General data protection regulation policy

“Cooolbox” AD, UIC: 115100705, management address: Plovdiv, postal code 4000, Eastern District, 1A “Arch. Kamen Petkov” Street, “Lime Tree” Business Building, floor 1, official website: https://www.cooolbox.bg, Data Protection Officer contact: tel. 0800 45 845, email: [email protected], hereinafter referred to as “Cooolbox” or “the Company”, is the Data Controller, processing personal data on its own behalf in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “Regulation”), Directive 2002/58/EC (the “Directive”) of the European Parliament and of the Council, the Electronic Communications Act, the Personal Data Protection Act of Bulgaria, and any other applicable law of the European Union and the Republic of Bulgaria.

Cooolbox will apply this policy to the processing and protection of the personal data of subjects – physical persons – current and potential users of Cooolbox services, including sole traders, and/or their authorized representatives; physical persons – legal representatives of legal entities – current and potential users of Cooolbox services; visitors to the web pages cooolbox.bg, coool.tv, including registered natural persons in the self-service portal my.cooolbox.bg, and individuals using the mobile application coool.tv.

With this policy Cooolbox establishes, under the terms of transparency and prior notification, the principles, objectives, rules and rights of the entities in the observance and safeguarding of which the company accordingly processes personal data of the listed individuals (data subject) in accordance with the aforementioned regulations.

Third-party personal data processors, other administrators or third parties who may have legitimate access to personal data via Cooolbox will be required to familiarize themselves with and comply with this policy as well as the relevant provisions of the Regulation and Domestic law of the Republic of Bulgaria, including the secondary legislation for the implementation of the latter.

  1. What is the content of the basic concepts used in this policy

    The concepts used in this policy and those listed here will have the following meaning:
    • personal data means any information relating to an identified or identifiable physical person (data subject) having the status of current or potential Consumer of the Cooolbox and/or a status of their authorized representative; or representing legal entities – current and potential clients of the Cooolbox services; and/or a registered physical person in the electronic self-service portal my.cooolbox.bg; and/or a visitor of the web pages cooolbox.bg; my.cooolbox.bg; and/or visitors of the websites cooolbox.bg and coool.tv or an individual who has activated the coool.tv.
    • processing means any operation or set of operations which is performed on personal data or on sets of personal data by automated or other means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction;
    • restriction of processing means the marking of stored personal data with the purpose of limiting their processing in the future; 
    • controller means the physical or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
    • personal data processor means a physical or a legal person, public authority, agency or other body which processes personal data on behalf of the controller; 
    • recipient means a physical or a legal person, public authority, agency or another body to which the personal data are disclosed, whether that recipient is a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with the law of the Union or the law of the Republic of Bulgaria, shall not be regarded as recipients; 
    • third party means a physical or a legal person, public authority, agency or body other than the data subject, controller, processor and the persons who, under the direct authority of the controller or the personal data processor, are authorized to process personal data;
    • consent of the data subject means any freely expressed, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 
    • child according to the Regulation is any individual under the age of 16, although age may be reduced to 13 by the domestic law. The processing of personal data of a child is legal only if the parent or a trustee has given his/her consent. In such cases the Controller shall make reasonable efforts to verify that the holder of the parental responsibility for the child has given or has been authorized to give his/her consent;
    • profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a physical person, in particular to analyse or predict aspects concerning that natural person’s performance, interests, behavior, location or movement;
    • personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
    • cookies means a packet of information sent from a web server to the Internet browser on a computer or other terminal used by the user and then returned from the same browser upon request when the Internet access to the server has sent the cookies used by Cooolbox or a third party; 
  2. What are the basic principles when processing personal data by Cooolbox

