Mandatory information

Mandatory information on data subject rights regarding personal data protection

 

Information about the company processing your data:

 

Name: Time For Me Ltd.

UIC/BULSTAT: 201615285

Registered office and management address: Sofia, Maestro Kanev St. 78, entrance B

Correspondence address: Sofia, Maestro Kanev St. 78, entrance B

Telephone: +359879598297

E-mail: info@aimmencare.com

Website: aimmencare.com

 

Information about the competent supervisory authority for personal data protection

 

Name: Commission for Personal Data Protection

Registered office and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Telephone: 02 915 3 518

Website: www.cpdp.bg

 

Time For Me Ltd. (hereinafter the “Controller” or the “Company”) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information aims to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.

Grounds for collecting, processing and storing your personal data

 

Art. 1. The Controller collects and processes your personal data in connection with the use of the online store aimmencare.com and the conclusion of contracts with the Company on the basis of Art. 6, para. 1 of Regulation (EU) 2016/679 (GDPR), in particular on the following grounds:

  • Explicit consent received from you as a customer;
  • Performance of the Controller’s obligations under a contract with you;
  • Compliance with a legal obligation applicable to the Controller;
  • For the purposes of the legitimate interests of the Controller or of a third party.

 

Purposes and principles in collecting, processing and storing your personal data

 

Art. 2. (1) We collect and process the personal data that you provide to us in connection with the use of the online store and the conclusion of a contract with the Company, including for the following purposes:

  • creating a profile and providing full functionality when using the online store;
  • concluding and performing a distance contract;
  • identification of the party to the contract;
  • accounting purposes;
  • statistical purposes;
  • protection of information security;
  • ensuring the performance of the contract for provision of the respective service;
  • sending a newsletter where you have expressed such a wish.

(2) We observe the following principles when processing your personal data:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation: the data are relevant and limited to what is necessary in relation to the purposes of processing;
  • accuracy of the data and keeping them up to date;
  • storage limitation with a view to achieving the purposes;
  • integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.

(3) The Controller may process and store personal data in order to protect the following legitimate interests:

  • performance of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal authorities.

 

What types of personal data our Company collects, processes and stores

 

Art. 3. (1) The Company performs the following operations with the personal data provided by you for the following purposes:

  • Registration of a user in the online store and execution of a distance purchase–sale contract – the purpose of this operation is to create a profile for using the online store to purchase goods and to provide contact details for delivery of purchased goods. Registering and creating a profile is not a mandatory step for using the service, which is largely accessible even without a profile.
    Conclusion from the impact assessment: Based on the impact assessment carried out, the operation “Registration of a user in the online store and execution of a distance purchase–sale contract” is permissible and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in accordance with the GDPR requirements.
  • Conclusion and execution of a commercial transaction with a customer or partner – the purpose of this operation is to conclude and perform a contract with a commercial partner or customer and to administer it. Given the limited scope of personal data collected and the fact that part of it is collected from publicly accessible sources, an impact assessment of the operation is not required.
  • Sending a newsletter – the purpose of this operation is to administer the process of sending newsletters to customers who have requested to receive them. Given the limited scope of personal data collected, an impact assessment of the operation is not required.
  • Exercising the right of withdrawal or making a complaint – the purpose of this operation is to administer the process of exercising the right of withdrawal or complaint by the customer. Given the limited scope of personal data collected, an impact assessment of the operation is not required.

(2) The Controller processes the following categories of personal data and information for the following purposes and on the following grounds:

  • Your identifying data (email address, name, etc.)
    • Purpose for which the data are collected: 1) To contact the user and send information to them; 2) for the purpose of registering a user in the online store; and 3) for sending a newsletter.
    • Grounds for processing your personal data – By accepting the general terms and registering in the online store or placing an order without registration, or upon conclusion of a written contract, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data – Art. 6, para. 1, letter (b) GDPR. Your data for sending a newsletter are processed on the basis of your explicit consent – Art. 6, para. 1, letter (a) GDPR.
  • Data for performing delivery (names, phone, address, etc.)
    • Purpose for which the data are collected: Performance of the Controller’s obligations under a purchase–sale and delivery contract for purchased goods.
    • Grounds for processing your personal data – By accepting the general terms and registering in the online store or placing an order without registration, or upon conclusion of a written contract, a contractual relationship is created between the Controller and you, on the basis of which we process your personal data – Art. 6, para. 1, letter (b) GDPR.
  • Additional data provided by you – If you wish to complete your profile, you may fill in data such as first name, last name, phone number.
    • Purpose for which the data are collected: Completing information about the user in their account.
    • Grounds for processing the data: You have given explicit consent for your personal data to be processed for one or more specific purposes – Art. 6, para. 1, letter (a) GDPR at the time of registration in the online store. Providing these data is not mandatory for registration in the online store.

