KPNC Stone Equipment

Personal data protection

In the data protection information set out below, we inform you about the processing of personal information carried out by KPNC OOD (“Administrator”) in accordance with the General Data Protection Regulation (“GDPR”). Our information on data protection applies to the following websites, applications and other services and activities (hereinafter collectively referred to as “Services”): www.kpnc-stone.com.

Please read our data protection information carefully. If you have any questions or comments about our data protection information, contact us at office@kpnc-stone.com.

Consent to the processing of personal data. Ways of collecting personal data
Processing of personal data:

– when the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract;

– when the processing is necessary for compliance with a legal obligation that applies to the administrator;

– on the basis of the consent of the subjects of personal data;

– in all other cases which, according to the General Data Protection Regulation, are recognized as lawful.

– Consent to the processing of personal data of the subjects of personal data should be freely expressed (not given under pressure or threat of adverse consequences), specific (separate consent for each specifically defined purpose), informed (given on the basis of full, accurate and easily understandable information), unambiguous (not derived or assumed on the basis of other statements or actions of the person whose personal data is processed); given by active action: by express statement or clear affirmative action, incl. online.

– Consent to the processing of personal data by the Administrator is not bound by prior conditions and does not lead to adverse consequences for the person if he refuses to provide it or if he subsequently withdraws it. In these cases, however, it is possible that the subjects of personal data may not be able to use the full range of services provided by the Company, for which the Company notifies them (depending on the specific case).

– In order to comply with the principle of accountability of personal data controllers, the consent of personal data subjects is documented in order to prove its existence.

– Any person whose personal data is processed by the Administrator based on his consent has the right to withdraw his consent at any time.

– The personal data that is processed by the Administrator is received directly from the subjects of personal data, based on their documented consent, meeting the requirements of para. 1 above, or indirectly – through public registers, public information, information from state and other authorities and any other lawful means of collecting information.

Minimum information provided to the subjects of personal data:

– the data that identify the Administrator and the contact details for reaching him;

– the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

– the legitimate interests pursued by the Administrator or by a third party;

– the recipients or categories of recipients of the personal data, if any, and any intended transfer of personal data;

– the period for which the personal data will be stored, and if this is impossible, the criteria used to determine this period;

– the existence of a right to request from the controller access to personal data, correction or deletion of personal data or restriction of the processing of personal data related to the data subject, or the right to object to the processing, as well as the right to data portability;

– the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent before it is withdrawn;

– the right to lodge a complaint with a supervisory authority;

– whether the provision of personal data is a mandatory or contractual requirement or a requirement necessary for the conclusion of a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences if this data is not provided;

– the existence of automated decision-making, including profiling, as well as the meaning and intended consequences of this processing for the data subject.

Purposes for using personal data
Personal data is processed for the following purposes:

– Carrying out sales and after-sales service for the company’s customers (warranty and post-warranty service);

– Marketing and advertising of the company’s activities, sending an online newsletter;

– Conclusion and management of employment contracts and civil contracts for the provision of services by individuals;

– Conclusion of contracts for the provision of goods and/or services to which the Company is a party;

– Carrying out any other actions that are within the scope of the Company’s activity, with or without concluding a written contract.

Provision of personal data
Statutory obligations.

– Personal data is provided ex officio after a justified request and permission from the responsible employees processing the personal data by filling in a control sheet, which indicates the person who received the personal data and the purpose, and for data stored on an electronic medium through ensured software traceability.

– Individuals have the right to access their personal data, including the right to be “forgotten”, for which they submit a written application to a “specialist – information data processing”, who is assigned by these rules to be a personal data processor. The application may be submitted electronically, in person or through an authorized person. Submitting the application is free.

– The application contains the name of the person and other data that identify him, a description of the request, the preferred form of providing access to personal data, signature, date and address for correspondence, and a power of attorney when the application is submitted by an authorized person. The application is filed in the administrator’s general incoming register.

– Applications are accepted at the email address: office@kpnc-stone.com.

Access is provided through:

– oral reference;

– written reference;

– review of the data by the person himself or someone authorized by him;

– provision of a copy of the requested information in electronic or paper form.

– Upon submission of a request to provide access, the representative of the administrator examines the application for access or orders the processor of personal data to provide the access requested by the person in the form preferred by the applicant. The deadline for considering the application and ruling on it is 14 days from the day of submission of the request, or 30 days when more time is needed to collect the personal data of the person, in view of possible difficulties in the activity of the administrator. The decision is communicated to the applicant in writing, in person against a signature or by mail with return receipt, and when the request is submitted by e-mail – to the specified e-mail address. When the data do not exist or cannot be provided on a certain legal basis, the applicant is denied access to them with a reasoned decision. The refusal to grant access can be appealed by the person before the authority and within the deadline specified in the letter.

