PERSONAL DATA PROTECTION POLICY OF E&M WATCHES AND JEWELLERY LTD

Approved by Mrs Mariya Tepelikyan, Manager

by Order No…/… , in effect from 25  May 2018

INTRODUCTION

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) will take effect on 25 May 2018 and will change the existing legal regime of protection and free movement of personal data.
  • As an organization seated in the territory of the Republic of Bulgaria and processing dataof EU citizens, E&M Watches and Jewellery Ltd., entered in the Commercial Register kept by the Registry Agency to the Ministry of Justice of the Republic of Bulgaria under UIC: 175200441, having its seat and registered address in the city of Sofia, Strelbishte,  15, Tvardishki prohod Str. (hereinafter referred to as the “Organization”) has a number of obligations related to the processing of personal data and their free movement.
  • For the purposes of the fulfilment of the obligations provided for by the GDPR, its implementing and interpreting acts as well as the applicable requirements of the European and national legislation on data protection, the Organization approves this Personal Data Protection Policy (the “Company Policy”).

DEFINITIONS

  • Personal data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal number, a permanent or a current address, an IP address or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Special categories of personal data – personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade-union memberships, as well as the processing of genetic data, biometric data for the sole purpose of identifying a natural person, data on health status or data for the sex life or sexual orientation of the natural person. The Organization does not process special categories of personal data except in cases where such an obligation arises from the applicable law.
  • Controller – under this policy, a data controller is the Organization in the cases where it, alone or jointly, determines the purposes and means of the processing of personal data.
  • Data subject means any natural person to whom the personal data processed by the Organization relate. These are the clients and employees of the Organization, the job applicants and the recipients of advertising and other marketing communications by electronic means, related with the goods and services offered by the Organization.
  • Processing – any operation or set of operations carried out with personal data or with a set of personal data by automated or other means such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or another way in which the data become available, arrangement or combination, restriction, erasure or destruction; personal data processed by the Organization shall not be kept for longer than is necessary and in any case for no longer than as indicated in the Personal Data Storage Policy.
  • Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The controller reports to the supervisory authority and – where appropriate – to the data subjects for any breaches of security in accordance with the procedure laid down in the Personal Data Breach Notification Procedure.
  • Consent of the data subject – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies consent to the processing of personal data relating to him or her for the purpose of receiving advertising and marketing communications relating to the goods and services offered by the Organization by electronic means;
  • Child means any person under the age of 16 or such lower age determined by the applicable law. The processing of personal data of a child is lawful only if the consent of the parent or guardian has been received.
  • Applicable law means the GDPR, its implementing and interpreting acts and all other national acts and European regulations applicable in respect of the processing by the Organization which are relevant to the protection and free movement of personal data.
  • Supervisory authority means the Personal Data Protection Commission (PDPC) or any other authority determined pursuant to the applicable law.

Declarations

  • The Organization undertakes to comply with all legal acts of the EU and of the Republic of Bulgaria on the protection of personal data and to protect and promote the exercise of the rights of the subjects whose data it collects and processes.
  • This Company Policy, together with the associated procedures and standards, is aimed at securing mechanisms for legal compliance and ensuring observance of the GDPR.
  • The applicable law and the Company Policy, together with the appendices thereto, apply to all activities related to the processing of personal data by the Organization.
  • The data protection officer reviews each new process which is due to be implemented and which involves the processing of personal data as well as all activities of processing at least once every two years with a view to any changes in the ongoing processes related to the processing of personal data.
  • The Company Policy applies to all employees and representatives of the Organization as well as to its counterparties and others processing personal data such as system administrators and IT support companies, owners of external servers, suppliers, tour operators and outsourced bookkeeping companies. Any breach of the applicable law or of the Company Policy will be considered according to the disciplinary policy of the Organization.
  • Counterparties and all third parties which work with or for the controller and which have or can have access to personal data must be obliged to comply with the Company Policy, including through an agreement for the processing of personal data – a legal act within the meaning of Article 28(3) of the GDPR imposing obligations which are not less burdensome than those undertaken by the Organization in this Company Policy. The Organization reserves the right to verify the fulfilment of the criteria for the processing of personal data by third parties and by its counterparties.
  • Any processing of personal data should be carried out in accordance with the principles of data protection under the provisions of Article 5 of the GDPR. The Company Policy ensures compliance with these principles.

