We consider guaranteeing the right to the protection of personal data to be a fundamental commitment of the Association for Production, Storage and Trading of Electricity (APSTE), which is why we will use and invest all necessary means and efforts to process your data in full compliance with Regulation (EU) 2016/679 (“EU General Data Protection Regulation” or “GDPR”) and any other applicable Bulgarian legislation. As one of the key principles of this legal framework is transparency, we have prepared this document to inform you about how we collect, use, transfer and protect your personal data when you interact with us.
Who are we and how to contact us?
Association for Production, Storage and Trading of Electricity (APSTE), hereinafter referred to as “we”, UIC 205926677, with registered seat and management address at: 28 Hristo Botev Blvd., floor 4, Sofia 1000, Bulgaria.
As your opinions are always important to us and we are always willing to provide you with any additional information you may require in relation to the processing of your data, we encourage you to contact us at firstname.lastname@example.org.
Which categories of personal data do we process?
You voluntarily provide your personal data to the processor. The information we receive from you is as follows:
We do not collect or otherwise process sensitive data included in special categories of personal data in the General Data Protection Regulation. Furthermore, we do not want to collect or process data of individuals under the age of 16.
What are the purposes and grounds of the processing, respectively what data do we process for them?
We process your personal data on the following grounds:
– establish your identity;
– management and fulfilment of the contract;
– preparing and sending a bill/invoice for the services you use with us;
– collection of amounts due for services used;
– saving the correspondence regarding orders placed, processing requests, reporting problems, etc.
– notification of everything related to the services you use with us;
– customer history analysis;
– identifiable and/or preventable unlawful acts or acts contrary to our terms and conditions for the relevant services;
– measures to protect the website and users of the Resource-southeast.eu platform against cyber-attacks;
– measures to prevent and detect fraud attempts, including the transmission of information to competent public authorities;
– measures to manage various other risks.
For this purpose, we process the following personal data:
The processing of this data is mandatory in order for us to conclude the contract with you and fulfil it.
We provide personal data to the following personal data controllers:
– postal operators and courier companies;
– people who maintain software and hardware, used to process personal data and necessary for the company’s activities;
– people providing consultancy services in various fields.
We process your personal data on this basis only after your explicit, unambiguous and voluntary consent. We do not foresee any adverse consequences for you if you refuse the processing of personal data.
The consent is a separate basis for processing your personal data and the purpose of the processing is stated in it. If you give us the relevant consent and until it is withdrawn or any contractual relationships with us are terminated, we will provide your contact details to other participants in APSTE events and we will make product/service offers that are relevant to you.
Improving our services
We would always like to offer you the best experience. To do this we may use certain information about your behaviour, ask you to complete satisfaction surveys or conduct market research and surveys directly or with the help of partners.
We base these activities on your consent and with regard to our legitimate interests in conducting business, always ensuring that your fundamental rights and freedoms are not affected.
We would like you to always be aware of the best offers for the products/services you are interested in. In this respect, we can send you all kinds of messages via electronic messaging channels (e-mail / SMS / mobile push / webpush, etc.) that contain general and thematic information. We always ensure that this processing is carried out in compliance with your rights and freedoms, and that the decisions taken in relation to them do not give rise to any legal consequences for you and do not affect you in a similarly material way.
In certain situations, we may base our marketing activities on our legitimate interest in promoting and developing our business. In any case, when we use your information for our legitimate interests, we take care and take the necessary measures to ensure that your fundamental rights and freedoms are not affected. However, you may stop the processing of your personal data for marketing purposes at any time and we will respond to your request.
On this basis, we only process the data for which you have given us your explicit consent. The specific data is determined on a case-by-case basis. Typically these data is:
Provision of data to third parties
By giving your consent, you voluntarily agree to us sharing your personal data with other participants in APSTE events.
