PRIVACY POLICY OF

„VESTMAN“ LTD

“VESTMAN” LTD (hereinafter referred to as “the Company” or “the Administrator”) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data (General Data Protection Regulation). This policy aims to inform the persons whose personal data are collected about the scope, purposes, grounds, terms of data storage and the rights of the same persons in relation to the processing of their personal data.

I. Definitions.

“Personal Data” is any information relating to an identified natural person or an identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person.

“Processing of personal data”: any action or set of actions that the Company performs with respect to personal data by automatic or non-automatic means (such as collecting, recording, organizing, grouping, storing, adapting, updating or correcting, amending, restoring, consulting, use, disclosure by transmission or provision, distribution, combination, blocking, deletion, destruction, etc.).

II. Personal data administrator.

“VESTMAN” LTD is a personal data administrator within the meaning of Regulation (EU) 2016/679 and in this capacity collects, records, stores, destroys or otherwise processes personal data.

We provide you with the following information regarding the administrator of your personal data:

Designation: „VESTMAN“ LTD

Unique identifier: 115500254

Address: Plovdiv, 47 „Iztochen“ bul.

Web page: Mebelpoint

E-mail: mebelpointeu@gmail.com

Telephone: 0878326010

III. Basis and purposes for processing and storing your personal data.

The company collects and processes the personal data of the following categories of persons:

  • Workers and employees of the Administrator;
  • Persons with whom the Company has concluded civil contracts;
  • Individuals who applied for a job with the Administrator;
  • Natural persons – counterparties of the Company, as well as the representatives or proxies of the representatives of counterparties – legal entities;
  • Persons – visitors to the Company’s sites;
  • Data for persons using the contact form on the Company’s website.

  1. The company collects and processes personal data for its workers and employees, namely: first name, middle name and last name; EGN; address; contact phone number and/or email address; data related to the qualification of the worker (language proficiency certificates), data on the validity of a motor vehicle driving license; professional experience – previous employment, including position held, duration, duties; information for children up to 3 years old; information related to leave according to labor legislation – birth of a child, marriage, death of a loved one; information on the criminal history, including convictions and punishments only of workers who hold accounting positions or other positions where the position or profession held is incompatible due to an imposed penalty; information related to the exercise of employment – amendments to the employment contract, duties, working hours, vacations, violation of work rules, imposed disciplinary penalties; financial information – bank account, information on liens, if any; health data: state of health, TELK decisions, medical certificates, hospital sheets.

The administrator processes personal data on the following grounds:

– Compliance with a legal obligation that applies to the Administrator in the field of tax, insurance and labor law – art. 6, par. 1, letter “c” of the Regulation;

– The processing is necessary for the conclusion and execution of an employment contract to which the data subject is a party – Art. 6, par. 1, letter “b” of the Regulation;

– With regard to the processing of data on the health status of the company’s employees, the relevant special ground is described in Article 9, paragraph 2, letter “b” of the Regulation, namely: “The processing is necessary for the purposes of fulfilling the obligations and exercising the special rights of the controller or the data subject under labor law and social security and social protection law, to the extent permitted by Union law or the law of a Member State, or pursuant to a collective agreement in accordance with the law of a Member State, which provides for appropriate safeguards for the fundamental rights and interests of the data subject”.

The personal data in the Register are collected by the persons with whom the employment contract is concluded. The personal data is transmitted by the data subject to the Administrator and/or to an external accounting firm that is the Processor of the personal data.

  2. The company collects and processes the personal data of the persons with whom a civil contract has been concluded.

The administrator collects and processes the following personal data: first name, middle name and last name, Personal Identification Number, address, telephone and/or contact email.

The administrator collects and processes the personal data of these persons on the following grounds:

– Compliance with legal obligations that apply to the administrator in the field of tax and social security law – Art. 6, par. 1, letter “c” of the Regulation;

– The processing is necessary for the performance of a contract to which the data subject is a party – Art. 6, par. 1, letter “b” of the Regulation;

The personal data in the Register are collected by the persons with whom a civil contract is concluded. The personal data is transmitted by the data subject to the Administrator and/or to an external accounting firm that is the Processor of the personal data.

