DATA PROTECTION POLICY

(effective as of May 13, 2020, amended as per the Ordinance as of September 18, 2020)

of “BioCare Cosmetic” EOOD, UIC 205341502, with seat and registered office at 71 Slavyanska Str., 4th floor, office 10, Burgas, represented by Sonya Trendafilova Krasteva, in her capacity of Manager,
VAT number: BG205341502;
Email: dpo@natureproductlab.com;
(the “Data Controller”)
This Data Privacy Policy has been prepared and approved on the basis of the Bulgarian Law on Personal Data Protection (LPDP) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, effective as of 25 May 2018, and aims to acquaint you with the main points related to the processing of your personal data. The Data Controller reserves the right to update this Data Privacy Policy, and its current version will be at your disposal at any time on the site of the e-shop.

I. DEFINITIONS

1. Data Controller:
means a legal person which alone or jointly with others determines the purposes and means of the processing of personal data;

2. Personal data:
means any information relating to an identified or identifiable natural person (the “Data Subject”) via an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

3. Processing:
means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

4. Data Processor:
means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller;

5. Recipient:
means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;

6. Consent:
means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

II. PRINCIPLES

2.1 The main principles on which the Data Controller bases the processing of personal data are: (i) legality; (ii) good faith and transparency; (iii) minimizing data and limiting the purposes and retention period; (iv) accuracy; (v) integrity and confidentiality; (vi) accountability.

2.1.1 In order for the processing to be lawful, the Data Controller processes your personal data on the basis of your consent or on other legitimate grounds, when necessary in the context of a contract or with an expressed intention to conclude such.

2.1.2 The principle of good faith and transparency requires the Data Controller to ensure that all information and communication related to the processing of your personal data is easily accessible and understandable, using clear and unambiguous wording. This principle applies in particular to the information that you as a Data Subject receive about the identity of the Data Controller and the purposes of the processing, as well as to the additional information guaranteeing conscientious and transparent processing.

2.1.3 Compliance with the third principle, namely to minimize data and limit the purposes and period of storage by the Data Controller, is ensured by collecting only those data that are absolutely necessary for the purposes and activities of the Data Controller and compliance with the legal requirements for its exercise, as they are processed only for specific, explicitly stated and legitimate purposes, and are not processed in a way incompatible with these purposes, and are stored for a period not longer than necessary or provided by law.

2.1.4 The principle of accuracy requires that all personal data processed by the Data Controller be accurate and kept up to date, and for this purpose the Data Controller relies on you as a Data Subject, on your correctness and assistance. If it proves impossible to correct inaccurate personal data provided by you, the Data Controller shall delete them in a timely manner, taking into account the purposes for which they are processed.

2.1.5 In accordance with the principle of integrity and confidentiality, the Data Controller processes your personal data in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures.

2.1.6 The principle of accountability assures you that everything the Data Controller does regarding your personal data is subject to control and that the Data Controller is responsible for it.

2.2 The Data Controller ensures that all persons involved in the personal data processed by it are familiar with the basic principles set out here, the content of this Policy, as well as the applicable legal requirements regarding the protection of personal data.

III. THE PERSONAL DATA WE PROCESS

3.1 The categories of personal data that are processed by the Data Controller depend on the registers that it maintains, on the specifics of its activity, as well as on the legal requirements for it, and for the different registers there are different categories of personal data.

3.1.1 For the register "Customers of an e-shop" (according to the definition of the applicable General Terms) these are only some or all of the data listed herein: name, surname, language, telephone, IP address, e-mail address, delivery address, billing data (if applicable), health data (if applicable); bank account (if applicable) and / or other related data as appropriate;

3.1.2 For the Register “Job Candidates”: name and surname, contact details (address, telephone number, e-mail address); social media addresses (as appropriate); nationality; age and/ or date of birth; photo (as appropriate); data on trainings, profession, professional experience and qualifications (previous employers, duration of work, powers, professional trainings, contact persons for recommendations and related data); competencies and personal skills (linguistic competencies, communication skills, organizational/ management skills); criminal record; health status; finance data; and/ or other related data as appropriate.

3.1.3 For the register "Personnel": name and surname, contact details (address, telephone number, e-mail address); nationality; data from the ID card or passport; photo (as appropriate); data on training, profession, professional experience and qualifications; competencies and personal skills; criminal record; health status; finance data; and/ or other related data as appropriate.

