Regulation (EC) 2016/679 — protection of individuals with regard to the processing of personal data and on the free movement of such data.

WHAT IS THE PURPOSE OF THE REGULATION?

It allows European Union (EU) citizens to better control their personal data. It also modernizes and unifies the rules, allowing businesses to cut red tape and benefit from increased consumer confidence.

The General Data Protection Regulation (GDPR) is part of the EU's data protection reform package, along with the Police and Criminal Justice Data Protection Directive.

KEY ASPECTS

Citizens' Rights

• GDPR strengthens existing rights, provides for new rights and provides citizens with greater control over their personal data. This includes:
• easier access to their data — including providing more information about data processing and ensuring that this information is available in a clear and understandable way;
• a new right to data portability — which makes it easier to transfer personal data between service providers;
• clarification of the right to erasure ("right to be forgotten") — when an individual no longer wishes their data to be processed and there is no legitimate reason to keep it, the data will be deleted;
• the right to know when personal data has been subject to an external intrusion — companies and organizations will have to inform individuals promptly of serious data breaches. They will also need to notify the relevant data protection supervisory authority.

Enterprise Rules

• GDPR aims to create business opportunities and stimulate innovation through a number of steps including:
• a single set of EU-wide rules — it is estimated that a single, EU-wide data protection law would save €2.3 billion per year;
• a data protection officer responsible for data protection will be designated by public authorities and enterprises that process data on a large scale;
• one stop shop - businesses will only contact a single supervisory authority (in the EU country where they are primarily established);
• EU rules for non-EU companies — companies that are established outside the EU must apply the same rules when offering services or goods, or monitoring the behavior of individuals within the EU;
• rules to encourage innovation — ensuring that data protection safeguards are built intoproducts and services from the earliest stage of their development (data protection by design and by default);
• privacy-promoting techniques such as pseudonymization (where identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (where data is coded in such a way that only authorized entities can decipher it read);
• elimination of notifications - the new data protection rules will remove most notification obligations and the costs associated with them. One of the objectives of the data protection regulation is to remove obstacles to the free movement of personal data within the EU. This will facilitate the expansion of enterprises;
• impact assessments — businesses will need to carry out impact assessments where data processing may result in a high risk to the rights and freedoms of individuals;
• accounting — SMEs are not required to keep an account of processing activities, unless the processing is not regular or is likely to result in a risk to the rights and freedoms of the data subject.

We are committed to protecting your privacy and are committed to protecting your personal data. The privacy statement provides you with information about how we manage your personal data, your privacy rights and how the law protects you. Please read this statement before using our services.

In the Privacy Policy:

“Services” - all products, services, content, features, technologies or functions and all related websites and applications offered by us.

“Platform” – website/e-store, mobile application, or other online properties through which we offer our services.

"Personal data" - all data that contains identifying information (name, EIC, address, phone number, email, etc.).

"Data controller" - a person or company that determines the purposes or means of personal data processing.

1. About us:

The administrator of your personal data for the purposes of our services is Pen Silhouette OOD, a limited liability company with an address in the city of Plovdiv, Kapitan Raicho St. 55, which provides its services according togeneral conditions of the pensiluet.com e-store (hereinafter referred to as "We", "Us" or "Our" in the Privacy Policy). This company is the controller of personal data in relation to the services it offers. Contact details are specified in point 13.

<p>

2. What data about you we collect and use:

2.1.1. Data provided through direct interactions.

 Registration and other user profile information

When you register or use the order form without registration to use our Services or purchase products offered by us, we may collect the following information about you:

• If you register an account in the electronic store pensiluet.com: Your name, surname, username, email, address;
• If you shop without registration in the electronic store pensiluet.com: Your name/name of the organization and EIC of the same/, surname, phone number, email, address;

2.1.2. Information we collect automatically when you use our Services

When you access our Platform or use our Services, we automatically collect the following information about you:

Device Information

• We collect device specific information such as operating system, version, unique identifiers. For example, the name of the mobile network you are using.

