Details of the company processing your data:

  • Name:
  • Unique ID Code/BULSTAT: 
  • Registered office and principal place of business:
  • Mailing address:
  • Telephone:
  • E-mail: 
  • Website:

Details of the competent data protection supervisory authority

  • Name: Commission for Personal Data Protection 
  • Registered office and principal place of business: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. 
  • Mailing address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. 
  • Telephone : 02 915 3 518 
  • Website: www.cpdp.bg

https://arinala.com/ (Hereinafter referred to as the “Controller” or the “Company”) operates in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with this processing.   

Grounds for collecting, processing and storing your personal data

Art. 1. The Controller collects and processes your personal data in connection with the use of the Internet site https://arinala.com/ and the conclusion of contracts with the company pursuant to Art. 6, para. 1 Regulation (EU) 2016/679 ( GDPR ), and in particular on the following basis:

  • Explicit consent received by you as a customer;
  • Fulfilment of the Controller’s obligations under a contract with you;
  • For the purposes of the legitimate interests of the Controller or of a third party;

Purposes and principles for the collection, processing and storage of your personal data

Art. 2. (1) We collect and process the personal data that you provide to us in connection with the use of the online store and conclusion of a contract with the Company, including for the following purposes:

  • creating an account and providing full functionality when using the online store;
  • conclusion and performance of a contract remotely;
  • individualization of a party to the contract;
  • accounting purposes;
  • statistical purposes;
  • protection of information security;
  • ensuring the performance of the contract for the provision of the service concerned;
  • sending a newsletter if expressly desired by you;

(2) We comply with the following principles when processing your personal data:

  • lawfulness, fairness, and transparency;
  • purpose limitation;
  • compatibility with the purposes of the processing and minimisation of the data collected;
  • accuracy and timeliness of the data;
  • storage limitation in order to achieve the purposes;
  • integrity and confidentiality of the processing and ensuring an appropriate level of security of the personal data.

(3) In the processing and storage of personal data the Controller may process and store the personal data in order to protect its following legitimate interests:

  • fulfilment of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal authorities.

What types of personal data does our company collect, process and store

Art. 3. (1) The Company performs the following operations with the personal data provided by you as customers for the following purposes:

  • Closing and executing a commercial transaction with a client or partner – the purpose of this operation is to enter into and perform a contract with a commercial partner or client and to administer it. Given the limited scope of the personal data collected and the fact that some of them are collected from publicly available sources, an impact assessment is not required to carry out an impact assessment of the operation.
  • Sending newsletters – the purpose of this operation is to administer the process of sending newsletters to customers who have stated that they wish to receive them.
  • Exercising the right of refusal or claim – the purpose of this operation is to administer the process of exercising the customer’s right of refusal or claim by the customer. Given the limited scope of the personal data collected and the fact that some of them are collected from publicly available sources, an impact assessment is not required to carry out an impact assessment of the operation.

(2) The Controller collects and processes personal data that relate to the following:

  • Your identifying data (e-mail, name, etc.)
  • Purpose for which the data is collected: 1) Making contact with the user and sending information to them, 2) for the purposes of signing up a user on the online store, and 3) sending a newsletter.
  • Grounds for processing of your personal data – By accepting the general conditions and by signing up on the online store or placing an order without registration, or by entering into a written contract, a contractual relationship is created between the Controller and you, on which basis we process your personal data – Art. 6, para. 1(b) GDPR . The data you send a newsletter processed an your explicit consent – art. 6, para. 1 (a) GDPR .
  • Contact details for deliveries (names, Telephone, address, etc.)
  • Purpose for which the data is collected: Fulfilment of obligations of the Controller under a contract for purchase and delivery of purchased goods.
  • Grounds for processing of your personal data – By accepting the general conditions and by signing up on the online store or placing an order without registration, or by entering into a written contract, a contractual relationship is created between the Controller and you, on which basis we process your personal data – Art. 6, para. 1(b) GDPR.
  • Additional data provided by you – If you want to complete your account, you can fill in your name, surname, Telephone number.
  • Purpose for which the data is collected: Completion of the information relating to the user in his user account.
  • Grounds for data processing: You have given your explicit consent for the processing of your personal data for one or more specific purposes – Art 6, para. 1 (a) GDPR at the time of registration in the online store. Providing this information is not required for registration in the online store.

