Personal data protection policy
1. Objectives and Content of the Policy
1.1. Under this Personal Data Protection Policy (the Policy), Neterra EOOD, UIC 121039370 (Neterra), in its capacity as a controller, takes into account the privacy and the need to protect natural persons' data. In accordance with the legislation in force and the best practices, the company shall implement the necessary technical and organizational measures to ensure the protection of personal data.
1.2. The protection of personal data entrusted with Neterra is very important for the company and our business activities. It is very important for the success of our business. We recognize that the processing of personal data is always related to a specific reason and should be carried out in compliance with clear rules. That is why we shall make our best endeavors and take responsibility to protect the personal data provided by our partners, customers or subcontractors and shall not allow unauthorized access, unauthorized or malicious use, loss or erasure of information.
1.3. The personal data required for performing Neterra's activities shall be collected and processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 April 95/46, as well as the applicable national or EU law.
1.4. This Policy provides systematised information to the end-users - natural persons on the reasons for and manner of processing their personal data.
1.5. The Policy Neterra adheres to in connection with the protection of personal data, in its capacity as controller or processor, is binding on all employees and representatives of Neterra. This Policy is also binding on Neterra's counterparties, who process personal data in connection with the performance of a specific contract, and they have given their informed consent to adhere to this Policy.
Within the meaning given by the applicable legislation and this Policy:
2.1. 'Personal data' means any information related to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.2. 'Special categories of personal data' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person's sex life or sexual orientation;
2.3. 'Basic data' means names, gender and age group, address (permanent address);
2.4. 'Data Subject' means any living natural person who is associated with specific personal data;
2.5. 'Network/Traffic Data' means data processed in an electronic communications network for the purpose of conveyance of signals, broadcast or electronic content exchange, including data used to track and identify the source and destination of the communication, location data and device type, generated in the context of the provision of electronic communications services as well as date, time, duration and type of communication, data on the usage of television services, etc.;
2.6. 'Consumption data' means aggregated data for the consumption of Neterra's services, including type of service, total number and duration of use;
2.7. 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.8. 'Controller' means any natural or legal person, public authority, agency or other authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
2.9. 'Processor' means a natural or legal person, public authority or other authority which processes personal data on behalf of the controller;
2.10. 'Consent of the data subject' means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
2.11. 'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
2.12. 'Detailed analysis' means an analysis method that allows the processing of large volumes of data through statistical models and algorithms and others, which involve the use of network and personal data as well as pseudonymising and anonymizing them for the purpose of retrieving information about trends and various statistical indicators;
2.13. 'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2.14. 'Recipient' means a natural or legal person, public authority, agency or another authority, to which the personal data are disclosed, whether a third party or not. The public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
2.15. 'Third party' means a natural or legal person, public authority, agency or authority other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
2.16. 'Partners' means companies with which Neterra has entered into partnership agreements and which provide a variety of products and services.
3. Guarantees for lawful processing of the personal data
Neterra shall processes customer's personal data on one of the following grounds:
a) the Customer has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of the contract to which the Customer is a party or in order to take steps on Customer's request prior to entering into the contract;
c) processing is necessary for compliance with a legal obligation to which Neterra is subject;
d) processing is necessary for the purposes of Neterra's legitimate interests.
4. How are we going to use the personal data
4.1. For performance of a contract or in the context of pre-contractual relations with users
Neterra shall process identification data and other personal data in order to provide the services and products requested by customers, in order to perform its contractual and pre-contractual obligations to the customers as well as to exercise its rights under the concluded contracts. The processing of personal data shall be carried out for the purpose of:
a) identifying the Customer through all sales channels;
b) managing and executing customer requests for products or services, execution of contracts for sell of products and services;
c) drafting a contract proposal;
d) ensuring the technical maintenance of our networks in order to provide quality services;
e) any technical assistance for the maintenance of the provided services, including performing warranty and after-sales service of devices;
f) drafting proposals for distance contracts, sending pre-contractual and contractual information by courier services; servicing an opt-out;
g) preparing aggregated statistical information about Neterra's sales, services, customers, network traffic, location models, which we can also provide to third parties, etc.;
h) analysing customer history and preparing a user profile in order to determine an appropriate offer for the Customer;
i) identifying and/or preventing unlawful actions or actions contradicting Neterra's General Terms for the respective services;
j) processing by a processor upon entering into a contract, assignment, reporting, acceptance, payment.