Principles of Data Protection

Personal data are processed lawfully, in good faith and in a transparent manner

  • Lawful – personal data are processed only subject to the existence of a valid basis.
  • In good faith – the Organization provides the data subjects with all information for the processing and protection of their data as applicable. This applies regardless of whether the personal data are obtained directly from the data subject or from other sources.
  • In a transparent manner. The transparency requirement includes rules on provision to data subjects of the information referred to in Articles 12-14 in the form of a Notice of Personal Data Processing. They are drawn up in an intelligible and accessible form, in a clear and simple language, and include at least:
    • the data that identify the Organization;
    • the contact information of the data protection officer;
    • the purposes and the legal grounds for the processing of personal data:
    • the period of personal data storage;
    • the existence of the rights to require access, rectification, erasure or objection against the processing and the conditions relating to the exercise of these rights;
    • the categories of personal data processed;
    • the recipients or categories of recipients of personal data;
    • any additional information that is necessary to ensure processing in good faith.

Personal data may be collected only for specific, explicit and legitimate purposes.

Personal data must be appropriate, related and limited to what is necessary for processing.

Personal data must be accurate and be kept up to date, as every effort is made to ensure timely erasure or rectification

The data controller must be able to demonstrate compliance with the other principles of the GDPR (“accountability”)

The data kept by the Organization must be reviewed and updated as necessary. Data will not be stored if it cannot be reasonably assumed that they are accurate. All forms used to collect personal data include a declaration by the subjects that the data provided are accurate and up-to-date. In the event of significant changes, with a view to maintaining their accuracy and timeliness, the data subjects will notify the Organization.

Personal data must be stored in a form which permits identification of the data subject for a period not longer than necessary. Personal data shall be stored in accordance with the storage periods laid down in the Personal Data Storage Policy, after the expiry of which the data will be destroyed in a secure manner. When data is stored after that date, they will be anonymised, pseudonymised and/or reduced to a minimum in order to maintain the identity of the data subject in the case of a personal data breach.

Personal data must be processed in a manner that ensures an adequate level of security.

In the determination of the appropriate level of security, the Organization takes into account the extent of any damage or loss that may be caused to the persons if there is a personal data breach, the consequences of the infringement and the possible impairment of goodwill.

The Organization applies the following organizational measures for the protection of the data:

  • training of the employees on how to protect data within the Organization;
  • measures which take into account the reliability of the employees;
  • inclusion of provisions on the protection of data in employment and civil law contracts;
  • monitoring of the personnel for compliance with the data protection rules;
  • adoption of a clean desk policy;
  • restricting the use of portable electronic devices outside the workplace;
  • adoption of rules for passwords allowing individual identification of each employee having access on a “need-to-know” basis;
  • implementation of security activity, registered access through chip cards and video surveillance in the offices of the Organization.

Rights of Data Subjects

Data subjects have the right:

  • to submit requests for access and information on the data stored for them and to whom the latter have been disclosed, and to obtain a copy of the stored personal data in a structured, widely used and machine-readable format;
  • to prevent processing which may cause damage to them by filing an objection;
  • to withdraw their consent and/or to request suspension of the processing of their data for marketing purposes, including for the reference and the classification of the Organization;
  • to seek compensation for actual damages caused due to a breach of the applicable law on the part of the Organization;
  • to take actions to rectify, block, erase or destroy inaccurate data;
  • to report to the Supervisory Authority at any time regardless of what has been envisaged in the Company Policy.

The Organization facilitates the exercise of the rights of data subjects in accordance with the procedure laid down in the Data Subject Request Procedure.

Responsibilities and roles of the employees pursuant to the GDPR

  1. All persons who perform management or supervisory functions in the Organization are responsible for the development and promotion of good practices for the processing of personal data.
  1. The data protection officer carries out general oversight for compliance with the applicable law and is entitled to receive any necessary assistance on the part of the employees of the Organization.
  1. Compliance with the data protection legislation is the responsibility of each and all employees who process personal data.
  1. The training procedure sets out specific requirements for the awareness of employees in connection with their roles and responsibilities pursuant to the GDPR.
  1. Employees are responsible to ensure that:
    • all personal data relating to them and/or provided by them to the Organization are accurate and up-to-date;
    • all personal data provided to them by the relevant data subject in connection with the fulfilment of their respective responsibilities are accurate and up-to-date.

Data protection officer

  1. The data protection officer in the Organization is designated by order of the Manager.
  1. The data protection officer designated pursuant to item 1:
  • oversees compliance with the GDPR and with other acts of the applicable law as well as the Company Policy, the appendices thereto and with the other rules relating to the protection and the processing of personal data, including raising the awareness of employees of the Organization;
  • cooperates with the Supervisory Authority, including addressing questions, queries, opinions and notifying a personal data breach;
  • cooperates with the data subjects, including in the exercise of their rights under the GDPR, the consideration of applications for the exercise of rights and communication of a personal data breach;
  • is responsible for the carrying out of preliminary and ongoing checks on the necessity of carrying out a data protection risk assessment and, where necessary, an impact assessment;
  • gives recommendations and opinions and renders cooperation of any other nature on compliance and on ensuring accountability for compliance with the applicable law.

