Privacy Policy

Effective as from 25 May 2018

This privacy notice provides information on how your personal data is processed when you use services and/or buy products from or for the benefit of a company or companies from the group of Nedelya Confectioneries. Dear clients, contractors and partners, we hereby inform you how we from PUOCA "DELIVERY NEDELYA", BULSTAT Code: 177328594, City of Sofia, 5, Blaga Vest Street, Accoutable person: Zdravko Georgiev Minchev, as an operator of Nedelya Confectioneries, we collect, store and use your personal data that you provide to us or which we have otherwise received or created and which are related to you. It is in your interest to take the time to aware yourself with this Policy. We have complied with this Privacy Policy (the “Notification”) with the General Data Protection Regulation (GDPR) 2016/679 (the “Regulation”), in force as of 25 May 2015. According to the Regulation and the Bulgarian Personal Data Protection Act (PDPA), you, as an individual, are the subject of personal data. We are the administrator of your personal data we process. Our credentials as an administrator and how to contact us are listed at the end of this document. From the Notification you will learn: What personal data we collect Who we share your personal information with How we collect and use your personal information Transfer of personal data outside Bulgaria How long do we store your personal data? How secure your personal data is What rights do you have? What is important to know when exercising your rights Children's personal information How will we notify you about changes to the content of this Notification How to contact us WHAT PERSONAL DATA WE COLLECT When you address us to order our products (whether at our site, via the internet at www.nedelya.com or by phone), participate in games organized by us, apply for our franchise program, apply to work with us, ask questions or claim your rights, we may receive from you or ask you to provide us with certain information about yourself. This information may include: • Your names – so we know who you are; • email address – so we can send you a message about your order, delivery parameters, winnings from our games, ask questions or complain, etc. You may ask not to receive more emails from us by clicking on the [Unsubscribe] link located at the bottom of the email that we sent you or by sending us your email to us at [gdpr @ nedelya .com] • your residence address in order to be able to fulfil your order for delivery of our products or to contact you by mail (if this is your preference); • mobile or other phone number – so we can call or send you SMS with regard to your order; • if you have registered an account with us (for example, via our web site www.nedelya.com): additional details such as your birthday, your password and certain preferences, online order history. If you link to this account with your Facebook account or other social media: further information about your contacts, friends, what you like and what you do not like if you decide to share such information with us through the settings of your social media accounts. • information that you like or dislike information from your posts that you make on our pages on social networks; • technical information about your device you open our web pages with, IP address when visiting our pages – in order to be able to provide you with the best possible service through our web pages; • Cookies – like most of the websites you visit, we also use cookies; more information about this can be obtained from our cookie policy, which is described below. • Your voice data – when you call our call center and the call is recorded; • Your video image – when visiting our confectioneries where video surveillance takes place; • Your PIN – when you want us to issue a purchase invoice; • any other information you voluntarily provide to us. We know that this information may look more, but we use it all in order to be as satisfied as possible with our services. When processing your personal data for the purposes of selling our products, securing the security of our confectioneries, and fulfilling our regulatory obligations, this processing is required to meet these goals. Without this data, we could not provide the relevant services. For example, if you do not provide us with your name and address, we could not deliver products of Nedelya. In other cases, when collecting your personal information, we will let you know whether the data is needed and what the consequences are if you refuse. HOW WE RECEIVE AND USE YOUR PERSONAL DATA We briefly gave you introduction above on why we need to collect each of your specified categories of personal information. Here are some more details about what we do with the information you provide us. Firstly, we process your personal data on the following legal basis: • in connection with and for the performance of a contract we conclude with you (including in oral form regarding the purchase of our products); or • to fulfil our obligations following a statutory instrument, for example in relation to obligations under the Accountancy Act and the Tax-Insurance Procedure Code or when providing information to judicial and other public authorities; or • our legitimate interest unless your advantage or your fundamental rights and freedoms prevail. Examples of our legitimate interest are improving security in our confectioneries (for which we do CCTV), improving service quality (for example, recording the conversations with clients from our call center), keeping correspondence with clients and third parties about their queries or in order to offer them our products; • Your explicitly informed consent in some cases, for example, by registering on our websites or agreeing to keep your data you have provided to us by phone (for example, when ordering products from Nedelya) or to use cookies; your consent may be withdrawn at any time, and we will no longer process your data subject to the withdrawn consent. We use