Mandatory Information on the Rights of Individuals Regarding Personal Data Protection

Information about the company processing your data:
Name: ATRA 96 Ltd.
Registered office and address: Plovdiv, Antim I St. No. 22
Phone: 032956137
Email: shop@atra-bg.com
Website: www.atra-bg.com

Information about the competent supervisory authority for personal data protection:
Name: Commission for Personal Data Protection
Registered office and address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg

ATRA 96 Ltd. (hereinafter referred to as the “Administrator” or the “Company”) conducts its activities in compliance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and the free movement of such data. This information aims to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.

Grounds for Collecting, Processing, and Storing Your Personal Data
Art. 1. The Administrator collects and processes your personal data in connection with the use of the online store www.atra-bg.com and the conclusion of contracts with the company based on Article 6, Paragraph 1 of Regulation (EU) 2016/679 (GDPR), specifically based on the following grounds:

• Explicit consent obtained from you as a customer;
• Performance of the Administrator’s obligations under a contract with you;
• Compliance with a legal obligation applicable to the Administrator;
• For the purposes of the legitimate interests of the Administrator or a third party.

Purposes and Principles for Collecting, Processing, and Storing Your Personal Data
Art. 2. (1) We collect and process the personal data you provide to us in connection with the use of the online store and the conclusion of a contract with the company, including for the following purposes:

• Creating a profile and providing full functionality when using the online store;
• Conclusion and execution of a distance contract;
• Identification of a party to the contract;
• Accounting purposes;
• Statistical purposes;
• Protection of information security;
• Ensuring the fulfillment of the contract for the provision of the respective service;
• Sending a newsletter if you have expressed a desire to receive one.

(2) We adhere to the following principles when processing your personal data:

• Lawfulness, fairness, and transparency;
• Purpose limitation;
• Data minimization, ensuring relevance to processing purposes;
• Accuracy and up-to-date status of data;
• Storage limitation in view of achieving the intended purposes;
• Integrity and confidentiality of processing, ensuring an appropriate level of personal data security.

(3) When processing and storing personal data, the Administrator may process and store data to protect its legitimate interests, including:

• Fulfillment of its obligations to the National Revenue Agency, the Ministry of Interior, and other state and municipal authorities.

Types of Personal Data Collected, Processed, and Stored by Our Company
Art. 3. (1) The company performs the following operations with the personal data you provide for the following purposes:
User registration in the online store and execution of a distance sales contract – The purpose of this operation is to create a profile for using the online store to purchase goods and to provide contact details for the delivery of purchased goods. Registration and account creation for using the online store is not a mandatory step, and the service is largely available without creating an account.
Impact assessment conclusion: Based on the impact assessment conducted, the operation “User registration in the online store and execution of a distance sales contract” is permissible and provides sufficient guarantees for the protection of data subjects’ rights and legitimate interests in accordance with GDPR requirements.

Conclusion and execution of a commercial transaction with a client or partner – The purpose of this operation is to conclude and execute a contract with a commercial partner or client and administer it. Given the limited scope of collected personal data and the fact that some of them are obtained from publicly accessible sources, conducting an impact assessment is not required.

Sending an informational newsletter (newsletter) – The purpose of this operation is to administer the process of sending newsletters to customers who have expressed a desire to receive them. Given the limited scope of collected personal data, conducting an impact assessment is not required.

Exercising the right of withdrawal or making a complaint – The purpose of this operation is to administer the process of exercising the customer’s right of withdrawal or complaint. Given the limited scope of collected personal data, conducting an impact assessment is not required.

(2) The Administrator processes the following categories of personal data and information for the following purposes and based on the following grounds:

Your identifying data (email, name, etc.)
Purpose for data collection:
Contacting the user and sending information to them;
For user registration in the online store;
For sending an informational newsletter.
Legal basis for processing your personal data – By accepting the general terms and registering in the online store or placing an order without registration, or by concluding a written contract, a contractual relationship is established between the Administrator and you, based on which we process your personal data – Art. 6, para. 1, (b) GDPR. Your data for sending an informational newsletter is processed based on your explicit consent – Art. 6, para. 1, (a) GDPR.