Withdrawal of consent
The consent given may be withdrawn at any time. The withdrawal of consent shall have no effect on the fulfilment of the contractual obligations. If you withdraw your consent to the processing of your personal data for any or all of the ways described above, we will not use your personal data and information for the above purposes. The withdrawal of consent does not affect the lawfulness of processing based on consent given prior to withdrawal.
How long do we keep your personal data?
We delete data collected on this basis at your request or 36 months after its initial collection. If you withdraw your consent, we will respond to that request by keeping certain information where required by the applicable law or legitimate interests.
The main reason for these types of processing is our legitimate interests related to the protection of our commercial activities, with the proviso that we guarantee that any measures we take ensure a balance between our interests and your fundamental rights and freedoms.
There may be a legal obligation for us to process your personal data. In these cases, we are obliged to carry out the processing in accordance with the regulations on measures against money laundering, personal data protection, accounting and tax legislation, legal proceedings, etc.
We delete the data collected pursuant to a legal obligation once the obligation to collect and store is fulfilled or no longer exists. Where we are legally obliged to do so, we may disclose your personal data to the competent government authorities or other persons.
Who do we send your personal data to?
If we are required to do so by law, or if it is necessary to protect our legitimate interests, we may also disclose certain personal data to public authorities.
We ensure that access to your data by private third-party entities is carried out in accordance with the legal provisions in the field of data protection and confidentiality of information on the basis of contracts concluded with them.
To which countries do we transfer your personal data?
We currently store and process your personal data in Bulgaria.
However, some of your personal data may be transferred to entities located within or outside the European Union, including countries for which the European Commission has not recognized an adequate level of data protection.
We will always take steps to ensure that any international transfer of personal data is carefully managed to protect your rights and interests. Transfers of data to service providers and other third parties will always be protected by contractual obligations and, where appropriate, other guarantees such as standard contractual clauses issued by the European Commission or certification schemes such as the Privacy Shield for protection of personal data transferred from the EU to the United States of America.
You can contact us at any time using the contact details set out above to find out which countries we transfer your data to and what safeguards we apply in relation to those data transfers.
How do we protect the security of your personal data?
We are committed to ensuring the security of personal data by implementing appropriate technical and organisational measures in compliance with industry standards.
We store your data on secure servers using the latest encryption algorithms and ensure backups are kept.
We use the Stripe payment service. All payment information is encrypted using SSL technology.
Despite the measures we implement to protect your personal data, we are aware that, in general, the transfer of information over the Internet or other public networks is not completely secure, and there is a risk that the data could be viewed and used by unauthorized third parties. We cannot accept responsibility for these vulnerabilities on systems not under our control.
What are your rights?
The General Data Protection Regulation recognises a number of rights in relation to your personal data. You can request access to your data, the correction of errors in our files, and/or object to the processing of your personal data. You may also exercise your right to lodge a complaint with the competent supervisory authority or with the courts. Depending on the case, you may also have the right to request the erasure of your personal data, the right to restrict the processing of your data and the right to data portability.
To exercise your rights, you can contact us using the contact details above. Please note the following if you wish to exercise these rights:
Identity. We take the privacy of all records containing personal data seriously. For this reason, we ask that you send us your requests regarding these records using our email address. Otherwise, we reserve the right to verify your identity by requesting additional information to confirm it.
Charges. We will not charge a fee for exercising any rights in relation to your personal data, except where your request for access to information is unreasonable, repetitive or unnecessarily repetitive, in which case we will charge a reasonable amount. We will inform you of any applicable fees before we consider your request.
Deadline. We plan to respond to all valid requests within one month, unless the request is particularly complex, or if you have made multiple requests, in which case we will respond within a maximum of two months. We will let you know if we need more than one month. We may ask you to tell us exactly what you want to receive or what you are worried about. This will help us to act more quickly and shorten the time it takes to respond to your request.
Third Party Rights. We will not need to respond to a request if it adversely affects the rights and freedoms of other data subjects.