PERSONAL DATA PROTECTION /PRIVACY/ POLICY
OF FIRST ESTATES OOD
1. Introduction
1.1. Identification of the data controller
“First Estates” OOD (First Estates, the Company, the Controller) is a trade company, registered in the Company Register with the Registry Agency, with UIC 202967885, having its seat and management address in Sofia, 27A Moskovska Str., floor 1.
The Company is managed and represented by the Managing Director Pascal Duffy.
The Company provides professional intermediation services in real estate deals.
You can contact us through the following communication channels, whatever is most convenient for you:
Telephone: 0700 15 15 1
e-mail: office@first.bg
LinkedIn: https://www.linkedin.com/company/first-estates/
Facebook: https://www.facebook.com/firstestatesbg/
Instagram: https://www.instagram.com/firstestatesagency/
The website of First Estates is: www.first.bg
1.2. Purpose of the Privacy Policy
This Privacy Policy ("Policy") applies to the entire business activity of First Estates. The policy concerns the processing of personal data, regardless of the way we received them - by signing a contract, by registering on our electronic page or otherwise.
First Estates makes every effort to protect your personal data to the fullest extent possible. Your security and the privacy of your personal life are of utmost importance to us.
In this Policy, we aim to explain in a clear and understandable way why and how we process your personal information and how we protect it.
1.3. Definitions
What does "personal data" mean?
"Personal data" means any information that identifies a particular individual or relates to an identifiable individual.
What does “processing of personal data” mean?
The processing of personal data is any action taken with personal data - for example, collection, recording, use, sorting, destruction, etc.
What does "Data Controller" mean?
A personal data administrator is any person who determines the purposes and means of processing personal data.
What does "Personal Data Processor" mean?
Personal data processing is any person who processes personal data on behalf of an administrator.
What does “Supervisory authority" mean?
Supervisory Authority is an independent public authority responsible for the enforcement of data protection legislation. In Bulgaria this is the Commission for Personal Data Protection (CPDP) - www.cpdp.bg
1.4. Personal Data Processing Principles
We process your personal data in compliance with the applicable law - in a lawful, conscientious and transparent manner.
For all personal data we process, there is a reason.
We collect a minimum amount of personal data limited to the purposes for which they are needed. We keep them in due time by destroying them in accordance with applicable law.
The data are accurate and up to date, and all measures are taken to ensure timely erasure or correction, if necessary.
We implement and apply all necessary technical and organizational measures to prevent a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to your personal data.
We provide you with information about your rights that you have with the processing of your personal information.
We are able to demonstrate to you that we adhere to the above-described basic principles of our work with personal data.
2. How and why we process personal data?
The processing of personal data is closely related to our commercial activity and compliance with applicable legislation, for example, legislation regulating real estate transactions, money laundering prevention, accounting, labor and social security legislation, and others.
We also process personal data for the purpose of developing our business - to develop new products and services that we can offer to our clients, to develop marketing and advertising activities, to explore our customers' requirements to create new products that we can offer them. In this way, we strive to expand our market share, to increase the quality of our services and the satisfaction of you - our customers.
We process personal data on several legal bases and for several purposes:
2.1. For execution of a contract or in view of pre-contractual relations
We process personal data when concluding the contracts on the basis of which we provide our services in order to fulfill our obligations under these contracts relating to the conclusion of real estate transactions and to use our rights under these contracts.
The processing of personal data is carried out in order to:
• identifying the customer;
• establishing the client's requirements regarding the services to be provided, as well as the real estate transaction they want to conclude;
• preparing a service offer and a draft contract;
• preparing and sending an invoice for payment of the services the customer has used;
• ensuring full service, as well as collecting the due amounts for the services used;
• collection of information and documents necessary for real estate due diligence and real estate deals;
• negotiations on real estate transactions;
• preparation of documents relating to real estate transactions.
2.2. For execution of statutory obligations
We process the personal data of our co-contractors in order to comply with obligations that are provided in a statutory instrument, for example:
• Customer identification obligation imputed to us under the Anti-Money Laundering Act;
• obligations under the Consumer Protection Act< Accountancy Act, Labour Code, etc.;
• providing information to competent authorities where such disclosure is required by law;
• Obligations stipulated in the Accountancy Act and the Tax and Social Insurance Procedure Code and other related normative acts in relation to the keeping of correct and lawful accounting;
• obligations to provide information to the court and third parties in the course of proceedings before a court, in accordance with the requirements of procedural and substantive legal acts applicable to the proceedings.
2.3. Under your consent
In some cases, we process your personal data only upon your prior written consent. Consent is a separate ground for processing of your personal data and the purpose of the processing is specified therein and is not covered by the objectives listed in this policy.
For example, we may process personal data based on consent, for the purpose of using the functionality of our site, for sending targeted advertising and marketing materials, and more.
The consent submitted may be withdrawn at any time. If you withdraw your consent to the processing of personal data for any of the purposes for which you have given consent, First Estates will discontinue the use of your personal data for that particular purpose. Withdrawal of consent does not affect the lawfulness of consent-based processing prior to its withdrawal.
2.4. In view of our legitimate interest
We may process personal data in view of our legitimate interest, such as protecting our rights and interests in administrative or judicial proceedings.
Processing of anonymized data
We process personal data for static purposes, that is, for analyzes where the results are only generalizing and therefore the data is anonymous - for example, in order to present the movement of large groups of people. Identifying a specific person from this information is impossible.