    Cooolbox performs processing of personal data in accordance with the following principles:
    • The processing of personal data is done legally, in good faith and in a transparent manner with regard to the data subject;
    • Processing is done only for the purposes specifically defined and explicitly set forth in this policy, and further processing of the data of the subject is not allowed in a way incompatible with those purposes;
    • Cooolbox minimizes the processed personal data, that is, only those personal data which are appropriate, related to and limited to what is necessary in relation to the purposes for which they are being processed;
    • Accuracy of the processed personal data, that is to say, the processed personal data should be accurate and up-to-date, and for that purpose Cooolbox takes reasonable steps and procedures to ensure the timely erasure and/or correction of inaccurate personal data, taking into account the purposes of processing;
    • Storage of personal data in a form that permits identification of data subject for a period no longer than the necessary for the purposes for which the personal data are processed;
    • Processing of personal data in a manner that ensures an appropriate level of security of personal data, including protection against unlawful processing and/or accidental loss and/or damage and/or destruction, in connection with which Cooolbox applies appropriate technical and organizational measures;
    • Cooperating with Cooolbox in exercising the rights of data subjects and ensuring communication with them without unnecessary delay in this regard;
    • Cooolbox should be able at any time to demonstrate to the competent supervisors its adherence to the above principles, the current policy and the applicable data protection legislation on its own behalf.
  3. For what purposes does Cooolbox process personal data 

    Cooolbox processes personal data on the following grounds and for the following established purposes:
    1. Cooolbox, on a legal basis, respectively a contract or expressed consent of the data subject, respectively based on the legitimate interests of the controller, performs processing of personal data of individuals with the purpose of: identifying the subject of personal data in pre-contractual relationships; exploring the technical capabilities of providing electronic communication services to the data subject; identifying the data subject when concluding individual contracts for the provision of electronic communication services; execution of obligations under individual contracts and the WEU applicable to them, and the secondary legislation on the implementation of the latter; notifying the consumer in relation to the fulfillment of obligations under WEU and the implementing regulations; fulfillment of other Cooolbox obligations arising out of the individual agreement concluded, respectively by the applicable WEU and the other applicable internal and European law in the field of telecommunications and free Internet access; including for the purpose of – judicial protection and enforcement of Cooolbox rights; 
    2. Cooolbox, based on the expressed consent of the data subject, respectively on the basis of a concluded individual contract with the end user, performs processing of personal data of individuals with the purpose of registering, respectively activating, managing and using a profile in the electronic portal for self-service my.cooolbox.bg carried out according to the general terms and conditions of the company for the use of the portal, the latter published properly on the www.cooolbox.bg page in the General Terms and Conditions sub-section;
    3. Cooolbox on a legal basis – WEU, performs traffic data processing in the provision of fixed internet access services, fixed telephony and e-mail; in accordance with the requirements of the same normative act for the purposes of national security and/or detection and investigation of serious crimes, including for the purpose of preventing serious crimes in the framework of the operative search activity under Chapter Nine of the Anti-Corruption Act to take away the illegally acquired property. 
    4. Cooolbox, on the basis of laws and regulations of domestic law, carries out the processing of personal data in order to fulfill the obligations assigned to it by the same legal acts, such as: keeping accurate and substantiated accounting and merchant books; issuing of invoices and other primary accounting documents, subscription bills, detailed accounts, detailed reports for the provided services and others; 
    5. Cooolbox processes personal data for direct marketing purposes only on the basis of explicit consent of the data subject;
    6. Cooolbox, on the basis of the data subject’s explicit consent and/or the conclusion of a contract for the respective service, processes information relating to users – visitors of the websites cooolbox.bg and coool.tv, as well as the electronic self-service portal my.cooolbox.bg, through automated technologies, including the use of cookies, including third-party cookies, for the purposes of ensuring security in the use of the websites; enabling the optimal use of the functionalities and services provided therein; meeting the legitimate expectations of the user; performing statistical analyses regarding the use of the websites and the respective services; and carrying out marketing and advertising activities.
    7. Cooolbox may lawfully process personal data of data subjects for purposes other than those set out in the preceding sections only where such processing is not prohibited by law and provided that such other purposes have been determined in a transparent manner, the data subjects have been duly informed thereof, and a valid legal basis for the lawful processing of the personal data exists.
  4. Types – categories of personal data processed by Cooolbox

