Privacy notice of Brandly Collective

Information about the Data controller:

Legal name „Brandly Collective” Ltd UIN 202024062

Seat and registered office: 7 “Boris Arsov” Str., 1st fl., 1700 Sofia, Bulgaria
Address of correspondence: 7 “Boris Arsov” Str., 1st fl., 1700 Sofia, Bulgaria

E-mail:
office@brandlycollective.com

Website:
https://brandlycollective.com/

Information about the Supervisory authority: Legal name:Commission for personal data protection

Seat and registered office:2 Prof. “Tsvetan Lazarov” Blvd., Sofia 1592, Bulgaria

Address of correspondence:2 Prof. “Tsvetan Lazarov” Blvd., Sofia 1592, Bulgaria

Telephone:+3592/91-53-518 Website:www.cpdp.bg

“Brandly Collective” Ltd (hereinafter referred to as “The Company” or “Brandly Collective”) carries out its activity in accordance with the Law on personal data protection and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This document is meant to provide you with detailed information on the types of personal data we use, the ways we process it, your rights regarding your personal data and other relevant information. “Brandly Collective” collects and processes personal data in its capacity of Processor pursuant to a mandate given by Controllers as well as in the capacity of a Controller for the operations described down below.

The basis for the collection, processing and storage of your personal data

Art. 1. The Company collects and processes your personal data under Art. 6, para. 1, Regulation (EU) 2016/679, and in particular under the following:

Obtained explicit consent from you as a client;
Performance of The Company’s obligations under a Contract with you;
Processing is necessary for compliance with a legal obligation to which The Company is subject;
To take steps at your request for the conclusion of a contract if you are applying for a job with us.


Objectives and principles in the course of collection, processing and storage of your personal data

Art. 2. (1) Brandly Collective shall collect and process the personal data you provide to us in connection with the conclusion of a contract with the Company, the use of our site https://brandlycollective.com/, performance of online campaigns, including for the following purposes:

individualisation of a party to a contract;
accounting purposes;statistical purposes;
protection of information security;
securing the performance of the contract for provision of the service concerned.

(2) We adhere to the following Principles in the course of processing of your personal data: lawfulness, fairness and transparency; purpose limitation of the processing personal data; data minimization; accuracy; storage limitation; integrity and confidentiality.

(3) In the course of processing and storage of personal data, The Company is entitled to process and keep personal data for the purposes of protection of its legitimate interests and performance of its legal obligations towards state authorities.

What kind of data might we collect, process and keep

Art. 3. The Company carries out the following operations with the personal data you provide for the following purposes: Conclusion and execution of a labour or freelance agreement - the purpose of this operation shall be to conduct a selection and recruitment of personnel or freelancers, as well as the conclusion and execution of the labour contract by the Company. Taking into consideration the limited scope of natural persons whose data is processed and the limited amount of the collected personal data, carrying out an impact assessment is not necessary for the current operation. Conclusion and execution of a commercial transaction or contract with a client or partner – the purpose of the operation is conclusion and execution of a contract with a commercial partner or client and ensures its administration. In some cases, the purpose of the operation may also be to protect the legitimate interests of the company in executing the operation. Taking into consideration the limitеd scope of the collected data and the fact that some of the data is collected by publicly accessible sources, carrying out an impact assessment is not necessary for the current operation. Organising and conducting online campaign for a client – the purpose of the operation is contacting the owner through e-mail for sending awards or information about the campaign; identifying the subject of the data as a participant in the event; Giving an opportunity for participating in the online campaign using its functionalities – games, raffles and other; Sending an inquiry or a request from natural person about the use of products or services and receiving feedback from him in that regard. In the relationships with its clients, the Company is processing data as a data processor which are assigned to him by the clients for processing. This is also applicable when carrying out campaigns, lending pages, marketing activities, games, websites, facebook groups and pages, etc. In this case the Company undertakes preliminary actions to ensure your personal data are processed legally and pursuant to the rules of GDPR and follows the exact instructions of the client (data administrator) when processing the data. After a certain activity is completed, the Company delivers the data to the client (data administrator) and deletes it from its own database. Moderating replies – the purpose of this operation is to contact the user via telephone or email for the purposes of identifying the natural person as inquirer and sending a response to a request. Taking into consideration the limitеd scope of the collected data carrying out an impact assessment is not necessary for the current.

Art. 4. (1) The Controller processes the following categories of personal data for the purposes and on the grounds described in this Privacy notice:

Personalizing data: (we process your personal data that you have provided us with your biography for the purposes of conducting a selection and recruitment of personnel or freelancers);

Purpose for collecting the data:

1) Identification of the candidate;
2) Contacting and communicating with the candidate;
3) Selection of the candidate.

Ground for processing your personal data – processing your personal data is necessary for the purposes of performance of a contract to which the data subject is a party, or for undertaking steps, requested by the data subject before a contract is concluded - Art. 6, para. 1, letter (b) GDPR.