Preservation and destruction of data

  1. The Organization does not store personal data in a form which allows identification of the data subject for a period longer than is necessary for the purposes for which the data have been originally collected.
  1. The Organization may continue to store personal data if the latter are processed solely for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes provided that the appropriate technical and organizational measures are implemented for the protection of the rights and freedoms of data subjects.
  2. Personal data must be destroyed in a secure manner in accordance with the GDPR – data are processed in an appropriate manner with the aim of maintaining security, thereby protecting the rights and freedoms of data subjects. Any destruction of data shall be carried out in accordance with the Data Storage Policy.

Disclosure of data to third parties

  1. The Organization shall not disclose to third parties any personal data, except in the following cases or where this is required by the applicable law.
  1. The Organization may share personal data within the Group of E&S WATCHES AND JEWELLERY LTD and provide them to service providers that help the Organization in the implementation of its activity, i.e. supply of products, authorization of payments, organization of events or distribution of electronic newsletters, maintenance, service and management of the platforms of the Organization, risk management, prevention of fraudulent acts and enhancement of confidence and safety.
  1. The Organization shares personal data outside the territory of the EU only in the event that the supervisory authority has confirmed the adequacy of the level of protection in the given country, or if the Organization can offer other appropriate measures for protection.
  2. All employees have the responsibility to ensure the necessary conditions for personal data processed in the framework of the processes for which they are responsible to be stored in a secure manner and not to be disclosed to a third party under any conditions, unless the latter has been authorised by the Organization and has not concluded an agreement under Art. 28(3) of the GDPR.
  1. All requests for provision of data must be accompanied by the appropriate documents and any disclosure must be authorised by the data protection officer.
  1. Employees undertake not to disclose personal data to unauthorised persons, such as their family members, friends, relatives, etc.

Distribution of electronic newsletters. E-marketing.

  1. The Organization processes personal data for the purpose of distributing electronic newsletters containing information on new products, events, initiatives and customized services in accordance with the interests and preferences of the data subjects solely on the basis of an active consent granted for the processing by data subjects who meet the criteria laid down in the applicable law.
  1. The Organization processes personal data for the purpose of sending personal invitations for events organized by it as well as sending corporate and marketing communications, including news and information relating to the Organization, gifts and catalogues, in accordance with the interests and preferences of the data subjects solely on the basis of an active consent granted for the processing by data subjects who meet the criteria laid down in the applicable law.
  1. In the cases referred to in items 1-2, data subjects may withdraw their consent at any time in a manner consistent with the procedure according to which consent has been given. In particular, the Organization provides an opportunity for a consent given electronically, to be withdrawn electronically.

Cookie Policy

  1. The Organization collects and processes personal data by automated means or indirectly – from third-party websites or from the social networks such as information related to the use of their own platforms, including the browser name and type of device used as well as technical data on how they have linked to the platforms, and any other information that is shared publicly in the social networks of third parties in accordance with the Cookie Policy.

Clean desk policy

  1. All personal data must be accessible only to persons who are in need of them on a “need-to-know” basis.
  1. All personal data must be treated with the highest degree of security and must be stored:
  • in a controlled-access room which is locked, and/or
  • in a locked drawer or cabinet, and/or
  • if they are in an electronic format, with a secure password or
  • on encrypted (portable) electronic media.
  1. Employees are obliged not to leave documents on their desks or on open shelves in proximity to them when they are not at their place of work for a longer period of time (over 20 min.). Secret and sensitive documents are not left unattended under any conditions.
  1. All drawers and cabinets of the bureau of the respective employee must be locked while the employee is outside the building and during non-working hours.
  1. Employees are obliged to always carry with them the keys of the offices, drawers, cabinets and other containers entrusted to them, in which documents are stored, or to keep them locked.
  1. At the end of the working day, employees shall clean their desks, turn off the lights and air conditioners and lock the doors of the offices, respectively activate the alarm of the office premises.

Video surveillance

  1. The records of the technical means by which the territory of the premises of the Organization is under surveillance shall be kept for the period specified in the Data Storage Policy. A legal basis for the implementation of video surveillance is the legitimate interest of the Organization to ensure the security of its employees and assets.
  1. Video surveillance is carried out only at the spots which are explicitly marked with a video surveillance notice and/or video surveillance stickers referring to the notice, without affecting the rights and dignity of the data subjects in any way (e.g., video surveillance is not carried out in toilets and kitchen premises).

