1. INTRODUCTION

Welcome to https://www.sb-academy.gr/ (“Website” or “Internet page”), which was prepared in the benefit of and on the order of SB-ACADEMY STUDY IN BULGARIA, with Unique Identification Code: 205674236, with registered office and address of administration: city of Plovdiv, avenue. “Sixth September” 144, contact phone number: 00306950799715.

By using this Internet site you agree to the terms of collection, use and disclosure of your personal data in accordance with this CONFIDENTIALITY POLICY.

Please read this privacy policy carefully before using this Website and if you have any questions about this policy, please contact us at 00306950799715 or office@sb-academy.gr If you do not agree to any of the terms of this privacy policy you should not use this Website.

Responsible Processing data processing personal data

SB-ACADEMY STUDY IN BULGARIA (hereinafter referred to as the “Personal Data Controller”) is a limited liability company with Unique Identification Code: 205674236, with registered office and management address: the city of Plovdiv, avenue. “Sixth September” 144 contact telephone number: 00306950799715 Website: https://www.sb-academy.gr.

Supervisory authority:

Personal Data Protection Committee

PO Box. Address : Sofia City, P.O. Box 1592, avenue. “Prof. Tsvetan Lazarov” 2

Contact details: 02/915 35 18; 02/915 35 15; 02/915 35 19; kzld@cpdp.bg, www.cpdp.bg

  1. OBJECTIVES AND SCOPE APPLICATION OF POLICY CONFIDENTIALITY POLICY

1.1 The Personal Data Controller understands the reasons of the visitors of the Website regarding the protection of personal data and is committed to protect their personal data by applying all the requirements for the protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. With this Confidentiality Policy, the Controller takes into account the physical integrity of the personality of natural persons and makes the necessary efforts to protect the personal data of natural persons against unlawful processing by implementing technical and organizational measures for the protection of personal data, which measures are in accordance with modern technological achievements and ensure a level of protection, which corresponds to the risks, relevant to the processing of personal data.

1.2 Subject to this Confidentiality Policy and pursuant to Regulation (EU) 2016/679, the Supplier provides information regarding:

– the purposes and scope of the Confidentiality Policy,

– personal data collected and processed by the Supplier,

– purposes of processing personal data,

– a time limit for the storage of personal data,

– the mandatory and prior nature of the provision of personal data,

– processing of personal data,

– protection of personal data,

– recipients or categories of recipients to whom the data may be disclosed,

– rights of natural persons,

– the order of exercise of the rights,

– the right to object,

– keys, tools and content from other companies,

– amendments to the Confidentiality Policy.

III. definitions

2.1 For the purposes of Regulation (EU) 2016/679 and this Policy, the definitions посочените термини имат следното значение:

  1. Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be established, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of the data subject;
  2. Processing of personal data meansany operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. Restriction of processing means the marking of stored personal data with a view to restricting their processing in the future.
  4. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyse or predict aspects relating to the job performance, financial situation, health, personal preferences, interests, interests, reliability, behaviour, location or movements of that natural person.
  5. Controller means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his or her appointment may be provided for by Union or Member State law.
  6. Processor means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
  7. Recipient means the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as ‘recipients’; the processing of such data by those public authorities shall be carried out in accordance with the applicable data protection rules, depending on the purposes of the processing.
  8. Third party means a natural or legal person, public authority, agency or body, with the exception of the data subject, the controller, the processor and persons who, under the direct supervision of the controller or the processor, are authorised to process personal data.
  9. Consent of the data subject is any freely given, specific, explicit and informed indication of intent by which the data subject signifies his or her agreement, by a statement or by a clear affirmative action, to the processing of personal data concerning him or her.
  10. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
  11. Principles by from Processing of personal data

3.1 The Controller shall follow the following principles when processing personal data relating to natural persons, namely:

  • lawfulness, fairness and transparency – Personal data are processed lawfully and fairly and in a transparent manner in relation to the data subject,
  • Personal data are collected for specified, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes,
  • data minimisation – Personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed,
  • Accuracy – Personal data is accurate and, where necessary, updated,
  • limitation of the storage period – Personal data shall be kept in a form which permits the identification of data subjects only for the period necessary for the purposes of the processing of the personal data
  • integrity and confidentiality – Personal data are processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures;
  1. DATA PERSONNEL CHARACTER, COLLECTED AND PROCESSED BY RESPONSIBLE PROCESSING

А. Processing of special categories of personal data (“sensitive data”)

4.1 The Data Controller does not collect and does not process special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of unambiguous identification of a person, data concerning health or data concerning the sexual life of a natural person or sexual orientation. Natural persons should not provide such sensitive data to the Controller. In the event that a natural person intentionally provides such sensitive data to the Controller, the Controller shall be obliged to delete such data immediately.