3. What types of personal data we process?
Depending on the purpose, we may process different personal data, such as:
◦ three names or names according to an identity document;
◦ Identity document data;
◦ citizenship;
◦ a single citizen number or personal number of a foreigner or other identification number under the applicable law;
◦ permanent address and address for correspondence;
◦ marital status;
◦ telephone;
◦ Email;
◦ social network profile data;
◦ e-mail, letters;
◦ Bank account;
◦ preferences for the services we provide you;
◦ information about the used electronic communication device, the type of the device, the operating system used, the IP address when visiting our website.
When processing your personal data for the purpose of providing products and services, paying for them, and in order to fulfill our statutory obligations, such processing is required to meet these purposes. Without this data, we could not provide the relevant services. If you do not provide us with identification data, we will not be able to conclude a service contract with you.
First Estates does not process "sensitive data", such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of trade unions, genetic data, biometric data to uniquely identify an individual, sexual life or sexual orientation of an individual.
4. How do we keep your personal data?
In order to ensure adequate protection of the personal data we process, we apply all the necessary organizational and technical measures provided by the applicable legislation, as well as good practices and technologies for data protection. The information is stored on our own server and in a database /CRM/, which is accessed by persons on a need-to know basis. Access is made by entering a username and password, with the provision of technological access to track access sessions. We have physical, electronic and procedural safeguards that comply with our legal obligations regarding the protection of personal data we process.
For the sake of maximum security when processing, transferring and storing your data, we may use additional security mechanisms, such as encryption, pseudonymisation, and more.
5. How do we process your personal data?
5.1. Terms for keeping personal data
We keep personal data within the deadlines, according to the applicable legislation.
When processing personal data on a contractual basis in order to provide our services, we store personal data for a period of 5 (five) years from the termination of the contractual relationship or the conclusion of the real estate transaction (whichever is the later) in accordance with the requirements of the Anti-Money Laundering Act.
Personal data processed in connection with the fulfillment of the requirements of the accounting and social security legislation are kept for a period of 50 (fifty) years /for payroll/ or other applicable term.
Personal data related to application for employment with us are kept for a period of 1 (one) year from the receipt of the data.
Please keep in mind that we will not delete or anonymize your personal data if it is necessary for pending court or administrative proceedings to which we are a party.
Your data can also be anonymized.
Anonymisation is an alternative to data deletion. In anonymization, any personal identifiable elements / elements that allow you to identify yourself are irrevocably deleted. Anonymized data is not legally obligatory for deletion because it does not constitute personal data.
5.2. When and why do we share your personal data?
We provide personal data to third parties only in cases where they have a legitimate interest or the right to receive such data.
The categories of persons to whom we may provide personal data include:
• A counter party to a real estate deal, in which the client who submitted their personal data enters (for example, the seller's personal data is provided to the buyer of the property, together with the necessary documents and other information to execute the deal);
• Persons who provide external services to First Estates, such as accounting, hardware and software support, mobile operators - based on a contractual relationship with these suppliers;
• Persons working in cooperation with First Estate (First Appraisal OOD, as well as other subcontractors, commissioners, consultants and other persons) - on the basis of contractual relations with these persons;
• Authorities requiring the provision of personal data on a statutory basis.
We do not provide personal data to third parties before making sure that all technical and organizational measures are taken to protect this data by striving to carry out strict controls to meet this goal. In this case, we remain responsible for the confidentiality and security of your data.
6. Your rights in view of personal data processing
Right to information:
You have the right to request:
• information about whether data relating to you are being processed, information for the purposes of such processing, the categories of data, and the recipients or categories of recipients to whom the data is disclosed;
• a message in an intelligible form containing your personal data being processed, as well as any available information about their source;
• Information about the logic of any automated processing of personal data relevant to you, in the case of automated solutions.
Right of correction:
In the event that we process incomplete or incorrect / mistaken data, you are entitled at any time to request:
• delete, correct, or block your personal data, the processing of which does not meet the requirements of the law;
• to notify third parties to whom personal information has been disclosed of any erasure, correction or blocking, except where this is impracticable or involves excessive effort.
Right of objection:
You may at any time:
• You object to the processing of your personal data if there is a legitimate reason for doing so; where the opposition is justified, the personal data of the individual concerned can no longer be processed;
• You object to the processing of your personal data for the purposes of direct marketing.
Right to Limit Processing:
You may request a limitation of the processing customizable data if:
• question the accuracy of the data for the period we must verify its accuracy; or
• the processing of the data is without legal basis, but instead of deleting it, you want their limited processing; or
• we no longer need these data (for the intended purpose), but you need them for the establishment, exercise or protection of legal claims; or
• You file an objection to processing the data, pending verification that the reasons for the controller are legal.
Data portability:
You may ask us to provide the personal data you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if:
• process the data under the contract and based on the declaration of consent that may be withdrawn or a contractual obligation and
• Processing is done automatically.
Right to appeal:
If you believe that we are violating the applicable legal framework, please contact us to clarify the matter. Of course, you have the right to file a complaint with the Personal Data Protection Commission. After May 25, 2018, you will be able to file a complaint with a regulatory body within the EU.
Updates and Policy changes
In order to apply the most up-to-date protection measures and to comply with current legislation, we will regularly update this Privacy Policy. We invite you to regularly review the current version of this Privacy Policy, to be constantly informed about how we take care of the protection of the personal data we collect.
This Privacy Policy has been updated for the last time on 18.05.2018 г.