    Depending on the specific grounds for and purposes of processing set out in Section 3, Cooolbox processes the following types and categories of personal data either simultaneously or separately, subject to the following principles in Section 2:
    1. For the purposes set out in Section 3:
      • Full name, PIN or personal number of a foreigner, and for sole traders and identification code, seat, management address, telephone number and/or e-mail address; 
      • Full name, PIN, address and other details of a representative specified in the document by which a user has authorized him/her to represent him/her in front of Cooolbox, respectively full name, PIN or personal number of a foreigner – legal representative of a legal entity;
      • Client number; 
      • IP address;
      • The identification code of the end technical device on which the coool.tv application is installed and used to access the service coool.tv;
      • Traffic data necessary for charging and formation of invoices and detailed accounts of users as well as for proving their reliability, namely: calling and dialing subscriber numbers; beginning and ending of the call with time and date; the type of the service provided; the type of connection or the zones – time zones and territorial zones, necessary to determine the value of the service;
      • Subscriber data necessary for preparing subscriber accounts and proving their authenticity – names, PIN, personal identification number issued by NRA for tax purposes, address, identification code, seat and address of management for sole trader;
    2. For the purposes set in Point (ii) of Section 3, Cooolbox processes the following personal data
      • email address;
      • Client number;
      • personal ID number or foreign ID; date of birth; identification code for sole proprietors; 
    3. For the purposes set in Point (iii) of Section 3, Cooolbox processes traffic data listed in Article 251 (b) of the WEU in conjunction with Article 251 (i) of the WEU, namely: 
      • tracking and identifying the source of the connection;
      • identifying the direction of the connection when providing the services specified;
      • identifying the date, time and duration of the link;
      • identifying the type of the link;
      • identifying the user's end-to-end electronic communication device or what is presented as his/her end device;
    4. For the purposes set in Point (iv) of Section 3, Cooolbox processes the following personal data:
      • Full name;
      • tax ID;
      • address;
      • Client number; 
    5. For the purposes set in Point (v) of Section 3, Cooolbox processes the following personal data:
      • Full name;
      • Client number; 
      • address;
      • phone;
      • email address; 
    6. For the purposes set in Point (VI) of Section 3, Cooolbox automatically processes the following personal data:
      • When visiting the websites cooolbox.bg, coool.tv and my.cooolbox.bg Cooolbox, as well as third-party partners, perform automated collection and processing of data, including through the use of cookies and other tools, collecting and analyzing information about various data, such as IP address; data about the device used; browser data; session identifier; location; statistical information regarding user behavior and activities on the relevant web page and when using a specific service; as well as other data – detailed in the Cookie Policy.
      • For the most part, the data in question is anonymous, meaning it is used in a form that does not allow the identification of a specific natural person, or such identification is practically impossible. However, the data is used for ensuring the successful session of the respective user on the websites, seamless use of their functionalities, securing the connection and protecting against abuse, ensuring continuity and improving the service, analyzing and compiling statistics on user behavior, as well as for personalization and targeted advertising.
      • To the extent that the automated collection of data, combined with unique identifiers, including some of the cookies used by Cooolbox or third parties, allows for profiling and/or identification of natural persons, Cooolbox will treat such data as personal data.
      • For more information regarding cookies and the cases in which Cooolbox uses them, including cookies and other technologies of third-party partners, please refer to the Cookie Policy, duly published on the official website of the company cooolbox.bg.

