PRIVACY AND COOKIE POLICY
1. GENERAL PROVISIONS
Information about the personal data administrator: Relux Room OOD is a company registered in the Commercial Register of the Registry Agency with UIC 207471423, with registered office and management address: Sofia, 6 Nikola Vaptsarov Blvd., 2nd floor, represented by Teodora Yordanova
2. We process your personal data on the following grounds:
- A distance contract concluded between us and you, in order to fulfill our obligations under it;
- Explicit consent from you – the purpose is specified for each specific case;
- In case of a statutory obligation
3. In the following paragraphs you will find information about the processing of your personal data depending on the basis on which we process it.
4. The company is a personal data controller, processing personal data in connection with its activities and alone determining the purposes and means of their processing.
5. The Data Protection Officer is: Antoana Bakalova, email: gdpr@reluxeroom.com
6. This privacy and cookie policy (the "Policy") provides information about the personal data that the Company processes and about the terms and conditions under which individuals whose personal data are processed exercise their rights.
7. In relation to this Policy, the following expressions have the following meanings:
"personal data" means any information relating to an identified or identifiable natural person ("data subject");
"processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, dissemination or otherwise making available, restriction, erasure or destruction;
"restriction of processing" means the marking of stored personal data with the aim of restricting their processing in the future;
"pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be associated with a specific data subject;
"personal data register" means any structured set of personal data, access to which is carried out according to a certain arrangement or criterion;
"controller" means a natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data;
"processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
"recipient" means a natural or legal person or other entity to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as "recipients"; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;
"third party" means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data;
"data subject's consent" means any freely given and informed indication of the data subject's wishes by which he or she signifies agreement to personal data relating to him or her being processed;
"personal data breach" means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data;
"supervisory authority" means an independent public authority established by a Member State pursuant to Article 51 of the General Data Protection Regulation.
8. The principles related to the processing of personal data are:
principle of lawfulness, fairness and transparency of personal data processing - the collection of personal data must be within the limits of what is necessary. The information is collected in a lawful and objective manner;
principle of data minimization, as well as limitation of purposes and storage – personal data must not be used for purposes other than those for which they were collected, except with the consent of the individual or in cases expressly provided for by law. Personal data must be stored for a period no longer than is necessary for the purposes for which the personal data are processed;
principle of accuracy – personal data must be precise, accurate, complete and up-to-date, to the extent necessary for the purposes for which they are processed;
principle of integrity and confidentiality – personal data must be processed in a manner that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.
9. Personal data of the customers-individuals of the Company's e-store are processed in the "CLIENTS" and "Sellers" registers.
CUSTOMER SUBREGISTER
10. The "CUSTOMER" sub-register refers to buyers, as well as returns from buyers, and the following categories of personal data are processed:
- the user's IBAN – for the return of relevant amounts in the event of complaints and/or cancellation of the contract;
- telephone;
- address;
- first and last name;
- email;
- IP address – location, country;
- User order number.
(2) The data under 10. (1) are processed on the basis of Art. 6, para. 1, letter b) of the GDPR and for the purpose and performance of the distance contract concluded between the Company and a consumer within the meaning of DIRECTIVE 2011/83/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council, as well as for the purposes of concluding the same. The data are also processed for the purpose of fulfilling the Company's obligations arising from the Bulgarian Accounting Act, which is available on the following website: https://www.minfin.bg/en/998?p=1
(3) The data are also processed for the purpose of marketing activities, only after explicit consent for processing for the purpose of marketing activities has been provided. The consent under the previous sentence is provided in electronic form by marking on the home page of the Company's website or from the user's profile in the "Settings" menu a selection of the relevant types of cookies. The consent provided under this provision may be withdrawn by a user at any time by marking on the home page of the Company's website or from his profile in the "Settings" menu.
(4) If explicit consent is provided in electronic form by marking on the home page of the Company's website or from "Settings" by a user for the processing of his personal data for the purpose of marketing activities, the user agrees that the data specified in (1) will be processed for the purpose of offering goods and services to the user by email, by telephone, at his address and/or through a newsletter sent by email, a survey for the purpose of researching the goods offered, as well as for conducting business analyses, tracking user behavior, the preferences of the latter, as well as advertising products and services offered by the administrator.