Β. Personal data, the which Located at Directly From natural persons

Personal data, the which Located at Directly From The of course persons, when The persons Connect by Him Responsible Edit via telephone

5.1 Natural persons provide personal data to the Controller when they connect to the Controller by telephone. The telephone contact with the Data Controller is available in the Data Controller’s identification details in this Privacy Policy and on the Website, where the contact details of the Data Controller are provided. When the individual connects with the Data Controller by telephone, the Data Controller collects and processes only the name and telephone number of the individual and in some cases the email address of the individual. These data are processed for the purposes of contacting the natural person. The processing of these personal data is necessary:

– for the realization of the legitimate interests of the Data Controller, which legitimate interests are answering the received telephone calls and sending e-mails, regarding questions received by telephone.

– for operations which precede the conclusion of a contract and are undertaken at the request of the natural person, in particular to provide more information on the services provided by the Data Controller in cases of possible conclusion of a contract with the natural person.

The Data Controller uses the services of the telephone service provider, which is located in the Republic of Greece.

Personal data, the which Located at Directly From The of course persons, when The persons Connect by Him Responsible Edit via e-mail

5.2 Natural persons provide personal data to the Controller when they connect to the Controller by e-mail. The email address of the Data Controller can be found in the Data Controller identification details in this Privacy Policy and on the Data Controller’s Website, where the contact details of the Data Controller are provided. When the person sends an email to the Data Controller, the Data Controller collects and processes the email address, as well as other information, which the person provides in the email, for example name, phone number, address. This information is processed for the purposes of contacting the individual and maintaining records. The processing of these personal data is necessary:

– for the realisation of the legitimate interests of the Data Controller, which legitimate interests are the response to the messages received and also the messages received.

– for operations which precede the conclusion of a contract and are undertaken at the request of the natural person, in particular to provide more information on the services provided by the Data Controller in cases of possible conclusion of a contract with the natural person.

The Data Controller uses the services of the provider of the email services to store the received emails on the provider’s server, which server is located in the Republic of Bulgaria.

Personal data collected directly from natural persons, where the persons connect with the Data Controller by means of sending a message using the Facebook platform

5.4 Natural persons provide personal data to the Controller when they connect to the Controller by sending a message using the Facebook platform, through the Facebook messaging service, accessible through the Controller’s Facebook Website: https://www.facebook.com/sbacademybg

When the person sends a message to the Controller using the Facebook platform, through the Facebook messaging service, the Controller collects and processes the name of the natural person and the other information that the person provides in the sent message. This information is processed for the purposes of communicating with the natural person and maintaining records.The processing of this personal information is necessary for the realization of the legitimate interests of the Data Controller, which legitimate interests are the response to the received messages and also the archiving of the received messages. The Data Controller uses the services of Facebook, an independent service provider located in the USA, to receive messages through the Facebook platform. This means that the data will be kept on Facebook’s server in the USA. For the transfer of data outside the European Economic Area, appropriate safeguards must be provided in accordance with Article 46 of Regulation (EU) 2016/679. Facebook certifies that it complies with the principles of the Privacy Shield in EU-US relations. Facebook has its own Privacy Policy and it is recommended that individuals familiarize themselves with it to obtain more information. Facebook’s Privacy Policy is published on the website: https://www.facebook.com/policy.php

  1. Personal Data of natural persons provided by third parties

6.1 The Controller does not usually receive personal data of natural persons from third parties. However, in some cases, if the Controller has reasonable grounds to suspect that a natural person is infringing intellectual property rights and other similar circumstances, the Controller may obtain personal data of the suspect from public registers, for example: Commercial Register, Register of registered trademarks, which is kept by the Patent Office of the Republic of Bulgaria and other similar. These data may be collected and processed for the purpose of bringing an infringement action against the infringer. The processing of personal data collected from public registers is necessary for the purposes of the legitimate interests of the Controller, which legitimate interests are to bring an action for infringement against the infringer and also on a lawful basis.