        Most browsers used to access the Internet are set to accept cookies by default. Nevertheless, if the user does not wish for cookies to be stored on their computer or other device used to access the Internet, they can limit them by changing the settings of their browser or by deleting them. Depending on the browser, the steps and actions to achieve these options may vary. Additional information and guidance on how the user can manage and control cookies can be found at: https://www.aboutcookies.org/how-to-control-cookies/, and regarding how to delete cookies already stored by the browser on their device, at: https://www.aboutcookies.org/how-to-delete-cookies/; as well as in the Cookie Policy, duly published on the official website of the company: cooolbox.bg.
      • In all cases, and notwithstanding the above, the user has the right to withdraw their consent for the use/acceptance of cookies in the same manner and with the same ease as they provided it. To this end, Cooolbox provides the possibility to withdraw consent electronically. See more about this option in the Cookie Policy, duly published on the official website of the company cooolbox.bg
  5. Deadlines for storing and processing of personal data by Cooolbox. Destruction of personal data

    Cooolbox stores personal data on hard copy and/or in electronic format. In addition, Cooolbox uses and maintains automated database processing systems that use document management and archiving. Storage, as a type of processing, is performed by Cooolbox by applying appropriate technical and organizational measures to ensure secure and effective protection of personal data. 

    However, Cooolbox will not store personal data for a period, longer than the necessary, set in this policy in order to achieve the set goals for which data was collected.
    In certain cases, Cooolbox may store data for a longer period than the one established in this policy only if personal data are processed for purposes of archiving, for purposes of public interest, scientific or historical research and for statistical purposes, and only when applying appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject.

    Once the deadlines have expired, personal data will be destroyed by ensuring data protection and by applying appropriate technical or organizational measures.
    The duration of data storage by Cooolbox is as follows: 
    1. For the purposes set in Point (i) of Section 3, Cooolbox keeps personal data under Point (i) of Section 4 for the period up to the conclusion of an individual contract with the user as well as for the duration of the individual contract, but no more than the expiry of the prescribed limitation periods for the fulfillment of the financial obligations incurred between the parties, regardless of the dissolution/termination of the contract, except for those personal data mentioned in the said Point, which should be kept for a longer period according to the current legislation and compliance with other processing goals established by Cooolbox;
    2. For the purposes established in Paragraph (ii) of Section 3, Cooolbox stores personal data by Point (ii) of Section 4, in due course, as follows:
      • Until the cancellation of a user profile as a result of the subject’s right to be forgotten, unless there is another reason for processing or a purpose for which a longer storage period is foreseen;
      • Until the cancellation of a registered profile by Cooolbox, in the event of non-confirmation within the set time, in accordance with the applicable terms and conditions for using the portal my.cooolbox.bg;
      • Until the cancellation of a registered account by Cooolbox, in the event that it is not activated within the specified period, in accordance with the applicable general terms and conditions for using the portal my.cooolbox.bg
    3. For the purposes set in Point (iii) of Section 3, Cooolbox keeps traffic data under Point (iii) of Section 4 for a period of 6 (six) months;
    4. For the purposes set in Point (iv) of Section 3, Cooolbox holds personal data under Point (iv) of Section 4 for a period of 10 (ten) years starting on January 1 of the year following the relevant reporting period, through which these data were collected/generated;
    5. For the purposes set in Point (v) of Section 3, Cooolbox stores personal data under Point (v) of Section 4 for the period up to the withdrawal of the data subject's consent to process personal data, unless another legal basis for processing, and in particular for storing the same data, is available;
    6. For the purposes set out in Point (VI) of Section 3, Cooolbox stores the data referred to in Point (VI) of Section 4 for the durations specified in the Cookie Policy. 

      Information regarding the lifespan of the cookies used by Cooolbox is provided in the Cookie Policy, duly published on the official website of the company cooolbox.bg.
  6. Who are third parties – recipients to whom personal data processed by Cooolbox may be provided

    Cooolbox may legally provide accordingly processed personal data, in the capacity of controller of the data, to another person outside their organization – “processor” who processes the personal data on behalf of the controller.

