Personal Data Protection Policy of Damvent Ltd.

Damvent Ltd. is a company registered in the Trade Register at the Registry Agency with UIC 102905523, with headquarters and address of management: Burgas 8009, Todor Grudov St after П.Т.Г.М. The Company is an administrator of personal data, entered in the Register maintained by the Commission for Personal Data Protection in accordance with a Certificate N 289247 and as such has the right to collect and process personal data of the users in relation to the use of the Website and the provision of the offered services in compliance with the requirements of the legislation of the Republic of Bulgaria, as well as the applicable European legislation.

I. Purpose
The present policy contains the basic principles, rules and approaches for organizing and fulfilling of activities, related to collecting, processing, storing, communication, use and protection of personal data of the natural persons in Damvent Ltd.
This policy aims to ensure the fulfilment of the Personal Data Protection Act and the requirements of Regulation # 2016/679 of the EP within the frames of the business processes of the company.
II. Scope
All employees of Damvent Ltd. should apply the guidelines of this policy in their everyday work. This is of particular importance for the employees, working with personal data.
This policy shall be applied for the personal data of the employees of the company and for the personal data of any other natural persons, towards which Damvent Ltd. appears to be in the role of an administrator or processor.
III. Terms, definitions, abbreviations
In the text of this policy, there are a lot of terms and definitions used in the sense, in which they are used in the Personal Data Protection Act and Regulation # 2016/679 of the EP (article 4).
IV. How do we collect your personal data?
Damvent Ltd. processes your personal data, among other things, at the following occasions:
• If you contact us directly, for example via our website, in order to request information for our products and services.
• If you are buying a product and/or a service directly from us.
• If you answer in our direct marketing campaigns, for example through filling in an answer card or uploading data online on our website.
• If your personal data have been transferred to us from other third parties.
• If other business partners fulfil an allowed transfer of your personal data towards us.
• If we have acquired with the personal data from different sources (For example: information websites).

If you shall provide information on behalf of another person, you have to make sure that this person is aware of this privacy policy, before presenting the information.
If you are under the age of 16, please do not provide us with any of your information, unless if you do not have the permission of a parent or guardian to do that. If a parent or a legal representative knows that his/her child has provided us his/her personal data, he/she should immediately inform us. If we find out that a person under the age of 16 had provided us with any personal data, we shall immediately destroy this information, unless an explicit consent had been given by the parent or the guardian in order to process the personal data of the child for certain purposes.
We ask for your cooperation in order to keep your information up-to-date by informing us for any change that you may have in your personal data.

V. What kind of information could be collected from you?
The following types of information related to you could be collected via different services and information channels, described in this Policy for personal data protection:
• Personal data – “Personal data” means any information, related to the identification of a natural person or natural person that could be identified (“data subject” or “user”); natural person, that could be identified, is a person, that could be directly or indirectly identified, and in particular via an identifier such as name, identification number, location data, online identifier or according to one or more features, specific for the physical, physiological, genetic, intellectual and mental, economic, cultural or social identity of this natural person.
• Contractors data – name, company name, address, telephone number, e-mail address, website, fax number, contact person/s.
• Contact data - name, form of address, initials, address, telephone number, e-mail address, fax number.
• Information about the client’s history – inquiries received, offers sent, signed confirmation of an order, contracts, handing-over records, protocols for safekeeping, data for purchase of the equipment (for example: series number, technical boards, etc.), including a model, configuration, date of purchase, date of order, date of delivery, final owner of the equipment and its location (if it has been purchased with the aim to sell it to a third person), information for warranty, information for fulfilment of servicing or any other type of services, data for purchasing of spare parts, history of claims, protocols for fulfilled start or servicing, data for clients’ satisfaction, data collected from the visit of sales representative (for example: data in relation to planning and fulfilment of future projects).
• Using the website – We shall process your personal information due to different technical, administrative and operational reasons, such as for example: in order to guarantee that the content has been represented in the most effective way for you and for your device, so that we can improve the website, including its functionality, for website administration, for internal operations, including troubleshooting and technical problems, data analysis, tests, researches, statistical purposes and inquires, for advertisement and marketing, including profiled marketing purposes, so that we could provide content, which could be of greater interest for you, and as a part of our efforts to maintain our website to be safe and secure.
• “Cookies” and social networks - Our website uses "cookies", in order to distinguish you from the other users of the website. This helps us in providing one pleasant visit to our website, and at the same time it allows us to improve the website. The processing is based on your consent, expressed in our website or via the settings of your browser. For detailed information about the "cookies" that we use, about the period and the purposes that we use them for, you can see our Policy for "cookies" at Our website may include functionalities for the social networks and networks, such as for example: a button for Facebook, Twitter, LinkedIn or YouTube. These functionalities could collect information about you, such as for example, an IP address and websites that you visit and to activate a "cookie", in order to set the functionality in a proper way. Information processing, via the interaction with these functionalities, is governed by the rules of the privacy policy of the company, that provides functionality.