(3) The Controller does not collect and does not process personal data relating to the following:

  • revealing racial or ethnic origin;
  • revealing political opinions, religious or philosophical beliefs, or trade union membership;
  • genetic and biometric data, data concerning health, or data concerning a person’s sex life or sexual orientation.

(4) The personal data are collected by the Controller from the persons to whom they relate.

(5) The Company does not perform automated decision-making with data.

Art. 4. (1) The Company performs the following operations with the personal data provided by you as legal representatives or attorneys of legal entities – business partners, for the following purposes:

  • Conclusion and performance of a commercial transaction: For the conclusion and performance of a commercial transaction with a commercial company, we process only the three names of the legal representative or the person authorised by the company. Conclusion from the impact assessment: Given the small number of natural persons whose data are processed and the limited volume of personal data collected, an impact assessment is not required for this operation.

(2) The personal data are collected by the Controller from the persons to whom they relate and from the Commercial Register at the Registry Agency.

(3) The Company does not perform automated decision-making with data.

Art. 5. The Controller may use so-called “cookies” to provide full functionality of the website, to improve the user experience, for statistical purposes, easier access and others, which you agree to by using our website. You can control and/or delete cookies at any time via your browser settings. Cookies do not constitute personal data and are not used to identify visitors and users of the online store.

 

Period of storage of your personal data

 

Art. 6. (1) The Controller stores your personal data for a period no longer than the existence of your profile in the online store. After deleting your profile, the Controller takes the necessary care to delete and destroy all your data without undue delay or to anonymise them (i.e. to bring them into a form that does not reveal your identity).

(2) The Controller processes your personal data that you have provided when placing an order without registration in the online store until the completion of the order, unless you have given your explicit consent when placing the order for your data to be processed for the purposes of improving the service, providing recommended content for you, individual conditions, promotions, as well as for statistical purposes.

(3) The Controller stores your personal data provided in connection with online orders you have placed for a period of 5 years for the purpose of protecting the Controller’s legal interests in court or administrative disputes with users of the online store.

(4) The Controller notifies you if the storage period of the data needs to be extended in order to fulfil a statutory obligation or in view of the Controller’s legitimate interests or other reasons.

(5) The Controller stores personal data which must be kept by virtue of applicable legislation for the respective period provided for, which may exceed the period of existence of your profile in the online store or the completion of the order.

Art. 7. The Controller stores the personal data of the legal representatives of its business partners for the term of performance of the contract, for compliance with the legitimate interests and legal obligations of the Controller, and this period may exceed the duration of the concluded contract.

 

Transfer of your personal data for processing

 

Art. 8. (1) The Controller may, at its own discretion, transfer part or all of your personal data to personal data processors for the purposes of processing for which you have given consent, in compliance with the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The Controller will inform you in case of intention to transfer part or all of your personal data to third countries or international organisations.

 

Your rights in the collection, processing and storage of your personal data

 

Withdrawal of consent to the processing of your personal data

 

Art. 9. (1) If you do not wish the personal data you have provided to be processed for marketing purposes and for receiving a newsletter, you may at any time withdraw your consent to processing by completing the withdrawal form in Appendix No. 1 or by a free-text request and sending it to us by email.

(2) After receiving your request, we will send you an email to the address you have indicated for receiving newsletters and marketing messages with detailed instructions for verifying you as the newsletter recipient and data subject for whom consent withdrawal is requested.

(3) Withdrawal of consent does not affect the lawfulness of processing of personal data carried out by the Controller up to that moment.

 

Right of access

 

Art. 10. (1) You have the right to request and receive from the Controller confirmation as to whether personal data concerning you are being processed by sending a free-text request by email.