(5) The Company does not have access to card data, as well as to the authentication data when paying with a credit or debit card and does not register or store them in any way. The Company uses certified external providers of these services.
(6) If explicit consent is provided by a user to the processing of his personal data for the purpose of marketing activities through the use of cookies, the user agrees that the data specified in (1) will be processed for the purpose of tracking his behavior, the latter's preferences, as well as advertising.
(7) The data under (1) may be processed on the basis of Art. 6, para. 1, letter f) of the GDPR for the purpose of identifying a user-subject of personal data upon activation of personal or other vouchers for discounts and reductions, upon performance of the distance contract concluded between the Company and a user within the meaning of DIRECTIVE 2011/83/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council
11. (1) Personal data in the SUBREGISTER "CUSTOMER" are processed on an electronic medium.
(2) Personal data under Art. 6, para. 2 of the Policy are collected by the users themselves in specially developed software for orders and are stored in electronic form on a server rented by the Company, located in the cloud with services provided by Shopify, on servers provided through Amazon and Google services, for a period of 10 years, starting from January 1 of the year following the year of the occurrence of the relevant legal relationship, on the basis of Art. 12, para. 1, item 2 of the Bulgarian Accountancy Act, which is available on the following website: https://www.minfin.bg/en/998?p=1 . After the expiration of the storage period and provided that there are no documents subject to transfer to the State Archives of the Republic of Bulgaria, all data carriers from the register are destroyed by an appropriate method, including deletion of backup electronic copies.
(3) Personal data under Art. 6, para. 3 (with the exception of IP address) of the Policy are collected by the users themselves in the specially developed ordering software and are stored for the periods specified below in this Policy.
12. (1) The administrator assigns the processing of personal data in the sub-register "CUSTOMER" to persons appointed under an employment relationship. The rights and obligations of the individual persons processing the data are specified in the relevant job description.
(2) The administrator provides a minimum amount of personal data for the purposes of courier services for the performance of a contract for such services to licensed courier companies in the relevant country of the user's location.
(3) Access to personal data of a person from the sub-register "CUSTOMERS" is granted to third parties upon order of a competent European law enforcement authority, court and/or on the basis of a specific regulatory act.
13. (1) For the purposes of providing virtual telephony or "cloud" telephony services (Cloud based VoIP telephony) and recording all telephone conversations and messages exchanged between the Company and the users, and on the basis of a contractual relationship between the Company and a licensed provider of the aforementioned services, the Administrator may disclose a minimum amount of personal data from this Policy to the provider of the virtual or "cloud" telephony that will be used.
(2) The data under para. 1 shall be stored in electronic format on the provider's servers in compliance with the requirements of the applicable EU and EEA legislation regarding the protection of personal data. The term for storing the data by the processor under para. 1 shall be up to 6 (six) months.
14. (1) For the purposes of implementing a ticketing system at the "Customer Center/Customer Service" department, including recording electronic messages from and to users and on the basis of a concluded contract with such a subject matter, the Administrator assigns the processing of personal data under Art. 6 of this Policy to a processor.
(2) The data under para. 1 shall be stored in electronic format on servers located in the cloud – EU and USA and in compliance with the requirements of the applicable EU legislation regarding the protection of personal data, based on standard contractual clauses. The term for storing the data by the processor under para. 1 shall be up to 6 months
15. (1) Upon explicit consent provided by a user, namely - in electronic form by marking the Company's website, users receive messages about promotions, campaigns or sales of certain goods via a newsletter received by email or receive such information by telephone, their behavior on the site and their preferences are studied.
(2) The persons processing the data for the purpose of performing the actions under para. 1 are also Shopify's automatic software, Klaviyo email campaign software, as well as persons appointed under an employment relationship with the Company. The rights and obligations for processing the data under the previous sentence are regulated in the job descriptions of the persons.