VI. Our purposes for the processing of your personal data
We shall process your personal data only to purse a legitimate purpose and we shall process your personal data only if:
• you have given your consent for this processing
• the processing is necessary for a contract fulfilment
• the processing is necessary for complying with a legal obligation, that we are a subject of
• the processing is necessary for the purposes of the legal interests, pursued by us or by third person, and this processing is not considered harmful in relation to you.

We shall process your personal data for the following purposes:
• to improve the quality of the products and services, manufactured and offered by us
• in order to present you information about the products and services, that you have ordered from us or you intent to order
• in order to sent you newsletter or other marketing materials, including surveys
• in order to administrate our business relations, as well as to lead negotiations and to conclude agreements
• in order to provide general customer support and service
• in order to receive users’ analysis and knowledge about the way in which the different services shall be used, including websites and applications, products, as well as for assessment and improvement of the same
• in order to communicate with you on various issues
• in order to fulfil investigations of reports and signals, submitted by you
• in order to keep any applicable laws.

VII. Transfer to third parties
Your personal data could be transferred to third parties, if there are any legal reasons for this transfer.
Your personal data could be shared with the following legal persons:
• Authorized partners and services of Damvent Ltd.
• Companies, providing services to the sales representative, such as IT support, consulting services, etc.
• Insurance companies
• Transportation companies
• Bank institutions – in relation to the fulfilment of specific contractual purposes
• Companies, providing products warranties
• Courier companies

Although we cannot guarantee that providing data via internet or a website is without any risk of cyber-attacks, we and our subcontractors and business partners are working hard, in order to maintain physical, electronic and procedural warranties for protecting your information in relation to the applicable requirements of data protection.

VIII. Principles for working with personal data
When working with personal data, Damvent Ltd. sticks to the following principles:
• Conformity with the law, conscientiousness and transparency - The personal data are processed in conformity with the law, in a conscientiousness and transparent manner in relation to the data subjects.
• Purposes limitation – The personal data is collected and/or processed only for specific, explicitly specified and legitimate purposes and are not processed further in a way that is not compatible with these purposes.
• Minimizing data – Only relevant personal data are being collected and processed, related to the purposes and limited to what is necessary in relation to the purposes for which they are processed.
• The personal data is kept accurate and up-to-date, in order to be suitable for achieving the purposes, for which they are processed.
• Storage limitation - The personal data is stored in a form, which allows identification of the data subject for a period, not longer than the necessary one for the respective purposes.
• Integrity and confidentiality - The personal data are collected, stored and processed at an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by implementing suitable technical and organizational measures.

The company shall implement in its work all the principles specified so far and shall maintain the necessary documents and records as an evidence for this.