(2) You have the right to access the data relating to you, as well as information relating to the collection, processing and storage of your personal data.

(3) After receiving your request, we will send an email to the address you used for registration or orders in the online store with detailed instructions for verifying you as the data subject requesting access.

(4) After verification under para. 3, the Controller will provide you upon request with a copy of the personal data being processed concerning you in electronic or other appropriate form.

(5) Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repetitive or excessive requests.

 

Right to rectification or completion

 

Art. 11. (1) You may at any time correct or complete inaccurate or incomplete personal data relating to you via the “Edit profile” option.

(2) You may correct or complete inaccurate or incomplete personal data relating to you directly through your profile on the website or by sending a request to the Controller by email using the form in Appendix No. 4 or a free-text request.

 

Right to erasure (“to be forgotten”)

 

Art. 12. (1) You have the right to request from the Controller the erasure of part or all personal data concerning you, and the Controller has the obligation to erase them without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you withdraw your consent on which the processing is based and there is no other legal ground for the processing;
  • you object to the processing of personal data relating to you, including for direct marketing purposes, and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation under EU law or the law of a Member State which applies to the Controller;
  • the personal data have been collected in relation to the offer of information society services.

(2) The Controller is not obliged to erase the personal data if it stores and processes them:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing provided for in EU law or the law of the Member State applicable to the Controller or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • for the establishment, exercise or defence of legal claims.

(3) To exercise your right to be forgotten, you must send an email request for erasure of your personal data processed by the Controller by completing the form in Appendix No. 2 or a free-text request, after which the Controller will send you an email to the address you used for registration or orders in the online store with detailed instructions for verifying you as a store user and data subject for whom erasure is requested.

(4) After verifying the identity of the person making the request and the person to whom the data relate in accordance with the instructions sent to you, we will erase all data we process about you in accordance with para. 3.

(5) If you have an order that is being processed, the earliest time you can request to be “forgotten” is upon the successful completion of the order.

 

Right to restriction of processing

 

Art. 13. (1) You have the right to request the Controller to restrict the processing of personal data concerning you by sending a free-text request by email, where:

  • you contest the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
  • the processing is unlawful, but you oppose the erasure of the personal data and request the restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
  • you have objected to processing pending verification whether the Controller’s legitimate grounds override your interests.

(2) After receiving your request, we will send you an email to the address you used for registration or orders in the online store with detailed instructions for verifying you as a store user and data subject for whom restriction of processing is requested.

(3) After verification under para. 2, the Company will stop processing your data but will not remove any publications you have made in the online store, if any.

 

Right to data portability

 

Art. 14. (1) If you have given consent for the processing of your personal data, or the processing is necessary for the performance of a contract with the Controller, or your data are processed by automated means, you may:

  • request that the Controller provide your personal data in a readable format and transfer them to another controller;
  • request that the Controller directly transfer your personal data to a controller specified by you, where technically feasible.

(2) You may exercise the right to portability by sending us by email the completed form under Appendix No. 3 or a free-text request, after which the Controller will send you an email to the address you used for registration or orders in the online store with detailed instructions for verifying you as a store user and data subject for whom portability is requested.

(3) After verification under para. 2, the Company will send the data it processes about you, in XML format, to the email address specified by you.

 

Right to receive information

 

Art. 15. You may request the Controller to inform you about all recipients to whom personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. The Controller may refuse to provide this information where this would be impossible or would require disproportionate effort.

 

Right to object

 

Art. 16. You may object at any time to the processing of personal data concerning you by the Controller, including if they are processed for profiling or direct marketing purposes.

 

Your rights in case of a personal data security breach

 

Art. 17. (1) If the Controller detects a personal data security breach that may result in a high risk to your rights and freedoms, it will notify you without undue delay of the breach and of the measures that have been taken or are about to be taken.

(2) The Controller is not obliged to notify you if:

  • it has implemented appropriate technical and organisational protection measures with respect to the data affected by the breach;
  • it has taken subsequent measures to ensure that the high risk to your rights is no longer likely to materialise;
  • notification would involve disproportionate effort.