4.2. For the performance of regulatory obligations
Neterra shall process the identification data, traffic data, location data, customers invoicing data and other personal data in order to comply with obligations that are provided for under a regulation, including but not limited to:
a) obligations to provide information to the Communications Regulation Commission or third parties, as defined in the Electronic Communications Act;
b) fulfilment of obligations related to distance selling provided for in the Consumer Protection Act;
c) providing information to the Commission for Consumer Protection or third parties provided for in the Consumer Protection Act;
d) providing information to the Commission for Personal Data Protection in connection with obligations provided for in the regulatory framework on protection of personal data - the Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.;
e) obligations provided for in the Accounting Act and the Tax and Social Insurance Procedure Code and other related regulations in connection with the keeping of correct and lawful accounting;
f) providing information to the court and third parties in the course of court proceedings in accordance with the requirements of procedural and substantive regulations applicable to the proceedings;
g) age verification for online shopping.
4.3. With customer's consent
4.3.1. In some cases, Neterra shall process the personal data only with the prior written consent of the Customer. Such explicit consent from the Customer shall only be necessary if Neterra requires data that are more than the minimum data required for the conclusion and performance of the contract. The consent is a separate ground for the processing of personal data and the purpose of processing shall be specified therein and shall not overlap with the other purposes listed in this Policy.
4.3.2. The given consents may be withdrawn at any time. The withdrawal of the consent shall not affect the performance of Neterra's contractual obligations. If the Customer withdraws his/her consent to the processing of personal data for some or all of the purposes described above, Neterra shall not use the personal data and information for the relevant activities as of the moment of withdrawal. The withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal.
4.3.3. When consent to the processing has been given, this consent shall apply to all products and services used by the Customer.
4.4. Considering the company's legitimate interest
Neterra shall use basic customer data to prepare customer invoices considering the company's legitimate interest in order to perform a basic analysis of the data and to adapt the offered services and products to the Customer's individual needs, as well as to offer new services.
4.5. Processing of anonymised data
Neterra shall process customers' traffic data for statistical purposes. This means performing analyses in which the results shall be summarized and the data used shall be anonymous. It is impossible to identify a specific person and data related to him/her through this information.
5. What types of data does Neterra process
5.1. basic data (identification data): full name, personal identification number or personal number of foreigner, permanent address;
5.2. traffic data (network data) data necessary for the provision of electronic communications services, for billing; data for preparation of customer invoices, as well as for proving their authenticity; data which are being processed in the electronic communications networks for determining the geographic location of the electronic communication end device;
5.3. other data: information on the type and contents of the contractual relationship, as well as any other information relating to the contractual relationship, including:
5.3.1. information on the inquiries/orders for troubleshooting, petitions, applications, complaints;
5.3.2. other feedback we receive from the customers;
5.3.3. personal contact details - contact address, phone number and contact information (email, phone number), gender, age group;
5.3.4. preferences for the services we provide to the customers;
5.3.5. credit or debit card information, bank account number or other bank and payment information related to the payments made to Neterra;
5.3.6. other information such as:
a) customer number, code or other identifier created by Neterra for identification of customers/users;
b) data provided through the company's websites and mobile applications;
c) information about the electronic communication end device used, the type of the device, the operating system used, the IP address when visiting our website;
d) demographics, household information when the customers agree to participate in our surveys, prize draws, or other feedback they provide us with in connection with the products and services used;
e) other personal data provided by the customers or by a third party upon conclusion or within the duration of a contract with Neterra.
5.4. When we process the data for identification of the Customer and his/her traffic data as well as the other described data for the purposes of providing products and services, for their payment, for the fulfillment of requests/orders for services as well as to fulfil our statutory obligations, this processing shall be mandatory for the achievement of these objectives. We would not be able to perform the respective activities without these data.
