Privacy Policy for Clients of 'BENDWIRE' Ltd.

'BENDWIRE' Ltd. processes your personal data with maximum security in relation to the contractual relationship between you and the company, and in accordance with the regulatory obligations arising from its activities.

'BENDWIRE' Ltd. collects and processes personal data only in compliance with the requirements of local and European legislation. The processing of data is connected to a specific purpose and cannot be carried out without limitation.

For the purposes and grounds of personal data processing, 'BENDWIRE' Ltd. acts as a data controller. In this role, 'BENDWIRE' Ltd. is committed to implementing technical and organizational measures to ensure the protection of personal information.

This Privacy Policy contains information regarding the purposes, grounds, and methods of processing, the categories of personal data being processed, the categories of recipients to whom it may be disclosed, as well as the rights you have concerning the processing of your personal data.

Please review the contents of this policy carefully, as it is necessary for the provision of our services.

Relevance and Changes to the Policy

In order to implement the most current protective measures and to comply with applicable legislation, we will regularly update this Privacy Policy. We encourage you to review the current version of this Privacy Policy regularly to stay informed about how we care for the protection of the personal data we process.

This Privacy Policy was adopted on October 30, 2024.

I. Controller’s information

'BENDWIRE' Ltd., UIC 207167675, with registered office and management address in Stara Zagora, Boulevard 'Novozagorsko Shose', U.P. No. 59006 (after METRO), email: info@bendwire.net, privacy@plastifil.ch, part of 'Plastifil Holding' SA, Switzerland.

II. Information Regarding the Competent Supervisory Authority

1. Name: Commission for Personal Data Protection

2. Headquarters and Management Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592

3. Correspondence Information: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592

4. Phone: +359 02 915 3 518

5. Email: kzld@government.bg, kzld@cpdp.bg

6. Website: www.cpdp.bg

III. Objectives and Scope of the Data Protection Policy

This policy follows the territorial and material scope of Regulation (EU) 2016/679 and adopts its main objectives. It applies to all our employees and the employees of 'PLASTIFIL HOLDING' SA when we act as joint controllers.

'BENDWIRE' Ltd. requires the collection and processing of personal data to carry out its activities lawfully, purposefully, and effectively. This applies to the personal data of customers and visitors to the production facility.

IV. Categories of Personal Data, Purposes, and Processing Grounds


'BENDWIRE' Ltd. processes various categories of personal data of different subjects based on specific grounds, in accordance with pursued objectives. In compliance with Article 13 and Article 14 of Regulation (EU) 2016/679 and the principles of lawfulness, fairness, transparency, and data subjects' rights, this section outlines the necessary information to facilitate individuals' understanding and awareness regarding their personal data.

1. The categories of personal data provided by the data subject (an individual), either personally or through information submitted via the feedback website, are as follows:

Data related to physical identity

• Name and surname;

• Personal Identification Number (when issuing invoices to individuals) or date of birth (for foreign individuals);

• Contacts: email, address, and phone number;

• Address: permanent or current;

• IP address (by using the website).


Data related to economic identity

• Banking information: bank card number/account for payments;

• Profiles from payment systems such as PayPal/Epay/Revolut, etc.

2. The data processing serves the following purposes, reflecting the grounds for their processing

The personal data received from the data subject (a natural person) will be used for the purposes of providing our services, in fulfillment of contractual relations, legal obligations applicable to the controller, as well as for the protection of legitimate interests, namely:

• Visiting the production facility;

• Buying our products;

• Financial and accounting reporting.

• Taking actions upon request from the data subject to exercise their rights under Regulation (EU) 2016/679.

• Marketing purposes.

• Performing other functions delegated by law or contractual relationships.

The processing of the specified categories of personal data provided by you is based on:

• Article 6, Paragraph 1, Letter "b" of Regulation (EU) 2016/679 – execution of a contract to which you (the data subject) are a party, as well as taking steps at the request of the data subject prior to entering into a contract.

• Article 6, Paragraph 1, Letter "f" of Regulation (EU) 2016/679 – protection of legitimate interests.

• Processing part of your data related to your physical identity, namely names and email, for direct marketing purposes, will only be carried out based on your freely given, specific, informed, and unambiguous consent, as per Article 6, Paragraph 1, Letter "a" of Regulation (EU) 2016/679.

3. 'BENDWIRE' Ltd. does not collect and process personal data solely for the identification that relates to the following:

• Data revealing racial or ethnic origin

• Data revealing political, religious, or philosophical beliefs or membership in trade unions

• Genetic data, data concerning sexual life or sexual orientation

4. The controller does not collect and process personal data of minors.

5. This policy does not apply to the processing of personal data of the data subject – a natural person within the scope of their purely personal activities or activities related to their household.

V. Categories of recipients of personal data


'BENDWIRE' Ltd. may provide your personal data to 'PLASTIFIL HOLDING' SA (in its capacity as a Joint Controller) and third parties, with the primary goal of protecting your interests and security concerning the fulfillment of regulatory and contractual obligations or specific tasks. Your personal data will not be provided to third parties until it has been verified that all technical and organizational measures for data protection have been taken, with strict control exercised to ensure this objective is met. We ensure that, where applicable, your data is processed only according to the instructions given on behalf of the controller – 'BENDWIRE' Ltd.

1. Recipients of data, outside the controller, who:

Require information on a legal basis

• Government and municipal authorities, agencies, institutions, and other competent regulatory bodies, according to their powers (ministries, directorates, agencies, commissions, etc.).

• Judicial authorities (courts, prosecution, etc.).

• Regulatory bodies (Commission for Personal Data Protection, Commission for Protection of Competition, Financial Supervision Commission, etc.).

