Mandatory information about the rights of individuals with regard to the protection of their personal data
General information
The Municipal Foundation Plovdiv 2019 (hereinafter referred to as the Administrator or the Foundation) executes its operations in accordance with the Protection of Personal Data Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The information presented herein is aimed at providing guidance about all the aspects of the Foundation’s processing of your personal data and about your rights with regard to this data processing.
Information about the Foundation processing your personal data:
Name: Municipal Foundation Plovdiv 2019
EIK/BULSTAT No: 176182033
Seat and address: Plovdiv, 2 Rayko Daskalov Str.
Correspondence address: Plovdiv, 2 Rayko Daskalov Str.
Phone: 032 632970
E-mail: info@plovdiv2019.eu
Website: https://plovdiv2019.eu/bg
Information about the competent body overseeing the protection of personal data:
Name: Commission for Personal Data Protection
Seat and address: 2 Prof. Tsvetan Lazarov Str, Sofia 1592, Bulgaria
Correspondence address: 2 Prof. Tsvetan Lazarov Str, Sofia 1592, Bulgaria
Phone: 02 915 3 518
Website: www.cpdp.bg
I. Reasons for the collection, processing and storage of your personal data
Article 1. The Administrator collects and processes your personal data in connection with your use of the website https://plovdiv2019.eu/bg, the entry into contracts with the Foundation pursuant to Article 1, para 1 of the Regulation (EU) 2016/679 (GDPR), and, more specifically:
• Following your explicit consent.
• For the purpose of the Administrator’s execution of its obligations under a contract entered into with you.
• For the purpose of observing a legal obligation applied with regard to the Administrator.
• For the purposes of protection of legitimate interests of the Administrator or a third party.
II. Aims and principles that apply to the collection, processing and storage of your personal data
Article 2. (1) The Foundation collects and processes the personal data which you have submitted to us in connection with your use of the website https://plovdiv2019.eu/bg, and the entry into contracts with the Foundation, inclusive of the following purposes:
• The presentation before the public and the debating of project proposals submitted under open calls for inclusion into the art programme of Plovdiv – European Capital of Culture 2019.
• The presentation before the public of events and initiatives organized in conjunction with you and/or supported by you and included into the programme of Plovdiv – European Capital of Culture 2019.
• Individual information of a party to the contract.
• Accounting purposes.
• Statistical purposes.
• Protection of information.
• The execution of a contract for the funding of a project from the art programme of Plovdiv – European Capital of Culture 2019.
• The participation in events and trainings organized by the Foundation.
• The participation in games, raffles, and ad campaigns meant to popularize the activities of the Foundation and/or the Plovdiv – 2019 project.
• The sending of an information bulletin you have subscribed to.
(2) In the processing of your personal data, we adhere to the following principles:
• Conformity to the law, acting in good faith, transparency.
• Limitation of the purposes of data processing.
• Correspondence with the purposes of data processing and minimization of the volume of collected data.
• Accuracy and up-to-dateness of data.
• Limitation of the storage of data with regard to the accomplishment of goals.
• Integrity and confidentiality of data processing and guarantee of a sufficient level of security of personal data.
(3) During the processing and storage of personal data, the Administrator may process and store personal data for the purpose of protecting its own legitimate interests with regard to:
• The discharge of its obligations to the State Financial Inspection Agency, the Audit Office, the Public Procurement Agency, the National Revenue Agency, the Ministry of the Interior, the Municipality of Plovdiv and other state and municipal bodies.
III. Types of personal data which the Foundation collects, processes and stores
Article 3. The Foundation uses the personal data you have provided to perform the following operations:
• Entry into and execution of contracts. The purpose of this operation is the entry into and the execution of contracts and the administration thereof. In separate cases, the purpose of the operation may also be the protection of legitimate interests of the Foundation with regard to the execution of the contract. Considering the limited scope of the personal data collected and the fact that part of it comes from public sources, no impact assessment is necessary for the current operation.
• Sending of an information bulletin. The purpose of this operation is the administration of the process of sending information bulletins for the organization and development of the Plovdiv - European Capital of Culture 2019 project to partners who have expressed their wish to receive information bulletins. Considering the limited scope of the personal data collected and the fact that part of it comes from public sources, no impact assessment is necessary for the current operation.
• The announcement before the public of projects supported and funded by the Foundation and featured in the programme of the Plovdiv - European Capital of Culture 2019 project. The purpose of this operation is the administration of the process of public announcement of the programme of Plovdiv -- European Capital of Culture 2019, as well as of the people involved in its implementation. Considering the fact that part of the personal data comes from public sources, no impact assessment is necessary for the current operation.
• Registration of participants in events, training workshops and the sending of information or prizes. The purpose of this operation is the administration of the process of registration of participants in events and games, as well as the sending of prizes from games past. Considering the limited scope of the personal data collected and the fact that part of it comes from public sources, no impact assessment is necessary for the current operation.
Article 4. (1) To execute its activities, the Administrator processes the following categories of personal data and information:
• ID-related data: three names, personal ID number, citizenship, address.
• Contact data: email address, stationary/mobile phone number.
• Data related to the person’s rights with regard to the contracting party – lawful agent, proxy, an employee.
• Data related to the execution of services, orders and contracts: three names, personal ID number, address, ID document data, phone number, email address.
• For telephone communication: name.
• For the registration for bulletins/newsletters or the filling out of a contact form on our websites: given name, family name, email address.
• Other information such as preferred method and language of communication.
(2) The Administrator does not collect or process personal data that relates to the divulgence of a person’s:
• Race or ethnicity.