5.5. The customers is obliged to take reasonable care necessary for the protection of his/her personal data when the latter have been provided to third parties other than Neterra.
6. Why and how we use automated algorithms
For the processing of customers' personal data, we shall use partially automated algorithms and methods to continually improve our products and services in order to adapt our products and services to the customers' needs in the best possible way or for calculation. This process is called profiling.
7. How do we protect our customers' personal data
7.1. In order to ensure adequate protection of the company' and customer' data, we implement all the necessary organizational and technical measures provided for in the applicable legislation as well as the best practices of international standards (ISO 27001: 2013, etc.).
7.2. The company has established rules for restricted and authorized access to data in order to prevent abuse and security breaches, it has designated a Data Protection Officer to support the personal data safeguard and security procedures.
7.3. For the purpose of maximum security during processing, transfer and storage of the personal data, we use additional data protection mechanisms such as encryption, pseudonymisation, etc.
8. When do we erase personal data
8.1. The use of personal data for the purposes related to the contractual relationship shall cease upon the termination of the contract but the data shall not be destroyed before the expiration of 1-year period after the termination of the contract or until the final settlement of all the financial relationships arising out of it; expiration of the regulatory obligations for storing the data, such as obligations under the Electronic Communications Act for storing and providing information for the purpose of detecting and investigating crimes (6 months); under the Accounting Act for the storage and processing of accounting data (11 years); expiration of the statutory time limitations for bringing claims (3 years for recurrent payment services and 5 years for the remaining services) under the Obligations and Contracts Act; obligations to provide information to the court, competent state bodies and others grounds provided for in legislation in force (5 years).
8.2. Neterra shall not erase or anonymize personal data if they are required for a pending court, administrative proceedings or proceedings on a Customer's complaint before the company.
8.3. The personal data can also be anonymized. The anonymization is an alternative to the erasure of the data. Upon anonymization, any personal identifiable element/elements that enable the identification of the customer shall be irreversibly erased. There is no regulatory obligation to erase anonymized data, as they do not constitute personal data.
9. When and why do we share personal data with third parties
9.1. Neterra shall not provide personal data to third parties before making sure that all technical and organizational measures for the protection of these data have been implemented by striving to carry out strict control to achieve this objective. In this case, Neterra shall remain responsible for the confidentiality and security of the personal data.
9.2. The categories of recipients to which we provide personal data, are the following:
9.2.1. persons processing data on behalf of Neterra:
9.2.2. collection and/or debt collection companies - debt collection agencies, credit agencies that service and collect claims through surety or other means;
9.2.3. postal operators - with a view to sending parcels containing contracts, supplemental agreements and other documents, where identity verification is required upon servicing;
9.2.4. distributors and agents of Neterra who act as representatives of the company in the sale of services and products;
9.2.5. Neterra's partners for the purpose of preparing a joint technical solution for the Customer's needs;
9.2.6. persons who have been assigned to maintain the equipment, software and hardware used for the processing of personal data and necessary for the construction of the service, for the provision of various accounting services, payment of services and products, technical support, etc.;
9.2.7. persons providing maintenance service of end devices; call centers that assist Neterra in the sale of products and services and customer service before and in the course of the duration of the contractual relationship;
9.2.8. installers - for installation or support for the provision of the service;
9.2.9. persons hired by Neterra under a freelance contract who assist the sales, logistics, delivery processes, etc.;
9.2.10. authorities, institutions and persons to whom we are obliged to provide personal data under the applicable law;
9.2.11. providers of electronic authentication services where a document related to the provision of a product or a service shall be signed with an electronic signature;
9.2.12. banks - for servicing of payments made by the customers;
9.2.13. security companies holding a license to perform private security activities - in connection with the processing of the video recordings from Neterra's sites and/or provision of the access regime at the sites of the company;
9.2.14. persons providing services for organizing, storing, indexing and destroying archives in paper and/or electronic form;
9.2.15. persons performing consulting services in various fields.