    Cooolbox will use only third parties – “processors” who provide sufficient guarantees for implementing appropriate technical and organizational measures in such manner that the processing will meet the requirements of this Regulation and the applicable law of the Republic of Bulgaria. Cooolbox ensures that the personal data processing by a processor will be carried out only on the basis of documented instructions from the controller, i. e. Cooolbox. The relationships between Cooolbox and the processor shall be governed by a contract or by an agreement to an existing contract, which regulates: the data subjects, affected by the processing; the nature and the objectives of the processing; the duration of the processing; the types and categories of personal data – the subject-matter of processing; the rights, obligations and responsibilities of the controller, respectively, those of the processor, as well as the other obligations and responsibilities of the parties. 
    1. On the basis of concluded contract/agreement, according to the current Regulation and the PDPA, the processors on behalf of “Cooolbox” LLC might be:
      • persons engaged in: accounting services and/or legal protection and assistance services and/or other advisory services assigned by Cooolbox;
      • persons engaged in courier services assigned by Cooolbox;
      • persons engaged in IT services related to websites development and maintenance assigned by Cooolbox;
      • persons providing payment services in accordance with the Law of Payment Services and Payment Systems assigned by Cooolbox;
      • persons providing direct marketing services, on condition that the data subject has given his/her consent for the processing of the data for the purposes of the direct marketing;
      • persons providing notification/information services for sending notifications/messages, including via electronic messages (SMS, e-mail) to Cooolbox users;
      • persons providing hosting services;
      • a person - personal data processor included as such in any of the listed above data processors but subject to the provisions of the current legislation;

        Cooolbox may provide lawful access to personal data, in their capacity of controller of the latter, to another person outside their organization – “controller of personal data” who processes those data on their own behalf and on their own account. 
        Access to personal data in these cases is performed in order to fulfill administrative obligations of Cooolbox, to enforce their procedural duty, to protect rights and exercise procedural rights related to it, fulfilling obligations arising from a legal act under the current law and/or on the basis of a contract.
    2. Persons receiving access to personal data via Cooolbox and processing those data on their own behalf as controllers may be:
      • administrative bodies, agencies, committees and other public authorities and bodies in connection with the implementation of administrative – legal and regulatory obligations of Cooolbox;
      • the pre-trial authorities and/or the Courts regarding the implementing of procedural obligations and/or the exercise of procedural rights of Cooolbox, provided in the current legislation of the Union and the Republic of Bulgaria; 
      • state or private enforcement agents, in the exercise of the Cooolbox procedural rights, provided in the current legislation of the Union and the Republic of Bulgaria;
      • undertakings providing electronic communication services in relation with carrying out of Cooolbox obligations on the interconnection of the Cooolbox network with the one of the undertaking concerned, respectively in relation with the implementing of obligations in the portability procedures of geographic and non-geographic telephone numbers;
      • undertakings providing public electronic communication services, including universal service, related to the implementing of Cooolbox obligations to provide data for the compilation of telephone directories;
      • persons, providing services related to the direct marketing but only with the consent of the data subject;
      • persons, providing services related to website traffic analysis managed by Cooolbox but only with the consent of the data subject;
      • third parties – private legal successors of Cooolbox, such as assignees of receivables for Cooolbox debtors; 
      • trading companies – universal legal successors of Cooolbox, on the basis of a respective restructuring of Cooolbox;
  7. What are the personal data sources – subject-matter of processing by Cooolbox

    For achieving the corresponding objectives set out in Section 3 of this policy, Cooolbox collects and stores data primarily from the subjects of the latter, such as: names, address, e-mail address, telephone, IP address, identifiers for tax purposes, etc.; as well as personal data, generated by the company itself, related to their electronic communications services such as: client number, phone number, IP address, etc.

