Privacy Policy for
"Journey Through Bulgarian Heritage – You Have 681 Reasons"
Welcome to the privacy policy of „Journey Through Bulgarian Heritage – You Have 681 Reasons“!
Protecting your data is important to both you and us. This Privacy Policy explains why and how we will process your personal data when you use it to participate in „Journey Through Bulgarian Heritage – You Have 681 Reasons,“ referred to hereafter as the „Campaign“. This Privacy Policy applies solely to the processing of data during the campaign by UPASS AD, including the use of the website at the following domains: www.681prichini.bg and www.681reasons.bg (referred to as the „Website“ or „Webpage“).
Personal Data „Data“ or „Personal Data“ means any information related to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This data protection policy contains information on how we process your data when you interact with us through this Website and when you:
- Fill out the required information to participate in the Campaign;
- Send an inquiry;
- Interact with us in any other way;
Your data is processed by UPASS AD, registered in the Commercial Register at the Registry Agency with UIC 207327088 („UPASS“). As a data controller, UPASS adheres to the following principles:
- Personal data is processed only when there is a legal basis for processing;
- Personal data is processed solely for specific and clearly defined purposes;
- Only the minimum amount of data necessary to achieve the purposes mentioned above is processed;
UPASS takes reasonable measures to keep personal data accurate and up to date and to delete it promptly once the processing purpose is no longer applicable, except where archiving obligations apply to UPASS;
- Personal data is processed in a manner that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures;
- The controller is responsible for and must be able to demonstrate compliance with the principles outlined above.
- The controller collects personal data for the purposes of identifying and communicating with participants, fulfilling legal obligations of the controller, and preventing, detecting, and investigating any types of violations and abuses committed through unauthorized participation in the Campaign, which may harm the interests of UPASS, its partners, or other persons.
- This policy contains the main principles and procedures for collecting, processing, and storing the personal data of participants in the Campaign, developed, maintained, and provided by the Controller. Before participating in „Journey Through Bulgarian Heritage – You Have 681 Reasons,“ you must carefully read and understand this policy. During registration, you will have the opportunity to consent to the processing of your data by the Controller. Providing such consent binds you to the terms of this Policy.
- A data subject is not entitled to participate in the Campaign if they have not read and/or do not accept the Policy. Therefore, the Controller requires participants’ consent to the Policy. If a participant does not agree with the Policy or a relevant part of it, they are not permitted to register for participation in the Campaign.
- To give consent for data processing and accept this Policy, clients must be at least 18 years old or of legal age according to the law of the country of their citizenship. The Controller may require data to identify clients to determine if they are of legal age at the time of providing consent.
Data Controller The data controller of the personal data processed under this privacy policy is: UPASS AD, UIC: BG207327088, with its registered office and management address at Bulgaria, Sofia, Sredets District, Dobromir Khriz, 3 (hereinafter referred to as the „Controller“ or „We“).
Processing of Personal Data Processing personal data refers to any operations performed on personal data. Examples include (but are not limited to) collection, recording, organization, structuring, storage, modification, consultation, use, disclosure, combination, deletion, and destruction of data. Before requiring consent for data processing, the Controller provides the data subjects with the following information:
- The data identifying the controller and contact details, and where applicable, those of the controller’s representative;
- Contact details of the data protection officer, where applicable;
- The purposes of the processing for which the personal data is intended, as well as the legal basis for the processing;
- The types and categories of personal data for which consent is requested;
- The recipients or categories of recipients of the personal data, if any;
- Where applicable, the intention of the controller to transfer the data to a third country or an international organization, and the existence or absence of a Commission decision on the adequate level of protection or, in the case of data transfers according to Article 46 or 47 or Article 49(1)(2), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they are available.
- Data is stored for the periods specified for each type of personal data provided in this Policy. Storage is conducted in accordance with the procedures outlined in the Policy.