3.1.4 The register "Counterparties" includes the personal data of the employees/ representatives of the legal entities or natural persons - contractors, which are provided as contact persons under certain contracts or in connection with the conclusion of such: name and surname, data from the ID card or passport (as appropriate); contact details (telephone number, e-mail address, business address), position, photo (as appropriate) and/ or other related data, if applicable.

3.2 The Data Controller does not collect copies of ID cards, passports, driver's licenses or other official identification documents. They are presented only to verify the accuracy of the personal data provided by you (as the case may be), after which they are returned.

3.3 The Data Controller receives your personal data in the following ways: (i) personally from you, when you apply for a job or through the site in case of expressed interest in the offered goods, by e-mail or contact numbers; (ii) from other sources, but only as supplementary information to that already provided voluntarily by you; and (iii) automatically through so-called cookies and other unique identifiers when you visit the e-shop website. You can read more about the latter in the Cookie Policy.

IV. GROUNDS FOR PROCESSING

4.1 Once provided, your personal data will be processed by the Data Controller (its authorized employees / representatives / contractors) on the following grounds of Regulation (EU) 2016/679: (i) Art. 6, para 1(a): “the Data Subject (in this case You) has given consent to the processing of his or her personal data for one or more specific purposes”; (ii) Art. 6, para 1(b): “the processing is necessary for the performance of a contract to which the Data Subject (in this case You) is party or in order to take steps at the request of the Data Subject prior to entering into a contract”; (iii) Art. 6, para 1(c): “the processing is necessary for compliance with a legal obligation to which the Data Controller is subject”; and (iv) Art. 6, para 1(e): “the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party”.

4.2 Your Consent shall be given by a clear affirmative act expressing your free, specific, explicit, informed and unambiguous consent to the processing of all your personal data by the Data Controller for the purposes set out in Section V below.

4.3 Your Consent may be given in the form of a written declaration, including electronically, or an oral declaration from which the Data Controller shall keep a record. For all Customers of the e-shop, the Consent is provided by ticking a special field, with which you also declare that you are familiar with this Data Privacy Policy and the General Terms of the Data Controller, accept them and agree to observe them unconditionally.

4.4 Please note that the products announced for sale on the website of the e-shop of the Data Controller are intended to treat certain medical problems, which is why very often in conversation with our representatives you voluntarily share your personal symptoms, which fall into the category of "data concerning health”, for the processing of which we need your explicit consent. Therefore, please note that by checking the box under the previous point, you also provide your explicit Consent to the processing of this category of your personal data by the Data Controller for the purposes set out in Section V below.

4.5 You have the right to withdraw your Consent at any time by one of the means described in Section X below. The withdrawal of the Consent shall not affect the lawfulness of the processing carried out on any of the other grounds listed in item 4.1 above.

4.6 When you have Consented to your personal data being processed by the Data Controller for direct marketing purposes, you have the right to object to this at any time in one of the ways described in Section X below. Upon receipt of your objection, the Data Controller shall cease the processing of your data for these purposes.

V. PURPOSES OF PROCESSING

5.1 Your personal data is processed by the Data Controller only for specific, explicitly stated and legitimate purposes. They vary according to the registers kept by the Data Controller.

5.1.1 For the register "Customers of an e-shop" (according to the definition of the applicable General Terms) the objectives are: public presentation of a demonstrative online product catalogue; research of preferences and interests for the purpose of recommendation and personalization; direct marketing; submission, acceptance and processing of orders for purchase of goods from the catalogue; assistance, including answering your questions in connection with your orders and/ or goods; sale of goods; participation in promotions, raffles and competitions; filling in and submitting questionnaires and quizzes; the execution of distance sales contracts; solving possible problems related to orders, purchased goods, etc.; return of goods; reimbursement of the value of the returned goods; the observance of legal obligations by the Data Controller, including arising from the tax and accounting legislation; the protection of the legitimate rights and interests of the Data Controller and third parties, in full balance with your fundamental rights and freedoms, including measures to protect the site and customers of the e-shop against cyberattacks; measures to prevent and detect attempted fraud, including the transmission of information to competent public authorities; measures to manage various other risks, as well as any other objectives compatible with the above.

5.1.2 For the register “Job Candidates” and the register “Personnel”, the objectives are: recruitment; the conclusion and performance of an employment or civil contract, including the performance of obligations established by law or by collective agreements; management, planning and organization of work; equality and diversity in the workplace, health and safety at work; the exercise and use on an individual or collective basis of the rights and benefits of employment; termination of employment or service; the observance of legal obligations by the Data Controller, including arising from the tax and accounting legislation; the protection of the legitimate rights and interests of the Data Controller and third parties, as well as any other objectives compatible with the above.

