise making the data available, arranging or combining, limiting, erasing or destroying;

„Administrator“ – any natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of this processing are determined by EU law or the law of a Member State, the controller or the special criteria for its determination may be established in Union law or in the law of a Member State;

„Data subject“ – any living natural person who is the subject of the personal data stored by the Administrator.

“Consent of the data subject” – any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or clearly affirming an action that expresses his consent for the personal data related to him to be processed;

“Child” – The Common Regulation defines a child as anyone under the age of 16 although this may be reduced to 13 by Member State law. The processing of a child’s personal data is only lawful if a parent or guardian has given consent. The administrator makes reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give consent.

„Profiling“ – any form of automated processing of personal data consisting in the use of personal data to assess certain personal aspects related to a physical individual, and in particular to analyze or predict aspects relating to the performance of that individual’s professional duties, his economic situation, health, personal preferences, interests, reliability, behavior, location or movement;

“Personal Data Security Breach” – a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;

“Principal place of establishment” – the seat of the controller in the EU will be the place where it makes the main decisions about the purpose and means of its data processing activities. In relation to the personal data processor, its main place of establishment in the EU will be its administrative centre.

„Recipient“ – a natural or legal person, public authority, agency or other structure to which the personal data is disclosed, regardless of whether it is a third party or not. At the same time, public authorities that may receive personal data within the framework of a specific investigation in accordance with Union law or the law of a Member State are not considered „recipients“; the processing of this data by the specified public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;

„Third party“ – any natural or legal person, public authority, agency or other body other than the data subject, controller, processor and the persons who, under the direct supervision of the controller or the personal data processor, have the right to process the personal data;

  2. PURPOSE OF COLLECTION AND HOW AND WHAT PERSONAL DATA DO WE PROCESS?

We will use your personal data for the purposes described below. We do not collect or process more or other types of personal data than we need to fulfill the respective purposes. We will use the personal data only as indicated in this policy, unless you have given us express consent for another type of use of your personal data. If we intend to use your personal data, which we process with your consent, for purposes other than those specified in the consent in question, we will notify you in advance, and in cases where the processing is based on your consent, we will use your personal data for different purposes only with your permission.

2.1. PURPOSE

We aim to process your personal data in good faith to fulfill our obligations in accordance with legal and other purposes as follows:

  • establishing your identity through our sales channels;
  • management and fulfillment of your requests for products, fulfillment of contractual obligations;
  • preparation of a proposal for concluding a contract;
  • providing you with the comprehensive service you need;
  • preparation of proposals for the conclusion of distance and off-premises contracts, sending courier services with renegotiated information and the contract draft; service in case of refusal of a transaction, complaint or warranty/service service;
  • notification of anything related to the products you purchase from us or will be interested in purchasing, sending various notifications, notification of problems, errors or to respond to requests, complaints, suggestions submitted by you;
  • preparing analyzes and statistics for our sales and customers;
  • analysis of customer history and preparation of a user profile with a view to determining a suitable offer for you;
  • to protect and ensure the security and integrity of our network, you and our employees;
  • detect and/or prevent illegal actions or actions contrary to our terms;
  • evaluate and measure the effectiveness of our ads, as well as offer you advertising content that is adequate to your needs;

We process your personal data in order to comply with obligations stipulated in various legal acts, for example:

  • fulfilment of obligations in relation to distance sales, off-premises sales, provided for in the Consumer Protection Act;
  • providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
  • provision of information to the Commission for the Protection of Personal Data in connection with obligations provided for in the legal framework for the protection of personal data – Personal Data Protection Act, Regulation (EU) 2016/679 of April 27, 2016, etc.;
  • obligations provided for in the Labor Code, the Accounting Act and the Tax and Insurance Procedural Code and other related legal acts, in connection with keeping correct and lawful accounting;
  • providing information to the court and third parties, within the framework of proceedings before a court, in accordance with the requirements of the procedural and substantive legal acts applicable to the proceedings;
  • age verification when shopping online.

2.2. WHAT PERSONAL DATA WE PROCESS

  • Identification data (three names, TIN or personal number of a foreigner, permanent address)
  • Traffic data or aggregate consumption data;
  • Data that is provided when concluding a contract;
  • Data on orders, their execution, contractual obligations;
  • Data for communication with customers or users (email, phone)

When we process your basic personal data and the described other data for the purposes of providing products, for their payment, to fulfill your requests for the purchase of goods, and in order to fulfill our statutory obligations, this processing is mandatory to fulfill these purposes. Without this data, we would not be able to provide the relevant services. If you do not provide us with identification data, we would not be able to enter into a contract with you for our products.

2.3. HOW WE PROCESS YOUR PERSONAL DATA

With your consent

In some cases, we process your personal data only after your prior written consent. Consent is a separate basis for processing your personal data and the purpose of the processing is specified in it.

Consents provided can be withdrawn at any time. The withdrawal of consent has no impact on the performance of the contractual obligations of „Annabella“ OOD. If you withdraw your consent to the processing of personal data for any or all of the ways provided for in it, „Annabella“ Ltd. will not use your personal data and information for the purposes defined above. Withdrawal of consent does not affect the lawfulness of processing based on consent given prior to its withdrawal.