    However, Cooolbox may collect data listed in this policy and only for the purposes of publicly available sources established in it, for the exercise of judicial protection of its rights, respectively, of collecting its receivables, namely from:

    Cooolbox may also collect Personal Data listed in this Policy from publicly accessible sources, solely for the purposes specified herein, including the establishment, exercise or defence of legal claims and the recovery of receivables, including but not limited to:
  8. What are the rights of the personal data subjects

    Cooolbox will process personal data of the respective data subjects, assisting in exercising their rights and communicating without undue delay, within the time limits provided by the Regulation or the PDPA. 

    All listed rights of the data subjects will be exercised by a written application submitted by the entity or its authorized representative to Cooolbox, including electronically, with the minimum necessary content, required by the Personal Data Protection Act (PDPA).

    Data subjects have the following rights guaranteed by the Regulation and domestic legislation:
    • Right of access to personal data 

      The data subject has the right to access personal data related to him/her, and if this is so, to receive feedback from Cooolbox within a period since the date of receipt of the request and under the terms of the Regulation and the PDPA;

    • Right of correction of personal data

      The data subject has the right to correct the inaccurate personal data associated with him/her and to receive feedback from Cooolbox for the actions he/she has taken within a period since the receiving of the request and under the terms of the Regulation and the PDPA; 

    • Right to erasure (right of the subject “to be forgotten”)

      The data subject has the right to request from Cooolbox to delete the personal data associated with him/her and the controller has the obligation to delete them when any of the following legal bases is applicable:
      • the personal data are not necessary for the purposes established by Cooolbox, for which they were collected or otherwise processed;
      • the data subject's consent for their processing has been duly withdrawn, and at the time of the withdrawal there is no other legal ground for data processing by Cooolbox;
      • the data subject objects to the processing, exercising the right to object pursuant to Article 21, Paragraph 1 of Regulation (EU) 2016/679 of 27.04.2016, in force since 25.05.2018 (the Regulation), and there are no legitimate grounds for the processing that take priority, or the data subject objects to the processing pursuant to Article 21(2) of the same Regulation;
      • the personal data have been unlawfully processed; 
      • the personal data have to be erased for compliance with a legal obligation in Union or Member State law, or the law of the Republic of Bulgaria to which the controller is a subject; 
      • the personal data have been collected in relation to the offer of information society services referred to in Article 4(1) GDPR 

        Cooolbox shall inform the data subject about the actions taken by him regarding the exercise of this right within the time of receiving the request – the application and under the terms of the Regulation and the PDPA

        Cooolbox informs data subjects that the right to be forgotten is not an absolute subjective right and the controller may not allow a deletion request in any of the cases expressly provided for in Article 17(3) of the Regulation, as well as in cases where the controller can prove that he is unable to identify the data subject who has exercised that right;

    • Right to restriction of personal data processing

      The data subject has the right to request from Cooolbox to obtain restriction of personal data processing when any of the following legal bases is applicable:

      • their accuracy is contested by the data subject, for a period enabling Cooolbox to verify the accuracy of the data;
      • the processing is unlawful, but the data subject opposes his/her erasure and instead requests the restriction of their use from Cooolbox;
      • Cooolbox no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
      • the data subject has objected before Cooolbox against the data processing pursuant to Article 21(1) of Regulation (EU) 2016/679, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
      When processing has been restricted on the occasion of duly exercising the right to limit processing, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another physical or legal person, or for reasons of important public interest of the Union or of a Member State. 

      When a data subject has obtained restriction of processing, Cooolbox shall inform him/her before the restriction of processing is lifted.

      In all cases Cooolbox shall inform the data subject about the exercised right to restriction and about the measures taken, within the period running from receipt of the request (the application) and under the terms of Regulation (EU) 2016/679 and the PDPA.