your personal information for one or more of the following purposes: • to provide you with the products we offer and that you have requested; • to provide you with information about our products, including marketing messages, through the communication channels you have chosen (phone, SMS, email); • to contact you when you ask us a question or request a product offer or you have a question about an additional service, or notify you of important changes to our terms of service or our internal policies or security breaches the data; • to carry out our business in accordance with the applicable accounting, tax and other laws, professional norms and rules, including by responding to requests from competent state bodies; • to improve the services we provide to you, including for internal purposes such as audits, analyses, and surveys to help us improve our business [or to monitor and analyse the trends and use of our services] and to improve the design and content of the Internet our pages and to best suit your preferences and the devices you use; • in relation to legal claims as set out in the section How long do we store your personal data as well as for purposes outlined elsewhere in this Notice. We will periodically update the above-mentioned sample list in response to our business development and changing legal requirements. We will notify you if we would like or need to use your personal data for purposes and in a manner significantly different from what we have informed you about and if necessary we will seek your consent. WHO SHOULD SHARE YOUR PERSONAL DATA WITH In the course of our activity, we may need to share your personal data with any of the following: • our professional consultants and auditors; • persons who, by virtue of a legal act, have the power to request the provision of information, including personal data such as courts, prosecutors, various regulatory bodies such as the Consumer Protection Commission, the Personal Data Protection Commission, protection of national security and public order; • our suppliers or business partners, with the help of which we provide our services (including companies that support our websites, hardware and software, advertising agencies, postal operators); • our franchise partners operating under the Nedelya brand (according to regulatory requirements and contractual rules and only to the extent necessary and only to employees of these companies who really need to have your personal information to fulfil their obligations). Also, please bear in mind that our web pages may contain links to other such pages that are not owned and operated by us. We can not control or assume responsibility for the processing of personal data or the content of these other sites. We strongly recommend that you get aware yourself of the privacy policies and information on any website that collects personal information. This Notice only applies to personal information that Nedelya collects for you through web pages or otherwise. In any case, we enter into written agreements with the companies we work with, requiring them to take the necessary steps to ensure that your personal information is protected. We will only transfer to our contractors the information they need to provide us with the agreed services without allowing them to use your information for their own purposes. We will not provide your personal data to third parties to send unsolicited marketing communications to you unless you have given the necessary consent. If you receive unsolicited commercial communications from the companies we work with, please let us know at the following email address [gdpr@nedelya.com]. TRANSFER OF PERSONAL DATA OUTSIDE BULGARIA We may transfer and store your personal data in other Member States of the European Economic Area. An adequate level of personal data protection is ensured in the territory of these countries, in accordance with the standards of the Regulation. As the Nedelya brand is offered globally, it may be necessary to transfer your personal information to persons operating under these trademarks that are registered in the United States or in another country outside of the European Economic Area. If we need to do so, we will take due care to have adequate safeguards to protect your personal data, for example, we will transfer the data in accordance with EC-approved standard contractual clauses governing transfers of certain data between us and other companies, we will require your consent or we will use other grounds permitted by applicable law. If you would like more information on the specific safeguards that have been applied to your personal data transferred, please contact our Data Protection Officer whose contact details are listed at the end of this Notice in the How to Contact with us. HOW LONG DO WE STORE YOUR PERSONAL DATA? We have an internal policy that determines how long we store your personal data. It is built mainly on the basis of the type of information we collect and the purposes for which we collect it. In principle, we store your personal data for as long as is necessary for the purposes of the processing for which the data were collected and for any other permissible and related purpose or expiration of a legally defined period (for example, for storing and processing accounting data and for tax control – 11 years). It is our legitimate interest to keep certain personal information until the expiry of the limitation period for claiming (5 years). We will not delete or anonymize your personal data if it is necessary for pending court or administrative proceedings or proceedings to deal with your complaint before us. HOW SECURE YOUR PERSONAL DATA IS We highly value your privacy and we take very seriously the personal data security measures we have collected and stored. We use a variety of physical, electronic and organizational measures appropriate to the sensitivity of the information we support to protect the personal data you give us from unauthorized access, use or disclosure. For