Privacy Policy
We at Bagso International Ltd. are committed to the confidentiality, security and protection of our clients' personal data and would like you to be aware of how we collect, use and process your personal data. We process your personal data in accordance with the principles of lawfulness and transparency.
Information about the Administrator who processes and stores your data:
Name: Bagso International Ltd.
UIC/BULSTAT: BG207491479
Headquarters and management address: Gabrovo, 22 Hristo Konkilev Street
Correspondence address: Gabrovo, 22 Hristo Konkilev Street
Phone: +359 52 870 022
Email: support@bagsotalia.bg
Website: https://bagsotalia.bg/
Information about the competent supervisory authority for personal data protection:
Name: Personal Data Protection Commission
Headquarters and management address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Correspondence address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Phone: 02 915 3 518
Website: www.cpdp.bg
Concepts used
- “Personal data” - any information relating to an identified or identifiable living natural person. Individual data which, when collected together, can lead to the identification of a specific person also constitute personal data. For example, such are: first and last name, home address, email address, identity card number, location data, Internet Protocol (IP) address.
- “Website”/ “site” - a separate location on the global Internet network, accessible through its unified address (URL) via HTTP, HTTPS or other standardized protocol and containing files, programs, text, sound, picture, image or other materials and resources.
- "Processing" - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Controller" - a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the controller or the specific criteria for his determination may be laid down in Union law or Member State law.
- "Pseudonymization" - the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that it is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
General information
Art.1 This Privacy Policy applies to the Personal Data that We Process when you interact with our website located at Bagso.bg regardless of whether you use a computer, mobile phone, tablet, TV, home appliance or other device to access our services.
(2) This Privacy Policy may be amended at any time in the event of changes in applicable laws, as well as in the case of changes in the way your Personal Data is processed. The current version of the Privacy Policy will always be available on this page, and at the end of it you will find the date of the last update. We may notify you in the event that the changes made significantly affect your rights.
(3) The processing of Personal Data will always be in accordance with the General Data Protection Regulation 2016/679 (the “Regulation”). For the purposes of this Privacy Policy, the terms “personal data”, “data subject”, “processing”, “third party”, “data subject’s consent” have the same meaning as provided by the European legislator when implementing the Regulation.
Data we process
Art.2 (1) You do not need to provide Personal Data to use our Website, but if you wish to use certain of our services through our website, the Processing of Personal Data may become necessary.
(2) We collect the following Personal Data that you provide to us while using our Website:
First and last name - In order to individualize the person registering in the online store, for the purposes of fulfilling the distance purchase contract, exercising consumer rights, etc., establishing contact via the communication form, etc.
Delivery address - In order for the goods subject to the distance sales contract to reach the final recipient who has ordered them through the online store
Telephone number - For the purpose of contacting a user who has concluded a distance purchase contract, sending notifications about a delivered shipment, as well as in view of the requirements of the forwarders who perform the delivery service of the requested goods.
E-mail - For the purpose of communicating by email, sending verification upon registration, changing access data to the user's profile itself, etc.
Other personal data provided by you - For the purpose of fulfilling the distance purchase contract,
(3) In addition, if you give your prior consent, we collect information about your use of our Website – this is done through so-called cookies. The information could include time and frequency of visits to the website, browser type, operating system type, network and IP address information, and more. For more information about cookies and how you can manage them, visit our Cookie Policy.
Purposes of processing
Art.3 (1) We use your Personal Data only for specific purposes, previously indicated at the time of collection and after your explicit Consent (where Consent is the legal basis for processing), or for additional compatible purposes in accordance with the law.
(2) The purposes for which we process your Personal Data are:
- to respond to your inquiries submitted through our contact form;
- for the performance of contracts concluded remotely and the dispatch of products that you order through our website;
- to provide effective service to our customers and to improve the content and functionality of our website;
- to improve the quality of our services;
- to contact you to provide you with newsletters, special offers, useful tips, updates and information that we think will be of interest to you;
- to contact you with information regarding the use of our website;
- to ask for your opinion about our products and services;
- for the purposes of our marketing and advertising activities;
- for the purposes of accounting reporting to government authorities;
- for any other purpose in accordance with this Privacy Policy or for which we have obtained your specific Consent.
(3) When processing your personal data, we adhere to the following principles:
- Legality, good faith and transparency;
- Limitation of the purposes of processing;
- Minimizing data in accordance with the objectives;
- Storage limitation in order to achieve the objectives;
- Accuracy and timeliness of data;
- Integrity and confidentiality of processing and ensuring their security.
