CICRET SPA Ltd (“the Administrator”, “the Company” or “CICRET SPA”), UIC: BG206657791, with address: Sofia, Ovcha Kupel district, ul. “+359877 335 533 and email address: secret.spa.sofia@gmail.com
Information on the competent data protection supervisory authority:
Name: Commission for Personal Data Protection
Registered office and registered address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Address for correspondence: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Phone: 02 915 3 518
Website: www.cpdp.bg
The Controller carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 01 October 2015 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.
Grounds for collecting, processing and storing your personal data
Art. 1. The controller collects and processes your personal data in connection with the use of the website https://www.secretspa.bg/ and the conclusion of contracts with the company on the basis of Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:
- Explicit consent obtained from you as a customer;
- Performance of the Administrator’s obligations under a contract with you;
- Compliance with a legal obligation applicable to the Administrator;
- For the purposes of the legitimate interests of the Controller or a third party.
Purposes and principles of collecting, processing and storing your personal data
Art. 2. (1) We collect and process the personal data you provide to us in connection with your use of the https://www.secretspa.bg/ website and entering into a contract with the company, including for the following purposes:
- Arranging a consultation;
- Individualization of a party to the contract;
- Accounting purposes;
- Information Security Protection;
- Ensuring the performance of the contract for the provision of the relevant service;
- Marketing objectives.
(2) We comply with the following principles when processing your personal data:
- legality, fairness and transparency;
- limitation of the purposes of processing;
- relevance to the purposes of the processing and minimisation of the data collected;
- data accuracy and timeliness;
- limitation of storage to achieve the objectives;
- integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.
(3) The Controller may process and store personal data in order to protect the following legitimate interests:
- fulfilling its obligations to the National Revenue Agency, the Ministry of the Interior and other state and municipal authorities.
What types of personal data are collected, processed and stored by our company
Art. 3. The Company shall carry out the following operations with the personal data provided by you for the following purposes:
- Conclusion and execution of a commercial transaction with a customer or partner – the purpose of this operation is the conclusion and execution of a contract with a commercial partner or customer and its administration. Given the limited scope of the personal data collected and the fact that some of it is collected from publicly available sources, conducting an impact assessment is not necessary.
- Arranging the consultation – the purpose of this operation is to provide contact details in order to arrange the consultation desired by the client. Given the limited scope of the personal data collected, an impact assessment of the operation is not necessary.
- Sending informational messages, special offers and promotions, etc. (by email, Viber, SMS or other provider) – the purpose of this activity is to administer the process of sending messages to customers that relate to service improvements or changes, special offers, promotions, subscription cards, etc. Given the limited scope of the personal data collected, an impact assessment of the operation is not necessary.
Art. 4. (1) The controller shall process the following categories of personal data and information for the following purposes and on the following grounds:
Consultation request data (name, surname, telephone, e-mail)
Purpose for which the data is collected:
Receiving the user’s contacts in order to provide feedback for arranging a consultation and/or booking.
Grounds for processing your personal data – Your data for sending the newsletter is processed on the basis of your explicit consent – Art. 1 (a) GDPR.
Other data processed by the Administrator – When registering for the newsletter, the Administrator collects data on the IP address used.
Purpose for which the data is collected:
Localization of the interface.
Grounds for data processing – The IP address is collected on the basis of the legitimate interests of the controller – Art. 1 (f) of the GDPR;
Your details for issuing an invoice to a natural person (SSN)
Purpose for which the data is collected:
Issuing an invoice for services rendered.
Grounds for processing your personal data – Art. 1 (b) GDPR.
(2) The controller shall not collect or process the following personal data:
- data revealing racial or ethnic origin;
- data revealing political, religious or philosophical beliefs, or trade union membership;
- genetic and biometric data, health data or data on sex life or sexual orientation.
(3) Personal data are collected by the Controller from the persons to whom they relate.
(4) The Company shall not carry out automated decision-making with data.
Period of storage of your personal data
Art. 5. (1) The controller shall store your personal data for a period lasting no longer than until you withdraw your consent to processing. The controller shall take the necessary care to erase and destroy all your data without undue delay or to anonymize them (i.e. to put them in a form that does not reveal your identity).
(2) The Controller shall keep your personal data provided in connection with a consultation/booking request for a period of 5 years for the purpose of defending the Controller’s legal interests in the event of legal or administrative disputes, and the accounting documents shall be kept for the relevant statutory period.
(3) The Controller shall notify you in the event that the data retention period needs to be extended in order to comply with a legal obligation or in view of the legitimate interests of the Controller or otherwise.