Data for conclusion of a contract with a client or a partner – legal entity: (names of the legal representatives of legal persons and names and PIN of other representatives of legal entities)

Purpose for collecting the data:

1) Identifying the natural person as a legal representative of the company or a trader for the purposes of concluding and executing of a contract as well as drafting tax and accounting documents;

2) Identifying the legal representative.

Ground for processing your personal data – processing your personal data is for the purposes of performance of a contract to which the data subject is a party or for undertaking steps, requested by the data subject before а contract is concluded - Art. 6, para. 1, letter (b) GDPR.

Data for conclusion of a contract with a client or a partner – natural person: (names, PIN, address, phone number, e-mail address)

Purpose for collecting the data:
1) Identifying the person as a party to the contract;
2) Contacting the client/partner;
3) Execution of the contract.

Ground for processing your personal data – processing your personal data is for the purposes of performance of a contract to which the data subject is a party or for undertaking steps, requested by the data subject before а contract is concluded - Art. 6, para. 1, letter (b) GDPR.

Data necessary for sending a response to an inquiry: (your name, e-mail address)

Purpose for collecting the data:
1) Identifying the sender of the inquiry;
2) Sending a response to the inquiry.

Ground for processing your personal data – the data shall be collected on the basis of the legitimate interests of the Controller – Art. 6, para. 1, letter (b) GDPR.

Data commonly collected and processed by Brandly Collective due to a client assignment when conducting an online campaign: (names of the natural person, e-mail, social networks profile, address, phone number)

Purpose for collecting the data:
The objectives of the processing are defined by the data controller – client of Brandly Collective;

Ground for processing your personal data: The data is processed on the basis of a concluded Contract for processing personal data pursuant to Ar. 28 of Regulation (EU) 2016/679 between Brandly Collective as processor of the personal data and the client of the company, due to whose assignment the online campaign is conducted as a data controller;
Data: IP address – improving security of the service and interface localization, statistical and marketing research;

Purpose for collecting the data:
The Company is processing personal data for IP address of a natural person consumer for the purpose of improving the security of the service and identifying the consumer as a person, using the services from Bulgaria or another country.

Ground for processing your personal data: The IP address is collected without the ability of identifying a particular natural person, meaning that the data is collected anonymously, on the basis of the legitimate interests of the administrator – Art. 6, para. 1, letter (b) GDPR. Collecting of this data is necessary for the technical functioning of the website.

(2) The Company doesn’t collect and process personal data, that refers to:

revealing racial or ethnic origin;
revealing political opinions, religious or philosophical beliefs, or trade union membership;
genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, except for provided under Art. 9, para. 2 GDPR purposes.

(3) Personal data is collected by the Company from the persons it refers to or from their legal representative.

(4) The company is not carrying out automated decision making with data.

(5) The Company does not collect and process data of persons under the age of 14 years, except with the express consent of a parent or legal representative.

Duration of personal data storage

Art. 5. (1) Brandly Collective keeps your personal data you have provided to us for the entire duration of the job offer, but for a period no longer than 6 months from the final completion of the recruitment and selection procedures. Upon the expiration of that period, the Company will take the necessary care to erase and destroy all your data without undue delay or to anonymize (to bring it in a form that does not reveal your personality) unless you do not expressly agree that your data will continue to be stored and processed for the future.

(2) In case a non-selected job candidate has provided original or certified copies of documents, certifying physical and mental fitness, qualification, professional experience or other circumstances, the Company returns to the job candidate these documents in a 6 months period from the final completion of the recruitment and selection procedures.

(3) The company keeps the personal data of its clients and business partners for 5 years after termination of the contract or longer in order to preserve the legitimate interest of the Company and fulfil its legal obligations to state authorities and institutions. Data incorporated in tax and accounting documents shall be kept for the time limit prescribed by the law.

(4) The company keeps personal data of individuals who had sent requests until one year from the last communication with the inquirer has expired.

(5) The Controller informs you in case that the period for the storage of the personal data is necessary to be extended in regard to performing legal obligation or in regard with the legitimate interests of the Company or other.

Transmission of your personal data for processing

Art. 6. (1) The Controller is allowed on its own decision to transmit all or part of your personal data to processors for the performance of the purposes of processing, with which you have agreed, with respect to the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The Company informs you in case of intention to transmit part or all of your personal data to third countries or international organization.

Your rights in the course of collection, processing and storage of your personal data

Withdrawal of the consent

Art. 7. (1) If you no longer wish your personal data to be processed for all or specific purposes, you may at any time withdraw your consent by sending a request in free text or by filling in the form of Appendix No 1.

(2) The Controller may ask you to verify your identity and identify yourself with the person to whom the data relates by requesting you to present an ID documents in the Company’s office in front of our employee or another appropriate manner.

(3) Withdrawal of consent does not affect the merits of processing the personal data you provide until the withdrawal of the consent.