IX. Rights of the data subjects
Damvent Ltd. shall provide rights of the data subjects during the fulfilment of its obligations as an administrator or processor of these data. These rights are the following:
1. Right of information
Damvent Ltd., in its role of an administrator of personal data, fulfils the following activities for informing the personal data subjects about:
• Their rights in relation to the data, by doing this before or at the moment of collecting of data or at subsequent change in the purposes of processing
• The purposes of processing and their legal grounds
• The recipients or the categories of recipients of personal data, if there are any
• Period for storing or criteria for determining this period
• Data and coordinates for contact about the issues concerning this personal data
2. Right of access
Damvent Ltd., in the role of an administrator, provides a confirmation to the subject whether his/her personal data are processed and if so, provides him/her an access to the data and the following information:
• The purposes of processing and its legal grounds
• Personal data categories
• Period for storing
• The existence of the right to request from the administrator to correct or delete any personal data or limitation of the processing of personal data, related to the data subject, or to make an objection against such processing
• The right to make a complaint in front of the supervising authority
• When the personal data are not collected from the data subject, any available information for their source
3. The right of deletion
Damvent Ltd., in its role of an administrator of personal data, provides the possibility for the data subject to request a deletion of the personal data related to him/her without any unnecessary delay.
Damvent Ltd. shall have the obligation to delete, without any unnecessary delay, the personal data, when one of the reasons specified below is applicable:
• It is no longer necessary for the purposes for which it has been collected
• The subject has withdrawn his/her consent (if he/she has given such)
• In case of objection for processing and proving the lack of legal grounds
• In processing that is not in conformity with the law
Upon deletion, Damvent Ltd., by taking into account the available technology and the implementation expenses, undertakes reasonable steps, including technical measures, in order to notify the administrators, the processors of personal data, that the data subject has requested the deletion of all links, copies or answers of this personal data by all administrators.
4. The right of data portability
Damvent Ltd. in its role of administrator of personal data, shall ensure data portability, when the conditions provided for this have been fulfilled (art.20, para.1 of the Regulation), by transferring, without incapacitation, the personal data of the subject in one structured, widely used and machine-readable format.
Damvent Ltd. can directly transfer the personal data to another administrator, when this is technically feasible.
5. The right of objection
Damvent Ltd., in its role of administrator of personal data, provides the possibility to the data subject at any time and on grounds, related to its specific situation, to provide an objection against personal data processing, related to him/her, including profiling.
Damvent Ltd. shall be obliged to terminate the personal data processing, unless there are convincing legal grounds existing for this processing, that take precedence over the interests, rights and freedoms of the data subject, or for establishing, exercising or protection of legal claims.
When personal data is processed for the purposes of direct marketing, the data subject has the right at any time to make an objection against personal data processing, related to him/her in connection with this type of marketing, which included and profiling, insofar it is related to the direct marketing.
When data subject objects against processing for the purposes of the direct marketing, the processing of the personal data for these purposes should be terminated.
6. Rights at the presence of automated decision-making, profiling
Damvent Ltd., in its role of an administrator, shall notify the subject (if he is really doing it) for the existence of automated decision-making, including profiling (art. 22 of the Regulation), as well as for any essential information related to the used logic, as well as the meaning and the predicted consequences from this processing for the data subject.
When the personal data are processed for the purposes of direct marketing, data subject shall have the right at any time to make an objection against this personal data processing, related to it in this type of marketing, which included profiling, insofar it is connected to the direct marketing.

X. Providing protection of the personal data
1. General conditions
Damvent Ltd. shall apply technical and organizational measures for ensuring the necessary level of personal data protection of the processed data.
The company shall provide a highly proven level of protection and guarantees for:
• The main properties of the information - confidentiality, integrity, availability
• Resistance of the system and services for processing – continuity, availability, reliability
• Maintaining the level of protection via regular testing, assessment and evaluation of the efficency of the technical and organizational measures
• Preventing unauthorized access to the personal data by implementation of adequate measures, where necessary – pseudonymization, encrypting, anonymity, randomization
Damvent Ltd. shall implement an effective method for risk evaluation of the rights and freedom of the data subjects during the processing of their personal data.
The main risks are directed towards:
• Accidental or illegal deletion of data
• Loss of data without the possibility to restore it
• Unauthorized or incorrect change of data
• Unauthorized disclosure or access to data
The company shall guarantee that its employees, processors of personal data, have the necessary qualification and experience in order to fulfil this processing in a secure manner and in compliance with the legal requirements and internal rules of the company.
The company shall maintain documents and records, providing and proving the compliance with the Regulation.

2. Actions in the event of breach of security
The company shall use automated means for observation of the activities under the data processing and timely identification of weaknesses, events and incidents related to their security. These means shall provide documentation of each breach of security of the personal data, including the specific data for it, the consequences, and the actions taken for dealing with it.
In the event of breach of security of the personal data, that could have a result in violating the rights and the freedoms of the data subjects, Damvent Ltd. shall notify the Commission for Personal Data Protection within 72 hours after breach has been detected.
In the event of breach of security of the personal data, Damvent Ltd. shall notify the respective administrator (if there is such) immediately after the breach has been detected.
When there is a possibility that this breach of the security of the personal data to result in a higher risk for the rights and the freedoms of the natural persons, Damvent Ltd. shall immediately perform:
• Objective assessment whether the preliminary taken measures for data protection shall guarantee that the privacy shall be preserved
• Taking subsequent measures, which guarantee, that there is no longer a possibility for realization of the higher risk for the rights and freedoms of the data subjects
• Evaluation of the efforts, necessary for notifying each one of the data subjects, affected by the breach
Depending on the results from the above described actions and complying with the requirements of the Regulation, shall undertake one of the following actions:
• Does not take actions for notifying the data subjects
• Immediately notifies the data subjects for the breach
• Makes a public announcement or takes a similar measure so that the data subjects to be effectively informed.