TABLE OF CONTENTS:
Introduction
1. Who is responsible for your personal data? Identity and contact details of the data controllers.
2. Role and contact details of the data protection officer (DPO)
3. Purposes of the processing for which the personal data are intended. Legal basis for the processing
4. Other companies and individuals receiving your information
5. Period for which the personal data will be stored / criteria used to determine that period
6. Your rights under GDPR:
6.1. Access to your personal data
6.2. Rectification of your personal data
6.3. Erasure of personal data
6.4. Restriction of the data processing
6.5. Objection against the data processing
6.6. Data portability
6.7. The right to withdraw your consent for data processing
7. How to exercise your rights under GDPR
8. Supervisory authority and your rights to lodge a complaint
9. Is there a statutory or contractual obligation to provide us with your personal data?
10. Automated decision-making
11. Transferring personal data to a country outside the EU
12. Final provisions
INTRODUCTION
We care about your privacy and we take our obligations under GDPR seriously.
Below in this Privacy Policy, you can find detailed information about how we collect, process and use the data which you provide us.
This Privacy Policy is designed to help you understand what rights you have in connection with your personal data, including how to contact us or make a complaint.
Data processing is carried out with appropriate safeguards and in accordance with the fundamental principles of data protection legislation, and in particular – in accordance with the requirements of the General Data Protection Regulation – GDPR (officially named Regulation (EU) 2016/679 of the European Parliament and of the Council).
This Privacy Policy applies to NJ Global Ltd and Biotrade Cosmeceuticals Ltd. (operating the commercial activities under the trademark “Biotrade Cosmeceuticals”), also jointly referred to throughout this privacy policy as “Biotrade”, “we”, “us” or “our”.
SECTION 1.
WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA? IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLERS
Data controllers of the personal information, collected through our webshop and other communication channels, are:
1. NJ Global Ltd, a company incorporated and existing under the legislation of the Republic of Bulgaria (EU), registered under company number 204823481, having its seat and management address in the City of Sofia, post code 1797, 24 Vartopo Str.
2. Biotrade Cosmeceuticals Ltd., a company incorporated and existing under the legislation of the Republic of Bulgaria (EU), registered under company number 204785746, having its seat and management address in the City of Sofia, post code 1797, 24 Vartopo Str.
These are the companies, operating the commercial activities under the trademark “Biotrade Cosmeceuticals”, including the purchases of products through this website.
We are the data controllers of your personal data.
As data controllers, we are responsible for processing and storing your data in a fair, transparent, and secure manner, taking into account your best interest.
If you have any specific concerns or questions regarding your personal data, or if you would like to exercise any of your rights under GDPR, feel free to contact us at the following email address: [email protected], or by regular mail – at 24 Vartopo Str., 1797 Sofia, Bulgaria.
SECTION 2.
ROLE AND CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)
Our Data Protection Officer /DPO/ supports us in achieving lawfulness, transparency and security in the processing of your personal data and helps us keep up-to-date with the requirements of data protection legislation.
Name and contact details of our Data Protection Officer can be found on our website, in section “Contact us”.
SECTION 3.
PURPOSES OF THE PROCESSING FOR WHICH THE PERSONAL DATA ARE INTENDED. LEGAL BASIS FOR THE PROCESSING
3.1. Data processing in relation to the online purchases
By ordering a product from our website, you (as a consumer) conclude with us (as a trader) a contract for the sale of goods. This contract is concluded electronically and in the form of a “distance contract”, i.e. a contract concluded without the simultaneous physical presence of the trader and the consumer at the same place when signing the contract.
The main purpose for which we collect and use your personal data is to make the execution of this distance contract possible, including organizing the payment and the delivery of the products you order and communicating with you about your order.
For this purpose, we collect the following categories of personal data: name, shipping address, payment information and contact details: email address and telephone number.
Personal data under this p. 3.1. is being processed on the legal grounds of point (b) of Article 6 (1) GDPR – data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
3.2. Customer support, including advice on the suitability of certain products
In the course of communication with our customer support agents, you may provide us with additional information, which may be needed in order to get help with choosing the right product. Such additional data may be: description of your skin condition and type, information about certain health issues with your skin, or your photographs, sent to us through Facebook, Instagram or other communication channels.
The categories of data described under this p. 3.2. and any other personal information disclosed to us in relation to this p. 3.2. will be used by us strictly for the purpose described herein, i.e. in order to provide you with the requested additional information, support or advice.
Personal data under this p. 3.2. falling into the category of data concerning one’s health are treated as a special category of data in the sense of Article 9 of GDPR. In order to lawfully collect and otherwise process health data, we need your explicit consent, as per point (a) of Article 9 (2) GDPR. This explicit consent will be obtained from you individually for each situation where health data is provided to us, regardless of its form (e.g. written descriptions/explanations, emails, chat, photo sharing etc.).