  1. Data, which is collected automatically

7.1 During the visiting on the Website, the . Editor automatically collects the following data:

  • Internet Protocol (IP) address of the device from which the natural person is contacting the platform (usually used to identify the country or city from which the natural person is contacting the platform,
  • Type of device from which the natural person makes contact with the platform (for example, computer, mobile phone, tablet, etc.),
  • Type of operating system,
  • Type of browser,
  • Specific actions, which the natural person undertakes, including the pages visited, the frequency and duration of visits to the Website,
  • Date and time of visit.
  1. Cookies

8.1 Individuals can obtain more information about how the Data Controller uses cookies by reading the Cookie Policy on:

Chrome, https://support.google.com/chrome/answer/95647?hl
Safari, http://support.apple.com/kb/ph5042
Explorer, http://windows.microsoft.com/es-es/windows7/how-to-manage-
cookies-in-internet-explorer-9
Firefox, https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-
websites-stored

https://policies.google.com/technologies/types

https://policies.google.com/technologies/ads

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

VII. PURPOSES, FOR THEY WHO EDITED BY TA PERSONNEL CONTACT

9.1 The Data Controller collects and processes the personal data of natural persons, which have been provided directly by them, only for the following purposes:

  • for the purpose of providing services which the Data Controller offers and the identification of natural persons (prospective and current customers),
  • to contact the natural person by e-mail, so that the Data Controller can answer the natural person’s question,
  • for the performance of contractual obligations, in which contract the natural person, to whom the items belong, is a party, as well as for actions, prior to the conclusion of the contract, according to his demand,
  • for the performance of the legal obligations of the Data Controller, in accordance with applicable law,
  • for a letter sent by post,
  • accounting purposes,
  • statistical purposes.

9.2 The Data Controller collects and processes the personal data of natural persons, which it collects by. automatically for the following purposes:

improving the effectiveness and functionality of the Website,

compiling anonymous statistics on how the Website has been used.

9.3 The Data Controller is not entitled to use the personal data of natural persons for purposes other than those stated in this section of this Personal Data Protection Policy.

VIII. RETENTION PERIOD OF PERSONAL DATA

10.1 Questions and correspondence via email, Facebook. The Data Controller retains the personal data and the received emails and Facebook messages for a period necessary to reply to the received messages and to satisfy the request of the natural person, as well as for a period of one year, two years after the response of the Data Controller.

10.2 Personal data about persons who have become customers of the Controller: The Controller shall retain the personal data of persons who have become customers of the Controller for a period of ten years, which period is legally established for the retention of customer invoices.

Ε. Criteria for determining the time limit for the retention of personal data

10.3 In other cases, which are not mentioned above, the Controller will retain the personal data of natural persons for no longer than necessary, taking into account the following criteria: – whether the Data Controller is obliged, in order to meet the legal deadline to continue processing the personal data of the natural person, – the purpose of retaining the personal data as at the moment, so and in the future, – whether between the Data Controller and the natural person there is a contract and the Data Controller is obliged to continue processing the personal data in order to perform its contractual obligations, – the purposes of uses of the personal data at the moment, so and in the future

  1. MANDATORY AND VOLUNTARY CHARACTER OF PROVIDER PERSONNEL DATA

11.1 The personal data, which are required from the natural persons, are compliant with the services, which are offered by the Data Controller and have a mandatory character. The provision of personal data by natural persons is voluntary.

  1. processing of personal data

12.1 The Controller processes the personal data of natural persons by means of a set of operations, which may be performed by automatic or non-automatic means.

12.2 the Data Controller processes the personal data of natural persons either autonomously or by outsourcing to a data processor in the name of the Data Controller, who is the company’s accountant, based in the Republic of Bulgaria.

  1. protection of personal data

13.1 The Controller undertakes the necessary technical and organisational measures to protect personal data from accidental or unlawful destruction, or accidental loss, unlawful interception, alteration or dissemination, as well as from other unlawful forms of processing, in particular:

– all personal information which the natural person provides to the Controller is kept on secure and trustworthy servers and files,

– when the natural person exercises the right of contact, the Data Controller shall verify the identity of the natural person before providing the information requested.

13.2 Full information on the technical and organisational measures undertaken by the Controller is available in the Directive on the personal data processing mechanism and their protection in the registers kept, which contain personal data in the Controller. Should you wish to receive full information on technical and organisational measures, please do not hesitate to contact us at 00306950799715 or office@sb-academy.gr.