16. (1) Marketing activities related to the analysis of user behavior and advertising upon explicit consent, namely in electronic form by marking in the bar at the bottom of the home page of the Company's website or from "Cookie Settings" of this Policy are also carried out by processing data that do not allow the identification of a natural person (e.g. name, surname, phone number, address, etc.), but through the user's activity through the relevant browser through so-called cookies or advertising banners, which contains the following data: events related to the activity of the Company's website (number of pages viewed on the website, products viewed on the website, searches on the Company's website); information related to the user's device (device type, operating system and version); approximate location extracted from the IP address.
(2) The activities under para. 1 are carried out through the so-called "cookies", which are used by the Company or by third parties - partners of the Company. Cookies are small packets of information sent from the pages of the website to the browser of a user and are stored on his device. In addition to "cookies", in some cases the Company may also use pixel tags or other similar technologies. Pixel tags are miniature images that can be included in the sites, services, applications and messages of the Company, which usually function together with "cookies". All these technologies are referred to as "cookies" in this Privacy and Cookie Policy.
(3) The Company uses two types of cookies: necessary and functional.
(4) For the processing of data under para. 1 through cookies and advertising banners, the user must provide his/her explicit consent to the use of cookies. The provision and withdrawal of consent does not apply to the use of necessary cookies, since without them the Company's website cannot function for technical reasons. If a user does not agree with them, he/she should close the Company's website.
17. If explicit consent is provided by a user in electronic form, by filling in the details of the debit or credit card for payments, the full volume of data about the User's card will be stored and processed by an external operator of banking and financial services licensed to the company - STRIPE or another, which is also the actual administrator of the received data about the user's card. The user may at any time withdraw his consent to the processing of his card data by contacting the operator and requesting deletion, according to the latter's rules, available on its official website.
18. Necessary cookies ensure the functioning of the site by providing the ability to log in to the profile of a relevant user on the site and to process orders placed, view old orders, returns and other essential functions of the website.
19. (1) Functional cookies collect information about the preferences, interests and behavior of users of the site. This allows the Company to personalize the content and products offered. Through these cookies, the Company receives information on how to make the site more convenient for users and make their stay on the site more pleasant. Functional cookies are of two main types - analytical and advertising.
(2) Analytical cookies collect statistical information about site traffic, such as the number of visits, the popularity of pages, traffic sources, time spent on and exiting the site, and the way in which users use traffic sources, so that we can assess and improve the effectiveness of our site. The data that cookies collect is completely anonymized and users cannot be identified through them. The company collects information through analytical cookies in order to improve the user experience of the site.
(3) Advertising cookies are created by companies with which the Company works to improve the effectiveness of its advertising campaigns. Through them, the Company receives information about user interests in order to display advertisements relevant to users.
(4) The analytical and advertising cookies that the Company uses - its own and those of third-party partners - are the following:
Shopify
The website, including all data collected through it, is located (hosted) on a server of "Shopify Inc". Here - https://www.shopify.com/legal/privacy you can see complete information about the company and its privacy policy.
Google Analytics
We use Google Analytics to collect statistical information about Website Users, such as the website from which you came to our Website, the country you are in, your language, online behavior, the browser you use, the network, etc. This information does not include personal data and you cannot be identified through it. We collect the said data to analyze what type of Users use the Website and how they use it, which helps us personalize the Service.
You can opt out of the use of your data by Google Analytics using the Google Analytics opt-out browser add-on for the Google Analytics JavaScript (ga.js, analytics.js, dc.js). If you would like to opt out, please download and install the add-on for your web browser.
By agreeing to use our service, you express your explicit consent to our use of Google Analytics on the Website, including Display Advertising, and you declare that you have been given the opportunity to opt out of Google Analytics.
Facebook Pixel
We use Facebook Pixel to collect statistical information about site visits, which we need to improve the implementation of the Platform's mission by providing online services and information at the right time to people interested in them.
Here you can see complete information about the company and its privacy policy.