We have a large portfolio of products on offer. When you give us consent to process data, that consent applies to all of our products that you have purchased. To withdraw the given consent, you only need to use the store network, our website or simply our contact details.

In view of our legitimate interest

These are goals related to the legitimate interests of „Annabella“ OOD and/or third parties. These goals include:

  • Ensuring the normal functioning and use of the Site by you and other users, maintenance and administration of the Services, resolution of disputes, detection and prevention of malicious actions;
  • Detecting and resolving technical or functionality issues, developing and improving the Services.
  • Communicating with you, including electronically, on important matters related to the Services.
  • Accepting and processing received signals, complaints, requests and other correspondence;
  • Enforcement and protection of the rights and legitimate interests of „Annabela“ OOD, including by court order, and assistance in the implementation and protection of the rights and legitimate interests of other users of the site and/or affected third parties.

For these purposes it may be necessary to process some or all of the above categories.

  3. CONSENT

By „consent“, „Annabella“ OOD will understand any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses his consent for his personal data to be processed. The data subject can withdraw their consent at any time.

„Annabela“ OOD understands by „consent“ only the cases in which the data subject has been informed about the planned processing and has expressed his consent without any pressure being exerted on him. Consent obtained under duress or based on misleading information will not be a valid basis for processing personal data.

For special categories of data, „Annabella“ OOD will request to obtain the express written consent of the data subjects, unless there is an alternative legal basis for processing. In most cases, consent to the processing of personal and special categories of data is routinely obtained from „Annabella“ OOD, using standard consent documents – e.g. when a new client signs a contract or during recruitment etc.

Annabela Ltd. does not collect or process personal data of children under 16 years of age or younger, except with parental consent in accordance with applicable local law. If we learn that a child’s personal data has been accidentally collected, we will promptly delete the data in question.

  4. RIGHTS OF DATA SUBJECTS

You, as a data subject, have the following rights regarding the processing of data, as well as the data recorded about you:

  • To make requests to confirm whether personal data relating to you is being processed and, if so, to obtain access to the data, as well as information on who the recipients of this data are.
  • To request a copy of your personal data from the administrator;
  • To ask the administrator to correct personal data when they are inaccurate and when they are no longer up-to-date;
  • To require the administrator to delete personal data (right to be forgotten);
  • To ask the administrator to limit the processing of personal data, in which case the data will only be stored, but not processed;
  • To object to the processing of your personal data;
  • To object to the processing of personal data relating to you for direct marketing purposes.
  • To lodge a complaint with a supervisory authority if you believe that any of the provisions of the Regulation has been violated;
  • To request and be provided with personal data in a structured, widely used and machine-readable format;
  • To withdraw your consent to the processing of personal data at any time with a separate request addressed to the administrator;
  • Not to be the subject of automated decisions that significantly affect you, without the possibility of human intervention;
  • To oppose automated profiling that occurs without your consent.

„Annabella“ OOD provides all the necessary conditions to guarantee the exercise of the rights by the data subject. Data subjects can make requests for access to data, have the right to submit complaints to „Annabella“ OOD, related to the processing of their personal data, the processing of a request from the data subject and an appeal by the data subject, regarding the manner of handling complaints.

A request to exercise the rights of the subjects of personal data can be submitted in the following ways:

  • By electronic means at the following email address info@en.anabela.bg;
  • On site in one of the stores of „Annabella“ OOD with a written request;
  • By mail to the address of our Central Office – „Annabela“ OOD: Bulgaria, Pernik, 1 „Silistra“ St. with a written request.

The request to exercise personal data rights should contain accurate information about:

  • Name and social security number – so we can identify you;
  • Address, telephone, e-mail – so that we can contact you and provide you with the best quality service;
  • Description of the request – so that we know which of your rights you want to exercise;

„Annabela“ OOD provides information on the actions taken in connection with a request to exercise the rights of the subjects, within one month of receiving the request. If necessary, this term can be extended by another two months, taking into account the complexity and number of requests from a certain person. „Annabella“ Ltd. informs the person of any such extension within one month of receiving the request, indicating the reasons for the delay.

„Annabela“ OOD is not obliged to respond to a request in the event that it is unable to identify the data subject, the description of the request is not specified or it is not sent in the ways provided in this Policy.

Annabela OOD may request the provision of additional information necessary to confirm the identity of the data subject when there are reasonable concerns regarding the identity of the natural person submitting the request.

When the request is made by electronic means, the information shall be provided by electronic means whenever possible, unless the data subject has requested otherwise.

  5. DATA SECURITY

„Annabela“ Ltd. takes a responsible approach to data security. We apply the appropriate and necessary level of protection and to this end we have developed effective physical, electronic and administrative procedures to protect the data we collect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to transmitted, stored or otherwise processed personal data. Our information security policy and related procedures meet international standards and are regularly reviewed and updated as necessary to meet our business needs, changes in technology and regulatory requirements. Access to your personal data is permitted only to those employees, service providers or persons related to „Anabela“ OOD on the basis of the need for information for official purposes or who need it for the performance of their official duties.