Provision of Personal Data to third parties
Art.4 (1) Your Personal Data may be provided to third parties only on condition that they undertake the same obligations to ensure adequate levels of protection as provided for in the Regulation.
(2) It is also possible that your Personal Data may be transferred to third parties acting on our behalf for further processing in accordance with the purposes for which it was originally collected or to be lawfully Processed in another way, such as delivery of ordered goods, hosting services, evaluation of the usefulness of this website, marketing, data management or technical support.
(3) In accordance with paragraph 2, users should note that as of 23.01.2023, our company transfers their personal data to BigArena EOOD (UIC: 204072747), in connection with the fulfillment of the obligation to forward and transfer possession of the ordered goods. The personal data we provide are explicitly specified in Article 2, paragraph 2, items 1-3 of this document.
(4) When transferring personal data to third parties, the company implements appropriate technical and organizational measures to guarantee the rights of users and the protection of personal data. The administrator selects only third parties that have taken the necessary guarantees to protect the personal data provided to them and, in view of the existing risks, to ensure the appropriate level of security, including where appropriate:
- pseudonymization and encryption of personal data;
- ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ability to promptly restore the availability and access to personal data in the event of a physical or technical incident;
- a process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to ensure the security of processing.
(5) The personal data we collect from you may be processed, accessed and stored outside the European Union in countries with a lower level of protection of Personal Data than that provided for in the Regulation. In case we provide your Personal Data to external companies in other jurisdictions, we will ensure that such transfers of Personal Data are protected by appropriate safeguards provided for in the Regulation, such as standard data protection clauses. You have the right to request a copy of the available standard data protection clauses on the basis of which we transfer your Personal Data to such countries. Where the risk to the protection of your Personal Data is very low, we may rely on your informed consent for such transfers.
(6) The Administrator provides personal data to third parties if required to do so by applicable law, court order, subpoena or government act; if we believe in good faith that disclosure is necessary to protect legal rights, protect your safety or that of others; as part of a criminal or other legal investigation or proceeding in the Republic of Bulgaria or abroad.
(7) We do not transfer, sell or exchange your Personal Data to third parties, except with your express consent.
(8) It is possible to provide analytical data to third parties based on the use of cookies. If you would like to find out more about the cookies we use, please visit our Cookie Policy.
Legal basis for processing
Art.5 (1) We process your personal data on the basis of your voluntary consent, pursuant to Article 6, paragraph 1, point a) of Regulation (EU) 2016/679.
(2) In case the processing of Personal Data is necessary for the performance of a contract to which you are a party, the processing is based on Article 6, paragraph 1, point b) of the Regulation.
(3) In case we, as the Controller, have a legal obligation under which the Processing of Personal Data is necessary, such as for the fulfillment of tax obligations, the processing is based on Article 6, paragraph 1, point (c) of Regulation (EU) 2016/679.
(4) Processing that does not fall under the legal grounds mentioned above but is necessary for the legitimate interests of our company, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, is based on Article 6(1)(b) of Regulation (EU) 2016/679. In this case, the legitimate interest is to carry out our business for the benefit of our customers, employees and partners.
Personal data retention periods. Data security.
Art.6 (1) Your Personal Data will be stored only for the period necessary to fulfill the purposes for which they were collected. Upon fulfillment of the relevant purposes, the stored data will be deleted or anonymized.
(2) Your personal data is stored for the period of our contractual relationship and for a certain period thereafter, imposed by legal obligations.
(3) Where there are no other grounds for us to retain (part of) your Personal Data, you may request the deletion of the information about you. For more information, see the section "Your rights".
Art.7 (1) The Administrator shall use the most appropriate organizational, technical and administrative measures to protect Personal Data. For this purpose, all legal and technical measures for the protection of Personal Data shall be applied in accordance with Article 32 of Regulation 2016/679, as well as taking into account the latest technological developments.
(2) Despite all measures taken to protect information, the Administrator is not liable in the event of a leak of personal data as a result of a cyberattack or other force majeure circumstance beyond its direct control and for which it cannot be held responsible.
Rights of users whose personal data is processed.
Art. 8. You have the right to access your personal information, as well as to know whether we process your Personal Data and the ways in which we process it, including the purposes of processing, types of data, recipients of data, your rights, etc. If you wish to exercise the right of access, you can contact us at any time.
Art.9 When the processing of your Personal Data occurs in an automated manner based on your Consent or on the basis of a contractual agreement, you have the right to receive a copy of your data in a structured, commonly used and machine-readable format, transferred to you or to another party. To exercise your right to data portability, you should fill out the form according to Appendix No. 3 and send it to the specified contacts.