XII. RECIPIENTS, OF WHO THE PERSONNEL DATA CAN NE EXPLORE

14.1 The Controller has the right to disclose the processed personal data of the following categories of persons:

  • to natural persons to whom the data relate,
  • to persons, if provided for in legislative acts, for example, of state institutions (Curatorial Office, Patent Office, Trade Register and others),
  • to persons who process personal data, who provide services for the benefit of the Supplier’s business, for example, an accountant of the Data Controller and a courier, where these persons are obliged to respect confidentiality, and also these persons have provided sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing is carried out in accordance with the requirements of the Regulation and ensures protection of the rights of natural persons.

14.2 The Controller sells personal data provided by individuals to third parties.

XIII. RIGHTS PHYSICAL PERSONS

Right Access

15.1 The natural person has the right to obtain from the Data Controller confirmation whether personal data are processed, about him/her and if so to obtain access to the data – the respective categories of personal data.

Right correction

15.2 The natural person has the right to request the Controller to correct without undue delay any inaccurate personal data relating to him/her. Having regard to the purposes of the processing, the natural person has the right to have the incomplete personal data completed, including by means of a declaration.

Right erasure (right to “to oblivion”)

15.3 The natural person has the right to request the Controller to delete personal data relating to him/her without undue delay, while the Controller has the obligation to delete without undue delay the personal data when one of the grounds indicated in Article 17 of Regulation 2016/679 is applicable.

Right restriction of processing

15.4 The natural person has the right to request the Controller to restrict processing where one of the conditions indicated in Article 18 of Regulation 2016/679 applies. Where restriction of processing is implemented, such data shall be processed, with the exception of storage, only with the consent of the natural person or for the establishment, exercise or defence of legal claims or for the defence of the rights of another natural person or raises important grounds of public interest for the Union or a Member State. Where the natural person has requested a restriction of processing, the controller shall inform him or her before the restriction of processing is lifted.

Right portability of data

15.5 The natural person has the right to receive the personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used and machine-readable format, where the processing is based on consent pursuant to or a contractual obligation and the processing is carried out in a standardised manner.

Right object

15.6 A natural person has the right, at any time and for reasons relating to his or her particular situation, to object to the processing of personal data concerning him or her. In accordance with Article 21, paragraph 4 of Regulation 2016/679, the natural person is explicitly warned of the existence of the right to object, which is clearly described and separate from any other information. To fulfil this obligation, more information on the right to object can be found in the section entitled “Right to object”.

Right recall of consent

15.7 The natural person has the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on the consent prior to its withdrawal. An individual may withdraw consent based on the order described in Section XIV of this Confidentiality Policy or by selecting the “unsubscribe” option when receiving the newsletter.

Rights during training of the profile

15.8 The natural person has the right not to be subject to a decision taken solely on the basis of individualised processing, including profiling, which produces legal effects concerning the data subject or significantly affects him or her in a similar way.

Right notification infringement of Security of data personal nature

15.9 Where a personal data breach is likely to create a high risk to the rights and freedoms of natural persons, the natural person must be notified without delay of the personal data breach.

Right judicial and administrative defence

Right Submit Complaint at supervisory authority

15.10 A natural person has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he or she has his or her habitual residence or place of work or the place of the alleged infringement, if the natural person considers that the processing of personal data concerning him or her infringes the provisions of the Regulation.

Right real judicial legal action against a supervisory authority

15.11 Every natural and legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning that person. Production proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

C: Right real judicial Right to effective judicial remedy Actual legal remedy in court against a controller or data processor personal personal data processing

15.12 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, an individual shall have the right to an effective judicial remedy if he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data which is in breach of the Regulation. Production proceedings against a Controller or processor of personal data brought before the courts of the Member State in which the Controller or processor of personal data have their establishment.

Right compensation for of existing damage

15.13 Any person who has suffered material or non-material damage as a result of a breach of the Regulation shall be entitled to compensation from the Controller or the processor of personal data for the damage suffered. The production procedures relating to the exercise of the right to compensation brought before the courts of the Member State in which the Controller or processor of personal data have their establishment.