Data for delivery execution (names, phone number, address, etc.)
Purpose for data collection: Fulfillment of the administrator’s obligations under a sales contract and delivery of purchased goods.

Legal basis for processing your personal data – By accepting the general terms and registering in the online store or placing an order without registration, or by concluding a written contract, a contractual relationship is established between the Administrator and you, based on which we process your personal data – Art. 6, para. 1, (b) GDPR.

Additional data provided by you – If you wish to supplement your profile, you can enter your name, surname, and phone number.
Purpose for data collection: Supplementing user information in their account.

Legal basis for data processing: You have provided explicit consent for processing your personal data for one or more specific purposes – Art. 6, para. 1, (a) GDPR at the time of registration in the online store. Providing these data is not mandatory for registration in the online store.

(3) The Administrator does not collect or process personal data related to:

Racial or ethnic origin;
Political, religious, or philosophical beliefs, or membership in trade unions;
Genetic and biometric data, health data, or data on sexual life or sexual orientation.
(4) Personal data are collected by the Administrator from the individuals to whom they relate.

(5) The company does not perform automated decision-making with data.
Art. 7.
The Administrator stores the personal data of the legal representatives of its business partners for the duration of the contract, in order to comply with the legitimate interests and legal obligations of the Administrator. This period may exceed the duration of the concluded contract.

Transfer of Your Personal Data for Processing
Art. 8. (1)
The Administrator may, at its own discretion, transfer part or all of your personal data to data processors for the purposes of processing, to which you have agreed, in compliance with the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The Administrator will inform you in case of an intention to transfer part or all of your personal data to third countries or international organizations.

Your Rights Regarding the Collection, Processing, and Storage of Your Personal Data
Withdrawal of Consent for Processing Your Personal Data
Art. 9. (1)
If you do not wish for your personal data to be processed for marketing purposes and for receiving newsletters, you may withdraw your consent for processing at any time by completing the consent withdrawal form in Appendix No. 1 or by submitting a request in free-text form and sending it to us via email.

(2) Once we receive your request, we will send you an email to the address you provided for receiving newsletters and marketing messages, with detailed instructions for verifying your identity as a newsletter recipient and a data subject whose consent is being withdrawn.

(3) The withdrawal of consent does not affect the lawfulness of the processing of personal data carried out by the Administrator up to that moment.

Right of Access
Art. 10. (1)
You have the right to request and obtain confirmation from the Administrator as to whether your personal data is being processed by submitting a free-text request via email.

(2) You have the right to access your personal data, as well as information regarding the collection, processing, and storage of your personal data.

(3) Upon receiving your request, we will send you an email to the address you used for registration or for placing orders in the online store, with detailed instructions for verifying your identity as the data subject requesting access.

(4) After completing the verification in accordance with paragraph (3), the Administrator will provide you, upon request, with a copy of the processed personal data concerning you, in electronic or other appropriate formats.

(5) Access to the data is free of charge; however, the Administrator reserves the right to impose an administrative fee in cases of repeated or excessive requests.

Right to Rectification or Completion
Art. 11. (1)
You may correct or complete inaccurate or incomplete personal data related to you at any time using the “Edit Profile” option.

(2) You may also correct or complete inaccurate or incomplete personal data directly through your profile on the website or by submitting a request to the Administrator via email using the form in Appendix No. 4 or by sending a free-text request.