(3) The Controller does not collect or process personal data, which relate to the following:

  • racial or ethnic origin;
  • political, religious or philosophical beliefs, or trade union membership;
  • genetic and biometric data, health data or data on sexual life or sexual orientation.

(4) The personal data are collected by the Controller from the data subjects.

(5) The company shall not perform automated data decision-making.

Art. 4. (1) The company performs the following operations with those provided by you, as legal representatives or proxies of legal entities-trading partners, personal data for the following purposes:

  • Concluding and executing a commercial transaction: For the conclusion and execution of a commercial transaction with a commercial company, we process only the three names of the legal representative or the person authorized by the company. Conclusion from the impact assessment: Given the small number of individuals, whose data are processed and given the limited amount of personal data, which are collected, an impact assessment is not required for the current operation.

(2) Personal data is collected by the Controller from the data subjects and from the Commercial Register at the Registry Agency.

(3) The company does not perform automated data decision making.

Art. 5. The Controller can use the so-called “cookies” for the purpose of providing full functionality of the website, improving the user experience, statistical purposes, facilitated access, etc., which you agree to by using our website. You can control and/or delete the cookies at any time through the settings of your browser. Cookies do not constitute personal data and are not used to identify visitors and users of the e-shop.

Term of storage of your personal data

Art. 6. (1) The Controller stores your personal data for a period not longer than the existence of your account on the online store. After your account is deleted, the Controller takes the necessary care to delete and destroy all your data, without undue delay or to anonymise them (i.e. to convert them into such form that they cannot lead to your identification).

(2) The Controller processes your personal data, which you have provided when placing an order without registration on the online store until the order is closed, unless you have given your explicit consent when placing your order that your data be processed for the purpose of improving the service, providing recommended content for you, individual conditions, promotions, as well as for statistical purposes.

(3) The Controller stores your personal data provided in connection with online orders for a period of 5 years for the purposes of protecting the legal interests of the Controller in court or administrative disputes with users of the online store.

(4) The Controller notifies you, in case, that the data retention period needs to be extended in order to fulfil a regulatory obligation or in view of the legitimate interests of the Controller or otherwise.

(5) The Controller stores personal data, which the Controller is required to keep in accordance with the applicable legislation for the respective envisaged term, which may exceed the period of existence of your account in the online store or until the order is closed.

Art. 7. The Controller stores the personal data of the legal representatives of its business partners for the term of the contract, to comply with the legitimate interests and legal obligations of the Controller. This term may exceed the term of the concluded contract.

Transfer of your personal data for processing

Art. 8. (1) The Controller may, at its own discretion, transfer part or all of your personal data to personal data processors for the fulfilment of the processing purposes, to which you have agreed, subject to the requirements of the Regulation (EU) 2016/679 (GDPR).

(2) The Controller notifies you in case of intention to transfer part or all of your personal data to third countries or international organizations.

Your rights in respect of the collection, processing and storage of your personal data

Withdrawal of consent for the processing of your personal data

Art. 9. (1) If you do not want the personal data provided by you to be processed for marketing purposes and receiving a newsletter, you can withdraw your consent to the processing at any time, by filling in the withdrawal form contained in Annex No 1 or by request in a free format, and email it to us.

(2) Once we receive your request, we will send you to the email address, specified by you for receiving newsletters and advertisements, a letter with detailed instructions for your verification as a newsletter recipient and data subject, for which withdrawal of consent has been requested.

(3) Withdrawal of consent does not affect the lawfulness of the processing of personal data processed by the Controller prior to the withdrawal.

Right of access

Art. 10. (1) You have the right to request and receive confirmation from the Controller whether personal data concerning you are processed by sending a request in a free format by email.

(2) You have the right to access the data concerning you as well as to the information relating to the collection, the processing and storage of your personal data.

(3) Once we receive your request, we will send you to the email address, which you used to register or place an order on our online store, a letter with detailed instructions for your verification as the  data subject in respect of the data for which access is requested.

(4) Once the verification is completed, according to para 3, the Controller will provide you on request, with a copy of the processed personal data, related to you, in electronic or another appropriate form.

(5) Providing access to data is free of charge, but the Controller reserves the right to charge an administrative fee, in case of recurrence or excessiveness of the requests.

Right of rectification or completion

Art. 11. (1) You can rectify or complete any inaccurate or incomplete personal data concerning you at any time by filling in the form enclosed as Annex No 4.

(2) You may correct or complete inaccurate or incomplete personal data concerning you directly through your account on the website or by submitting a request to the Controller by email, using the form in Annex No 4 4 or by request in a free format.