 

Persons to whom your personal data are disclosed

 

Art. 18. (1) For the purposes of processing your personal data and providing the service in its full functionality and with regard to your interests, the Controller may provide the data to the following persons who are data processors:

 

Personal data processor         Purpose of personal data processing

 

………………………………………..         ……………………………………………………………

………………………………………..         ……………………………………………………………

………………………………………..         ……………………………………………………………

 

(2) The personal data processors comply with all requirements for lawfulness and security when processing and storing your personal data.

Art. 19. The Controller does not transfer your data to third countries.

Art. 20. In case your rights under the above or under the applicable personal data protection legislation are violated, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

 

Name: Commission for Personal Data Protection.

Registered office and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Telephone: 02 915 3 518

Website: www.cpdp.bg

 

Art. 21. You may exercise all your rights relating to the protection of your personal data through the forms attached to this information. Of course, these forms are not mandatory, and you may submit your requests in any form that contains a statement to that effect and identifies you as the data subject.

Art. 22. If the consent relates to a transfer, the Controller shall describe the possible risks associated with the transfer of data to third countries in the absence of a decision on adequate protection and appropriate safeguards.

Appendix No. 1

 

Form for withdrawal of consent for processing purposes

 

Your name*: …………………….

Your email used in the online store*: …………………….

Contact details (e-mail)*: …………………….

 

To

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and management address: …………………….

Correspondence address: …………………….

Telephone: …………………….

E-mail: …………………….

Website: …………………….

 

I hereby withdraw my consent for processing of my personal data provided by me for the purposes of receiving newsletters, marketing messages or other marketing materials, and I am aware of the conditions for withdrawal of consent in accordance with the Mandatory information on data subject rights in personal data protection of the online store.

In case your rights under the above or under the applicable personal data protection legislation are violated, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

 

Name: Commission for Personal Data Protection.

Registered office and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Telephone: 02 915 3 518

Website: www.cpdp.bg

Appendix No. 2

 

Request “to be forgotten” – for erasure of personal data concerning me

 

Your name*: …………………….

Your email used for registration or orders in the online store*: …………………….

Contact details (e-mail)*: …………………….

 

To

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and management address: …………………….

Correspondence address: …………………….

Telephone: …………………….

E-mail: …………………….

Website: …………………….

 

Please erase from your databases all personal data which you collect, process and store, provided by me or by third parties related to me, according to the identification stated above.

I declare that I am aware that part or all of my personal data may continue to be processed and stored by the Controller for the purpose of fulfilling its legal obligations.

In case your rights under the above or under the applicable personal data protection legislation are violated, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

 

Name: Commission for Personal Data Protection.

Registered office and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Telephone: 02 915 3 518

Website: www.cpdp.bg

Appendix No. 3

 

Request for data portability

 

Your name*: …………………….

Your email used for registration or orders in the online store*: …………………….

Contact details (e-mail)*: …………………….

 

To

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and management address: …………………….

Correspondence address: …………………….

Telephone: …………………….

E-mail: …………………….

Website: …………………….

 

Please send in XML format all personal data concerning me, which are collected, processed and stored in your databases, to:

e-mail: …………………….

Controller receiving the data: …………………….

 

Name: …………………….

Identification number (UIC, BULSTAT, reg. No. in CPDP): …………………….

E-mail: …………………….

 

In case your rights under the above or under the applicable personal data protection legislation are violated, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

 

Name: Commission for Personal Data Protection.

Registered office and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Telephone: 02 915 3 518

Website: www.cpdp.bg

Appendix No. 4

 

Request for data rectification

 

Your name*: …………………….

Your email used for registration or orders in the online store*: …………………….

Contact details (e-mail)*: …………………….

 

To

Name: …………………….

UIC/BULSTAT: …………………….

Registered office and management address: …………………….

Correspondence address: …………………….

Telephone: …………………….

E-mail: …………………….

Website: …………………….

 

Please rectify the following personal data which you collect, process and store, provided by me or by third parties related to me, as follows:

Data to be rectified:

…………………………………………..

Please rectify them as follows:

…………………………………………..

In case your rights under the above or under the applicable personal data protection legislation are violated, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:

 

Name: Commission for Personal Data Protection.

Registered office and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Telephone: 02 915 3 518

Website: www.cpdp.bg