    • Right of the data subject to withdraw consent

      The personal data subject has the right to withdraw his/her consent if the processing is based on Article 6(1)(a) or Article 9(2)(a) of Regulation (EU) 2016/679. The right to withdraw consent may be exercised at any time, without affecting the lawfulness of the processing based on consent before its withdrawal;

    • Right to personal data portability

      The personal data subject shall have the right to data portability, which means that he/she may ask the controller to provide the personal data processed by the latter in a structured and machine-readable format so that they can be transmitted to another controller, or ask Cooolbox to transfer the data directly to this other controller, if this is technically feasible.

    • Right to Object

      Cooolbox informs the personal data subjects that, separately and independently of the other listed rights, they are entitled under Article 21 of Regulation (EU) 2016/679, at any time and on grounds relating to their particular situation, to object to the processing of personal data relating to them which is based on Article 6(1), letter e), i.e.: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority provided to the controller”; or letter f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except when interests or fundamental rights and freedoms of the data subject have priority over such interests, and they require protection of personal data, in particular when the data subject is a child.” When this right is exercised in such cases, Cooolbox terminates the processing of personal data unless it is proven that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims.

      When personal data are processed for the purposes of direct marketing, the data subject is entitled at any time to object to the processing of personal data relating to him/her for this type of marketing, including profiling, insofar as it relates to direct marketing. When the data subject objects to processing for the purposes of direct marketing, the processing of personal data for these purposes shall be terminated.

      In the context of the use of information society services, and irrespective of Directive 2002/58/EC, the data subject may exercise his/her right of objection by automated means using technical specifications. 

      When personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, the data subject may, on the basis of his/her particular situation, object to the processing of personal data relating to him/her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

    • The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling

      The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal consequences for him/her or similarly significantly affects him/her.

    • Right to information and assistance

      Cooolbox provides the data subject with information about the actions taken in connection with a request to exercise the rights of the subjects under Articles 15–22 of Regulation (EU) 2016/679 without undue delay and in every case within 30 days of receipt of the request, unless the PDPA provides for a longer period.

      When the data subject submits a request by electronic means, if possible, the information shall be provided by Cooolbox by electronic means, unless the data subject has explicitly requested otherwise. 

    • A fee determined by Cooolbox in the exercise of the listed rights. Refusal to cooperate

      Cooolbox provides the information free of charge. When requests by a data subject are manifestly unreasonable or excessive, in particular because of their repetitive character, Cooolbox may impose a reasonable fee, taking into account the administrative costs of providing the information or communication or of undertaking the requested actions, or may refuse to provide the information.

    • Right to lodge a complaint with a supervisory authority

      Without prejudice to the other rights of judicial protection, every personal data subject shall have the right to lodge a complaint with the Personal Data Protection Commission (CPDP), address: Sofia 1592, blvd. Professor Tsvetan Lazarov No 2 (www.cpdp.bg), to refer the matter to the same supervisory authority for a violation of the Regulation and/or the PDPA by Cooolbox, or by a person processing data on its behalf. The complaint is filed within the time limits set in the PDPA.

    • Right to an effective judicial remedy

      Without prejudice to the right to lodge a complaint with the supervisory authority, each data subject concerned shall have the right to challenge the actions or omissions of Cooolbox, or of the processor who processes personal data concerning him/her on behalf of Cooolbox, as unlawful before the respective Administrative court in the area where the controller/processor is located. An appeal by the data subject under this procedure is inadmissible if proceedings concerning the same violation are pending before the CPDP, or if the latter has delivered a decision which has been appealed to the competent Administrative Court.

    • Right to compensation and liability

      Without prejudice to any other rights of defence, any data subject, who has suffered material and/or non-pecuniary damage resulting from an unlawful act or omission by Cooolbox and/or a processor on behalf of the latter, shall be entitled to compensation for all damages suffered.

      Cooolbox shall be liable for damage caused by processing which infringes Regulation (EU) 2016/679 and/or the Bulgarian Personal Data Protection Act.