Personal data under this p. 3.2. which does not qualify as health data is processed on the legal grounds of point (b) of Article 6 (1) GDPR /when necessary to facilitate the purchase/ and of point (f) of Article 6 (1). We believe we have the legitimate interest to expand our customer base by maintaining high standards in our customer support, which includes having detailed discussions with our potential customers. This legitimate interest of ours mirrors the best interest of the client and also corresponds to his/her consumer right to information.
3.3. Email marketing of similar products
Your email address, presented to us in the context of a purchase of one or more of our products, may be used for the purposes of direct marketing of our own similar products, in which case the legal basis for the processing would be legitimate interest in the sense of point (f) Article 6 (1) GDPR.
In the cases under this point, you will be clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of your electronic contact details when they are collected and on the occasion of each message, in case you had not initially refused such use.
We believe that this legitimate interest is well balanced against our customers’ interest to receive information about our new products, sales and special offers.
3.4. Other cases of marketing. Newsletter
We will use your contact details for the purposes of direct marketing (other than the one described above under p. 3.3.) only after obtaining your explicit consent. The same applies to the use of your email address for receiving Biotrade’s newsletter.
The legal basis for processing of your personal data in the events of this p. 3.4., is consent under point (a) Article 6 (1) GDPR.
By following the instructions in Sections 6 and 7 below, you can withdraw your consent for data processing at any time.
3.5. Creating a personal account on our website. Keeping record of your purchases
Entering and storing information on your personal profile on our website allows you to track your order, keep record of your past purchases and communicate with us.
3.6. Internal Company Statistics
Some of the personal information in your profile, such as age, history of the purchases and location, may be used for the purposes of internal statistics in our company. We believe we have the legitimate interest to use this data for statistical purposes, which is important for assessment of our processes and for defining the future trends of our business development.
3.7. Communication with authorities
Your personal data may also be processed if a state authority requires our cooperation in relation to various official proceedings, including court, administrative and investigation proceedings related to consumer claims and disputes, fraud etc.
3.8. Complaints, information requests and dispute resolutions
In addition, we will store the data related to your purchases and payments in order to make sure that this information is available in case of official proceedings such as civil litigation (e.g. if we are sued for damages), administrative and criminal investigations (e.g. if we are audited by the Revenue Agency), consumer claims, complaints and disputes etc.
The legal basis for the use of data for these purposes is our legitimate interest.
3.9. Security
Video surveillance on our business premises is conducted with the goal of ensuring our security from theft and other potential crimes, which we also qualify as our legitimate interests.
SECTION 4.
OTHER COMPANIES AND INDIVIDUALS RECEIVING YOUR INFORMATION
4.1. Payments
In order to process your payment, your payment data is shared with our money transfer service providers (bank and financial institutions among which: UniCredit Bulbank, Borika, PayPal, PaySera etc.).
When you enter your payment card details in Biotrade’s webshop, they are received directly by the money transfer service providers. Our employees do not have access to the full payment information used in these payment operations – only partial and restricted information is viewable for your protection.
4.2. Deliveries
We would share any personal information in relation to your order with the courier company handling the delivery of your product.
Your name, contact and shipping data and order information are also transferred to the fulfilment center operating in the respective territory.
4.3. Official authorities
Your personal data may be transferred or made accessible to various state authorities /investigation and administrative authorities, tax authorities, court/ in relation to official proceedings, including court, administrative and investigation proceedings related to consumer claims and disputes, fraud etc.
4.4. Accounting firms and legal professionals/firms
Biotrade uses the professional services of an unrelated accounting company and external service providers for legal services. Personal data of our customers might be provided to these external service providers for the purposes of provision of the respective professional services, as well as for support and protection in ongoing court and administrative proceedings.
4.5. Providers of software services and cloud storage space
Certain providers of our software services, such as the provider of our ERP/CRM system, as well as our cloud storage provider, store your personal data on our instructions and on our behalf (as data processors).
4.6. Security and video surveillance
Video surveillance recordings from our offices could be collected by or shared with a licensed private security company in strict compliance with the video surveillance legislation of Bulgaria.
* Except in the case of p. 4.5 above, Biotrade and the categories of recipients above act as joint controllers. Biotrade will be the point of contact for any information requests you might want to address to our partners – joint controllers.
SECTION 5.
PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED / CRITERIA USED TO DETERMINE THAT PERIOD
The personal data entered by you when creating your personal account in our webshop is stored for an indefinite period of time. You are in control of the personal data in your account and can easily edit, change or delete your personal details. You can request the termination of your account in our webshop at any time.
After your account has been terminated, we will erase all the personal data that we store for you in our webshop. However, the personal data from your account will be kept in our company’s archive for an extra period of 5 years from the date of your last purchase. Your data will be stored for this extra period for the event of possible court claims or administrative proceedings. The said 5-year period is the basic limitation period for filing court claims under Bulgarian legislation. We believe we have a legitimate interest to store your data in order to ensure our protection in the course of possible court/consumer claims and similar cases.