– Only the personal data processors with the relevant access password have access to the personal data of the persons contained on a technical medium.

– In addition to the officials processing personal data, access is also lawful for the officials directly involved in the preparation and verification of the legality of the documents of the persons – manager, chief accountant, lawyer – as well as for the persons carrying out technical accounting operations for the processing of the documents. Processors of personal data are obliged to provide them with access upon their request, for which accountability is maintained through ensured software traceability.

– Information about customers and counterparties is not taken outside the administrator’s building. No official or third party has the right to access the customer profiles and information, unless the same is required in a proper way by bodies of the judicial power (court, prosecutor’s office, investigative bodies, Ministry of Internal Affairs, NII). The access of these bodies to the personal data of individuals is lawful.

– The person’s consent is not required if the processing of his personal data is carried out only by or under the control of a competent state body for personal data related to the commission of crimes, administrative violations and unauthorized disabilities. Such persons are provided with access to personal data, and if necessary, they are provided with appropriate conditions for working in the company’s premises.

– The access of the revising state bodies is also legal, duly legitimized with relevant documents – written orders of the relevant body, which indicate the reason, the names of the persons, and for the purposes of their activity it is necessary to provide them with access to the personnel files of the staff.

– The administrator communicates his decision to grant or deny third parties access to the personal data of the relevant person within 30 days of submission of the application or request.

– When implementing a new software product for processing personal data, a special committee should be set up to test and verify the capabilities of the product with a view to complying with the requirements of EU Regulation 2016/679 and ensuring their maximum protection against unlawful access, loss, damage or destruction.

– Disciplinary sanctions are imposed under the Labor Code for non-fulfillment of the obligations attributed to the relevant officials under these regulations and under Regulation EU 2016/679, and when the non-fulfillment of the relevant obligation is found and established by an appropriate authority – as provided for in the Law on Protection of Personal Data and EU Regulation 2016/679 – an administrative penalty (fine) is imposed. If, as a result, the actions of the relevant official in the processing of personal data have resulted in damage to a third party, the latter may seek liability under general civil legislation or under criminal law, if the act constitutes a more serious act for which criminal liability is provided.

Notification of personal data breach
– Every employee processing personal data is obliged to monitor the security of the personal data entrusted to him.

– In the event of a violation of the security of personal data, the processing employee immediately notifies the manager of the company, and in his absence, the “specialist – information processing of data”.

– The manager and/or the “specialist – information processing of data” immediately form a commission consisting of the “specialist – information processing of data” together with the administrator, a computer specialist and a legally competent lawyer, to take all necessary legal and factual actions to stop the violation and minimize the damage caused by it.

– Within 72 hours from the detection of the violation, the commission appointed by the administrator notifies the Commission for Personal Data Protection and prepares a written report to the manager on the nature and extent of the violation, as well as on the possible damages. Notification is not made if the breach of personal data security is unlikely to result in a risk to the rights and freedoms of natural persons. The notification is made within 72 hours of becoming aware of the violation and contains the information required by EU Regulation 2016/679.

– The person responsible for performing all actions and taking all necessary measures in case of violation of the security of personal data is the Manager of the Company. Depending on the specific case of breach of personal data security, the Manager takes appropriate measures to limit the damage and prevent further breaches of data security. Without the list being exhaustive, such measures can be: additional measures for the physical and other security of the premises where personal data is stored; restriction of employees’ access to personal data; implementation of electronic means of protection for electronically stored information – access passwords, anti-virus programs, cryptographic programs and other security measures for electronic systems.

– The administrator shall document any personal data security breach, including the facts related to the personal data security breach, its consequences and the actions taken to address it. The documentation is carried out in electronic form and is stored indefinitely, and upon request, it is provided to the supervisory authority.

– In the event of a breach of personal data security, when there is a possibility that the breach will create a high risk for the rights and freedoms of natural persons, the Company shall notify the affected data subjects as quickly as possible. The notice is prepared in accordance with the requirements of the General Data Protection Regulation. A notification to affected personal data subjects is not sent if any of the following conditions are met:

the administrator has taken appropriate technical and organizational protection measures and these measures have been applied to the personal data affected by the breach, in particular measures that make the personal data unintelligible to any person who does not have access authorization to them, such as encryption;

the administrator has subsequently taken measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

it would result in a disproportionate effort for the Administrator. In such a case, a public announcement or other similar measure is taken so that the data subjects are equally effectively informed.