5.1.3 For the register “Counterparties”, the objectives are: to take steps before concluding a contract; the conclusion and execution of contracts; the observance of legal obligations by the Data Controller, including arising from the tax and accounting legislation; the protection of the legitimate rights and interests of the Data Controller and third parties, as well as any other objectives compatible with the above.

5.2 The processing of personal data for purposes other than those for which they were originally collected is only permitted when the processing is compatible with the purposes for which they were originally collected. Processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes should be considered as compatible lawful processing operations.

VI. TERM FOR PROCESSING AND STORAGE

6.1 The period for which your personal data is processed is limited to a strict minimum. In order to ensure that the processing time of your personal data is no longer than necessary, the Data Controller should set deadlines for their periodic review and deletion, in case the law does not provide explicit deadlines for this.

6.2 The processing of your personal data will continue as follows: (i) in cases where you have filled in and submitted incorrect, incomplete or inaccurate data, and there is no way to be corrected or updated by the Data Controller, they will be deleted or destroyed within one (1) month as of their receipt; (ii) in cases where the processing is only on the basis of your Consent, until its withdrawal, but not later than the end of the month in which it was granted; (iii) in the case of Consent given for direct marketing, until the Data Controller has received your objection to the processing of personal data for this purpose; (iv) in cases where the processing is based on a signed contract - until the final settlement of the legal relationship between you and the Data Controller and five (5) years thereafter, except in cases of legal or enforcement proceedings, tax inspections and/ or audits, as well as when the protection of the legitimate interests of the Data Controller or third parties does not require a longer period. All these terms will be valid only on condition that laws or by-laws do not provide for longer ones.

6.3 Exceptions to the above rules have been introduced with regard to: (i) personal data of Job Candidates, whose processing period may not exceed six (6) months from the moment of final completion of the selection, respectively after the expiration of the deadlines for its appeal, unless the Candidate has given his/ her consent for a longer period; (ii) secondary documents containing personal data of the Job Candidates such as written materials, tests, minutes of conducted interviews, etc. in connection with the application may be kept for a period of up to three (3) years according to Art. 52 of the Law on Protection against Discrimination; (iii) the payrolls, as well as other documents proving the employment and insurance experience of the Data Controller's Personnel, shall be kept for a period of fifty (50) years in accordance with the requirements of the Accounting Law.

6.4 The Data Controller makes regular checks on the basis of personal data processed and stored by it, and on the basis of the rules contained herein, it proceeds with their deletion, destruction or anonymization for statistical or research purposes. With regard to personal data, for the storage of which special laws provide for longer periods, the Data Controller shall take technical and organizational measures for their archiving so that they are not subject to further processing and cannot be amended.

VII. TECHNICAL AND ORGANIZATIONAL PROTECTION MEASURES

7.1 The Data Controller undertakes to apply appropriate technical and organizational measures to ensure an appropriate level of security of your personal data. In assessing the appropriate level of security, account shall be taken of the risks associated with the processing, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

7.2 With regard to automated processing, the Data Controller shall apply measures aiming at:

7.2.1 control over access to equipment - to deny unauthorized persons access to the equipment used for personal data processing;

7.2.2 control of data carriers - to prevent reading, copying, modification or removal of data carriers by unauthorized persons;

7.2.3 control over storage - to prevent the entry of personal data by unauthorized persons, as well as the performance of checks, modification or deletion of stored personal data by unauthorized persons;

7.2.4 consumer control - to prevent the use of automated processing systems by unauthorized persons through the use of data transmission equipment;

7.2.5 control over access to data - to ensure that persons who are allowed to use an automated processing system have access only to the personal data covered by their access authorization;

7.2.6 control over communication - to ensure the possibility of verification and establishment of which persons have been or may be transferred personal data, or which persons have access to personal data through data transmission equipment;

7.2.7 control over data entry - to ensure the possibility for subsequent verification and establishment of what personal data have been entered into the automated processing systems, as well as when and by whom they were entered;

7.2.8 control over the transfer - to prevent the reading, copying, modification or deletion of personal data by unauthorized persons during the transfer of personal data or during the transfer of data carriers;

7.2.9 recovery - to ensure the possibility of recovery of the installed systems in case of failure of the functions of the systems;

7.2.10 reliability - to ensure the implementation of the functions of the system and the reporting of defects in the functions;

7.2.11 integrity - to ensure that the stored personal data is not damaged due to improper functioning of the system.