Art. 6. The Controller shall store the personal data of the legal representatives of its business partners for the duration of the performance of the contract, in order to comply with the legitimate interests and legal obligations of the Controller, which may exceed the duration of the concluded contract.
Transfer of your personal data for processing
Art. 7. (1) The controller may, at its own discretion, transfer some or all of your personal data to processors for the fulfilment of the processing purposes to which you have consented, subject to the requirements of Regulation (EU) 2016/679 (GDPR).
(2) The controller shall notify you in the event of an intention to transfer some or all of your personal data to third countries or international organisations.
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent to the processing of your personal data
Art. 8. (1) If you do not wish all or part of your personal data to continue to be processed by the Company for any or all of the processing purposes, you may at any time withdraw your consent to the processing by sending a free text request to the following email address: secret.spa.sofia@gmail.com
(2) The controller may ask you to verify your identity and that you are the data subject.
Right of access
Art. 9. (1) You have the right to request and obtain confirmation from the Controller as to whether personal data relating to you are being processed.
(2) You have the right to access the data relating to you and the information concerning the collection, processing and storage of your personal data.
(3) The controller shall provide you, upon request, with a copy of the personal data processed relating to you in electronic or other appropriate form.
(4) Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repeated or excessive requests.
Right to rectification or completion
Art. 10. You may correct or complete inaccurate or incomplete personal data by making a request to the Controller.
Right to erasure (“right to be forgotten”)
Art. 11. (1) You have the right to ask the Controller to erase some or all of the personal data relating to you, and the Controller has the obligation to erase them without undue delay where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- You withdraw your consent on which the processing is based and there is no other legal basis for the processing;
- You object to the processing of personal data relating to you, including for direct marketing purposes, and there are no overriding legitimate grounds for the processing;
- personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which the Controller is subject;
- personal data have been collected in connection with the provision of information society services.
(2) The controller is not obliged to erase the personal data if it stores and processes them:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation requiring processing under EU or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for public health reasons;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defence of legal claims.
(3) In the event that you exercise your right to be forgotten, the Company will delete all of your data except for the following information:
- information that is necessary to certify that your right to be forgotten has been exercised.
(4) In order to exercise your right to be forgotten, you need to submit a request to the following email address: secret.spa.sofia@gmail.com
(5) The controller may ask you to verify your identity and that you are the person to whom the data relate.
(6) The controller shall not delete the data which it has a legal obligation to store, including for the purpose of defending legal claims made against it or proving its rights.
Right to restriction
Art. 12. You have the right to require the Controller to restrict the processing of data relating to you where:
- You contest the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;
- the processing is unlawful, but you do not wish the personal data to be erased and want only their use to be restricted;
- The controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise or defence of legal claims;
- You have objected to processing pending verification that the legitimate grounds of the Controller override your interests.
Right to portability
Art. 13. (1) You may, at any time, retrieve the data stored and processed about you in connection with the use of the services of CICRET SPA Ltd, by email request.
(2) You may request the Controller to transfer your personal data directly to a controller designated by you, where this is technically feasible.
Right to receive information
Art. 14. You may request the Controller to inform you of any recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested has been disclosed. The controller may refuse to provide this information if it would be impossible or would require a disproportionate effort.
Right to object
Art. 15. You may object at any time to the processing of personal data concerning you by the Controller, including if processed for profiling or direct marketing purposes.
Your rights in the event of a personal data breach
Art. 16. (1) If the Data Controller identifies a breach of the security of your personal data which may pose a high risk to your rights and freedoms, it shall notify you without undue delay of the breach and of the measures taken or to be taken.
(2) The controller is not obliged to notify you if:
- it has taken appropriate technical and organisational measures to protect the data affected by the security breach;
- it has subsequently taken measures to ensure that the breach will not result in a high risk to your rights;
- notification would require a disproportionate effort.
Art. 19. In the event of a violation of your rights under the foregoing or applicable data protection law, you have the right to file a complaint with the Personal Data Protection Commission as follows:
Name: Commission for Personal Data Protection
Headquarters and registered office: “1595 1592 Prof.
Address for correspondence: Sofia 1592, bul. “Prof. Lazarovaza”, 1592 1992.
Phone: 02 915 3 518
Website: www.cpdp.bg
Art. 20. You may exercise all your rights concerning the protection of your personal data by making your requests in any form that contains a statement to that effect and identifies you as the data holder.
Art. 21. If the consent relates to a transfer, the Controller shall describe the possible risks of the transfer of the data to third countries in the absence of an adequate protection solution and appropriate means of protection.