top of page
20241025_214718.jpg

PERSONAL DATA PROTECTION POLICY

I. Introduction

This Personal Data Protection Policy (“Policy”) sets out the rules regarding the protection of the personal data of individuals using the website carpycast.com (“Platform”), owned by KARP-23 Ltd., registered in the Commercial Register and the Register of Non-Profit Legal Entities with the Registry Agency, with UIC 207875145, with its registered office and management address at 63 “Svilen Rusev” St., Bobov Dol, Bulgaria.

KARP-23 Ltd. fully complies with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (“Regulation”), effective as of 25 May 2018, as well as the Personal Data Protection Act (PDPA).

By using the website carpycast.com, you accept and agree to comply with this Personal Data Protection Policy, the Cookie Policy, and the Terms and Conditions of the Website.

II. Definitions

“Personal Data” means any information relating to a natural person (a “Data Subject”) who is identified or can be identified, directly or indirectly, by reference to an identifier such as a name, personal identification number, location data, gender, address, telephone number, online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing of Personal Data” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making data available, alignment or combination, restriction, erasure, or destruction.

“Data Subject” means any natural person who is a User of the Website.

“Website/Site” means the content of the domain carpycast.com and its subdomains.

III. Principles of Personal Data Protection

  1. Lawfulness, Fairness, and Transparency
    Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. Accordingly, KARP-23 Ltd. collects and processes your personal data solely for the purposes set out below:

  2. a) Management of your request

  3. i. On the basis of the contract concluded between you and us, we process information regarding the type and content of the contractual relationship, including:

  4. Contact personal data – full name, contact address, email address, telephone number

  5. Identification data – full name, personal identification number or foreigner’s personal number, permanent address

  6. Email correspondence, letters, information regarding your requests for problem resolution, complaints, petitions, and claims

  7. b) Retention of correspondence related to the reporting of issues and similar matters;

  8. c) Communication with the User and sending information to them;

  9. d) Compliance with statutory and regulatory obligations.

  10. Purpose Limitation
    Personal data must be collected for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. KARP-23 Ltd. collects and processes your personal data for the following purposes: creating a user profile and providing full functionality when using the Website.

  11. a) Statistical purposes;
    b) Information security protection;

  12. Data Minimization
    Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. KARP-23 Ltd., in its capacity as a Data Controller, applies anonymization or pseudonymization of personal data where possible in order to reduce risks to the affected data subjects.

  13. Accuracy
    Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data, considering the purposes for which they are processed, are erased or rectified without delay. KARP-23 Ltd. shall not be liable for incorrectly provided data by its Users.

  14. Storage Limitation
    KARP-23 Ltd. stores your personal data for no longer than the period until consent for processing is withdrawn. After deletion of your profile or successful completion of the service, the Controller takes the necessary steps to delete and destroy all your data without undue delay or to anonymize them (i.e., render them in a form that does not reveal your identity).

  15. Integrity and Confidentiality
    KARP-23 Ltd. processes your personal data in a manner that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying appropriate technical and organizational measures.

  16. Where required by law, we may provide your personal data to a competent public authority or to a natural or legal person.

IV. User Rights

Every User of the Website enjoys all rights for personal data protection in accordance with Bulgarian law and European Union law.

Right of Access
The right of access allows every User to obtain a copy of their personal data, as well as detailed information about whether their data is being processed lawfully. Each Data Subject has the right to know the following:

a) The purposes for which their personal data is being used
b) The categories of personal data processed
c) Whether the company has shared the data with third parties, and if so, who those parties are
d) All sources from which the company obtained their personal data
e) The retention period for their data
f) Other rights they have against the company, including the right to correct their data, delete their data (under certain circumstances), or restrict or object to the use of their data
g) If the company uses their data in automated decision-making (e.g., decisions made by AI or algorithms), meaningful information about the logic behind the algorithm, as well as the significance and consequences of such processing
h) Whether the data is transferred outside the European Union, and if so, what safeguards are in place to protect their data

Right to Erasure
The Data Subject has the right to request the deletion of their personal data without undue delay when any of the following grounds apply:

a) The personal data is no longer necessary for the purposes for which it was collected or processed
b) The Data Subject withdraws consent on which processing is based, and there is no other legal basis for processing
c) The Data Subject objects to processing under Article 21(1) GDPR and there are no overriding legitimate grounds, or objects under Article 21(2) GDPR
d) The personal data has been unlawfully processed
e) The personal data must be erased to comply with a legal obligation under EU or Member State law applicable to the controller
f) The personal data was collected in relation to the offering of information society services under Article 8(1) GDPR

Right to Data Portability
The Data Subject has the right to receive the personal data concerning them that they have provided, in a structured, commonly used, and machine-readable format, and to transfer those data to another controller without hindrance, when:

a) Processing is based on consent under Article 6(1)(a) or Article 9(2)(a) GDPR, or on a contract under Article 6(1)(b) GDPR
b) Processing is carried out by automated means

Right to Object
Users have the right to object to the processing of their personal data by the controller. The controller must cease processing unless it demonstrates compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims. Objections to the processing of personal data for direct marketing purposes must be honored immediately.

V. Processing of Anonymized Data

We process your data for statistical purposes, meaning for analyses where the results are only aggregated, and therefore the data is anonymized. Identification of any individual from this information is impossible.

For Compliance with Legal Obligations
In some cases, the law may require us to process your personal data. In such instances, we are obliged to carry out processing, for example:

a) Obligations under the Anti-Money Laundering Act;
b) Fulfillment of obligations related to distance selling or sales outside commercial premises, as provided in the Consumer Protection Act;
c) Providing information to the Consumer Protection Commission or third parties as required under the Consumer Protection Act;
d) Providing information to the Personal Data Protection Commission in relation to obligations under data protection legislation;
e) Obligations under the Accounting Act, the Tax and Social Security Procedure Code, and other related regulations concerning lawful accounting;
f) Providing information to courts and third parties during judicial proceedings, in accordance with the applicable legal requirements;
g) Age verification for online purchases.

Retention Periods
Data collected in accordance with a legal obligation is deleted once the obligation to collect and store it has been fulfilled or has expired. For example:

a) Under the Accounting Act, accounting data is stored and processed for 11 years;
b) Obligations to provide information to courts, competent authorities, or other grounds specified by applicable law are retained for 5 years.

VI. Data Security

To ensure maximum security during the processing, transfer, and storage of your data, we may use additional protective measures such as encryption, pseudonymization, and others.

Guaranteeing the security and confidentiality of the personal data you entrust to us is our priority. Therefore, KARP-23 Ltd. implements all appropriate technical and organizational measures in accordance with applicable legal requirements, taking into account the nature of the personal data provided and the risks associated with its processing. These measures are designed to maintain data security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion, or unauthorized access to your data.

VII. Incident Reporting Procedure

Every User has the right to file a complaint regarding the unlawful processing of their personal data with the Commission for Personal Data Protection or with the competent court.

Name: Commission for Personal Data Protection
Registered Office and Management Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Correspondence Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Phone: +359 2 91 53 518
Website: www.cpdp.bg

VIII. Contact Information:

Every User may submit an inquiry or exercise their rights under this Personal Data Protection Policy via the following email address: carpycast@abv.bg and/or through the contact information provided in the “Contacts” section of the Website.

Date: 02.12.2024

[1] “Pseudonymization” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Reference: GDPR Article 4

Frequently Asked Questions (FAQ)

Terms and Conditions

Contact

Personal Data Protection Policy

Cookie Policy

About Us

bottom of page