7.3 Through measures under the previous point, the Data Controller shall ensure the protection of personal data at the design stage, taking into account the achievements of technical progress, implementation costs and the nature, scope, context and objectives of personal data processing, as well as risks to the rights and freedoms of individuals during processing.

VIII. CATEGORIES OF RECIPIENTS

8.1 Depending on the case, we transfer or may give access to some of your personal data to the following categories of Recipients: (i) companies from the group to which the Data Controller belongs; (ii) partners and contractors; (iii) courier service providers; (iv) payment/ banking service providers (if applicable); (v) marketing service providers, including digital advertising agencies; (vi) market research service providers; (vii) IT and hosting service providers; (viii) other companies with which the Data Controller develops joint programs for the sale of its goods; (ix) public government bodies and organizations, where this is necessary in order to protect the legitimate interests of the Data Controller or third parties, or where it is provided for as a legal obligation.

8.2 The Data Controller currently stores your personal data on paper in special lockable cabinets in its offices or on servers in the Republic of Bulgaria. Given that the Data Controller carries out its trading activities in almost the entire European Union, your personal data may be processed, directly by the Data Controller or through its counterparties, in the territory of the country of your habitual place of residence.

8.3 The Data Controller may entrust the processing of personal data on its behalf only to Data Processors of personal data who provide sufficient guarantees that they will apply appropriate technical and organizational measures in such a way that the processing complies with legal requirements and ensures the protection of your rights. The relationships between the Data Controller and the Processor are regulated via contract, which regulates the subject and term of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the rights and obligations of the parties.

IX. YOUR RIGHTS AS A DATA SUBJECT

9.1 Right of access under Art. 55 LPDP and Art. 15 of Regulation (EU) 2016/679: You have the right to receive confirmation from the Data Controller whether it processes your personal data and, if so, to access them, as well as information about: (i) the data that identifies it; (ii) contact details of the Data Protection Officer; (iii) the categories of personal data processed; (iv) the personal data being processed and any available information on their origin; (v) the purposes and legal basis for the processing; (vi) recipients or categories of recipients, including in third countries or international organizations; (vii) the period for which the personal data will be stored or, if this is not possible, the criteria for determining that period; (viii) the existence of a right to require the Data Controller to access, correct or delete personal data or to restrict their processing; (ix) the right of appeal to the supervisory authority and contact details; and (x) other processing-relevant information.

9.2 Right to rectification under Art. 56 (1) of LPDP and Art. 16 of Regulation (EU) 2016/679: As a Data Subject you have the right to request the Data Controller to rectify your inaccurate personal data. Given the purpose of the processing, you have the right to request that incomplete personal data be completed, including by providing an additional application.

9.3 Right to erasure (“to be forgotten”) under Art. 56 (2) of LPDP and Art. 17 of Regulation (EU) 2016/679: You have the right to request the Data Controller to delete without undue delay the personal data that concern you, when they are no longer needed for the purposes for which they were collected and/ or processed; when you withdraw your consent, on which their processing is based and there is no other legal basis for it; when you object to their processing for the purposes of direct marketing and there are no legitimate grounds for processing to take precedence; when your personal data is processed in violation of the principles outlined above, or when it must be deleted in order to comply with a legal obligation for the Data Controller.

9.4 Right to restriction of processing in the hypotheses of Art. 56 (4) of LPDP and Art. 18, para 1 of Regulation (EU) 2016/679: The Data Controller restricts the processing of personal data without deleting them when: (i) the accuracy of the personal data is disputed by you as a Data Subject and this cannot be verified, or (ii) personal data must be kept for evidentiary purposes.

9.5 Right to data portability under Art. 20 of Regulation (EU) 2016/679: You have the right to receive the personal data that concern you and that you have provided to the Data Controller, in a structured, widely used and machine-readable format, as well as the right to transfer them to another controller, when the processing is based on consent - upon its withdrawal or on a contractual obligation and is performed in an automated manner. This right of yours cannot affect the rights and freedoms of others.

9.6 Right of objection under Art. 21 of Regulation (EU) 2016/679: If you have consented to the processing of your personal data for the purposes of direct marketing, you have the right to object to this processing at any time, including when it involves profiling. In any such case, the processing of your personal data for the purposes of direct marketing is suspended.