      The personal data processor acting on behalf of Cooolbox is personally liable to the personal data subject when it performs or fails to perform an act in violation of the provisions of the Regulation and of the PDPA specifically related to the duties of the data processor, or when it performs an act in violation of Cooolbox's lawful instructions, that is, contrary to or beyond them.

      When the same processing operation involves Cooolbox and the data processor on behalf of Cooolbox, they are jointly liable to the data subject for the damage caused.

  9. Cooolbox and personal data security. Appropriate organizational measures for personal data protection

    Cooolbox, as a personal data controller, will apply appropriate and effective organizational and technical measures to protect personal data in order to comply with the Regulation and the PDPA, while at the same time the company bears the burden of proving that the processing of the personal data of the subjects complies with the Regulation and the PDPA, namely the implementation and effectiveness of the organizational and technical measures introduced.

    Cooolbox sets out the appropriate organizational and technical measures for the protection of personal data, both at the stage of defining the processing objectives, the types of processing and the means of processing, and during the actual processing of the data, taking into account: the specifics of its activity; the minimum personal data that need to be collected and processed in the course of the activity and to achieve the identified processing objectives; the state of the art; the cost of introducing new technologies; the nature, scope, context and purposes of the processing of personal data; and the risk of a breach of personal data protection and its impact on the rights and freedoms of data subjects.

    Cooolbox shall implement technical and organizational measures for ensuring that, by default, only those personal data which are necessary for any specifically established purpose of the processing are being processed. This obligation relates to the volume of personal data collected, the level of processing, the period of storage and their accessibility. In other words, such measures will ensure that by default, without the intervention of an individual, personal data processed by Cooolbox will not be available to an unlimited number of persons.

    When required by the Regulation, by the applicable Bulgarian legislation or by the supervisory authority, the Personal Data Protection Commission, Cooolbox determines appropriate organizational and technical protection measures after conducting an assessment of the impact of a processing operation on the protection of personal data.

    Impact assessment is a process for determining the level of risk of the impact of data processing on the rights and freedoms of a particular individual or group of physical persons – the subject and the data processed, depending on the specific data, the processing objectives and the number of physical persons affected in the event of a breach of personal data protection. The risk to the rights and freedoms of physical persons, of different probability and severity, may arise from the processing of personal data which could lead to a breach of the protection of personal data; or when data subjects may be deprived of their rights and freedoms or deprived of the right to exercise control over their personal data; when processing sensitive personal data; when assessing personal aspects, in particular analysing or forecasting aspects relating to the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements in space, with the purpose of creating or using personal profiles; when processing personal data of vulnerable persons, especially children; or when processing involves a large volume of personal data and affects a large number of data subjects.

    The results of the assessment should be taken into account by Cooolbox when determining the appropriate measures to prove that the processing of personal data complies with the requirements of the Regulation. When a data protection impact assessment indicates that processing operations lead to a high risk which Cooolbox cannot limit by appropriate organizational and technical measures in terms of available technologies and application costs, the supervisory authority, the CPDP, should be consulted.

  10. Reporting security breach of personal data

    After finding a security breach of personal data, Cooolbox must notify the supervisory authority, the CPDP, of that breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless Cooolbox is able to demonstrate, in accordance with the accountability principle, that the breach of personal data security is unlikely to lead to a risk for the rights and freedoms of physical persons. When the notification cannot be filed within 72 hours, it shall state the reasons for the delay, and the information may be submitted in stages without undue further delay.

    When the personal data breach is likely to lead to a risk for the rights and freedoms of physical persons, the controller shall, without undue delay, notify the data subject of the personal data breach.

  11. Amendments and adjustments

    Cooolbox, in its capacity as a controller and in its endeavours to comply with personal data protection law in the course of and in connection with its commercial activities, may unilaterally amend or supplement this policy in a transparent manner by notifying the data subjects in an appropriate manner.

    This policy is adopted by Cooolbox, as a controller, and its officers and shall enter into force on 25.05.2018.