Data for orders and purchases, made without setting up a personal account, shall also be stored for this extra 5-year period.
SECTION 6.
YOUR RIGHTS UNDER GDPR:
6.1. Access to your personal data
You have the right to obtain access, upon your request, to the personal data held about you; you also have the right to request a copy of the personal data undergoing processing.
6.2. Rectification of your personal data
You have the right to ask for incorrect, inaccurate or incomplete personal data to be corrected.
Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
6.3. Erasure of personal data
The right to erasure of your personal data is also known as “the right to be forgotten”.
You have the right to request personal data to be erased when it’s no longer needed or if processing it is unlawful.
Please note that Art. 17 of GDPR outlines the cases where we are obliged to erase your data. In some cases we would need to keep your data, even if erasure has been requested /for example for the purposes of compliance with a legal obligation which requires processing by European Union or Bulgarian Law/.
6.4. Restriction of the data processing
Under certain circumstances, you may have the right to request from us the restriction of processing your personal data. For example, you may exercise this right, when we no longer need your personal data for the purposes of the processing, but we still need to store it in our systems and use it for situations like exercise or defense of legal claims.
6.5. Objection against the data processing
Under certain circumstances, you may have the right to object against the processing of your personal data and we can be required to no longer process your personal data. You can exercise this right for example when we use your email address for direct marketing purposes – in such cases once you object, we will no longer be able to send you any marketing materials.
6.6. Data portability
Under certain circumstances you may have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format (i.e. in digital form) and you may have the right to request the transmission of those data to another entity without hindrance from us, if such transmission is technically feasible.
6.7. The right to withdraw your consent for data processing
When the processing of your personal data is based on your consent, you can withdraw your consent at any time without giving any reason to us. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
SECTION 7.
HOW TO EXERCISE YOUR RIGHTS UNDER GDPR
If you wish to exercise any of your data protection rights, you can contact us with a written request at [email protected] or by regular mail to 24 Vartopo Str., 1797 Sofia, Bulgaria.
You may also address your request to the DPO of the company at [email protected]. We will respond to your requests without undue delay and at the latest within 1 month.
Your written request under this Section can be filed on paper or electronically and should include:
- Your name;
- The email address with which you are registered in your personal account /optional, but highly recommended/;
- Description of your request;
- Preferred communication channel /e.g. regular or electronic mail/;
- Signature /in case filed on paper/;
- Date of the request;
- Correspondence address;
- Power of Attorney – if filed on somebody else’s behalf.
* You may be asked to provide information to confirm your identity (such as clicking a verification link or providing a verification code) in order to exercise your rights.
SECTION 8.
SUPERVISORY AUTHORITY AND YOUR RIGHTS TO LODGE A COMPLAINT
The Personal Data Protection Commission (PDPC) of the Republic of Bulgaria supervises how we handle your personal data. The PDPC is an independent government authority, which monitors the lawfulness of data processing activities.
All data subjects are entitled to bring a complaint before the PDPC in regard to the processing of their personal data – contact information and more about the procedure may be found at https://www.cpdp.bg/.
The above-quoted Bulgarian authority acts in its capacity as lead supervisory authority. In certain cases, complaints might also be lodged before the local supervisory authorities of other Member states.
SECTION 9.
IS THERE A STATUTORY OR CONTRACTUAL OBLIGATION TO PROVIDE US WITH YOUR PERSONAL DATA?
You provide us with your data voluntarily, by your own will and decision. Your personal data is necessary for completing the order and organizing the delivery of the purchased products.
SECTION 10.
AUTOMATED DECISION-MAKING
At this point, automated decision-making in the sense of GDPR is not part of any of our processes, related to your personal data.
SECTION 11.
TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EU
If the recipients of your data are located outside of the EU, we will provide appropriate safeguards that your data is processed with care and diligence that would be required of any EU-based recipient.
Such transfers will be subject to binding corporate rules, standard data protection clauses adopted by the EU Commission, and other data protection mechanisms that take into account your rights.
In relation to various marketing activities, we may transfer your personal data to the following recipients outside of the EU:
- The Rocket Science Group LLC, a company, incorporated and existing in the State of Georgia, operating the Mailchimp Platform, certified in compliance with the EU-U.S. Privacy Shield Framework
- Facebook Inc. – certified in compliance with the EU-U.S. Privacy Shield Framework
- Google LLC – certified in compliance with the EU-U.S. Privacy Shield Framework /applicable also to all 100% owned subsidiaries in the US/
- Twitter, Inc. – certified in compliance with the EU-U.S. Privacy Shield Framework
SECTION 12.
FINAL PROVISIONS
This amended and extended version of our Privacy Policy was adopted by resolution of our Managing Director on 18.11.2018 and corresponds to the EU data protection legislation effective on this date.
Data subjects will be notified by email of any changes to this Privacy Policy and will be able to object to any such changes. The changes can also be communicated to you when you visit our website.