Right to Erasure (“Right to be Forgotten”)
Art. 12. (1)
You have the right to request that the Administrator erase part or all of your personal data, and the Administrator is obliged to delete it without undue delay if one of the following grounds applies:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
You withdraw your consent on which the data processing is based, and there is no other legal basis for the processing;
You object to the processing of your personal data, including for direct marketing purposes, and there are no overriding legitimate grounds for processing;
The personal data has been unlawfully processed;
The personal data must be deleted to comply with a legal obligation under EU or Member State law applicable to the Administrator;
The personal data was collected in connection with the provision of information society services.
(2) The Administrator is not obliged to erase personal data if it is necessary for:

Exercising the right to freedom of expression and information;
Compliance with a legal obligation requiring processing, provided for under EU or Member State law applicable to the Administrator, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Administrator;
Reasons of public interest in the field of public health;
Archiving in the public interest, scientific or historical research, or statistical purposes;
Establishing, exercising, or defending legal claims.
(3) To exercise your right to be forgotten, you must send an email request for the deletion of your personal data processed by the Administrator, by completing the form in Appendix No. 2 or by submitting a free-text request. The Administrator will then send an email to the address you used for registration or for placing orders in the online store, with detailed instructions for verifying your identity as a user of the store and as the data subject requesting deletion.

(4) Once we verify the identity of the person submitting the request and the individual to whom the data pertains, in accordance with the instructions sent to you, we will delete all data that we process about you, as per paragraph (3).

(5) If you have placed an order that is still being processed, the earliest you can request to be “forgotten” is upon the successful completion of the order.
Right to Restriction

Article 13. You have the right to request the Controller to restrict the processing of your personal data by sending a free-text request via email in the following cases:

You contest the accuracy of your personal data for a period that allows the Controller to verify its accuracy.
The processing is unlawful, but you do not wish for the personal data to be deleted, only for its use to be restricted.
The Controller no longer requires the personal data for processing purposes, but you need it for the establishment, exercise, or defense of legal claims.
You have objected to the processing, pending verification of whether the Controller’s legitimate grounds override your interests.
(2) Upon receiving your request, we will send an email to the address you used for registration or purchases in the online store, providing detailed instructions for verifying your identity as a store user and data subject for whom the restriction request has been submitted.

(3) Upon successful verification under paragraph 2, the Company will suspend the processing of your data but will not remove any publications you have made in the online store, if applicable.

Right to Data Portability

Article 14. (1) If you have consented to the processing of your personal data, if the processing is necessary for the performance of a contract with the Controller, or if your data is processed automatically, you may:

Request the Controller to provide your personal data in a readable format so that you can transfer it to another Controller.
Request the Controller to directly transfer your personal data to a specified Controller, where technically feasible.
(2) You can exercise the right to data portability by sending a completed form according to Annex No. 3 or a free-text request via email. The Controller will then send an email to the address used for registration or purchases in the online store, providing detailed instructions for verifying your identity as a store user and data subject for whom the portability request has been submitted.

(3) Upon successful verification under paragraph 2, the Company will send your processed data in XML format to the specified email address.

Right to Receive Information

Article 15. You may request the Controller to inform you about all recipients to whom your personal data—subject to a request for rectification, deletion, or processing restriction—has been disclosed. The Controller may refuse to provide this information if it is impossible or requires disproportionate effort.

Right to Object

Article 16. You may object at any time to the processing of personal data concerning you by the Controller, including for profiling or direct marketing purposes.

Your Rights in Case of a Personal Data Security Breach

Article 17. (1) If the Controller identifies a personal data security breach that may pose a high risk to your rights and freedoms, you will be notified without undue delay about the breach and the measures taken or planned.

(2) The Controller is not required to notify you if:

Appropriate technical and organizational measures have been implemented to protect the affected data.
Subsequent measures have been taken to ensure that the breach will not result in a high risk to your rights.
Notification would require disproportionate effort.
Entities to Whom Your Personal Data is Provided

Article 18. (1) To process your personal data and provide the service in its full functionality while considering your interests, the Controller may share your data with the following entities acting as data processors:

Data Processor
Purpose of Data Processing

(2) The data processors comply with all legal and security requirements regarding the processing and storage of your personal data.
Article 19. Data Transfers to Third Countries
The Controller does not transfer your data to third countries.