XIV. order of exercise of rights

16.1 Natural persons shall exercise the right to withdraw their consent, the right of access, the right of erasure, the right of rectification, the right to restriction of processing, the right to data portability, the right to object and the rights against profiling, by submitting a written request to the Controller (or by post to the address indicated above in the identification of the Controller’s confidentiality policy or by sending an email), which must contain the following information:

  1. name, address and other data for the identification of the natural person concerned,
  2. a description of the application,
  3. signature, date of application and e-mail address.

16.2 The application must be submitted personally by the natural person. The Controller shall record the request of the natural person in a separate register.

16.3 When the natural person exercises his or her right of access to personal data concerning him or her, the Controller shall verify the identity of the natural person before responding to the request. This is necessary to minimise the risk of unlawful access to the data and identity theft. In case the Controller cannot identify the natural person from the collected personal data, then the Controller has the right to request a copy of the documents from which the natural person can be identified (for example, an identity card, driving licence, other documents containing personal data from which the natural person can be identified).

16.4 The Controller shall examine the request and provide the natural person with information on the operations undertaken in relation to the request within one month of receipt of the request. In case of necessity this period may be extended by a further two months, taking into account the complexity and number of requests.

16.5 The Controller shall inform the natural person of such an extension within one month of receipt of the request and of the reasons for the delay. If the natural person submits the request by electronic means, the information shall, if possible, be provided by electronic means, unless the natural person has requested otherwise.

16.6 If the Controller fails to act on the request of the natural person, the Controller shall inform the natural person without delay and no later than one month after receipt of the request, of the reasons for the failure to act and of the possibility of lodging a complaint with a supervisory authority and of seeking judicial remedy.

16.7 The Controller is obliged to notify any rectification, erasure or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this is impossible or requires disproportionate efforts. The controller shall inform the natural person of those recipients if the person so requests.

  1. Right object

17.1 A natural person has the right, at any time and for reasons relating to his or her particular situation, to object to the processing of personal data concerning him or her. In accordance with Article 21, paragraph 4 of Regulation 2016/679, the natural person is explicitly informed of the existence of the right to object, which is clearly described and separate from any other information. To fulfil this obligation, more information on the right to object will be provided in this section of this Confidentiality Policy.

17.2 The natural person has the right, at any time and on grounds relating to his or her particular situation, to object to the processing of personal data concerning him or her in cases where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or the processing is necessary for the purposes of the legitimate interests of the Controller or a third party, except where such interests are overridden by the interests or fundamental freedoms of the natural person, which require the protection of personal data and in particular where the natural person is a child. The Controller shall be obliged to stop processing the personal data unless he or she demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the natural person, or for the establishment, exercise or protection of legal claims. Natural persons shall exercise the right to object by submitting a written request to the Controller or by post to the address indicated above in the identification of the Controller of the confidentiality policy or by sending an e-mail.

17.3 Where personal data are processed for direct marketing purposes, the natural person has the right to object at any time to such processing of personal data concerning him or her for this type of marketing, which includes profiling to the extent that it is related to the marketing. Where the natural person objects to processing for direct marketing purposes, the processing of personal data for that purpose shall be interrupted. Natural persons exercise the right to object by submitting a written request to the Data Controller or by sending a mail to the address indicated above in the identification of the Data Controller’s confidentiality policy or by sending an e-mail stating that they do not wish to receive promotional communications.

XVI. INTERCONNECTIONS, TOOLS AND CONTENTS FROM OTHERS COMPANIES

18.1 the Website has buttons, tools or contents, which are linked to services of other companies, such as “Facebook” button, “Instagram” button and “YouTube” button. All Websites of these companies, which can be accessed through this Website, are independent and the Controller does not assume any liability for damages and losses, which arise as a result of using these websites. Individuals use these Websites at their own risk and it is recommended that they familiarize themselves with the respective Confidentiality Policy of the company in order to obtain more information.

XVII. AMENDMENTS TO THE CONFIDENTIALITY POLICY

19.1 This Confidentiality Policy may be updated at any time in the future. When this happens the amended Policy will be published on this Website with a new “Last Modified” date at the top of this Confidentiality Policy and will be effective from the date of publication. Therefore, it is recommended that you check this Confidentiality Policy from time to time to ensure that you are aware of all modifications. Your use of the Website after the published up-to-date Privacy Policy will be deemed to constitute your acceptance of the executed amendments.

XVIII. Contacts

20.1 Should you have any further questions about this Privacy Policy, please do not hesitate to contact us at 00306950799715 or office@sb-academy.gr.