example, we encrypt communications using SSL, encrypt storage information, have firewalls, access control tools, billing, and so on. We have adopted policies and procedures and have appointed a Data Protection Officer. We require our suppliers and partners who have access to your personal data to use appropriate measures to ensure the protection and confidentiality of your personal data. However, you are also responsible for protecting your password and username that you have access to our website. Unfortunately, the transmission of information over the Internet or over the phone may not be entirely secure despite the measures we have taken. Therefore, please keep in mind that the transmission of your personal information via the Internet or by telephone is at your own risk. WHAT RIGHTS DO YOU HAVE With respect to your personal data, you have certain rights with respect to us as provided by the Regulation and other applicable legislation. Sometimes certain rights may arise and be exercised only on certain grounds for processing your personal data; your other rights are subject to certain limitations and exceptions under the law. If you do not understand how we handle your personal information or have any questions, please contact our Data Protection Officer, whose contact details are listed at the end of this Notice in the How to Contact Us section. Under applicable law, you have the following rights: • Right to access personal data related to you • Right to object to the processing of your personal data • The right to request rectification of inaccurate personal data related to you • The right to ask for the deletion of your personal data (the “right to be forgotten”) • Right to request limitation of the processing of personal data relating to you • The right to receive the personal data you have provided to us and which concern you and reuse them by transferring them to another administrator (the “portability right”) • You have the right to complain to the competent supervisory authority or to the court in case your rights are violated or you have been harmed by the unlawful processing of your personal data. When processing is based on your consent, you have the right to withdraw your consent to the processing of your personal data at any time without prejudice to the lawfulness of the processing based on your consent before it is withdrawn. ACCESS TO YOUR PERSONAL DATA You have the right to request: • information on whether data relating to you are being processed, information for the purpose of such processing, the categories of data and the recipients or categories of recipients to whom the data is disclosed; • a message in comprehensible form containing your personal data being processed, as well as any available information about their source. If you have requested, we will provide you with access to the personal data that is being processed in the form of a copy thereof. The copy is free of charge for you. If you request additional copies, we can set a reasonable fee to cover our administrative costs of preparing them. If you have submitted the request by electronic means, we will, if possible, provide you with the information in widely used electronic form, unless you have requested otherwise from us. We do not perform automated decision-making for our customers as a result of automated processing of their personal data. If we do not process your personal data, we will notify you. If we reject your request for a copy of the data, we will set out the reasons for that decision. The exercise of your right of access should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property, in particular the copyright to protect the software. If we consider that there is reason to expect such a negative impact, we may reasonably restrict part of the information we provide to you so that it does not reach us. If we process a large amount of information about you, we may ask you to specify the information or processing activities that are relevant to your request. This will help us to get better and faster, and you will get the data you need. IF YOU OBJECT AGAINST USING AND STORING YOUR PERSONAL DATA You may at any time: • object against the processing of your personal data, if there is a legal basis for that; when the objection is well founded, we will discontinue the processing of your data; • object against the processing of your personal data for the purposes of direct marketing (ie when we make suggestions by telephone, email or mail on our own initiative). If you hav objected to the processing of your personal data based on our legitimate interest or the legitimate interest of a third party (or profiling, if we do so and we will notify you), we may continue processing despite your objection if we can prove that there are convincing legal grounds for processing that have priority over your interests, rights and freedoms, or for the establishment, exercise or protection of legal claims. In the event that data related to you are used for direct marketing purposes, you may, at no cost and at any time, object to processing for this type of marketing (which could include profiling as far as direct marketing is concerned) and we we will stop processing. If you do not wish to receive information and offers about our products, please let us know in writing to us at [gdpr@nedelya.com] or the address at the end of this Notice in the How to Contact Us section, by specifying your name and address/email address. Alternatively, you can claim your refusal to receive unsolicited commercial messages by clicking on the [Unsubscribe] link located at the bottom of each email. RECTIFICATION AND UPDATING YOUR PERSONAL DATA In case we process incomplete or erroneous data, you are entitled at any time to request: • to delete, rectify or block your personal data, the processing of which does not meet the requirements of the law; • to notify third parties to whom your personal information has been disclosed of any erasure, correction or blocking, except where this