  3. The company collects and processes the personal data of individuals who have applied for work with the Administrator.

The personal data that the Administrator collects are: first name, middle name and last name; data related to the worker’s qualifications (certificates of language proficiency, professional or academic recommendation); certificate of proficiency in a foreign language; contact phone number and/or email address; professional experience – previous employment, including position held, duration, duties.

The company collects and processes the personal data of job applicants on the basis of Art. 6, par.1, letter “b” of the Regulation, namely: the processing is necessary to take steps at the request of the data subject before the conclusion of a contract.

The personal data collected are collected from the job candidates when they apply for a position announced by the Company, through the services of intermediaries for hiring workers (jobs.bg, zaplata.bg, etc.) or through the means of direct communication – email, by mail, in person at the Company’s office.

  4. The administrator collects and processes the personal data of its counterparties – natural persons, as well as the representatives or proxies of the representatives of counterparties – legal entities.

The personal data collected and processed are: first name, middle name and last name; permanent and/or correspondence address; telephone; email.

Personal data are collected and processed for the purpose of concluding and executing contracts with counterparties; accounting, as well as for tax purposes and with a view to carrying out extrajudicial and/or judicial collection of the amounts due and protecting the interests of the Administrator as a subject of private law, as well as with a view to exercising his contractual rights and obligations.

In the event that contracts are concluded by a proxy and a notarized power of attorney is presented, the following data are collected for the authorizer and the authorized person: first name, middle name, last name, personal identification number (date of birth), ID card number, date of issue.

The Administrator collects, processes and stores Personal Data of its counterparties on the following grounds:

– The processing is necessary for the performance of a contract to which the data subject is a party/the company represented by him is a party or to take steps at the request of the data subject before concluding a contract – Art. 6, par. 1, letter “b” of the Regulation;

– The processing is necessary to comply with a legal obligation that applies to the administrator, as the Company is obliged to collect certain data in fulfillment of the requirements of the Accounting Act, the Obligations and Contracts Act, the Commerce Act, the Public Procurement Act, etc. – Art. 6, par. 1, letter “c” of the Regulation;

The personal data in the Register are collected by the persons with whom they are a party to a contract. The personal data is transmitted by the data subject to the Administrator and/or to an external accounting firm that is the Processor of the personal data.

  5. The Company collects and processes data on the physical identity (physical appearance, characteristic external marks and human speech) of persons visiting the Administrator’s facilities, by means of video surveillance carried out directly by the Administrator on the territory of the Company’s facilities.

Personal data is collected for the purpose of: ensuring the security of the Administrator’s personnel and property; observance of public order by all persons located on the territory of the Company’s facilities; work process control and network and information security assurance; providing an opportunity for the assistance of the competent state authorities in case of need.

The Company collects, processes and stores the data regarding the physical identity of natural persons – visitors to the Company’s sites, on the basis of Article 6, Par. 1, Letter “e” of Regulation (EU) 2016/679 – “the processing is necessary for the purposes of the controller’s legitimate interests”, namely:

– guaranteeing the security of the employees and protection of the company’s property, including the prevention of possible criminal acts or notification by the administrator of such acts to the competent authorities;

– ensuring network and information security in the enterprise;

– achieving control of the work process and access to the workplace;

In accordance with the requirements of the law, warning signs have been placed for the ongoing video surveillance.

The administrator does not place cameras or other video surveillance equipment in rest rooms, sanitary and service rooms.

  6. The Company collects and processes the personal data of individuals who correspond with the Administrator, using the contact form on the Company’s website.

The personal data collected are: first name, middle name, last name and email.

Personal data is collected for the purpose of:

– Carrying out full correspondence and addressing a reply to the author of the message.

– Taking steps in connection with the conclusion of a contract.

The Company collects, processes and stores the personal data of individuals who wish to contact the Company through the contact form for the purpose of possibly concluding a contract, on the basis of Art. 6, par. 1, letter “b” of the Regulation, namely: “the processing is necessary to take steps at the request of the data subject before the conclusion of a contract.”