- Notwithstanding the provisions of the Policy, the Controller has the right to provide personal data to public authorities when the data is requested by these authorities in the exercise of their powers (e.g., the police, investigative authorities, the prosecution, or the court for the purposes of administrative, civil, or criminal proceedings as evidence or in other cases established by law).
Privacy Policy This refers to this privacy policy and its future amendments. „Journey Through Bulgarian Heritage – You Have 681 Reasons“ (hereinafter referred to as the „Campaign“) is a campaign aimed at inspiring locals and tourists to rediscover the spirit of Bulgaria, promoting cultural and historical sites in Bulgaria, urban tourism, and the digitization of the tourism sector, bringing numerous benefits and developing tourism in Bulgaria to a higher level. „User,“ „Participant“ refers to anyone who registers to participate in the Campaign. „Participants“ refers collectively to all individuals who decide to join the campaign.
CATEGORIES OF PERSONS TO WHOM WE DISCLOSE PERSONAL DATA
Processors of Personal Data Processors of personal data are individuals who process personal data on behalf of and as instructed by UPASS AD based on a written agreement. They are not allowed to process the provided personal data for purposes other than performing the work assigned to them.
Examples of Personal Data Processors Partners who require personal data to process and send the prizes to the winning participants.
HOW WE COLLECT PERSONAL DATA In connection with participation in the Campaign, UPASS AD collects user data through the registration form they fill out.
Data directly collected from you includes:
- Data provided during registration for participation;
- Contact or inquiry data;
Automatically generated data includes:
- Data on visited sites and purchased tickets;
- Data on participation in the Campaign;
- Traffic data when using the platform to fulfill the conditions set in the Campaign;
Categories of Personal Data Processed Under This Policy The personal data we process under this policy includes:
User Data
- To participate in the Campaign, a user must fill out a registration form, which includes: • Names • Email • Phone
Traffic Data Data we collect based on visits to the Website. This includes information that shows: • The number of visits; • The time spent on the Website; • The number of participants; • The number of clicks on individual sections that have this option; • The way traffic is generated to the Website.
Purpose of Processing Personal Data We use users’ personal data to register them for participation in the Campaign. Participation in the campaign is entirely voluntary but requires the collection of user data. For certain operations related to processing participants’ personal data in the Campaign, we may request their explicit consent. It is important to note that we do not perform activities involving automated decision-making based on profiling participants, which have legal consequences for them or similarly significantly affect them.
Processing for the Purposes of Contract Performance Data processing operations aim to provide users with the opportunity to register for participation in the Campaign and to fully benefit from it.
We Process Data to Maintain the Campaign Website To maintain the normal functioning of the Campaign Website and to address issues, it is necessary to process data on how users use it (traffic data).
The data we process for this purpose includes: • Data on the use of the Website; • Device data; • Traffic data.
We Process Data for Statistical and Analytical Purposes We process data on visited sites to understand the attendance and interest in each, which subsequently helps us with ideas and suggestions for their development.
Through the analysis of aggregated data: • We measure the number of users who visit and participate in the Campaign and thus obtain aggregated information; • We measure what actions users take on the Website; • We create marketing reports to guide the marketing performance of the Campaign.
RIGHTS OF DATA SUBJECTS The data subject has the right to exercise the following rights under the Regulation: Right to be informed – to receive information about what data related to them is processed by the Controller, for what purpose, for what period it is stored, and to whom it is provided; Right of access – to receive a copy of the personal data related to them processed by the Controller; Right to erasure, where one of the requirements of Article 17(1) of the Regulation is met; Right to rectification – to request the controller to rectify without undue delay inaccurate personal data related to them; Right to restriction of processing, in the cases described in Article 18(1) of the Regulation; Right to data portability – to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format and to transfer those data to another controller; Right to object to the processing of personal data concerning them, which is based on Article 6(1)(d) or (e), including profiling based on these provisions; Right not to be subject to a decision based solely on automated processing.