Measures for protection of data processing information and network infrastructure

  1. The Organization ensures that it takes adequate measures for the protection of information and network infrastructure necessary for the continuance of activity in the event of a personal data breach.
  1. The measures for protection of the premises in which the network and information infrastructure of the Organization is located include in particular:
  • Measures to limit the access to the premises, including registered access through chip cards and/or physical security.
  • Video surveillance (CCTV);
  • Placement of fire detection sensors;
  • Presence of fire extinguishers in the premises.

Data backup copies

  1. The data in the information systems of the Organization are protected by means of a periodic saving of an electronic backup copy, daily and monthly.
  2. The key elements of the information infrastructure of the Organization is also protected by backup copies so that in the event of infringement resulting from malware software, the Organization will be able to continue its data processing activities.
  3. The Organization ensures that the periods for storage of data backup copies do not exceed those specified in the Storage Policy.
  4. Any backup copies which are no longer in use or which have become non-readable or unusable, will be deleted.

Remote data access

  1. For the processing of data, employees use the technical and information infrastructure available in the premises of the Organization.
  1. The Manager permits, at his/her own discretion, remote access to the data subject upon the filing of an application to that effect by the respective employee with a view to the performance of his/her duties.
  1. The Organization recognizes the following levels of remote access:
    • access to a business e-mail from a business mobile electronic device;
    • access to a business mail from a personal mobile or a stationary electronic device;
    • remote (VPN) access to a business mail and servers of the Organization from a mobile or a stationary electronic device.
  1. The authorisation of remote access includes an assessment whether such access complies with the applicable law, the Company Policy and the appendices thereto, and any other acts related to the processing and protection of data.
  1. When carrying out an assessment pursuant to item 2, the Manager is obliged to consult with the data protection officer in the event that the latter is a person other than the Manager.
  1. The devices through which the authorsed remote access to the data is carried out are subject to registration in a special register. The register of the devices is kept by the data protection officer.
 

List of appendices
Appendix No. 1 Data Storage Policy
Appendix No. 2 Standard for the Preparation of a Data Protection Impact Assessment
Appendix No. 3 Personal Data Breach Notification Procedure
Appendix No. 4 Procedure for Consideration of Applications for the Exercise of Rights of Data Subjects
Appendix No. 5 Employee Training Procedure
List of revisions
Version 1 Drawn up and adopted on 25 May 2018 in accordance with the General Data Protection Regulation

APPENDIX 1:

DATA STORAGE POLICY

 

Scope

All personal data processed by the Company are the subject of the data preservation requirements provided for in this policy. Data collected through the use of cookies by the Organization are the subject of the Cookie Policy.

Responsibilities

  1. Data owners are responsible for the collection, storage and destruction of personal data in accordance with the requirements of the applicable law, the Company Policy and the appendices thereto.
  1. Data owner is the officer responsible for the relevant set of personal data. In the event that the data have been entrusted to several employees, the data owner is the most senior among them.
Data subjects Storage period Point from which period starts to run Legal

basis

 Types of documents
Human resources 5 years The beginning of the financial year in which they have been drawn up Fulfilment of the employment or civil law contract All data and records from the employment dossier of the employee for which no statutory period applies (e.g. for payroll)
Job applicants 1 Staff recruitment campaign end date All documents submitted to the Company with regard to the staff recruitment campaign
Former

employees/

Employees

 50 years The month of January of the accounting period following the accounting period to which the documents relate Art. 12 of the Accountancy Act, Art. 38 of the Code of Tax and Insurance Protecture Data on salaries, data from payroll
Customers of services / suppliers 10 years The month of January of the accounting period following the accounting period to which the documents relate Art. 12 of the Accountancy Act, Art. 38 of the Code of Tax and Insurance Procedure Accounting records and financial statements, including documents on tax control, audits and subsequent financial inspections
  1. The Manager is responsible for:
  • the financial documents and records containing data of the Company’s employees;
  • documents relating to the implementation of marketing activities, including the provision of data to legal directorates and a reference;
  • documents relating to the exercise of and defense in legal claims.
  • video recordings and registers of access to the Company premises.
  1. The Manager may, at his/her discretion, delegate his/her responsibilities under item 3 to other employees.
A person who may file a claim against the Organization 5 years Art. 110-111 of the Obligations and Contracts Act All documents can be stored by the Company with a view to realize its defense against a potential claim
Persons engaged with marketing activities 2 years unless it is based on a consent which is not renewed The end of the marketing campaign or the granting of the relevant consent (concerning the distribution of electronic newsletters) Business communication with customers/documents relating to the popularity of the brand
Employees 30 days The video recording date Legitimate interest Video surveillance records
Suppliers/ counterparties/ persons having connection with transactions of the Companies 5 years The beginning of the year following the conclusion of the transaction or the termination of the relationship Art. 67(1) of the Measures Against Money Laundering Act Any documents and information in connection with the obligations arising from the Measures Against Money Laundering Act
  1. In the implementation of its activities under the GDPR, the data owners and the Manager shall consult with the data protection officer.
  1. The data protection officer is responsible for all documents related to the implementation of the GDPR.
Data subjects Storage period Point from which period starts to run Legal

basis

 Types of documents
Subjects who have filed an application under the GDPR 3 years Receipt of an application Requests by data subjects;