The Company collects, processes and stores the personal data of individuals who wish to contact the Company through the contact form, regardless of the conclusion of a contract, on the basis of Article 6, Par. 1, Letter “f” of Regulation (EU) 2016/679, namely: “the processing is necessary for the purposes of the legitimate interests of the controller”. In this case, the legitimate interests of the administrator can be determined as follows:

a) Providing feedback;

b) Improving the service for visitors to the Company’s website.

IV. Principles for collecting and processing your personal data.

When processing your personal data, the Company observes the following principles:

  • Legality, good faith and transparency;
  • Limiting the purposes of processing;
  • Relevance to the purposes of the processing and minimization of the data collected;
  • Accuracy and timeliness of data;
  • Limitation of storage in order to achieve the objectives;
  • Integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.

V. Terms of storage of your personal data.

The terms of storage of personal data collected by the Administrator are determined as follows:

  • The personal data of natural persons with whom a civil contract has been concluded and the personal data of counterparties – natural persons, as well as of the representatives or proxies of the representatives of the counterparties – legal entities, are stored by the Administrator for a period of up to 5 years, starting from the moment of termination of the contract.
  • The personal data of the Administrator’s employees are stored as follows: for payrolls and remunerations – 50 years, for personal staff lists – 10 years; for labor records of workers and employees – 5 years after the termination of employment relations; for file registration diary – 5 years after completion; for applications and certificates for work and social security experience – 5 years, for a diary of issued new work books – 50 years after completion, for correspondence on personnel matters and payment of labor – 10 years after evaluation by an expert committee; for health records – 50 years;
  • The personal data of individuals who have applied for a job with the Administrator are stored for the duration of the recruitment process and for up to 30 days after its termination, unless the applicant has agreed to their data being stored for applying for future or other open positions. After the recruitment process is completed, the job application of a person with whom no employment contract has been concluded will not be stored.

When, in a selection procedure, the Company has requested the submission of certified or notarized copies of documents certifying the candidate’s physical and mental fitness for work, the required qualification level and experience for the position held, a data subject who is not approved for appointment may request, within 30 days from the final completion of the selection procedure, to receive back the submitted documents. In such a case, the Company returns the documents in the manner in which they were submitted.

  • Personal data regarding the physical identity of natural persons (physical appearance, characteristic external marks and human speech) are stored for a period of 60 days, starting from the date of receipt of the data by means of video recording.
  • The personal data of individuals, collected and processed in connection with electronic messages received by them through the contact form on the Company’s website, are stored until the purposes for which they were collected are achieved, but in any case for a period not longer than 3 months from receipt of personal data.

After the expiration of the storage periods, the Administrator shall take all necessary actions without undue delay to destroy the collected personal data in an appropriate manner.

VI. Your rights in the collection, processing and storage of your personal data.

At any time while we are processing your personal data, you, as the data subject, have the following rights:

  1. Right of access – You have the right to know which of your personal data is being processed by the Company. The administrator provides you, upon request, with a free copy of the processed personal data relating to you. When you submit a request by electronic means, the Administrator provides the information in a widely used electronic form.

  2. Right to rectification – You have the right to request rectification of your data stored by the Administrator if it is inaccurate or incomplete.

  3. Right to object – Regarding data that is processed on the basis of “legitimate interest”, you have the right at any time and on grounds related to your specific situation to object to the processing. In the event of such an objection, the Administrator is obliged to terminate the processing of your personal data, unless it proves that there are convincing legitimate grounds for the processing that take precedence over your interests, rights and freedoms, or in the event that the data is processed for the establishment, exercise or defense of legal claims.

  4. Right to erasure (“right to be forgotten”) – You have the possibility to request the erasure of your personal data in the following cases:
  • if the personal data are no longer necessary for the purposes for which they were collected;
  • if the data subject exercises the right to object and there are no overriding legitimate grounds for the processing;
  • if the processing was unlawful;
  • if there is a statutory obligation of the administrator to delete the data.

