Privacy Policy

Privacy Policy

AERO PB OOD (Company, Controller) is aware of the need to apply adequate protection of personal data of data subjects, committing itself to respect privacy. This Privacy Notice (“Notice”) is designed to support data subjects understand how and for what purposes the Company processes, uses and protects personal data.

For the purposes of its activities, the Company processes personal data in strict accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) (‘GDPR’), the Personal Data Protection Act and other applicable regulations and the Notice.

This Notice provides information on:

Definitions

Scope of this Privacy Notice

The data that identifies the Controller and its contact details

Categories of personal data

Data subjects whose personal data are processed

For what purposes is personal data processed

What is the legal basis the personal data processed on?

Recipients of personal data

Terms for personal data retention

Rights of data subjects and way of exercising them

Granting consent and withdrawing consent

Right to lodge a complaint to a supervisory authority

Measures for security of personal data

Definitions:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means;

‘Controller’ means Aero PB OOD which, alone or jointly with others, determines the purposes and means of the processing of personal data;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Website’ means the website – www.aeropb.com

Scope of this Privacy Notice

This Privacy Notice applies to the relationship between Aero PB OOD on the one hand and data subjects who visit and use the Website, on the other. The Notice aims to inform data subjects about their rights in accordance with Art. 12 et seq. of Regulation (EU) 2016/679.

The data that identifies the Controller and its contact details

The personal data controller is “Aero PB” OOD with address: Sofia, Mladost district, residential complex Mladost 1A, 33 Alexander Malinov Blvd., office 205 e-mail: aeropb@aeropb.com; website – www.aeropb.com; tel.: +359 2434 9130.

Categories of personal data

The company processes the following categories of personal data, observing their accuracy:
• When sending messages through the Website:
Data subjects may send a message to the Controller through the contact form on the Website. In this case, the Controller shall process the following categories of personal data: names, email, phone number, IP address and message.

•   When posting comments under posts on the Website:

Data subjects are free to post their comments under publications on the Website. In these cases, they shall provide the following personal data: names, email and comment below the post.

•   When visiting the Website:

The data subjects are free to view the Company’s Website, in which case the Controller shall collect the IP address of the visitors of the Website.

•   Marketing goals:

The Controller may process personal data for marketing purposes, where applicable, for example by subscribing to a newsletter or by sending marketing messages. In this case, it shall collect from data subjects names, e-mail, telephone number.

The Controller’s website shall collect data in log files. This information shall be collected by visitors and users of the Website and contains the IP address, which browser is used, the operating system used, when the Website was visited and the pages visited. The data in the log files are processed by the Controller in order to achieve better functionality of the Website and provide services therein.

When personal data are provided by the data subject to the Personal Data Controller without legal grounds under Art. 6, paragraph 1 of Regulation (EU) 2016/679 or in contradiction with the principles under Art. 5 of the same Regulation, within one month of being aware the Company shall return them, and if this is impossible or requires disproportionately large efforts, shall delete or destroy them. Deletion and destruction shall be documented.

Data subjects whose personal data are processed

The controller shall process personal data of the following categories of data subjects:
• Visitors and users of the Website.

For what purposes is personal data processed

The controller shall process personal data for the following purposes:
• Processing of inquiries from data subjects in connection with the products and services offered by the Company;
• Marketing purposes;
• Administrative activities, including legal services and information services.

What is the legal basis the personal data processed on?

The company shall process personal data on the basis of the following legal grounds:
• The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• The processing is necessary in order to take steps at the request of the data subject prior to entering into a contract;
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Recipients of personal data

The Company may share personal data of data subjects with the following categories of recipients:
• State institutions and bodies with sovereign powers, when by law the Controller is obliged to provide personal data, such as – the Ministry of Interior, the Prosecutor’s Office of the Republic of Bulgaria, the National Revenue Agency and others;
• Employees of the Controller who process personal data in accordance with the assigned official/labour functions according to the job description and employment contract;

The Company shall put in place appropriate technical and organizational measures to guarantee the rights and freedoms of data subjects in accordance with the principle of “integrity and confidentiality”. In particular, the controller shall select appropriate recipients who have taken the necessary guarantees to protect the personal data provided to them and, in view of the risks involved, to ensure the appropriate level of security, including where appropriate:
• Pseudonymization and encryption of personal data;
• Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The controller shall not transfer personal data provided to him by data subjects to third countries outside the European Union. The transfer of personal data in this case may be carried out in accordance with the rules of Chapter V of Regulation (EU) 2016/679.

Terms for personal data keeping

Aero PB OOD shall keep personal data in accordance with the principle of “storage limitation”. In particular, for the above purposes, the Company will keep:
• Personal data of data subjects who have sent a message through the contact form on the Website are stored in accordance with the purpose of the message;
• The personal data of data subjects who have published a comment under publications on the Website shall be kept until the deletion of the publication;
• The personal data of data subjects given on the basis of consent for marketing purposes shall be stored in due time until its withdrawal in a proper manner.

Rights of data subjects and way of exercising them

The data subjects, whose data are processed by the Controller, have:
• Right of access to personal data, including to receive a copy of them;
• Right to rectify inaccurate or incomplete personal data;
• Right to delete (“right to be forgotten”) their personal data;
• Right to restriction of processing;
• Right to data portability;
• Right to object.

The above rights may be exercised by sending an application in electronic form to aeropb@aeropb.com, signed with a qualified electronic signature in accordance with the Electronic Document and Electronic Signature Act. The rights may also be exercised by submitting a written application on the spot in the office of the Company.

Granting consent and withdrawing consent

The Company may request the consent of the data subjects as a lawful basis for the processing of personal data for one or more purposes. Consent must be a freely expressed, specific, informed and unambiguous indication of the will of the data subject.

Consent may be revoked at any time in the ways described above for the exercise of rights by data subjects.

Right to lodge a complaint to a supervisory authority

In accordance with the General Data Protection Regulation and the Personal Data Protection Act, data subjects have the right to lodge a complaint with the Commission for Personal Data Protection at: Sofia, 2, Prof. Tsvetan Lazarov blvd., or through the website: www.cpdp.bg.

Measures for security of personal data

The controller shall take the necessary measures for the security of personal data. All paper documents containing personal data shall be kept in locked cabinets in the offices of the Company, and only authorized persons shall have access to them. The Controller’s premises shall be equipped with alarm systems, which help to restrict unauthorized access to the data.

The access to the information systems of the Company shall be through unique user accounts and passwords for each employee. Staff members shall pass training immediately after being hired and shall fully respect the rules of confidentiality, with a ban on sharing personal data with unauthorized persons.