User Data and Login Data

• We will save your login data to the Platform (registration date, username, email, date of last successful login)

• Data generated by users when browsing web pages
• We collect information about your activity on our Platform, which includes the browsers from which you access our Platform, date and time of visit,

Cookies and similar technologies

• We use "cookies" to manage user sessions, to store your selection of preferences related to the language used. "Cookies" are small text files transferred from a web server to your device's hard drive. Cookies can be used to collect the date and time of website visit, web browsing history, your preferences and your username. You can set your browser to refuse all or some cookies or to warn you when websites you visit set or access cookies. Please note that if you disable or decline cookies, some parts of our Services / Platform may become unavailable or may not function properly..

2.1.3. Data from third parties or from publicly available sources

We receive your personal data from various third parties [ and public sources], cawho is listed below:

1. Specific technical data and information about the use of the Services by analytics providers such as Google;
2. from ad networks such as;

iii.from search information providers such as;

2.1.4. We do not collect personal data that:

• reveal racial or ethnic origin;
• reveal political, religious or philosophical beliefs;
• disclose membership in political parties or organizations, associations with religious, philosophical, political or trade union objectives;
• relate to health, sex life or the human genome;

3. Do we collect information from children?

Our Services are not intended for persons under the age of 18, and we do not knowingly collect personal data from persons under the age of 18. If we learn that a person under 18 has provided us with personal data, we will delete it immediately.

4. Need to process your personal information?

We will only use your information and personal data where the law allows us to. We will most often use your personal data in the following circumstances:

• When we have to fulfill the contract we have concluded or are about to conclude with you.
• When we process and fulfill your order and ship it
• When necessary to protect your legitimate interests to improve our services and provide you with a safe and secure Platform.
• When we are required to comply with a legal or regulatory obligation.

Under certain circumstances, we may process your personal data based on your consent. If we do, we will notify you of the purpose and category of personal data to be processed at the time we seek your consent. Below we set out a description of the ways in which we use your personal data [and the legal grounds we rely on to do so. We also identify what our legitimate interests are].

4.1 To provide access to users and provision of Services through our Platform.

• If you use your username to access, we use your first name, last name, and email address to identify you as a user and provide access to our Platform.
• If you shop without registration, we use your first name, last name, EIC, phone number and address to confirm, process and fulfill your order
• The above log data is used by us to provide ourServices in accordance with the General Terms and Conditions.
• We use your email address and mobile number to process your orders and advise you about our Services and products that may be of interest to you.

We process the above information for the accurate performance of our contract with you and based on our legitimate interest in conducting sales activity to offer you services that may be of interest to you.

4.2. To provide you with a safe and secure Platform.

We use your mobile number, username data to administer and secure the Platform (including troubleshooting, data analysis, testing, fraud prevention, system maintenance, support, reporting and data acceptance).

p>

We process the above information for the full and accurate performance of our joint contract, to improve our Services and, based on our legitimate interest, to prevent fraud.

5. How will we notify you of changes to the Privacy Policy?

We may update this Privacy Policy from time to time. We will post the changes on this page and notify you by email or through the Platform. If you do not agree with the changes made, you have the right to delete your profile by selecting "My profile", "Login" - "profile editing".

6. User Rights

In certain circumstances, you have rights under data protection law.

If you wish to exercise any of the rights listed, please contact us using the contact form:

Right to request access to your personal data (commonly referred to as a "data subject access request"). This gives you the opportunity to obtain a copy of your personal data that we hold and to check that it is being lawfully processed.

Right to request rectification of the personal data we hold about you. We reserve the right to verify the accuracy of any new data you provide to us.

Right to request restriction of processing of your personal data. This gives you the opportunity to contact us with a request to stop processing your personal data in the following cases:

a) if you want us to prove the accuracy of the data;

b) when you believe that our use of the data is unlawful;

c) when you require us to store the data, even if we no longer need it, as you need to establish in order to exercise or prove your claims; or

d) when you have objected to the use of your data, but must checkm whether we have legal grounds to use them.