9.2.16. persons processing data on their own behalf:
a) assignees - parties to account receivable purchase agreements to which Neterra assigns (sells) outstanding liabilities;
b) competent authorities which by virtue of a regulation have the power to demand the provision of information, including personal data, such as courts, prosecutors, various supervisory authorities such as the Commission for Consumer Protection, the Communications Regulation Commission, the Commission for Personal Data Protection, bodies with national security and public order protection powers.
10. Rights of the customers in relation to the processing of their personal data
10.1. Right to information:
10.1.1. The customers have the right to request:
a) information on whether data relating to them are being processed, information on the purposes of that processing, on the categories of data and on the recipients or categories of recipients to whom the data are being disclosed;
b) a communication in comprehensible form containing the personal data being processed as well as any available information about their source;
c) information on the logic of any automated processing of personal data relating to the customers in the case of automated solutions.
10.2. Right to rectification:
10.2.1. In the event that we process incomplete or incorrect data, the customers have the right to request at any time:
a) that we erase, rectify or block their personal data, the processing of which does not meet the requirements of the law;
b) that we notify the third parties, to whom the customers' personal data have been disclosed, of any erasure, rectification or blocking, except where this is impossible or involves excessive efforts.
10.3. Right to object:
10.3.1. At any time the customers have the right to:
a) object to the processing of their personal data if there is a legitimate reason for doing so; where the objection is justified, the personal data of the natural person concerned can no longer be processed;
b) object to the processing of their personal data for the purposes of direct marketing.
10.4. Right to restriction of processing:
10.4.1. The customers may request a restriction of the processed identification data if:
a) they challenge the correctness of the data for the period in which Neterra should verify their correctness; or
b) the processing of data lacks legal basis, but instead of being erased, the customers have requested their limited processing; or
c) Neterra does not need these data (for the intended purpose), but the customers need them in order to identify, exercise or protect their legal claims; or
d) the customers have objected to the processing of the data pending investigation whether the reasons for the controller are lawful.
10.5. Right to data portability:
10.5.1. The customers have the right to receive personal data concerning them which they have provided to Neterra in a structured, commonly used electronic format and have the right to transmit those data to another controller where:
a) the processing of those data by Neterra is based on the explicit consent of the customer to data processing for a particular purpose and
b) the processing is carried out by automated means.
10.6. Right to complaint:
10.6.1. In the event that a Customer decides that Neterra is in breach of the applicable regulatory framework, we expect the Customer to contact us to clarify the matter.
10.6.2. The customer has the right to lodge a complaint with the Commission for Personal Data Protection. As 25 May 2018, the customers can also lodge a complaint with a supervisory authority within the European Union.
10.7. The applications for access to information or for rectification are to be submitted in person or by a person explicitly authorized by the Customer through a notarized power of attorney. An application may also be submitted electronically under the Electronic Document and Electronic Trust Services Act.
10.8. Neterra shall rule on the customer's request within 14 days of its submission. If a longer period to collect all the requested data is objectively required and this seriously impedes our activity, this period may be extended to 30 days. The decision on the complaint shall be motivated.
11. Provision of personal data by Neterra to Processor/s
11.1. In the course of performance of the contracts for the provision of services and/or products, Neterra may provide its partners and/or customers with personal data of its employees and/or representatives and/or personal data of its customers and partners or, respectively, of their employees, and/or representatives;
11.2. As a controller Neterra shall transfer to the processors all or some of the following categories of personal data:
a) Identification data of natural persons for the purposes of providing access to sites or other purposes relating to the performance of contractual relationship, such as: names, PIN, address, number and personal documents (passport, ID card, etc.), GPS coordinates, location data, IP address, log data, e-mail and contact phone number;
b) Other data where required by the subject matter of the contract concluded between the parties.
11.3. Neterra shall transfer the data to third parties (customers, partners, subcontractors, etc.) over a secure channel.
11.4. The assignment of the processing is made exclusively and solely on the territory of a Member State of the European Union (EU) or in a Member State of the European Economic Area (EEA). Any transfer of data to a country, which is not a Member State of the EU or EEA, requires the prior written consent of Neterra as a Controller.