Complaints by data subjects;
Subjects who have filed applications under the GDPR 3 years Sending a reply to the data subject 1.  Replies to requests of data subjects;

2.  Replies to complaints of data subjects;
Customers – natural persons 3 years The date of the last processing of data based on the Notice Confidentiality Notices for customers of the Company
Customers and potential customers 3 years The date of the last processing of data based on a consent Forms of consent
All data subjects 3 years The date of the incident or the date on which the incident has become known Documents relating to personal data breaches

Notifications of breaches
Subjects whose personal data appear in the internal documents of the Companies 3 years The date from which the documents are no longer in force Policies, procedures and other internal documents relating to personal data

Periods of personal data storage

 

The necessary periods for storage of the individual categories of personal data are as follows:

Destruction of personal data

 

The data owner is responsible for the destruction of the data after the expiry of their period of storage. Destruction must be carried out within 30 days of the expiry of the period of storage in the following order:

  1. When the data owner establishes that the period for storage of the relevant document or records has expired, he/she notifies the data protection officer.
  1. The data protection officer checks whether there is a basis to continue storing the document.
  • If such basis is present, the data protection officer notes the new period of storage.
  • If there is no such basis, the data owner destroys the document or the archives of documents by drawing a record of data destruction in duplicate signed by him/her and by the data protection officer.
  1. Destruction is carried out as follows:
    • by shredding hard-copy documents containing personal data where their period of storage has expired, or
    • by erasing/deleting electronic documents and all their backups.
  1. In the event that destruction is made on the occasion of an application filed by the data subject for the exercise of the rights under the GDPR, after the destruction of the data, the senior management of the Companies ensures the destruction of all data copies by sending a prior notice to the data recipients for their destruction.

APPENDIX 2: Standard for the Preparation of a Data Protection Impact Assessment

Responsibilities

 

  1. The data protection officer is responsible for the conduct of regular and preliminary checks on the personal data protection in order to establish the need to carry out an impact assessment.
  1. Regular checks include a review of all processes in the Organization. Regular checks are carried out at least once every two years.
  1. Preliminary checks are carried out before the implementation of a new process in the Organization and cover only the relevant process.
  1. The relevant Data Owner and/or the Manager is responsible to inform the data protection officer of the launch of the new process.
  1. The data protection officer checks whether appropriate measures are applied to limit all risks identified in the data protection impact assessment and in the subsequent decision to proceed to the processing.
  1. The Manager is responsible for the implementation of the identified risk treatment solutions.

Procedure

 

To assess whether there is a need to carry out a data protection risk impact assessment, the data protection officer uses the following criteria for an acceptable data protection impact assessment and follows the likelihood and impact matrix.

Likelihood matrix
Likelihood 0 3 6 9
0 2 4 6
0 1 2 3
0 1 2 3
Impact
Risks to the rights and freedoms of the data subjects
Level of risk From To GDPR assessment
High 6 9 Highest unacceptable risk
Medium 3 5 Unacceptable risk
Low 1 2 Acceptable risk
Zero 0 0 No risk



Identifying data protection risks

  1. The data protection officer assesses the data protection risks for subjects for each processing activity by:
  • determining and describing the data protection risk for subjects;
  • using the criteria for assessment of the likelihood (1 – low, 2 – medium, and 3 – high) of the personal data breach risk;
  • using the criteria for assessment of the impact (0 – zero, 1 – low, 2 – medium, and 3 – high) of the risk if it materialises;
  1. In assessing the impact, the data protection officer takes into account the risks to the rights and freedoms of natural persons, resulting from processing; risks to the business and the objectives and the grounds for data processing.
  1. The data protection officer, together with the Manager, identifies the possible measures for the treatment of risks, the data owner who is competent to take the measures, and the deadline for implementation of the envisaged measures.
  1. The data protection officer, together with the Manager, determines the priority for treatment risks on the basis of the criteria referred to above.

Prior consultation (Article 36 of the GDPR)

 

  1. Where a data protection impact assessment indicates that the processing would result in a high risk to the rights and interests of data subjects, the Organization may through the data protection officer, consult the supervisory authority in a written, including in an electronic, form.
  1. When requesting consultation from the supervisory authority, the data protection officer provides information on:
  • the persons involved in data processing and their responsibilities;
  • the purposes of the planned processing;
  • measures to protect the rights and freedoms of the data subjects
  • a copy of the data protection impact assessment and any other information requested by the supervisory authority.