• Political, religious or philosophical convictions or membership in trade unions.
• Genetic and biometric data, data about the person’s health state, or data about the person’s sex life or sexual orientation.
(3) Personal data is collected by the Administrator from the persons the data pertains to.
(4) The Foundation does not do automated data-based decision making.
(5) The Foundation neither collects nor processes data about persons aged 16 or less unless their parents or legal guardians have given their express consent.
IV. Timeframes for the collection of your personal data
Article 5. The Administrator stores your personal data for the term stated in the applicable legal documents. If such a term is not stated, your data will be destroyed after the purposes for which it was collected have been accomplished.
Article 6. The Administrator will notify you in case the term of storage of your data needs to be extended for the purpose of extending a legal obligation or in the pursuit of legitimate interests of the Administrator.
V. Submission of your personal data for processing
Article 7. (1) The Administrator may, using its own judgement, submit part of or all your personal data to data-processing third parties to ensure the accomplishment of the purposes of processing which you have consented to, provided the terms of Regulation (ЕС) 2016/679 (GDPR) are adhered to.
(2) The Administrator will notify you in case it intends to submit part of or all of your personal data to third parties or international organisations.
VI. Your rights in the collection, processing and storage of your personal data
Withdrawal of consent for the processing of your personal data
Article 8. (1) If you do not want the Foundation to continue to process all or part of the personal data for a particular purpose or for all purposes of the data processing, you may withdraw your consent for processing the data at any moment. You do this by filing a request.
Right to access
Article 9. (1) You have the right to request and be given confirmation from the Administrator about whether any personal data related to you is being processed.
(2) You have the right to be granted access to the data related to you, as well as to information related to the collection, processing and storage of your personal data.
(3) Upon your request, the Administrator will provide you with a copy of the personal data related to you which is being processed. The Administrator will provide the information in electronic or other appropriate form.
(4) The granting of access to the data is free; however, the Administrator reserves the right to charge an administrative fee in case of repeated or excessive requests.
Right to correction or completion
Article 10. You may correct or complete inaccurate or incomplete personal data related to you. You do this by filing a request to the Administrator.
Right of deletion (Right to be forgotten)
Article 11. (1) You may request that the Administrator delete part or all personal data related to you, and the Administrator will be obliged to delete this data without unnecessary delay when any of the following grounds is present:
• The personal data is no longer necessary for the purposes for which it was collected, or it was processed in a different manner.
• You have withdrawn your consent on which the processing of data is based and no other legal foundation exists for the processing of the data.
• You have lodged an objection against the processing of the personal data related to you, including for the purposes of direct marketing, and no overriding legal foundations exist for the processing of the data.
• The personal data was processed in violation of the law.
• The personal data must be deleted for the purpose of the observance of a legal obligation within the EU law or the law of a member state which applies to the Administrator.
• The personal data was collected in connection with the offering of services of the information society.
(2) The Administrator will not be obliged to delete the personal data if it stores and processes it:
• For the exercise of the right of freedom of expression and the right to information.
• For the observation of a legal obligation which requires processing provided for in the law of the EU or the law of a member state which applies to the Administrator; for the execution of a task which is of public interest; or during the exercise of official powers granted to the Administrator.
• For reasons of public interest in the field of public health.
• For the purposes of archiving in the public interest, for scientific or historical research, or for statistical purposes.
• For the ascertainment, exercise or the protection of legal claims.
(3) In case of your exercising the right to be forgotten, the Foundation will delete all your data with the exception of information which is necessary for the ascertainment of the fact that your right to be forgotten has been exercised.
(4) To exercise your right to be forgotten, you send the Administrator a request via email.
(5) The Administrator may require that you verify your identity and your identity with the person to whom the data relates.
(6) The Administrator will not delete data which it has the legal obligation to store, including for the purpose of protecting itself against legal claims or for asserting its rights.
Right to limitation
Article 12. You have the right to request that the Administrator limit the processing of data related to you when:
• You contest the accuracy of the personal data. You request the limitation of data processing for a period which will allow the Administrator to check the accuracy of the data.
• The processing is illegal, but you do not want your personal data to be deleted: You want only that its use be limited.
• The Administrator no longer needs the personal data for the purposes of the processing, but you request the data for the ascertainment, exercise or protection of your legal claims.
• You have contested the processing of the data while waiting for a check whether the Administrator’s legal grounds override your interests.
Right to data transfer
Article 13. (1) You may at any time withdraw or receive in machine-readable form the data related to you which is being stored and processed in connection with the use of services provided by the Administrator. You do this by sending a request via email.
(2) You may request that the Administrator directly transfer your personal data to an administrator of your choosing, provided this is technically feasible.
Right to information
Article 14. You may request that the Administrator inform you about all the recipients who have been given access to your personal data for which correction, deletion or limitation of processing had been requested. The Administrator may refuse to provide this information if that would not be possible or if it would require disproportionate effort.
Right to protest
Article 15. You may protest at any moment the processing of your personal data by the Administrator, which relates to you, including if the data is being processed for the purposes of profiling or direct marketing.
Your rights in case of breach of security of your personal data
Article 16. (1) In case the Administrator ascertains a violation of the security of your personal data which might cause substantial risk to your rights and freedoms, it will notify you about the violation without undue delay, as well as notify you about the measures that have been taken or are about to be taken.
(2) The Administrator will not be obliged to notify you if:
• It has taken appropriate technical and organizational measures to protect the data which has been affected by the violation of security.
• It has subsequently taken measures which guarantee that the violation will not lead to a substantial risk to your rights.
• The notification would require disproportionate effort.