Art.10 You have the right to request correction of your Personal Data without undue delay if such data is inaccurate, as well as to have the data completed in case of incomplete information. You can correct your personal data directly in your Bagso.bg user panel or by contacting us at the contacts specified at the end of the Privacy Policy.
Art.11 (1) You have the right to request the deletion of all personal data processed by us, or to delete it yourself through the user panel, at any time, in the following situations:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- You wish to withdraw your consent on which the processing of the data is based pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation and there is no other legal basis for the processing;
- You wish to object to the processing pursuant to Article 21(1) of the Data Protection Regulation and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the Regulation;
- Personal data has been processed unlawfully;
- The personal data must be erased for compliance with a legal obligation under European Union law or the law of a Member State to which the controller is subject;
- The personal data were collected in connection with the provision of information society services pursuant to Article 8(1) of the Regulation.
(2) Provided that we have provided your Personal Data to third parties, we undertake to take appropriate steps, including technical measures, to inform those third parties that you have requested the deletion of your data or copies or replicas of those personal data.
(3) The right to be forgotten cannot be exercised in the following situations:
- if you have an open order that has not yet been sent or has been partially sent;
- if you have an outstanding debt to us, regardless of the payment method;
- if you are suspected of abuse or have abused our services;
- if you have made a purchase, we will retain your personal data in connection with your transaction in accordance with legal obligations.
(4) The right to be forgotten can also be exercised by sending a form according to Appendix No. 2 to the Personal Data Administrator.
Art.12 Right to object to processing based on legitimate interest:
You have the right to object to the processing of your Personal Data based on our company's legitimate interest. We will stop processing your Personal Data unless we can demonstrate compelling legal grounds for doing so that override your interests and rights or due to legal claims.
Right to object to direct marketing:
Art.13 (1) You have the right to object to receiving marketing communications, including profiling and analysis for direct marketing purposes.
(2) You can opt out of direct marketing in the following ways:
- by following the instructions in each message received in your email;
- by editing the settings in your user panel;
Art.14 You have the right to request restriction of Processing when one of the following circumstances applies:
- if you claim that your Personal Data is inaccurate, we will restrict the Processing until the accuracy of the data has been verified.
- the processing is unlawful, but the data subject does not want the personal data to be erased, but instead requests the restriction of their use;
- if we no longer need your personal data for the purposes of the Processing, but they are necessary for the establishment, exercise or defense of legal claims;
- if you object to the Processing based on our legitimate interest, in which case we will restrict the Processing of the data pending the outcome of the verification of the legitimate grounds.
Art.15 (1) You have the right to withdraw your consent to the Processing of your Personal Data at any time, where such Processing is based on consent.
(2) The withdrawal of consent does not affect the lawfulness of the processing of personal data that the Administrator has carried out up to that point.
(6) To exercise the right to withdraw consent to the processing of personal information, you should fill out a form according to the template in Appendix No. 1 and send it to the specified contact addresses.
Art. 16 (1) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her, unless the decision: (1) is necessary for entering into, or the performance of, a contract between the data subject and a controller; or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) is based on the data subject's explicit consent.
(2) For your information, the implementation of our activities does not require the making and application of automated decisions, including profiling.
Art.17 If you wish to exercise any of your legal rights, or need assistance in exercising them or have questions related to them, you can contact us at any time at the contacts listed at the end of the Privacy Policy.
Amendment to the Privacy Policy. Final Provisions.
Art.18 (1) The Administrator reserves the right to change and update the Privacy Policy, and users are informed of the changes through a message on the website, by sending an electronic message via email or by notification in the users' profile.
(2) The updated Privacy Policy shall apply to users unless, within 14 days of its publication on the website of the platform, the user declares that he rejects it. In this case, if the user has an active account, it will be deactivated and all personal data about him will be deleted.
Art.19 (1) If there is evidence that we are processing your Personal Data in an unlawful manner, you have the right to file a complaint with a supervisory authority in the European Union. The supervisory authority of the Republic of Bulgaria is:
Personal Data Protection Commission
Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
email: kzld@cpdp.bg
phone: 02/91-53-555
(2) As a data controller, we have a specially appointed Data Protection Officer in accordance with the requirements of Article 38 of the Regulation to ensure that your Personal Data will always be processed in an open, fair and lawful manner. You can contact our Data Protection Officer at +359 52 870 022.
This Privacy Policy was adopted on 20.01.2023.
Applications for exercising consumer rights:
Appendix No. 1 - Consent Withdrawal Form