APPENDIX 3:
PERSONAL DATA BREACH NOTIFICATION PROCEDURE

  1. The data protection officer keeps and maintains a register of breaches of personal data processed by the controller. Entries in the said register are carried out by the data protection officer.
  1. The data protection officer is responsible for the protection of personal data processed by the controller.
  1. A personal data breach is present in all cases where:

3.1. a third party that does not have the right to access personal data processed and stored by the controller gains access to the personal data;

3.2. personal data are destroyed or partially erased as a result of an accidental event;

3.3. personal data are modified in an unauthorised manner;

3.4. personal data have been unsafe for an indefinite period of time;

3.5. in all cases where the security of data is at risk, including in the event of suspension of the fulfilment and/or the operation of measures adopted by the undertaking under the General Data Protection Regulation.

3.6. in other cases provided for by law.

A personal data breach can be established directly by the data protection officer based on reporting by the data processor, by the data subject or by a third party. The data protection officer is required to enter the circumstances of such infringement in the register of personal data breaches without delay.

  1. The data protection officer, through the controller, has the obligation to notify the Personal Data Protection Commission within 72 hours from becoming aware of a personal data breach. The Commission shall be notified by a written model notification accompanied by written evidence. The data protection officer is required to maintain contact with the Personal Data Protection Commission and to provide all information and evidence in connection with the infringement.
  1. The data protection officer renders the necessary assistance to the Commission, and in the case that the same has given a prescription for remedy of such personal data breaches, he/she ensures their implementation.
  1. The data protection officer may also notify in writing the affected data subject in the cases provided for in the GDPR. Notification shall be made by means of a standard message.
  1. The data protection officer shall immediately notify the data controller of the security breach and shall jointly with the controller take immediate measures to limit the consequences of the personal data breach as well as measures to suspend the operation of the factors which infringe the data security. Such measures shall be determined by the controller with the assistance of the data protection officer and may include: installation of additional technical means for physical security of the premises in which personal data are stored, repair and mounting of additional locking mechanisms; installation of computer antivirus programmes and other data protection programmes; restricting the access of certain persons to the locations of personal data storage by applying physical measures to suspend the access and by issuing an order for the suspension of the powers of access to such data, etc.
  1. The notification under item 7 shall be made by means of a standard message.
  1. The data protection officer shall carry out an assessment of the reasons that have led to the specific personal data breach and shall take measures to ensure future compliance with the Regulation.

APPENDIX No. 4 Procedure for Consideration of Applications for the Exercise of Rights of Data Subjects

Scope

This procedure covers the exercise of the rights of subjects in connection with the processing of data by the Organization, including the lodging of complaints against the processing and the order in which such complaints shall be examined.

Procedure

  1. On its platforms, the Organization provides information, including by making available, in whole or in part, the Company Data Protection Policy and its appendices, the notices of data processing and/or other information on the manner in which subjects can exercise the rights provided for in the GDPR.
  1. Subjects shall lodge a complaint/an application in a free form via email or by mail or by using the contact form published on the website of the Organization by specifying explicitly the relevant and/or the affected, in their opinion, right and shall provide information on their identity.
  1. All complaints and applications shall be addressed to the data protection officer who shall note in the Request Journal the date of their receipt and their file number.
  1. All complaints and applications shall be examined within one month from the date of receipt, unless their consideration involves a particular complexity, in which case the period may be extended by two months but not more than a total of three months from the date of receipt, provided that, within the one-month period, the subject has been informed of the delay and of the reasons that have caused such delay.
  1. In the event that the data protection officer rejects or fails to take action on any complaint or application within the time limit referred to in Paragraph 4, he/she shall list, in a clear and simple language, the reasons for such action. For this purpose, the data protection officer shall use the attached forms.
  1. In any communication with the data subject, the data protection officer shall inform the data subject of his/her right to lodge a complaint directly to the Supervisory Authority and to seek protection in court.

NOTICE OF CUSTOMER’S PERSONAL DATA PROCESSING

INTRODUCTION. 1

What are personal data and how we can collect them? 2

What types of personal data we collect?. 2

On what basis we can collect your personal data? 4

Processing of your personal data.. 4

For what purposes we use your personal data?. 4

For marketing and promotional purposes 4

For business purposes 5

For support purposes  5

In order to comply with the legal requirements 5

How long can your personal data be stored? 5

How we provide your data to third parties?. 5

Can we transfer your data outside the EU? 6

Your rights.. 6

What are your rights in respect of your personal data? 6

To whom you must refer if you have questions related to your data? 8

How we guarantee the safety of your personal data? 8

Changes in the Notice of Personal Data Processing 9

 

INTRODUCTION

We, E&S WATCHES AND JEWELLERY LTD, a limited liability company registered under UIC: 175200441 with the Commercial Register of the Republic of Bulgaria, having its seat and registered address in the city of Sofia, Triaditsa region, Strelbishte, 15, Tvardishki prohod Str., do hereby undertake to protect the personal data of our customers, while continuously seeking to improve the services that we offer.