9.7 Right under Art. 22 of Regulation (EU) 2016/679: You have the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for you and affects you significantly. In case you exercise this right, the Data Controller is obliged to apply appropriate measures to protect your rights, freedoms and legitimate interests, ensuring human intervention and giving you the right to express your point of view and challenge its decision. Currently, the Data Controller does not carry out profiling.

X. EXERCISE OF THE RIGHTS UNDER SECTION IX

10.1 As a Data Subject, you may exercise the rights under Section IX above by submitting a written application to the Data Controller. The application can be submitted by mail (at the address of the Data Controller or by e-mail), after you have identified yourself in an appropriate manner.

10.2 The application must contain: (i) name, surname, address of habitual residence, IP address (if applicable); (ii) a description of the request; (iii) a preferred form of obtaining information in the exercise of rights; (iv) signature, date of filing of the application and address for correspondence. When the Data Controller has reasonable concerns, he may request additional information needed to verify your identity.

10.3 The Data Controller satisfies your requests completely free of charge within two (2) months of receipt. The period may be extended by another one (1) month when this is necessary due to the complexity or number of requests. Where requests from a Data Subject are manifestly unreasonable or excessive, in particular because of their recurrence, the Data Controller may: (i) charge a fee commensurate with the administrative costs of providing the information or correspondence, or of taking action on the request, or (ii) refuse to take action on the request.

10.4 Each time the Data Controller refuses to accept an application submitted by you for the exercise of the rights under Section IX above, you will receive a written refusal, as well as the reasons for it. In these and other cases, the Data Controller will also inform you of your right to appeal or seek a court redress.

XI. REGISTERS AND SYSTEM LOGS

11.1 The Data Controller shall maintain registers with the categories of personal data processing activities, which shall contain: (i) its name and contact details and those of the data protection officer; (ii) the purposes of the processing of personal data; (iii) the categories of Recipients to whom the personal data are or will be disclosed, including Recipients in third countries or international organizations; (iv) a description of the categories of Data Subjects and the categories of personal data; (v) information on whether profiling is performed; (vi) the categories of transfer of personal data to a third country or international organization (where applicable); (vii) the legal basis for the processing operations, including the transmission of data; (viii) the time limits allowed for the deletion of the various categories of personal data; (ix) where possible, a general description of the technical and organizational security measures it applies.

11.2 In the automated processing systems maintained by the Data Controller, system logs (logs) shall be kept for at least the following processing operations - collection, change, reports, disclosure, including transmission, combination and deletion. When making a reference, the logs must make it possible to establish the basis, date and time of these operations and, as far as possible, the identification of the person who made the reference or disclosed the personal data and the data identifying the Recipients of that personal data.

11.3 The Data Controller sets reasonable and appropriate retention periods, including archiving of the logs referred to in the previous point.

XII. NOTIFICATIONS

12.1 In the event of a breach of the security of your personal data, which is likely to pose a risk to your rights and freedoms, the Data Controller without undue delay, but not later than seventy-two (72) hours after learning of the breach, shall inform the Commission on Personal Data Protection thereof. Where the notification is submitted after this deadline, it shall also state the reasons for the delay.

12.2 The notification shall contain: (i) a description of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (ii) the name and contact details of the data protection officer or other contact point from which more information can be obtained; (iii) a description of the possible consequences of the personal data breach; (iv) a description of the measures taken or proposed by the Data Controller to deal with the personal data breach, including, where appropriate, measures to reduce any adverse effects.

12.3 When the breach of the security of your personal data is likely to lead to a high risk to your rights and freedoms, the Data Controller shall notify you of the breach no later than seven (7) days from its establishment. The notification shall contain a description of the infringement and at least the information and measures taken by it.

XIII. RIGHT TO FILE A CLAIM

13.1 In case of violation of your rights under LPDP and Regulation (EU) 2016/679 you have the right to refer to the Bulgarian Commission for Personal Data Protection at the address: 2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia, tel. + 359 2 9153518, e-mail: kzld@cpdp.bg, website: www.cpdp.bg, as a leading supervisory authority or contact the competent supervisory authority at your habitual place of residence within six (6) months as of the violation discovery, but not later than two (2) years from its occurrence.

13.3 In case of violation of your rights under LPDP and Regulation (EU) 2016/679 you have an additional opportunity to file a claim against the actions and acts of the Data Controller before the competent Bulgarian court under the Administrative Procedure Code. In this proceeding you can seek compensation for the damages suffered by you as a result of illegal processing of personal data by the Data Controller.

Please do not hesitate to contact the Data Controller in case you need assistance or clarification, want to exercise your legal rights or file a complaint.