Klaviyo
Our e-mail newsletter, including the names and e-mail addresses of all subscribers registered in it, is located on Klaviyo's servers and is sent through them. We need to collect this data from users who explicitly provide it in order to be able to send the newsletter, which contains useful information and sometimes informs about products or services that subscribers can purchase. Each newsletter subscriber receives links contained in each newsletter letter that allow them to see what data about them we store in the Klaviyo system, as well as to delete it and stop receiving the newsletter. You can see full information about the company and its privacy policy here.
20. The use of websites and their cookies is a dynamic process that seeks to catch up and meet user behavior on the Internet. Therefore, at different times (campaigns, promotional periods, etc.), the Company may use the following websites and their cookies:
Google AdWords – a remarketing and behavioral targeting service provided by Google LLC., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. With this service, the Company's advertising activity is connected to the AdWords advertising network using cookies. Information about the use of this site, acquired through cookies, is transmitted to and stored by Google LLC., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (data processor) on servers located in the EU. Google LLC processes the data in compliance with the requirements of applicable EU legislation regarding the protection of personal data and on the basis of standard contractual clauses.
Facebook and Instagram - This application uses Social Plugins ("Plugins") of the social networks facebook.com and instagram.com, which are operated by Facebook Inc., Menlo Park, California, USA. ("Facebook"). Plugins can be recognized by the Facebook logo (white "f" on a blue background or "thumbs up") or are marked with "Facebook Social Plugin".
When a user visits a website, their browser will immediately establish a direct connection with the Facebook servers. The content of this Plugin will be transmitted directly from Facebook to the user's browser, which will connect them to the website.
By connecting to these Plugins, Facebook receives information that the respective Company page or platform has been visited. If a user is logged in to their Facebook account, Facebook can assign this visit to their profile. If a user interacts with these Plugins (e.g. clicks the "Like" button or writes a comment), the corresponding information will be immediately transferred from their browser to Facebook and stored there. If the user is not logged in to Facebook, Facebook still has the possibility of determining their IP address and storing it.
These Facebook Plugins can be integrated by website operators into their own websites or platforms. By clicking on these Plugins, Facebook users can automatically leave a message on their Facebook profile that they like the information from the website operator's links. The Facebook Plugin connected to the website "communicates" with Facebook and sends the data to Facebook when the website is visited - even if the user has not clicked on the Plugins.
Through a so-called iFrame link, the browser loads an additional, smaller “page within the page” in addition to the page that is being started, which contains the respective Plugin. In the case of a Plugin belonging to Facebook, this iFrame link or the source text originates entirely from Facebook and cannot be controlled or processed by the Company.
If the user is not logged into Facebook or is not registered there at all, a cookie is still placed, which cannot be recognized and is valid for two years.
If the browser later reconnects to the social network server, the cookie is transferred and can help create a profile. For users who register later, a link to the information contained in the cookie is also possible.
If the user is logged into the current Facebook session, information about both the page and the cookie is transmitted - and it is possible that this session identification information can be assigned to the relevant account.
For information on rights and settings options for protecting personal data, the user should contact Facebook Inc. or follow Facebook's privacy instructions at the following address: https://www.facebook.com/policy.php .
With Add-ons, the user can block Facebook-Social-Plugins for their browser, for example using the “Facebook Blocker”. Facebook Inc. processes the data in compliance with the requirements of the applicable EU data protection law and on the basis of standard contractual clauses.
RTB House – a retargeting service, for analyzing the traffic to the Company's website and so-called retargeting technologies, offered for the Company's markets in Bulgaria, Romania and Greece by RTB House SA with business seat in Warsaw, Poland (postcode: 00-819) at Złota 61/101 (data processor). This technique allows Internet users who have already shown interest in the Company's store and its products to receive relevant advertising on the websites of the Company's partners. The use of this advertising approach is based on cookie technology and analysis of previous usage behavior. This form of advertising is fully pseudonymous and does not process data that allows the identification of a natural person. RTB House processes data in compliance with the requirements of applicable EU legislation regarding the protection of personal data and on the basis of standard contractual clauses.
III. SUBREGISTER "SELLERS"
21. The "Sellers" sub-register processes personal data of individuals who offer their own items for sale to the Company, and the data is processed on a legal basis, in fulfillment of the Company's obligations arising from a regulatory act, namely: Obligations and Contracts Act, Accounting Act, Personal Income Tax Act, Corporate Income Tax Act.