However, the right to erasure does not apply in cases where the data is processed:

  • to exercise the right to freedom of expression and the right to information;
  • to comply with a legal obligation that requires processing provided for in Union or Member State law applicable to the controller or for the performance of a task in the public interest or in the exercise of official powers conferred on the controller;
  • for reasons of public interest in the field of public health;
  • for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes pursuant to Article 89(1) of Regulation (EU) 2016/679, insofar as the right to erasure is likely to make it impossible or seriously hinder the achievement of the objectives of this processing;
  • for the establishment, exercise or defense of legal claims.

  5. Right to limit processing – In certain circumstances, you can request the Administrator to limit (stop) the processing of your data. Such cases are the need to check the accuracy of the data, the basis for the processing or the legality of their processing.

You can exercise the rights under items 1-5 by submitting a request/objection to the Company in any form. The request/objection should state which of your rights you wish to exercise and should identify you as the data subject. For your convenience, you can use the application forms posted on the Company’s website for granting access, correction, deletion, etc.

VII. Measures for information security and protection of personal data

The administrator has taken appropriate technical and organizational measures to protect personal data, as follows:

  • Software-technical – protection with user profiles with access passwords for each employee and worker and policies to maintain them, as well as other means of protection during the transfer of information, including reliable and secure identification and authentication of the sender and recipient of the information, ensuring confidentiality and integrity of transmitted information, virus protection, recovery copies for the period determined for the storage of data for each individual register, standard protection of operating systems, prohibited remote access over the internet to the information located on the server, etc.;
  • Physical – a system of measures for the protection of buildings, premises and facilities in which personal data is processed and stored and control over access to them, locks, separate cabinets, including cabinets with locks, video surveillance, equipment in the premises, meeting the needs, purposes and the level of impact of personal data processing;
  • Organizational and administrative (documentary) – determination of the registers that will be maintained on electronic media, regulation of access to the registers, determination of storage terms and procedures for destruction of personal data; defining rules for archiving documents on both paper and electronic media; regular trainings of the responsible persons – employees of the Company on personal data protection issues, based on the legislation and practice in the field;
  • Normative – provided in legal and by-laws, including the presence of consent to undertake an obligation not to distribute personal data by the persons who process it;
  • Following the Privacy by design principle – the Company introduces, both at the time of determining the means of processing, including especially when developing new business models/business processes/products/work systems, and at the time of the processing itself, the appropriate, technical and organizational measures to protect personal data, including pseudonymization;
  • Adherence to the de minimis principle – The Company limits the processing of personal data to those that are reasonably adequate and relevant to the specific applicable basis on which the processing is carried out and which corresponds to the business purposes of this processing. To the extent that personal data are not necessary for the basis and business purposes applicable to the specific processing, i.e. exceed them, the Company makes every effort to destroy such personal data.

VIII. Notification of changes to this policy

The administrator reserves the right to make amendments and additions to this Policy. When changes are made to the Personal Data Protection Policy, they will be promptly reflected in it and made available to all interested parties on the official website – https://www.mebelpoint.eu

IX. Use of cookies on the Administrator’s website

The Administrator’s website may use cookies. Cookies are small text files that are placed on the user’s personal computer by the visited website and are used to ensure more efficient functioning of the website.

The Administrator’s website may use cookies to improve functionality and to adapt the site to the specific needs of users.

The administrator may use the following cookies:

  • Session cookies – temporary cookie files that are deleted when the browser is closed. When the browser is restarted and the user returns to the website that created this cookie, the website will treat the user as a new user.
  • Persistent cookies – remain in the browser until they are manually deleted or until the user’s browser deletes them based on the duration period set in the cookie. These cookies recognize the user as a returning visitor.
  • Necessary “cookies” – cookies necessary for the functioning of the Administrator’s website, enabling the user to move around the site and use its functions.

The browsers used to open the Administrator’s website allow the deletion of all cookies at any time. To do this, each user can refer to the auxiliary functions of the respective browser. These actions may result in individual features of the Administrator’s website no longer being available to the user.