is impracticable or involves excessive effort. We rely on the accuracy of your personal information you provide to us. If this information changes, please let us know your current personal information at [gdpr@nedelya.com]. DELETION OF YOUR PERSONAL DATA You may request the deletion of your personal data if: • the data are no longer necessary for the purposes for which we have collected them; or • withdraw your consent to process your personal data (and there is no other legal basis for continuing processing); or • you object to us processing your data on our legitimate interest and we can not justify our more important legitimate reasons for processing; or • we process your personal data in violation of the Regulation and the applicable law; or • if under the applicable Bulgarian or European Union law we are obliged to delete your data. We may refuse to delete your data if we need it in connection with a legal claim in order to comply with our legal obligations as in other cases provided for in the Regulation. LIMITING THE PROCESSING OF YOUR PERSONAL DATA You may request that you limit your processed personal data if: • you dispute the accuracy of the data for the period we must verify their accuracy; or • the processing of the data is without legal basis, but instead of deleting it, you want their limited processing; or • you oppose that we process your data on our legitimate interest while we justify our right; • we no longer need these data (for the intended purpose), but you need them for the establishment, exercise or protection of your legal claims. Where processing of your personal data has been limited, we may still proceed with your explicit consent or the establishment, exercise or protection of legal claims or the protection of the rights of another individual or on important grounds of public interest for the European Union or its Member State. RIGHT OF DATA PORTABILITY You may ask us to provide your personal data in an organized, orderly, structured, generally accepted electronic format only if the following two conditions are met: • the processing of your personal data is done in an automated manner (i.e., this right does not apply to the processing of data in paper form); and • processing is based on (a) your consent, or (b) a contract to which you are a party, or to take steps upon your request prior to the conclusion of a contract. You should know that when you exercise the right of portability, this does not result in the deletion of your data from our systems. You will be able to continue to use our services even after the data portability operation. Data portability also does not affect the initial retention period that refers to transmitted data. You may exercise your remaining rights as listed in the legislation and listed here while we continue to process the data. RIGHT OF COMPLAINT If you believe that we are violating the applicable legal framework, please contact us to clarify the matter. Of course, you are also entitled to file a complaint immediately with a European Union supervisory authority where you live, work, or where the alleged violation of your rights has occurred. The Data Protection Supervisory Authority in Bulgaria is the Personal Data Protection Commission, 2, Tsvetan Lazarov blvd. Sofia, postal code 1592). You can seek protection of your rights by legal order. WHAT IT IS IMPORTANT TO KNOW IN THE EXERCISE OF YOUR RIGHTS How to Claim Your Rights To exercise your rights under the Regulation, you can e-mail us at [gdpr@nedelya.com] or send us your inquiry by mail or to bring it to us at the following address: [Sofia, 5, Blaga Vest str.]. Applications in connection with the exercise of your rights are generally submitted by you personally or by an explicitly authorized person. An application may also be made electronically, in accordance with the Electronic Document and Electronic Signature Act. When there are regulatory procedural rules in relation to the exercise of your rights (in the Personal Data Protection Act and other acts) they should also be respected. In what form will we respond? In the form in which they made a request to us – written in hard copy or in electronic form. When you request by electronic means, the information will be provided to you in widely used electronic form, unless you have requested otherwise. When will you get an answer? Within one month of receiving your request, we will provide you with information about what we have done on it. If necessary, this period may be extended by a further two months, taking into account the complexity and the number of requests. If such an extension is necessary, we will notify you within one month of submitting your request, explaining to you why this extension is required. Doubts about your identity. When we have reasonable concerns about the identity of the individual submitting the request to us, we may request the provision of additional information necessary to verify the identity of the data subject. If we do not receive such information and we are unable to identify the data subject, we may refuse to take action on the basis of a request made to us to exercise any of the rights specified in this Notice. PERSONAL INFORMATION OF CHILDREN It is very important for us to protect the privacy of children and we are especially careful in communicating with children. We do not collect personal data from individuals under the age of 16 and in all cases we comply with the law. If you have not reached the specified age, you are allowed to access web pages only with the consent of your parents or guardians. We ask parents to regularly monitor and control the activity of their children on the Internet. If you are a parent and have concerns about the collection or use of personal information about your child, please contact us through the contact details listed in the How to Contact Us section. HOW WILL WE NOTIFY YOU ABOUT CHANGES TO THE CONTENT OF THIS NOTIFICATION We will notify you of any substantive changes in this document through our