11.5. Neterra requires the Processors to maintain the appropriate technical and organizational measures for data protection in compliance with the regulatory requirements, including ensuring compliance with the personal data protection rules of its employees and all other persons with whom they have contractual relations.
11.6. Neterra requires the Processors to immediately notify of any cases of a personal data breach.
11.7. In the event that the Neterra as Controller is subject to inspection by a supervisory authority, there is a claim lodged by a data subject or a third party, or there are claims regarding the processing on the part of a Processor, Neterra shall require the relevant Processor to provide the necessary assistance until the full clarification the case, including the provision of all relevant information and documents relating to the case (including documents submitted by the data subject or which are in possession of the Processor).
12. Personal data provided to Neterra by another controller
12.1. Technical and organizational measures
12.1.1. In its capacity as a Processor, Neterra shall ensure the data protection in accordance with Article 5 para. 1 and 2, Article 28 para. 3 (c) and Article 32 of GDPR.
12.1.2. In its capacity as a Controller, Neterra shall maintain records of all processing activities by ensuring that each step of the processing can be traced, including to whom have the data been provided, when, what types of data, for what purpose and what are the Recipient's arrangements with third parties. Upon request, Neterra as Processor shall provide at any time the records to controllers or supervisory authorities.
12.2. Exercising the rights of a data subject (natural person)
12.2.1. As a Processor Neterra shall not rectify, erase or restrict the processing, it shall not take any decisions regarding a data subject exercising any other rights, which are being processed on behalf of the Controller. Neterra shall take such actions only upon written instructions of the Controller.
12.2.2. If a data subject contacts Neterra directly regarding any rectification, erasure of personal data, restriction of processing, or exercising other rights, Neterra, in its capacity as a Processor, shall immediately forward the data subject's request to the Controller.
12.3. Subcontracting the processing
12.3.1. As a Processor Neterra may subcontract the processing only after entering into appropriate and legally binding agreements with subcontractors and after taking appropriate measures to ensure the protection and security of the data to Controller. Neterra requires the subcontractors to assume duties identical to those of Neterra as a Processor.
12.4. Deleting and returning personal data
12.4.1. As a Processor Neterra shall not make any copies or duplicates of the data without the knowledge and permission of the Controller, except for backups if necessary to ensure organized processing, as well as the data necessary to comply with the regulatory requirements for storage of the personal data.
12.4.2. Upon termination of the contractual relationship between the parties or on the request by the part of the Controller, Neterra shall transfer to the Controller, or on the basis of prior consent, destroy any documents, results of the processing and use, as well as the sets of data related to the contracts, which are in its possession, in a manner consistent with the data protection requirements.
12.4.3. Neterra shall not return and/or destroy the data if there is a legal basis for their retention.
12.5. Control and responsibility
12.5.1. As а Processor Neterra shall enable the Controller to verify the compliance with obligation for legitimate processing. Neterra shall provide the Controller with the necessary information upon request, and where required shall demonstrate the implementation of the technical and organizational measures.
12.5.2. In the event that the Controller is subject to inspection by a supervisory authority, there is a claim lodged by a data subject or a third party, or there are claims regarding the processing on the part of Neterra as a Processor, Neterra shall provide full assistance to the Controller.
13. Updating and amending the Policy
In order to apply the most up-to-date protection measures and to comply with the legislation in force, we shall regularly update this Personal Data Protection Policy. If the changes we make are substantial, we can post a message on our websites about the changes made.
This Privacy and Data Protection Policy has entered in force as of 20.08.2018.
14. Contact details regarding the protection of the personal data
20A Andrey Saharov Blvd., 1784 Sofia
tel.: +359 2 975 1616, fax: +359 2 975 3436
Data Protection Officer: Nikolay Zhelev
Neterra's counterparties shall give declaration of consent by which they declare and undertake to adhere to this Policy and to promptly inform the Data Protection Officer pursuant to art. 14 regarding the personal data protection