Exercising the data subjects’ rights described above is free of charge. When a data subject’s requests are manifestly unfounded or excessive, particularly due to their repetitive nature, the Controller has the right to refuse to act on the request or to charge a reasonable fee, considering the administrative costs of providing the information or communication or taking the requested actions. Requests to exercise data subjects’ rights under the Regulation should be submitted to the data protection officer, or if one is not appointed, to the designated contact person. To verify the legitimacy of the request and to protect third parties’ personal data, the Controller may request names, PIN, and ID number of the data subject when submitting a request to exercise their rights under the Regulation for the purpose of identifying the data subject. These data are stored by the Controller for a period of 1 year from the submission of the respective request to exercise a right and may be used solely for the purpose of identifying the data subject in the event of a reported violation or abuse in connection with the submitted request. The Controller communicates any rectification, erasure, or restriction of processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The Controller informs the data subject about these recipients if the data subject requests it.
DATA PROTECTION OFFICER If a data protection officer is appointed, the Controller informs data subjects of this circumstance, providing contact details for the data protection officer. The data protection officer has the rights and obligations described in the Regulation and the Policy, as well as in the job description if the officer is an employee of the Controller or in the service agreement if the officer performs the duties under a service contract.
PERSONAL DATA BREACHES If the Controller’s employees with access to data notice security breaches (actions or inactions by individuals that may lead to or have led to a risk to data security), they must immediately notify the Controller and designated contact persons, as well as the data protection officer, if any. The Controller decides on the necessary measures to address the data security breach and its consequences and to notify affected individuals, where applicable, considering the risk factors for data security breaches, the degree of impact of the breach, possible damages, and consequences thereof. Where applicable, the Controller notifies the Data Protection Commission immediately, but no later than 72 hours after identifying the breach, specifying:
- A description of the nature of the personal data breach, including, if possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected personal data records;
- The contact person from whom more information can be obtained;
- A description of the possible consequences of the personal data breach;
- A description of the measures taken or proposed by the controller to address the personal data breach, including measures to mitigate any possible adverse effects.
In the cases mentioned above, the Controller notifies the affected data subjects of the personal data breach without undue delay but no later than one week after identifying the breach. When the circle of affected data subjects cannot be established, the Controller notifies those data subjects most likely to be affected by the breach. In the cases mentioned above, as well as when notifying affected data subjects would require disproportionate effort, the Controller makes a public announcement or takes another similar measure so that the data subjects are equally effectively informed.
CONTACT INFORMATION For more information on the personal data processed by the Controller, the Regulation, and the Policy, as well as for exercising the data subjects’ rights under the Regulation, the Controller designates the following contact person: Email: office@urbostudio.com, Phone: 0700 70 270
FINAL PROVISIONS The Policy may be amended by the Controller in the event of changes in the scope of processed data, purposes, and methods of processing, changes in regulations governing personal data processing, or for other reasons. The Policy and its amendments take effect from the date of their adoption and publication on the internet in a manner that makes them accessible to users of the Campaign. The Controller informs data subjects of any amendments to the Policy. Since the Policy is a unilateral act of the Controller, explicit consent may not be required. When the Policy amendment involves changes in the scope of processed data, purposes, or methods of processing, the Controller requires the data subjects’ prior consent. When processing is necessary to provide the Controller’s services through the Website, data subjects’ consent may be a mandatory condition for access provision. If data subjects believe that there is a violation of the personal data protection regulations, they may file a complaint with the Data Protection Commission. More information can be found at https://www.cpdp.bg/ The Controller is not responsible for the accuracy of the data provided by clients, does not perform checks in this regard, and does not guarantee the actual identity of the individuals who provided the data. In all cases of doubts by data subjects, established fraud, and/or abuse, they have the right to notify the Controller without affecting their rights to report to competent public authorities. Participants are responsible for any violations of others’ rights related to the protection of their personal data or other rights.