website and, if possible, in another appropriate manner, so that you are always informed about changes in what personal data we collect, how we use it and under what circumstances we share with others. You may be asked to read and accept these changes before continuing access to our websites. If we would like to use your personal information for significantly different purposes and way to what we have told you, we will also send you a message to the email address you provided us. So you will have the choice whether or not you accept the changes in the use of your personal information. HOW TO CONTACT US Personal data controller is PUOCA "DELIVERY NEDELYA", Bulstat Code: 177328594, City of Sofia, 5, Blaga Vest Street, Accoutable person: Zdravko Georgiev Minchev. PUOCA “DELIVERY NEDELYA” has appointed Data Protection Officer Emilia Usova, email: [gdpr@nedelya.com] Please submit any questions, comments or requests regarding this Privacy Notice to the above mentioned coordinates. Cookie Policy Date of last update: 25.05.2018 How do we use cookies? These rules describe how PUOCA “DELIVERY NEDELYA" uses cookies and related files and technologies on the site, e.g. Local Shared Objects, also known as Flash cookies, web beacons, etc. They are called the generic cookie name (in English "Cookies"). What are Cookies? Cookies are small files of letters and numbers that are sent to your computer or mobile device when you visit a website and are stored on it. Cookies are stored in your browser's file directory. The next time you visit the same site, the browser reads cookies and transmits the information to the website or item that originally set cookies, so you do not have to re-enter your preferences to browse the site. Cookies can not be replicated as a code or used to distribute viruses and can not be accessed through your hardware (hard drive) by using them. To learn more about these technologies and how they work, please visit, for example www.allaboutcookies.org. How do we use cookies? We use cookies on the PUOCA “DELIVERY NEDELYA” website that are placed by us or third parties to provide you with an easier browse. In the next section, you will be able to review your cookie management options. PUOCA "DELIVERY NEDELYA" does not use cookies for any purpose other than those specified in this release. The Company does not use them to collect personal data for any purpose. We use cookies that are sessions (that run out after your session ends and the browser is closed) and permanent (stored on your computer or mobile device for a certain amount of time) and the following cookies: • Functional These cookies are essential to the functioning of our website and are key to making it easier for you to work with it. You can navigate without interruptions, as your chosen language and country will be remembered, and verification of certain parts of the domain will be retained. These cookies also retain products of potential interest when you are redirected to an operator site for a possible purchase. • To improve the site These cookies allow us to improve the website by collecting information on how it is used. We analyse data to determine, for example, the number of unique users reading an article (to know which materials are popular). We also are interested in where our content is accessed, so we know how to organize your site for optimal user convenience. We count clicks on "Like" and "Tweet" and track what content from our sites has been shared or used as a reference. • For Advertisements These cookies help us make the content as customizable as possible, such as displaying target banners or appropriate recommendations. We research what type of referral has been used to reach our site, such as an email campaign or link from a referral site, so we can calculate the performance of your promotions and ad campaigns. In the future, we may extend our promotion to joint promotions with others and allow them to place cookies on our website. Our website may also include items that set cookies on behalf of a third party, e.g. Facebook "Like" button or "Twitter", "Tweet" button. How can I manage cookies? You can view the available cookie management options in your browser. The browser may be used to manage cookies associated with basic features, site improvement, customization, and advertising. Different browsers use different ways to disable cookies, but they are usually found in the Tools or Options menu. You can also explore the browser help menu. In addition to managing cookies, browsers usually allow you to control cookie-like files, such as Local Shared Objects, by enabling your browser's privacy mode. PUOCA "DELIVERY 2018" uses third-party ad cookies to promote its products to other websites. You may choose not to receive certain third-party ad cookies through third-party cookie management sites such as AppNexus, Audience Science, DoubleClick, AdTech, AdOcean, Atlas, Criteo, Facebook, Google Analytics and Adobe Flash. Deactivating cookies may prevent you from using certain areas on the site. How long do we keep the information? This depends on the type of cookies. Session cookie expires when you close the browser. Permanent cookies, including Local Shared Objects (Flash cookies), generally have a validity of two months to several years. Other information In addition to collecting data through cookies, PUOCA "DELIVERY NEDELYA" collects other types of information as described in the DELIVERY 2018 Privacy Notice. It is possible that PUOCA "DELIVERY NEDELYA" will periodically change these rules. In the event of significant changes, at the beginning of this policy and on the homepage of this site, PUOCA “DELIVERY NEDELYA” will publish a message about this change. We recommend that you review these policies periodically to notify you about such changes. If you have additional questions, please contact us by writing to: gdpr@nedelya.com

By closing this message, you agree to the use of cookies on this device in accordance with our policies unless you have banned them.