Right to request erasure of your personal data. This right enables you to contact us with a request to delete or remove your personal data when there is no valid reason for us to continue processing it. In addition, you have the right to request that we delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where you suspect that we may have processed your information inconsistently with the law requirements or when we are required to delete your personal data to comply with legal requirements. Please note that for certain purposes we may be legally required to retain your personal data (see section 10).

Right to object to the processing of your personal data when it is based on a legitimate interest (or that of a third party) and there is a basis for your specific interests which leads you to object to the processing of your personal data on this basis , considering that the processing violates your fundamental rights and freedoms. You have the right to object when we process your personal data for direct marketing purposes. In certain cases, we may demonstrate that we have compelling legitimate grounds to process information about you, which overrides your right to object.

Right to request the transfer of your personal data to you or to a third party. We will provide you, or a designated third party you have chosen, with your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information that you have originally given us your consent to use or that we have used to enter into a contract with you.

You have the right to withdraw your consent to the processing of your personal data at any time. This does not affect the lawfulness of processing that we have already carried out on the basis of your prior consent.

No fee is usually required: You have no obligation to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive. We may refuse to fulfill your request in these circumstances.

Response Time: We will do our best to respond to any legitimate request within one week of its submission. It may take us longer than the advertised time if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated. In addition, you have the right to lodge a complaint at any time with the Data Protection Commission as set out in section 13. Before filing a complaint with the Data Protection Commissiondata, we would like to learn about your grounds for complaint and claims and do our best to resolve them. Please contact us using the contact form.

7. Communications and Marketing

We will contact you via email or phone call in connection with our Services / Platform to confirm your order or registration and for other communications regarding our Services. Because it is imperative that we provide you with such communications, you may not be provided with an opportunity to opt out of receiving them.

In case you have a problem changing the settings, please contact us via the contact form.

8. Who do we share your data with?

We may share your personal data with the parties listed below for the purposes set out above in section 4.

Courier Companies: for dispatching the shipments requested by our users, we use the services of the following courier companies:

• Econt Express OOD - general conditions of the courier company< /li>
• Speedy AD - general conditions of the courier company
• Any other courier or transport company chosen by you to deliver the order!

Law enforcement, regulators and others: We may disclose your personal data to law enforcement, governmental or public authorities and other similar third parties in order to comply with any legal or regulatory requirements. We may disclose your personal data when such disclosure is necessary for the establishment, exercise or defense of legal claims, whether in legal proceedings or in an administrative or out-of-court proceeding. In these cases, we are not obliged to inform users about the disclosure of their personal data to public authorities.

9. Where do we store your data and for what period of time?

The data we collect about you will be stored and processed both inside and outside the EEA on secure servers to ensure the best possible user experience for users.

We will retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for purposes of compliance with legal, accounting or reporting requirements.

To determine the appropriate retention period for your personal data, we consider the amount, nature and sensitivitythe security of your personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.

In case you have any questions about the storage period of your personal data, please contact us via contact form.

10. Technical and organizational measures for processing security

All information we receive about you is stored on secure servers and we have implemented technical and organizational measures that are appropriate and necessary to protect your personal data. We continually evaluate the security of our network and the fitness of our internal information security program, which is designed to: (a) help protect your data from accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable security risks to our platform c) minimize security risks, including through risk assessment and regular testing

Please note that despite the measures we take to protect your data, the transfer of data over the Internet or other open networks is never completely secure and there is a risk that your personal data may become accessible to unauthorized third parties.

p>

11. Links to Third Party Sites

The Platform may contain links to third-party websites or applications. If you click on any of these links, please note that each has its own privacy policy. We do not control these websites/apps and are not responsible for their policies. When you leave the Platform, we encourage you to read the privacy notice of each website you visit.

12. Contact

For further information or to exercise your rights, please check your profile / privacy settings or contact our Privacy Department using our contact form.

For local matters related to the protection of personal data, your local supervisory authority is:

Personal Data Protection Commission

Address: Sofia, 1592 Tsvetan Lazarov Blvd. 2

Tel. +359 2 915 3580, +359 2 915 3525

http://www.cpdp.bg