Your rights
– Overview

In addition to the right to withdraw your consent, you have the following rights, subject to the relevant legal requirements:

– the right of access to your personal data stored by us (Article 15 of the GDPR), in particular you can request information on the purposes of the processing, the categories of personal data, the categories of recipients to whom your data is or will be disclosed, the envisaged storage period, and the source of your data if it is not directly obtained from you;

– the right to rectification of inaccurate data or completion of incomplete data (Article 16 of the GDPR);

– the right to erasure of your data stored with us (Article 17 of the GDPR), provided that the applicable requirements are met, in particular that no legal or contractual storage periods or other legal obligations or rights to further storage by us apply;

– the right to restrict the processing of your data (Article 18 of the GDPR), insofar as the accuracy of the data is disputed by you (for a period that allows us to verify the accuracy of the personal data); the processing is unlawful, but you refuse the deletion; we no longer need the data, but you nevertheless require it for the establishment, exercise or defense of legal claims; or pursuant to Article 21 of the GDPR you have objected to the processing (pending verification of whether our legitimate interests prevail over yours);

– the right to data portability according to Article 20 of the GDPR, i.e. the right, in the case of processing based on your consent (Article 6(1)(a) of the GDPR) or for the performance of a contract (Article 6(1)(b) of the GDPR) which is carried out in an automated way, to receive your data stored by us in a widely used, machine-readable format or to request its transfer to another controller (the latter where technically feasible).

You can exercise the above rights at office@kpnc-stone.com.

You also have the right to file a complaint with a supervisory authority. For this purpose, you can contact the supervisory authority at your usual place of residence or place of work, or our company headquarters.

Right to object – You have the right to object at any time to the processing of your personal data for advertising purposes (“Objection to Advertising”). In addition, you have the right to object to data processing for reasons arising from your specific situation, based on Article 6(1)(f) of the GDPR. We will then stop processing your data unless we demonstrate – in accordance with legal requirements – that there are compelling legal grounds for further processing that override your rights, or that the processing serves the establishment, exercise or defense of legal claims. You can assert your objection rights at office@kpnc-stone.com.

Right of Withdrawal – If we process data based on your consent, you have the right to withdraw that consent at any time. Your withdrawal does not affect the lawfulness of the data processing carried out on the basis of the consent(s) before the withdrawal. You can assert your right of withdrawal at office@kpnc-stone.com. You can fully or partially withdraw your consent to the use of cookies or to the processing of your personal data at any time.

Provision of personal data to third parties.
Transfer of personal data

– The company provides the received personal data to third parties when this is necessary to fulfill its obligations towards the subjects of personal data. The company does not transfer personal data to other countries of the European Union or to third countries outside the European Union.

Personal data protection measures

– The administrator takes appropriate technical and organizational measures to ensure the security of the personal data processed by him, namely:

Physical protection;

Personal protection;

Documentary protection;

Protection of automated information systems and networks;

Cryptographic protection.

– The physical protection of personal data is ensured through a set of applicable technical and organizational measures to prevent unregulated access and protect the buildings and premises where personal data processing activities are carried out.

The main organizational measures for physical protection include:

determining the premises where personal data will be processed;

determining the organization of physical access.

Premises in which personal data will be processed are defined as all premises in which personal data is collected, processed and stored in view of the normal course of the work process in the Company. Access to them is physically limited and controlled – only for employees with a view to fulfilling their official duties and if their place of work or their job description allows access to the relevant register with personal data.

– The technical means used for the physical protection of personal data are in accordance with the current legislation and the level of impact of this data. All physical areas with paper and electronic records are restricted only to employees who must have access on a “Need to Know” basis in order to perform their job duties.

– All records and paper documents containing personal data are kept in locked cabinets, with access allowed only to authorized personnel.

– Access to systems processing personal data electronically is limited by unique user IDs and passwords, and electronic media, including servers, are adequately protected in access control areas.

– The main technical measures for physical protection include:

use of signaling and security equipment;

use of locks and locking mechanisms;

cabinets, metal boxes;

equipping the premises with fire alarm and fire extinguishing means.

– Documents containing personal data are stored in cabinets that must be locked. Keys to the cabinets are owned only by the persons specifically assigned (with an express order or by virtue of their official duties and job description).

– The equipment of the premises where personal data is collected, processed and stored includes: alarm and security equipment, locks to restrict access to authorized persons only; lockers and fire extinguishers.