22. (1) The following categories of personal data are processed in the "Sellers" sub-register:
- three names for citizens of the Republic of Bulgaria, respectively – two names for citizens of other countries;
- Personal Identification Number (PIN) for persons on the territory of the Republic of Bulgaria and date, month and year of birth for persons who are citizens of other countries;
- email;
- permanent/primary address;
- telephone;
- the tax identification numbers and the relevant Member State or partner jurisdiction, or in the absence of a number, the place of birth;
- the VAT identification number, if any;
- the identifier of the financial account to which the remuneration is paid or credited, unless the competent authority of the Member State or partner jurisdiction where the seller is resident has declared that it does not intend to use that identifier for the same purpose;
- the name of the holder of the financial account to which the consideration was paid or credited, where different from the name of the seller, as well as any other financial identification information with respect to that account holder;
- any Member State or partner jurisdiction in which the seller is resident;
- the Member State or Member States in which the seller has a place of business through which he carries out relevant activities in the European Union.
(2) The data under para. 1 are processed to achieve the goals of fulfilling a purchase and sale contract concluded between the Company and the seller, of obligations for the Company, provided for in the Bulgarian Obligations and Contracts Act, the Accountancy Act, the Personal Income Tax Act, the Obligations and Contracts Act and in the European regulatory acts.
23. (1) Personal data in the "Sellers" sub-register are processed on an electronic medium.
(2) Personal data under Art. 22 of the Policy are collected by the sellers themselves on the Company's website and are stored in electronic form on a Shopify Inc server for a period of 10 years, starting from January 1 of the year following the year of the occurrence of the relevant legal relationship, on the basis of Art. 12, para. 1, item 2 of the Bulgarian Accountancy Act.
24. (1) The Administrator assigns the processing of personal data under Art. 22, para. 1 of this Policy in the “Sellers” sub-register to persons appointed under an employment relationship. The rights and obligations of the persons processing the data are specified in the relevant job description.
(2) For the purposes of sending the goods from the seller to the Company, the Administrator provides a minimum amount of personal data on the basis of a courier service contract to licensed courier and postal service operators with headquarters in the EU.
(3) The recipient of data from the “Sellers” sub-register is the National Revenue Agency of the Republic of Bulgaria. In fulfillment of its legal obligations for tax and accounting reporting, under certain conditions the Company is obliged to report information on Sellers who have thirty or more sales (sales of a minimum of thirty items) or for whom the total amount of the paid or credited remuneration from sales exceeds EUR 2,000 (two thousand euros) per calendar year. Therefore, the Company may require these Sellers (including in advance) to submit a certain amount of additional data.
(4) Access to personal data of a person from the "Sellers" sub-register is provided to third parties - competent European authorities, a court and/or on the basis of a specific regulatory act.
IV. RIGHTS OF DATA SUBJECTS AND PROCEDURE FOR THEIR EXERCISE
25. Personal data subjects have the following rights regarding their personal data:
right to information;
right of access;
right to rectification;
right to data portability;
right to erasure (right to be forgotten);
right to request restriction of processing;
right to object to the processing of personal data;
the right of the subject not to be subject to a decision based solely on automated processing, including profiling.
26. (1) In connection with the above right, every natural person, a data subject, has the right to obtain information about the data controller and about the processing of his or her personal data. This information includes:
data identifying the controller, as well as his contact details, including the contact details of the data protection officer;
the purposes and legal basis for the processing;
the recipients or categories of recipients of the personal data, if any;
the controller's intention to transfer personal data to a third party (where applicable);
the period of storage of personal data;
the existence of automated decision-making, including profiling (if any);
information about all the rights that the subject has;
the right to complain to the supervisory authority.
(2) The information under paragraph 1 shall not be provided if the data subject already has it.