(4) The Company may continue to process some or all of your data if there is a legal obligation to do so or for the purpose of protecting its legitimate interests.

Right of access by the data subject.


Art. 8. (1) You have the right to obtain from the Company confirmation as to whether or not it is processing personal data concerning you.
(2) You have the right to obtain access to the personal data related to you, аs well as to the information regarding the collection, processing and storage of your personal data.

(3) The Company provides on your request, a copy of the processed personal data related to you in electronic or other suitable form.

(4) The provision of access to the personal data is free, but the Company keeps its right to charge administrative fee, in case of repeatability or excessiveness of the requests.

Right to rectification or completion

Art. 9. You could at any time rectify or complete inaccurate or incomplete information concerning you directly through your account or by sending us a request.

Right to erasure (“right to be forgotten”)

Art. 10. (1) You have the right to request from the Company to erase the personal data concerning you and the Company has the obligation to erase personal data without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
you object to the processing of personal data concerning you, including for the purposes of the direct marketing and there are no overriding legitimate grounds for the processing;the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; the personal data have been collected in relation to the offer of information society services.

(2) The Company is not obliged to erase the personal data if it collects and process them:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; for the establishment, exercise or defence of legal claims.

(3) In case you exercise your right to be forgotten, the Company will erase all your data, except for the following information: information, needed for certifying that you’ve exercised your right to be forgotten; technical information about the website’s functioning, which cannot be related to you in any way.

(4) You can exercise your right to erasure by filling and submitting the request form in Appendix 2 or by sending an e-mail to the Company.

(5) The company could require you to verify your identity and identify yourself with the person to whom the data relates.

(6) The Company does not erase the personal data which it has a legal obligation to store or which is necessary for proving its legitimate rights regarding claims against the Company.

Right to restriction of processing

Art. 11. You have the right to obtain from The Company restriction of processing where one of the following applies:
you contest the accuracy of the personal data, for a period enabling The Company to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
the Company no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
you have objected to processing pending the verification whether the legitimate grounds of the Company override those of yours

Right to data portability

Art. 12. (1) You have the right at any time to download or to receive in machine-readable form the personal data which are stored and processed in relation with the usage of the services of the Controller, by sending a request by e-mail.
(2) You can request your data to be provided by the Company directly to a controller, selected by you, when this is technically viable.

Right to receive information

Art. 13. You have the right to require The Company to inform you about all recipients, to whom your personal data, for which has been required rectification, erasure or restriction of processing, have been disclosed. The Company is allowed to refuse to provide this information if this is impossible or involves disproportionate effort.

Right to object

Art. 14. You have the right to object at any time to processing of personal data concerning you including processing for the purpose of profiling or direct marketing.

Your rights in case of personal data breach

Art. 15. (1) When the Company detects personal data breach, which is likely to result in a high risk to your rights and freedoms, The Company communicates the personal data breach to you without undue delay, as well as the measures taken or proposed to be taken by the Company.

(2) The Company is not obliged to inform you if: The Company has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach; The Company has taken subsequent measures which ensure that the high risk to your rights is no longer likely to materialize; it would involve disproportionate effort.

Persons provided with your personal data

Art. 16. (1) For the purpose of processing your personal data and executing the contract, the Company may provide your data to third parties processing personal data that comply with all legal and security requirements for the processing and storage of your personal data.

Art. 17. The company shall not transfer your data to third countries.

Art. 18. In case of violation of your rights according to this Privacy notice or the applicable law, you could file a complaint before the Commission for personal data protection:

Legal name: Commission for personal data protection

Seat and registered office: 2 Prof. “Tsvetan Lazarov” Blvd., Sofia 1592, Bulgaria

Address of correspondence: 2 Prof. “Tsvetan Lazarov” Blvd., Sofia 1592, Bulgaria

Telephone:+3592/91-53-518

Website: www.cpdp.bg

Art. 19. You could exercise all of your rights related to the processing of your personal data by using the exemplary forms of The Company, attached to the Privacy notice. Of course these forms are not obligatory and you can make your requests of any form, which contains statement for that and identifies you as a proprietor of the personal data.

Art. 20. If you consent to a transfer, the Company has to describe the possible risks regarding the transfer of data to third countries when there are no adequate means of protection.

Liability of Brandly Collective when the Company acts as a Processor

Art. 21. (1) Brandly Collective acts as a processor upon assignment by our client with respect to the personal data provided by your customers when organizing online campaigns or events as in no way sets the type of data, the methods and terms for their collection, processing and storage, purposes and grounds, as well as does not make any decisions for our client’s customers to whom you the client as a Controller.

(2) Brandly Collective shall be liable only for the following: complying with the client’s instructions for providing the service for which the Company has agreed pursuant to the contract with the client; collecting and processing personal data under the client’s assignment in compliance with our standards for the protection of personal data.

GDPR

GDPR