Right to erasure (“right to be forgotten”)

Art. 12. (1) You have the right to request from the Controller the erasure of part or all of the personal data concerning you and the controller has the obligation to erase such personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw the consent on which the processing is based and where there is no other legal ground for the processing;
  • you object to the processing of your personal data, including for the purposes of direct marketing, and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services.

(2) The Controller is not obliged to erase the personal data to the extent that processing is necessary:

 

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; 
  • for the establishment, exercise or defence of legal claims.

(3) To exercise your right to be forgotten, you need to send an e-mail request for erasure of your personal data, which the Controller processes, by filling in the form in Annex No 2 or by submitting a request in a free format, then the Controller will send to the email, which you used to register or place orders on the online store, a letter with detailed instructions for your verification as a user of the online store and data subject in respect of the data covered by the request.

(4) Once we verify the identity of the person submitting the request and the person to whom the data relate in accordance with the instructions sent to you, we will erase all data concerning you that we process, in accordance with para. 3.

Right to restriction

Art. 13. You have the right to request from the Controller restriction of processing of your data, by sending us a request in a free format by email, where:

  • the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
  • you have objected to processing pending the verification whether the legitimate grounds of the Controller override your interests.

(2) Once we receive your request, we will send you to the email address, which you used to register or place orders on the online store, a letter with detailed instructions for your verification as a store user and data subject in respect of the data covered by the request for restriction of processing.

(3) After performing the verification in accordance with parа 2, the Company will stop processing your data, but will not remove any posts that you might have published on the online store, if any.

Right to data portability

Art. 14. (1) If you have given consent for the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed automatically, you can:

  • request from the Controller to provide you with your personal data in a readable format so you can transmit them to another Controller;
  • request from the Controller to transmit your personal data directly to another Controller specified by you, where technically feasible.

(2) You can exercise the right to data portability by sending us by e-mail a completed form according to Annex No 3 or a request in a free format, then the Controller will send to the email, which you used to register or place orders on the online store, a letter with detailed instructions for your verification as user of the online store and the data subject in respect  of the personal data covered by the portability request.

(3) After performing the verification in accordance with para 2, the company will sent the data to the e-mail specified by you in XML format.

Right to obtain information

Art. 15. You can request from the Controller to inform you about all recipients to whom the personal data, for which rectification, erasure or restriction has been requested, have been disclosed. The Controller may refuse to provide this information where and insofar as the provision of such information proves impossible or would involve a disproportionate effort.

Right to object

Art. 16. You can object at any time to processing of personal data concerning you by the Controller, including if those data are processed for profiling or direct marketing purposes.

Your rights in the event of a personal data breach 

Art. 17. (1) If the Controller finds a personal data breach that is likely to result in a high risk to your rights and freedoms, the controller shall communicate to you the personal data breach and the measures taken or to be taken without undue delay. 

(2) The Controller is not obliged to notify you, if:

  • the Controller has implemented appropriate technical and organisational protection measures in respect of the personal data affected by the personal data breach;
  • the Controller has taken subsequent measures which ensure that the high risk to your rights and freedoms is no longer likely to materialise;
  • it would involve disproportionate effort. 

Art. 18. (1) For the purposes of processing your personal data and ensuring full functionality of the service and in view of your interests, the Controller may provide the data to the following data processors:

Data processor                     Purpose of the data processing

………………. none ……………………….      ……………………………. none ……………………………. 

(2) The data processors comply with all requirements regarding the lawfulness and security of the processing and storage of your personal data..

Art. 19. The Controller does not transmit your data to third countries.

Art. 20. In the event of a breach of your rights pursuant to the above legislation or the applicable personal data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection, as follows:

  • Name: Commission for Personal Data Protection.
  • Registered office and principal place of business: 1592 Sofia,  2 Prof. Tsvetan Lazarov  Blvd.
  • Mailing address: 1592 Sofia,  2 Prof. Tsvetan Lazarov  Blvd.
  • Telephone: 02 915 3 518
  • Website: www.cpdp.bg

Art. 21. You can exercise all your rights regarding the protection of your personal data using the forms, attached to this information. Of course, these forms are optional and you can submit your requests in any form, which contains a statement to that effect and identifies you as the data owner.

Art. 22. If the consent relates to data transfer, the Controller shall describe the possible risks associated with the data transfer to third countries in the absence of an adequacy decision and appropriate safeguards.