This notice is intended to provide all the information relating to the processing of personal data that we receive through our online platforms or in the filling of a customer form in our boutiques or customer service centres, in the organization of events or by other forms of interaction.

The notice of personal data processing does not apply to personal data collected through the websites or the applications of third parties providing links to them or which are accessible from any platform of E&S WATCHES AND JEWELLERY LTD. We shall not be liable for the personal data protection policies and practices applied by the websites or the applications of third parties, except in cases where this is provided for in the national and the European legislation.

PERSONAL DATA COLLECTION

What are personal data and how we can collect them?

We collect personal data in different ways and under different circumstances, including:

  • During a visit to any of our platforms, upon registration on our websites or in completing our contact forms;
  • During a visit to any of our points of sale or offices;
  • During a purchase of any of our products or in the filing of an application at a customer service centre;
  • When contacting us by email or by phone;
  • When completing any forms in our boutiques, customer service centres or during events organized by us, including by filling a customer form in an electronic form or on paper;
  • Through any of our commercial and advertising partners.

What types of personal data we collect?

Depending on the purpose and the way you interact with us, we may collect your personal data such as:

  • Contact information (name, postal or email address and phone number);
  • Information supplied in connection with your purchases and transactions (information on your credit card and information required in connection with the Measures Against Money Laundering Act);
  • Other personal information, including information concerning your personal preferences and your personal and/or professional interests such as: date of birth, marital status, gender, nationality, data on past use of our products and the preferred means for connection with you, data on your professional status (office, company/employer, professional contact information), data on your interests (sports and entertainment) and on your lifestyle;
  • Information from our customer service centres (such as your orders placed in the centres, comments, reviews, claims and service history).

In addition, we may also collect other categories of personal data by automated means or indirectly – from the websites of third parties or from the social networks such as information related to the use of our own platforms, including the name of the browser and type of device used as well as technical data on how they have linked to our platforms, as well as any other information that you share publicly in the social networks of third parties and which is related to your communication with us. Please read our Cookie Policy to receive detailed information what cookies we use and how we use them.

We can also collect data such as video images obtained through the video surveillance systems in our boutiques, points of sale or offices. Video surveillance areas are always marked with a sticker. For more information, see our Notification of Video Surveillance.

 

On what basis we can collect your personal data?

We guarantee that your personal data will be processed by us only on condition that a valid legal basis is in place. Listed below are the legal grounds on the basis of which we process your your data:

  • Where the processing is necessary for the fulfilment of obligations envisaged by the legislation applicable to us, e.g. legislation against money laundering;
  • For theconclusion and fulfilment of a contract, e.g. for the purchase and sale of a product offered by us and/or the provision of a service;
  • For the protection of our legitimate interests,g. the data from the video surveillance is collected to ensure our security;
  • If you have unambiguously given your consent to the processing of your personal datain connection with one or several specific purposes, such as to get informed using our websites, to receive newsletters, to be contacted by us on the basis of a completed contact form.

 

PROCESSING OF YOUR PERSONAL DATA

For what purposes we use your personal data?

For marketing and promotional purposes:

  • To enable us to send you personal invitations to our events as well as to send corporate and marketing communications, including news and information from the world of E&S WATCHES AND JEWELLERY LTD, as well as gifts and catalogues, in accordance with your interests and preferences;
  • To enable us to send you electronic newsletters providing you the opportunity to be the first to learn about our new products, events, initiatives and personalized services in accordance with your interests and preferences.

FOR BUSINESS PURPOSES:

  • For the processing of your orders, purchases and shipments;
  • For the provision of services by the customer service centres.

For SUPPORT purposes:

  • To enable us to provide you information on the platforms, products and services of E&S WATCHES AND JEWELLERY LTD:
  • To enable us to reply to your inquiries;
  • To enable us to control, maintain and optimize our platforms, as well as to support them and ensure their security.

In order to comply with the legal requirements:

  • For the prevention of fraudulent and other prohibited or illegal acts and to guarantee the security and safety of the platforms, boutiques and offices of E&S WATCHES AND JEWELLERY LTD.
  • To comply with the requirements for financial and accounting reporting, as well as with the requirements of all other laws and regulations (e.g., obligations in connection with the Measures Against Money Laundering Act).

