PERSONAL DATA PROCESSING POLICY

Grove Global Consult LTD is a company registered at the Commercial Register at the Registry Agency, Unified Identification Code 204729719, with registered office and business address: 126 Prof. Tsvetan Lazarov Boulevard, Sofia,
telephone:+359876218465; e-mail: office@groveglobalconsult.net

We process your personal data on the following grounds:

> A contract we have concluded with you, in order to perform our contractual obligations
> Your express consent – the purpose is noted in every case;
> Obligations set out in law.
You will find information about the processing of your personal data depending on
the grounds on which we process the data in the following paragraphs.

TO PERFORM A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS

We process your personal data in order to perform our contractual and pre-contractual obligations and exercise the rights provided for in the contracts concluded with you.
Purposes of processing:
> To establish your identity;
> To manage and perform your inquiries and to perform contracts;
> To prepare and send bills/invoices for the services you use from us;
> To store correspondence in relation to orders, inquiry processing, problem reporting, etc.
> To create a user account.
Based on the contracts concluded with you, we process information about the type and content of the contractual relations as well as any other information related to the contractual relations, including:
> Contact personal data – contact address, e-mail, telephone;
> Identification data – full name, personal number or foreigner’s number, permanent address;
> Data about the orders placed via the user account;
> E-mail, letters, information about your inquiries in order to remedy issues, complaints, requests, petitions;
> Information about credit or debit cards, bank account numbers or other bank and payment information in relation to the payments made.
The processing of the said personal data is obligatory for us in order to conclude a contract with your and perform it. We provide your personal data to third parties, for our main goal is to offer you quality, quick and comprehensive service.

We provide personal data to the following categories of recipients (administrators of personal data):
> Postal operators and courier services;
> Persons providing consulting services in different areas.
We delete any data gathered on these grounds 5 years after the termination of the contractual relations regardless of whether based on the expiry of the contract term, dissolution or other grounds. The term is determined by the 5-year statute of limitation for possible claims under a contract.

TO COMPLY WITH REGULATORY REQUIREMENTS

A law may set out an obligation for us to process your personal data. In such cases, we are under the obligation to perform the processing; for example:
> Obligations under the Measures against Money Laundering Act;
> Performance of obligations in relation to remote sales, out-of-shop sales, laid down in the Consumer Protection Act;
> Provision of information to the Commission for Consumer Protection or third parties provided for in the Consumer Protection Act;
> Provision of information to the Personal Data Protection Commission in relation to obligations laid down in the regulatory framework for personal data protection;
> Obligations provided for in the Accountancy Act and the Tax and Social Insurance Procedure Code and other related statutory acts with regard to compliant accounting;
> Provision of information to the court and third parties in the course of judicial proceedings in line with the requirements of the statutory acts applicable to the proceedings;
> Establishing age in online sales.
We delete the data gathered in line with an obligation set out in law after the obligation to gather and store data has been fulfilled or no longer applies. For example:
> Pursuant to the Accountancy Act to store and process accounting data (11 years),
> Obligations to provide information to the court, competent government authorities and other grounds set out in the effective legislation (5 years).
> When a law provides for such an obligation, we may provide your personal data to the competent government authorities, individual or legal entity.

WITH YOUR CONSENT

We process your personal data on these grounds only with your express, unambiguous and voluntary consent. We will not envisage any consequences unfavorable to you if you refuse to have your personal data processed. Consent constitutes separate grounds for the processing of your personal data where the purpose of processing is indicated in it and does not overlap with the purposes listed in this policy. If you give us the relevant consent and until it is withdrawn or our contractual relations are terminated, we will prepare offers for products/services relevant to you.
Based on this, we only process the data for which you have provided your express consent. The specific data are determined in each case. Usually, the data include:
> E-mail;
> Telephone;
> Address;
> Names;
Based on this, we may provide your data to marketing agencies and third parties. Any consent given may be withdrawn at any time. The withdrawal of consent will not impact the performance of contractual obligations. If you withdraw your consent for the processing of personal data for any or all of the ways described above, we will not use your personal data and information for the above purposes. We delete the data gathered based on these grounds upon your request or 1 year after they were gathered initially.

PROCESSING OF ANONYMIZED DATA

We process your data for statistical purposes which means for analyses where the results are only summarized and, therefore, the data are anonymous. It is impossible to identify any person based on this information.
How we protect your personal data to ensure adequate protection of the data of the firm and our clients, we apply all necessary organizational and technical measures envisaged in the Personal Data Protection Act.
To ensure maximum safety in the processing, transfer and storage of your data, you may use additional protection mechanisms such as encryption, pseudonymization, etc

User rights

Every Site-User has all personal data protection rights under the Bulgarian legislation and European Union law. Every User has the right to:
> Information (in relation to the processing of their personal data by the administrator);
> Access to their own personal data;
> Rectification (if the data are incorrect);
> Erasure of their personal data (“right to be forgotten”);
> Restriction of the processing by administrator or processor of personal data;
> Transfer of personal data between administrators;
> Objection against the processing of their personal data;
> The data subject has the right not to be the object of a decision based solely on automated processing that includes profiling, which gives rise to legal consequences for the data subject or in a similar way impacts on them significantly;
> Right to judicial or administrative protection if the rights of the data subject have been breached.

The User may request deletion if any of the following is in place:
> The personal data are no longer needed for the purposes for which the data were gathered or processed in another way;
> The User withdraws their consent based on which the data are processed and there are no other legal grounds for the processing;
> The User objects against the processing of the data and there are no legal grounds for the processing which prevail;
> The personal data were processed unlawfully;
> The personal data need to be deleted in order to fulfill a legal obligation set out in Union law or the legislation of a Member State which applies to the administrator;
> The personal data were gathered in relation to the offering of information society services to children and the person bearing parental authority for the child gave the consent.

The User has the right to restrict the processing of their personal data by the administrator when:
> The User contests the accuracy of the personal data. In such a case, the restriction is for a term allowing the administrator to check the accuracy of the personal data;
> The processing is unlawful but the User does not wish for the personal data to be deleted but requests that the use of the data be restricted instead;
> The administrator does not need the personal data any more for the purposes of processing but the User requires the data in order to establish, exercise or protect legal claims;
> The User objects to the processing in expectation of a check if the legal grounds of the administrator prevail over the User’s interests

Right to transfer

The data subject has the right to obtain the personal data which relate to them and they provided to the administrator in a structured, widely used and appropriate for machine reading form, and has the right to transfer the data to another administrator without obstacles from the administrator to whom the personal data were provided when the processing is based on consent or contractual obligations and the processing takes places automatically. When exercising their right to data transfer, the data subject has the right to obtain the direct transfer of the personal data from one administrator to another, if technically possible.

Right to object

Users have the right to object to the administrator against the processing of their personal data. The personal data administrator is obligated to terminate the processing unless the administrator proves that there are convincing legislative grounds for the processing which prevail over the interests, rights and freedoms of the data subject or for the establishment, exercise or protection of legal claims. In the event of objections against the processing of personal data for the purposes of direct marketing, the processing needs to be ceased immediately.

Complaint to the supervisory authority
Every User has the right to lodge a complaint against the unlawful processing of their personal data to the Personal Data Protection Commission or the competent court.