(3) When a request for information is made by a data subject, the Company, together with the data protection officer, shall carry out the necessary verification and provide a response with the required information within 14 (fourteen) days, but no later than 30 (thirty) days from the date of receipt of the request. If necessary, this period may be extended, taking into account the complexity and number of requests from a particular person. The Company shall inform the person of any such extension within one month of receipt of the request, indicating the reasons for the delay. The request must contain identification of the person (three names and personal identification number for Bulgarian citizens, and for all other persons - citizens of other EU member states - names and date of birth), a description of the request, a preferred form for providing access to personal data, signature, date, email, correspondence address and power of attorney. The request is entered in a separate incoming register of the Company and can be submitted in one of the following ways: a) electronically to the following email: gdpr@reluxeroom.com b) on site at the Company's office at the registered address.
(4) The report shall be provided in one copy to the data subject free of charge. For additional copies requested by the data subject or in the event of excessive requests by the subject, especially due to their repetitive nature, the Company may charge a reasonable fee in the amount of the administrative costs incurred.
(5) When providing a copy of personal data, the Company may not disclose the following categories of data:
- personal data of third parties, unless they have expressed their explicit consent to this;
- data that constitutes a trade secret, intellectual property or confidential information;
- other information that is protected under applicable law.
(6) The validity and excessiveness of a given request is assessed separately for each case by the Company.
(7) In case of refusal to provide access to personal data, the Company shall justify its refusal and inform the data subject of his right to file a complaint with the supervisory authority.
27. (1) Data subjects may request that their personal data processed by the Company be corrected in the event that the latter are inaccurate or incomplete.
(2) Upon a satisfied request for correction of personal data, the Company shall notify the recipients of data to whom such data has been disclosed.
(3) The right under paragraph 1 shall be exercised by submitting a request pursuant to the procedure set out in Art.
28. (1) Every natural person, a subject of personal data, has the right to request the erasure of his or her data, the so-called "right to be forgotten", if one of the following conditions is met:
the personal data of the individual are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws his or her consent on which the processing of the data was based and there is no other legal basis for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data has been processed unlawfully;
the personal data must be erased for compliance with a legal obligation under EU law or the law of a Member State to which the controller is subject;
the personal data were collected in connection with the provision of information society services to children and consent was given by the person with parental responsibility for the child.
(2) The right under paragraph 1 is exercised by submitting a request in accordance with the procedure described in this policy.
29. (1) Every natural person, a subject of personal data, has the right to restrict the processing of his or her personal data by the controller, but for this purpose specific conditions are necessary, including:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful but the data subject does not wish the personal data to be erased but requests instead the restriction of their use;
- the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
- the data subject has objected to the processing pending verification of whether the legitimate grounds of the controller override the interests of the data subject.
(2) In the cases under paragraph 1, item 1, the restriction of processing shall be for a period that allows the administrator to verify the accuracy of the personal data.
(3) The right under paragraph 1 is exercised by submitting a request in accordance with the procedure described in this policy.
30. (1) Every natural person, a data subject, shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit or request the transmission of such data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent or a contractual obligation and the processing is carried out by automated means.
(2) The rights under paragraph 1 are exercised by submitting a request in accordance with the procedure described in this policy.
31. (1) The data subject has the right to object to the processing of his/her personal data by the Company if the data is processed on one of the following grounds:
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the processing is necessary for purposes related to the legitimate interests of the Company or a third party;
- data processing includes profiling.
(2) The administrator shall terminate the processing of personal data unless he proves that there are compelling legitimate grounds for its continuation which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
32. (1) Every natural person, a subject of personal data, has the right to be notified, and the Company is obliged to notify the subject, in the event of a breach of the security of his or her personal data and when there is a likelihood that this breach will result in a high risk to the rights and freedoms of the data subject.
(2) The notification under paragraph 1 shall be made without undue delay after the breach is discovered and shall contain a description of the nature of the personal data breach, the name and contact details of the data protection officer, the consequences of the breach and the measures taken by the Company to address the breach and to mitigate any adverse consequences.
33. In case of violation of your rights or the applicable legislation on personal data protection, you have the right to file a complaint with the Personal Data Protection Commission or the relevant Data Protection Authority in your country. More information can be found on the website of the CPDP: www.cpdp.bg.
Last updated: January 31, 2025.