How long can your personal data be stored?

The periods for which we store your personal data are specified in our Data Storage Policy. In cases where the basis for processing is your consent, we will store your data for a period of 2 years unless you renew your consent (for more information, see section “How to contact us”).

How we provide your data to third parties?

We will be able to share your data in the Group of E&S WATCHES AND JEWELLERY LTD and to provide them only to the following third parties:

  • Service providers that assist us in the implementation of our activity, i.e. supply of products, authorisation of payments, organisation of events or distribution of electronic newsletters, maintenance, service and management of our platforms, risk management, prevention of fraudulent acts and enhancement of confidence and safety;
  • Courts, regulatory authorities or other third parties, if this is required under the law or in connection with legal claims or proceedings, or for the fight against fraud.

We expect from all these third parties to submit the necessary security and confidentiality guarantees and to take the necessary organisational and technical measures in accordance with the applicable legislation. Our service providers will be able to process the personal data which we share with them only in accordance with and up to the limits specified in the Company Personal Data Protection Policy and our other documented instructions.

Can we transfer your data outside the EU?

When we share your personal data in connection with the circumstances described above, we can transfer them outside the territory of the EU. In all cases, such transfer of data shall take place only in the event that the competent bodies have confirmed the adequacy of the level of protection in the given country, or if we can offer other appropriate measures for protection. At your request, you can receive information on the appropriate measures (see section ‘How to contact us” below).

YOUR RIGHTS

What are your rights in respect of your data?

  • Right to access: You have the right to know what personal data have been collected for you and how they have been processed;
  • Right to rectification:You have the right to demand the rectification of inaccurate data;
  • Right to objection:You may at any time declare that you do not wish your personal data to be processed by automated means or transferred to third parties;
  • Right to be forgotten, especially if you have withdrawn your consent to the processing of your personal data. You have the right to withdraw your consent at any time in the order in which you have given your consent. This right is not absolute and may be applied only under certain circumstances;
  • Right to restriction of processing, meaning to restrict the manner of use of your personal data. This right is alternative to the right to be forgotten. This right is not absolute and may be applied only under certain circumstances;
  • Right to be informed by obtaining all the information concerning the processing of your data in a clear, accurate, complete and easily accessible form;
  • Right to data portability from one electronic processing system to another electronic processing system;
  • Right in connection with automated decision-making or profiling is inapplicable in so far as we do not carry out processes relating to profiling and automated decision-making;
  • Right to lodge a complaint at any time to the competent national authority – the Personal Data Protection Commission (PDPC).

These rights may be subject to exceptions or restrictions (e.g., when your data are processed for security purposes or stored in connection with legal or contractual obligations), taking into account the available technologies and the financial capacities for their implementation. Under certain circumstances, we may first need to verify your identity before we proceed to the processing of any request made by you in connection with the above rights.

 

To whom you must refer if you have questions related to your data?

If you wish to exercise any of the rights described above or if you have any questions or concerns related to this notification, please contact us:

  • By using the contact form available at: www………………………………;
  • By writing to the data protection officer of E&S WATCHES AND JEWELLERY LTD to the following email: … or to the following postal address: 1404 Sofia, Triaditsa region, Strelbishte residential district, 15, Tvardishki prohod Str.

 

How we guarantee the safety of your personal data?

We use the appropriate technical, organisational and administrative security measures to protect all personal data processed by us from loss, misuse, unauthorised access, disclosure, alteration or destruction. In particular, the measures we use are specified in our Company Personal Data Protection Policy.

However, regardless of the efforts we make to protect your personal data, we are not able to guarantee the safety of the information that you transmit via the platforms of E&S WATCHES AND JEWELLERY LTD., where such transfer is made on the Internet, via unprotected networks.

 

Note to children under the age of 16: We do not collect intentionally and we do not process (especially through our website) personal data from persons who are under the age of 16. If you are under the age of 16, ask any of your parents (or guardian) to register and/or to fill in the customer form instead of you. Please do not provide any of your data. If we establish or if we are informed that we have received your data by mistake, we will immediately erase them from our records.

 

Note to parents or other legal guardians: We will not process and will not collect intentionally any data from your children who are under the age of 16. If you are concerned that your child has registered on the website of E&S WATCHES AND JEWELLERY LTD or has provided personal data to us and you want them to be erased, please contact us in the manners mentioned above by providing us official documents confirming your status as a parent or legal guardian.

 

Changes in the NotiCE OF Personal Data PROCESSING

We reserve the right to amend this notice at any time. A notice of any significant change will be published on the platforms of E&S WATCHES AND JEWELLERY LTD.

Nevertheless, it is your personal responsibility to check for changes made in our Personal Data Protection Policy.