A principle in our structure is that all employees/workers are responsible for ensuring the security of the storage of the data for which they are responsible and which „Annabela“ OOD holds, as well as, that the data is stored securely and is not disclosed under any circumstances to third parties, unless Annabella Ltd. has given such rights to that third party by entering into a confidentiality agreement/clause. In this regard, all personal data is available only to those who need it, and access can only be granted in accordance with established access control rules. All personal data is treated with utmost security and stored:

  • in a private room with controlled access; and/or
  • in a locked cabinet to which authorized persons have access; and/or
  • a computerized system protected by a password in accordance with the internal requirements specified in the organizational and technical measures to control access to; and/or
  • computer media that are protected in accordance with organizational and technical measures to control access to information.

Annabella Ltd. has established an organization to ensure that computer screens and terminals cannot be viewed by anyone other than authorized employees/employees of Annabella Ltd. All employees/employees are required to be trained and accept the relevant contractual clauses/declarations/rules to comply with organizational and technical access measures before being granted access to information of any kind. Personal data is deleted or destroyed only in accordance with internal data storage and destruction procedures.

In case of leakage of data containing personal data, „Annabela“ OOD will follow and comply with all applicable norms for notification in such cases.

  6. STORAGE OF PERSONAL DATA

We will generally retain your personal data for as long as necessary to achieve the purposes set out in this Privacy Policy or to comply with legal requirements. We will delete the personal data we have collected from you if it is no longer necessary to achieve the purposes for which it was originally collected. However, we may be required to keep your personal data for a longer period due to regulatory requirements, for example:

  • 1 (one) year – from the termination of the contract or until the final settlement of all financial obligations and expiry of the legally defined obligations to store data, such as obligations under the Electronic Communications Act and the Electronic Document and Electronic Authentication Services Act;
  • 11 (eleven) years according to the Accounting Act for storage and processing of accounting data;
  • 5 (five) years according to the Law on Obligations and Contracts (limitation periods for making claims);
  • 5 (five) years according to obligations to provide information to the court, competent state authorities, etc. grounds provided for in the current legislation.

Please note that we will not delete or anonymize your personal data if it is necessary for pending judicial, administrative, arbitration, enforcement or complaint proceedings before us.

  7. PROVIDING INFORMATION

„Annabela“ Ltd. strives not to provide your personal data to third parties, in any other way, except in the conditions described in this Policy and the hypotheses provided by law. However, in certain cases, if necessary, certain data will be sent to persons outside the EU/EEA, subject to the requirements of applicable legislation and described in this Personal Data Policy, such as:

  • When disclosure of your personal data is duly requested by a competent public or judicial authority;
  • When there is a decision of the Commission for the Protection of Personal Data or of the European Commission, according to which the respective country provides an adequate level of personal data protection;
  • When an agreement has been concluded with the organization to which personal data is sent, containing the standard data protection clauses approved by the European Commission with Decision No. 2010/87/EU;
  • When it is necessary to transfer data to an organization in the US, the transfer takes place to the extent that the Privacy Shield Framework Agreement with the US Department of Commerce is signed. The US Department of Commerce is responsible for managing and administering the Privacy Shield and ensuring that companies meet their commitments;
  • When necessary, we engage other companies and individuals to perform certain tasks on our behalf, supplementing our services, within the framework of data processing contracts;
  • Change of ownership of – in the event of a merger, acquisition or sale of assets affecting the processing of personal data, you will be notified in advance;
  • When we have received your express consent to transfer;

  8. GENERAL POLICY INFORMATION

This Personal Data Policy may be changed or supplemented due to changes in the applicable Bulgarian or European legislation, at the initiative of „Annabela“ OOD or a competent authority.

„Annabella“ Ltd. will inform users about the amendments or additions to this Personal Data Policy by publishing the updated Personal Data Policy on the website of „Annabella“ Ltd. – www.en.anabela.bg.

It is recommended that users periodically check the most current version of this Personal Data Policy on the website of „Annabela“ OOD.

This Privacy Policy is current as of 01.12.2023.

  9. CONTACT INFORMATION FOR ANABELLA OOD AND PERSONAL DATA PROTECTION SUPERVISORY AUTHORITY

Please direct your data protection inquiries and any requests regarding the exercise of your legal rights to the Data Protection Information Department.

e-mail: info@en.anabela.bg
contact phone: 0700 50 508
address: Bulgaria, Pernik, 1 Silistra Street

All requests will be brought to the attention of our Data Protection Officer.

In the event of a violation of your rights under applicable data protection legislation, you have the right to lodge a complaint with the supervisory authority:

THE PERSONAL DATA PROTECTION COMMISSION

Headquarters and address for correspondence: Bulgaria, Sofia 1592, „Prof. Tsvetan Lazarov“ No. 2, phone: 02/91-53-555, fax: 029153525, Email: kzld@cpdp.bg, Website: www.cpdp.bg

The development of the website is financed by the European Union – NextGenerationEU in implementation of project No. BG-RRP-3.005-1292-C01,
under procedure BG-RRP-3.005 „Solutions in the field of information and communication technologies and cybersecurity in small and medium-sized enterprises“