Personal Data Protection

PRIVACY POLICY

With reference to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), enforced onto the territories of all Member States on the 25th of May 2018,Philly Vibe AD has the capacity of ADMINISTRATOR of the data of its employees, contractors, contractors under civil contracts, customers and other individuals whose data is being processed and stored by the Company.
“Data” is any information which directly identifies or is capable of identifying an individual.
“Data subject”is an individual who can be identified directly or indirectly by an identification/name, identification number, location data, online identification or feature(s) specific for the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity.
Philly Vibe AD keeps registers related to the subjects’ data which is processed and stored within appropriate terms. The Company has developed appropriate policies and internal rules and has undertaken the necessary technical and organizational measures to guarantee the protection of data of its customers, employees, contractors and other individuals- data subjects.
Philly Vibe AD complies with the GDPR (Regulation (EU) 2016/679) and shall process data of data subjects only under the terms and conditions enlisted in the GDPR.
According to GDPR the grounds for data processing are:

  • Consent of the data subject- individual consent is given  for each purpose;
  • Completion of contract;
  • Legal obligation;
  • Protection of vital interests of the subject or a third person;
  • Public interest purpose;
  • Legal interests, pursued by the administrator or a third party.

Data are processed only in relation to specific purpose and when the latter is completed or it drops off, the administrator shall not have the right to keep data. The data have to be stored for the shortest time period possible. This period has to be adjusted with the reasons for which the administrator processes data, as well as with all legal obligations for data processing for a certain time frame (for example national labor and tax laws or laws for fight against fraud which require from the administrator to store the data of its employees for a certain time period, duration of the product’s warranty etc.).
Philly Vibe AD complies with the rights of data subjects, enlisted in GDPR regarding personal data protection and precisely: right of information- during the individuals’(data subjects) data collection they have to be explicitly informed at least of:  who the data administrator shall  be; for what purpose shall their data be used; categories of personal date; legal grounds of their data processing; for how long shall the data be kept; who else can obtain them; whether their data shall be transferred to a recipient outside EU; the data subjects have to be informed of their right to obtain a copy of the data (personal data access right); right to correct the data; right to delete (right to be forgotten); right of objection before the administrator, right of the subjects to file a complaint with the Supervising authority (the Commission for personal data protection) when they consider that their rights are violated; right to withdraw their consent at any time ; right to request “human interference” in the event of automatic decision making; right to object against data processing through video surveillance; right to object against direct marketing.
Manner of exercising the data subjects’ rights:

  • Right of information and access to personal data: Upon request for data access you have the right to obtain a copy of your personal data. That however, does not mean that you have to obtain a copy of the documents which include the data, but that the administrator has to provide you the data in a comprehensible form- for example if codes are used, a key to these codes shall be provided so that the subject can comprehend. The access requests should be prepared in written/electronic form as a request in free form (you can use blanks from the administrator) and  addressed to the Data protection officer at the enlisted in the request contact details- registered address, e-mail or recommended with return receipt at the postal address. The request is to include all details of the subject, type of data and any other information which can assist the administrator to locate and identify your personal data. The administrator may request additional information in order to specify the data or the processed activities to which the request is addressed.Access can be granted to archived data but not to deleted data. The administrator provides response to the request within a term of 1 (one) month starting from the receipt date. Please, bear in mind that the administrator has the right to refuse access to your data in certain occasions (for example if it is not clear for which data is required access or if it is not clear who filed the request, as well as when it is a matter of national and public interest) as in all cases the administrator has to motivate the refusal. In the event of refusal you have the right to file a complaint with the Supervising authority for data protection (for example if the data are encrypted).
  • Right to correct the data which are inaccurate or outdated (for example, correction can be requested when the name, address or other information regarding the data subject is incorrect or whena change has occurred in the already provided information). For this purpose you have to file a separate request in free form (you can use blanks from the administrator; please, turn to the Data protection officer enlisted in the present declaration), addressed to the Data protection officer of the administrator. In the request, you should enlist the data that is to be corrected, as well as your current data. If the administrator refuses to amend the data, he has to explain the grounds of the refusal by informing you of your right to file a complaint with the Supervising authorityfor data protection (Commission for personal data protection).
  • Right to limit data processing this does not mean deletion of data but that the administrator can store data and the purposes for which the data are being stored are strictly limited.Limitation shall be allowed on the following occasions:

(i) When you reckon that your data are not correct, as in this case the limitation is for a term during which the administrator shall verify the accuracy of the data;
(ii) When the data processing is unlawful however you do not wish for the data to be deleted, but rather their usage to be limited;
(iii) When the administrator does not need your data anymore for the purpose of the processing, but you, as a data subject, require the data to establish, exercise or protect legal claims;
(iv) When you have objected to the processing upon expecting a verification whether the legal grounds of the administrator have advantage over your interests.
For the purpose, if one of the conditions listed in this Section C) is present, you should file a request in free form (you can use blanks from the administrator; please, turn to the Data protection officer enlisted in the present declaration), addressed to the Data protection officer of the administrator. If the administrator refuses to limit your data, he has to do so explicitly and in written form, by relying on the legitimate reason for the refusal.
4) Right to request your data to be deleted without necessary delay i.e. the administrator shall erase your data from all systems and records where they are stored, and is to notify all third parties/data administrators to whom he has provided the data.
Request for deletion can be filed on the following grounds:
(i) Personal data are no longer necessary for the purposes for which they were collected.
(ii) When you have withdrawn your consent;
(iii) When you have objected to the processing when the latter is unlawful;
(iv) When the data have to be deleted for the purpose of preserving a legal obligation under EU law or the law of a Member State which is applicable to the administrator;
(v) When the data have been collected in relation to providing services to the information society.
For the purpose you have to file a request in free form (you can use blanks from the administrator; please, turn to the Data protection officer enlisted in the present declaration), addressed to the Data protection officer of the administrator at the enlisted contact details.
The administrator may refuse to delete the data on the following grounds:
A) Exercising the right of free speech and the right of information;
B)  Compliance with a legal obligation by the administrator or for completion of a task of public interest, or exercising official powers which are provided to the administrator;
C) Reasons of public interest in thefield of public health;
D) For the purpose of archiving in public interest, for scientific or historical researches or for statistical purposes, as far as there is probability for the deletion to make impossible or to severely threaten the achievement of the processing’s purposes; or to establish, exercise or protect a legal.
If the administrator refuses to delete the data, he has to explain the reasons for that by notifying you of your right to file a complaint with the Supervising authority (Commission for personal data protection).
5) Right to object to data processing at any time. The objection should be addressed to the administrator at the enlisted contact details. The objection should include the grounds related to your case, on the basis of which you object to the processing. Your right to oppose to direct marketing is absolute (i.e. you do not need to point out grounds for the objection)  After receiving the objection, the administrator shall terminate the data processing unless convincing legal grounds for the processing are provided which have advantage before your interests or to exercise legal claims. If the administrator overrules the objection he has to explain the reasons behind the decision by informing you of your right to file a complaint with the Supervising authority (Commission for personal data protection).
6) Right to complain against data processing or non-compliance with the rights of subjects with relation to data protection before the competent supervising authority. Contact details of the supervising authority: Commission for personal data protection: City of Sofia 1592, Blvd. Prof. Tsvetan Lazarov №2, https://www.cpdp.bg.
7) When there is a risk of data security breach, the administrator is obliged to notify of the nature of the breach and what measures were taken to eliminate it, as well as whether the Supervising authority had been notified.
Upon each data processing Philly Vibe AD provides to the subjects clear and detailed messages (under the form of Privacy Declarations) which contain information regarding what purpose, for what term and in what way the Company collects and processes their personal data; all details of the administrator and the Data protection officer appointed by him; contact details of the administrator; other recipients to whom personal data is revealed;  the rights of the subjects and the practical means for their exercise. It is stated that he data shall be collected for specific and legal purposes and shall not be processed by means which are incompatible with these reasons.
On the website www.pizzalab.bgyou can find hyperlinks to Facebook, Instagram, and Youtube. If you are using Facebook, we kindly ask you to have in mind that the data administrator outside USA or Canada is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2,  Ireland. If the user clicks on the Facebook button at our website the social network keeps this information which links the personal Facebook profile of the user. The guidance for personal data protection is published at https://facebook.com/about/privacy.
YouTube is property of YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA and is subsidiary of Google Inc. During a download of video content, YouTube and Google obtain information which specific subpage has been visited by the user, as this information is being associated with the according profile in YouTube.The provisions of YouTube for data protection can be found athttps://www.google.com/intl/bg/policies/privacy/.
If you are using Instagram, more information related to data protection can be found at https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy. Instagram is property of Instagram LLC, 1 Hacker Way 14, Menlo Park, California, USA.
For protection of the data subjects and to guarantee the security of personal data Philly Vibe AD has implemented appropriate technical and organizational measures.
In the event of personal data breach, the administrator Philly Vibe shall make a specific risk assessment and in specified by GDPR cases shall inform of the breach the Commission for personal data protection, as well as the data subject.
Any information related to their rights or other matters related to personal data protection, can be obtained by the subjects upon reaching the Data protection officer appointed by Philly Vibe AD via the following contact details: dpo@pizzalab.bg, registered address: City of Sofia, Blvd. Tsarigradsko Shose  № 115з, The Mall, level 2, Pizza Lab.
Contact details of the Commission for personal data protection: City of Sofia 1592, Blvd. Prof. Tsvetan Lazarov №2, https://www.cpdp.bg.