– The main measures for personal protection of personal data are:

Obligation of employees to undergo training and familiarize themselves with the regulations in the field of personal data protection and the current internal rules, as the completed training and briefing with the rules for the protection of personal data is certified by a signature on the protocol for the briefing on the protection of personal data sample data;

Acquaintance and awareness of the dangers for personal data processed by the Administrator;

Prohibition of sharing critical information (identifiers, access passwords, etc.) between staff and any other persons who are unauthorized;

Declaration of consent to undertake an obligation not to distribute personal data.

For personal data assessed with a higher degree of risk, such as sensitive personal data, the following additional measures also apply:

Conducting specialized trainings for work with and protection of personal data, in case the specifics of official duties require it;

Training of personnel to react to events threatening data security, in case the specifics of official duties require it.

– The main measures for documentary protection of personal data are:

Determining the registers to be maintained on paper;

Determination of the conditions for processing personal data – personal data are collected and processed only for a specific purpose, directly related to the fulfillment of legal obligations and/or the normal business activity of the Administrator, and the method of their storage takes into account the specific needs for processing and the physical carrier of the data;

Regulation of access to personal data registers – access to personal data registers is limited and granted only to authorized employees, in accordance with the principle of “Need to know”;

Determination of storage periods – personal data are stored no longer than is necessary to fulfill the purpose for which they were collected or until the expiration of the period specified in the current legislation.

Destruction procedures: Documents containing personal data, the storage periods of which have expired and which are not necessary for the establishment, exercise or defense of legal claims, are destroyed in an appropriate and secure way (e.g. burning, shredding, electronic erasure and other fit-for-purpose methods tailored to the physical data carrier).

The following additional measures apply to personal data assessed with a higher degree of risk:

Control of access to registers, limiting access to staff or, in limited cases, to other specially authorized persons, in accordance with the principle of “Need to know” in order to fulfill their duties;

Rules for reproduction and distribution, which allow the copying and distribution of personal data only in cases where this is necessary for legal needs, arises as a requirement of law and/or a government authority, and only to persons to whom the data are necessary in connection with the performance of assigned work. Unauthorized copying and distribution is subject to disciplinary sanctions and other measures if it constitutes another type of violation, apart from a violation of labor discipline.

– The protection of automated information systems and/or networks includes a set of applicable technical and organizational measures to prevent unregulated access to the systems and/or networks in which personal data is created, processed and stored. The main measures to protect automated information systems and/or networks processing personal data include:

Identification and authentication through the use of unique user accounts and passwords for each person accessing the Administrator’s network and resources. The application of this measure aims to regulate levels of access and introduce access consistent with the “Need to Know” principle;

Management of the registers, consistent with limiting access to the relevant register only to persons who are directly in charge and/or officially engaged in its keeping, maintenance and processing;

Managing external links and/or connectivity, including:

Defining the scope of internal networks: All local wired networks and/or point-to-point telecommunications connections that are under the control and administration of the Administrator are considered internal networks. External networks are all networks, including wireless networks, the Internet, Internet connections, network connections with third parties, and network segments of third-party hosting systems that are not under the administrative control of the Administrator.

Regulation of access to the internal network: Only employees and/or persons specially authorized by the Manager have access to the internal network. Access to the network and the processed personal data is provided with a view to fulfilling their direct official duties and is in accordance with the “Need to know” principle. The minimum security level required to access internal networks is identification with a unique username and password.

Administration of access to the internal network: Responsibilities related to the implementation of access administration are assigned to persons with the necessary qualifications. Responsibilities also include activities related to approving the installation of all network access devices, technologies and software, including switches, routers, wireless access points, network access points, Internet connections, connections to external networks and other devices, technologies and software that can allow access to the internal networks of the Administrator.

Control of access to the internal network: Responsibilities related to the implementation of access control are assigned to persons with the necessary qualifications. They are obliged to take adequate measures to minimize the risk of unauthorized (physical and/or remote) access to the Administrator’s networks.

– Malware protection includes:

the use of standard configurations for each computer and/or network platform, such that the system software and, if possible, the application software is controlled, installed and maintained by persons authorized by the Manager;

use of the built-in protection functionality of the operating system and/or hardware, which is set up only by persons authorized by the Administrator. Any modification and/or deactivation of the protection systems by unauthorized persons is prohibited;

enabling automatic protection and scanning for malware and updating antivirus definitions. Users are prohibited from opting out of automatic software processes that update virus definitions;

prohibition of data transfer from infected computers. If a computer system is suspected or found to be infected, the person working with it is obliged to notify the Manager and stop any work and/or sending of information from the infected computer (via external media, e-mail and/or other means of electronic exchange of information). Until the malware is removed, the infected computer should be immediately isolated from internal networks.