Article 20. Right to File a Complaint
If your rights under the above provisions or applicable data protection legislation are violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection
Headquarters and Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Correspondence Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Phone: +359 2 915 3 518
Website: www.cpdp.bg
Article 21. Exercising Your Rights
You can exercise all your rights related to personal data protection using the forms attached to this document. However, these forms are not mandatory, and you may submit your requests in any format that includes a statement of intent and identifies you as the data subject.

Article 22. Consent for Data Transfers
If consent is granted for data transfers, the Controller will describe the possible risks associated with transferring data to third countries in the absence of an adequacy decision and appropriate safeguards.

Appendix No. 1

Withdrawal of Consent for Data Processing

Your Name:* ………………………………………………………….

Your Email Used in the Online Store:* …………………….

Contact Information (Email)*: …………………….

To:

Name: ……………………………………………..

Company ID (EIK/BULSTAT): ……………………………………………..

Headquarters and Address: ……………………………………………..

Correspondence Address: ……………………………………………..

Phone: ……………………………………………..

Email: ……………………………………………..

Website: ……………………………………………..

I hereby withdraw my consent for processing my personal data for receiving newsletters, promotional messages, or other marketing materials. I acknowledge the terms of consent withdrawal in accordance with the Mandatory Information on Personal Data Protection Rights of the online store.

If your data protection rights are violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection
Headquarters and Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Correspondence Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Phone: +359 2 915 3 518
Website: www.cpdp.bg
Appendix No. 2 – Request to Be Forgotten (Data Deletion Request)
Your Name:* ……………………………………………..
Your Email Used for Registration or Orders in the Online Store:* ……………………………………………..
Contact Information (Email)*: ……………………………………………..

To:

Name: ……………………………………………..
Company ID (EIK/BULSTAT): ……………………………………………..
Headquarters and Address: ……………………………………………..
Correspondence Address: ……………………………………………..
Phone: ……………………………………………..
Email: ……………………………………………..
Website: ……………………………………………..
I request the deletion of all personal data related to me that you collect, process, and store in your databases.

I acknowledge that part or all of my personal data may continue to be processed and stored by the Controller to fulfill its legal obligations.

If your data protection rights are violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection
Headquarters and Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Correspondence Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Phone: +359 2 915 3 518
Website: www.cpdp.bg
Appendix No. 3 – Request for Data Portability
Your Name:* ……………………………………………..
Your Email Used for Registration or Orders in the Online Store:* ……………………………………………..
Contact Information (Email)*: ……………………………………………..

To:

Name: ……………………………………………..
Company ID (EIK/BULSTAT): ……………………………………………..
Headquarters and Address: ……………………………………………..
Correspondence Address: ……………………………………………..
Phone: ……………………………………………..
Email: ……………………………………………..
Website: ……………………………………………..
I request that all personal data related to me that you collect, process, and store be sent in XML format to:

Email: ……………………………………………..

Receiving Data Controller: ……………………………………………..

Name: ……………………………………………..
Identification Number (EIK, BULSTAT, Registration Number at CPDP): ……………………………………………..
Email: ……………………………………………..
If your data protection rights are violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection
Headquarters and Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Correspondence Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Phone: +359 2 915 3 518
Website: www.cpdp.bg
Appendix No. 4 – Request for Data Rectification
Your Name:* ……………………………………………..
Your Email Used for Registration or Orders in the Online Store:* ……………………………………………..
Contact Information (Email)*: ……………………………………………..

To:

Name: ……………………………………………..
Company ID (EIK/BULSTAT): ……………………………………………..
Headquarters and Address: ……………………………………………..
Correspondence Address: ……………………………………………..
Phone: ……………………………………………..
Email: ……………………………………………..
Website: ……………………………………………..
I request the correction of the following personal data related to me, which you collect, process, and store:

Data to be corrected: …………………………………………….

Corrected data should be as follows: ……………………………………………..

If your data protection rights are violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

Name: Commission for Personal Data Protection
Headquarters and Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Correspondence Address: 1592 Sofia, 2 “Prof. Tsvetan Lazarov” Blvd.
Phone: +359 2 915 3 518

Website: www.cpdp.bg