– Policy on creation and maintenance of recovery backups, which regulates:

The main purpose of archiving is the prevention of loss of information related to personal data, which would hinder the normal functioning of the Administrator’s activity.

Method of archiving: the information should be archived in an appropriate way and on a medium outside the specific physical computer, and allow the complete recovery of the data in the event of the destruction of their main medium.

Responsibility for archiving rests with the person processing the personal data.

The period of archiving should be in accordance with the current legislation.

The archive should be stored in another physical room. All archives containing confidential and/or business information must be stored with physical access control.

Main electronic data carriers are: internal hard disks, write-once and/or rewritable external media (external hard disks, rewritable cards, memory tapes and other information carriers, write-once carriers, etc.).

Personal data in electronic form are stored according to the legally defined terms.

Data that is no longer needed for the purposes of the Administrator and whose storage period has expired is destroyed (e.g. by cutting, shredding, burning or permanent deletion from electronic media).

Remote access to internal networks of the Administrator is not provided. The staff is not provided with remote Internet access to the electronic registers with personal data for the performance of their official duties.

Prohibition of possession and use by personnel of hardware or software tools that could be used to compromise the security of information systems. This group also includes tools that facilitate copyright infringement, reveal secret passwords, identify security vulnerabilities, or decrypt encrypted files. The use of hardware or software that remotely monitors traffic on a network or operating computer is also prohibited. For unauthorized use of such tools, the employee is subject to disciplinary punishment, and if the violation is not only disciplinary or constitutes a crime – also according to the procedure provided for sanctioning this violation/crime.

– Measures related to creating a physical environment include physical access control (signal and security equipment, locks, metal grids and other applicable methods), creating a suitable working environment, including by maintaining appropriate temperature and humidity levels as well as a fire alarm system. They are aimed at providing an environment for normal functioning, protecting IT equipment from unauthorized access and controlling the risk of damage and destruction.

– In relation to personal data, measures related to cryptographic data protection through the standard cryptographic capabilities of operating systems, database management systems and communication equipment are also applied.

– The administrator implements adequate technical and administrative control measures (restriction of IP, physical location, unique username and password, setting all workstations to “automatic screen lock” mode when there is no activity for more than 30 seconds, etc.), thus ensuring that only authorized employees gain access to the data to perform their assigned functions.

– The identification of the persons authorized to work with personal data must also include identification through a unique user account, which contains the user’s name and password, rights to access the system and use its resources.

– In order to increase the security of access to information, employees must change the passwords they use at a certain period, not longer than 3 months. In the event that the basis for access to personal data ceases, the rights of the relevant persons are suspended (including by deleting the account).

– The hardware used for storing and processing personal data meets modern requirements and allows guaranteeing a reasonable degree of fault tolerance, data backup and recovery capabilities and the working state of the environment.

– In case of need for repair of the computer equipment, its provision to the service organization is carried out without the devices on which personal data are stored.

– The administrator uses only properly licensed software. Installation and/or use of any other software whose licensing is not settled is prohibited.

– Employees who are assigned to sign official correspondence with a qualified electronic signature (QES) do not have the right to provide their issued QES to third parties or to share its PIN with third parties.

“Administrator of personal data” is “KPNC” Ltd., a company registered under the laws of the Republic of Bulgaria, with its headquarters and management address in Plovdiv district, Asenovgrad municipality, Asenovgrad town, “Hristo Botev” №4, Tel: +359 888 934 011, represented by the managers of the company Petar Tashev and Krastyo Boyarov.

Processing personal data

– “Processors of personal data” are officials from the administration of “KPNC” OOD, holding the following positions:

Accountants;

Managers;

Seller-consultants;

Consultants from the “Internet Sales” department.

Other provisions
– The control over the implementation of the present internal rules is entrusted to the manager of commercial affairs.

– The company keeps records of its personal data processing activities in accordance with Article 30 of EU Regulation 2016/679.

– The company does not process personal data that pose a high risk within the meaning of Regulation EU 2016/679, therefore it does not carry out an impact assessment in accordance with the requirements of the Regulation.

– The company does not perform profiling in the sense of the General Data Protection Regulation.

– These rules are issued on the basis of EU Regulation 2016/679 for an inspection of compliance with the rules for the protection of personal data and an assessment of the impact of EU Regulation 2016/679 on the activities of “KEPIENSI” OOD.

– The rules were adopted by the decision of the manager of the company dated 27.05.2018 and enter into force from the date of their adoption.

– Amendments and additions to these rules are made by the manager of the company.

– A copy of the Rules is available to employees and customers in the company’s administrative building.

– A copy of the Rules should be published on the company’s website.

These Internal Rules are in force from 15.02.2024.