• Auditors and accreditation bodies.

• Experts, judicial executors.

Require the provision of information on a contractual basis

• Service providers (consultants, experts, accountants, evaluators, auditors, lawyers). Disclosure of data occurs only when there is a legitimate reason and based on a written agreement to ensure an adequate level of protection by the recipients.

• Banking and other payment institutions for the purpose of paying due amounts when necessary to verify your identity.

• Individuals entrusted with the maintenance of equipment, software, and hardware used for processing personal data necessary for the company's operations.

• Couriers.

• Capital owner of 'BENDWIRE' Ltd. – 'PLASTIFIL HOLDING' SA

2. Recipients of data within the controller

• Internal sharing among employees while fully complying with the adopted technical and organizational measures.

VI. Technical and organizational measures for data protection

To ensure adequate protection of the data of its clients and partners, 'BENDWIRE' Ltd. implements all necessary organizational and technical measures outlined in the Bulgarian Personal Data Protection Act and Regulation (EU) 2016/679, considering data protection in both the design phase and by default.

Protection of personal data in the design phase is expressed through appropriate technical and organizational measures introduced by 'BENDWIRE' Ltd. before the commencement of personal data processing (during the stage of defining the purposes and means of processing), ensuring their application throughout the data lifecycle. Suitable measures involve data encryption, automated deadline-reporting functionality, and automatic deletion upon expiration, among others.

Data protection is achieved by applying mechanisms that by default guarantee compliance with the following requirements:

• Only the minimum amount of personal data absolutely necessary to achieve the specific purpose is processed and operational procedures are carried out.

• Licensed software and certificates for electronic protection of systems and the internet website are used.

• Encrypted emails with paid, private domains are used. Sending documents containing personal data and classified information to public domain email addresses is not carried out.

• Only employees requiring the relevant information for the execution of their job responsibilities have access to personal data.

• Personal data is not shared with other employees unless required to perform their duties.

• Employees are required to handle data with increased attention and responsibility throughout their work. They are also expected not to leave their devices unattended.

• Documents related to personal data processing of subjects are not stored in the company's office. Information is entirely digital and stored in cloud systems, following the policies of cloud service providers. There is a legal obligation to store certain documents containing personal data in paper format, which is done in a specially designated cabinet with a locking mechanism.

• The connection to cloud services is conducted via an HTTPS access channel, and every employee in the company is familiar with computer and information security policies. When these policies are updated, every relevant employee is notified of the changes.

• For our internal operations and processing of clients' data, we use cloud platforms that provide remote access with user-level permissions and strict data security policies.

• Data access is granted to specific employees through individual work accounts for the execution of particular tasks.

• Upon release from their responsibilities, an individual immediately loses access to all associated data.

• A password creation policy and user rights have been established.

• Employees undergo training for proper compliance with Regulation (EU) 2016/679 and the application of implemented technical and organizational measures and procedures.

• Data is stored for the minimum necessary duration to achieve the processing purposes, and after that period, it is deleted following appropriate rules and procedures.

• Data whose purpose for collection has expired is irreversibly destroyed with a deletion protocol.

• Any access, transmission, or sharing of data is permissible only when a valid legal basis is present (e.g., contract, data subject's consent, or our legal obligations).

• Sharing and downloading any data or confidential information accessed by employees for their work responsibilities is strictly prohibited. Storing such data on personal devices (including, but not limited to, laptops, tablets, mobile devices, cameras, or smartphones) or recording such data in any form (e.g., by taking a picture, video, screenshot, or other images) is also prohibited.

• In the event of a security breach, the service to the targeted individual(s) is temporarily or permanently suspended to prevent unauthorized actions by third parties.

• The controller takes necessary measures to ensure that the data processor and any individual, acting under the controller's authority, process this data only based on the controller's instruction for the respective purpose.

• In case of a breach of personal data security, the controller, upon awareness, will notify the competent supervisory authority – CPDP, and if necessary, the data subject affected by the malicious actions.

'BENDWIRE' Ltd. has the ability, when necessary for security purposes, to introduce an additional key for protection. To ensure maximum security during data processing, transmission, and storage, we may use additional protection mechanisms.

VII. Data Transfer to Third Countries

The transfer of personal data to third countries does not take place, and the processing of personal data outside the framework of the European Union is not carried out. Data transfer and processing is only possible on the territory of the Swiss Confederation, where the sole owner of the capital – PLASTIFIL HOLDING SA, operates as a Joint Controller. All necessary technical and organizational measures for protection have been implemented, and an updated Personal Data Protection Law has been adopted in the country, which is enforced in parallel with Regulation (EU) 2016/679.

VIII. Data Retention Period

'BENDWIRE' Ltd. typically ceases complete processing of personal data for the listed purposes upon termination of contractual relations or at the data subject's request. However, the data is not deleted before the expiration of the legally determined obligations for data retention, following the principle of limited storage. Your personal data will not be deleted or anonymized if they are necessary for ongoing legal, administrative proceedings, or proceedings relating to your complaint. The data is stored for a period not exceeding what is necessary. Below are the data retention periods for categories of data of particular significance.


1. Legally defined data retention periods:

• Data processed based on the data subject's consent, excluding biometric data – until the consent is withdrawn;


• In accordance with the Accounting Act – storage and processing of accounting data – 5 years from the year following the last payment;


2. Controller-defined retention periods:

• Biometric data processed through video surveillance of the company's production facility located in Stara Zagora, Boulevard 'Novozagorsko Shose', U.P. No. 59006 (after METRO) – retained for 60 days after leaving the premises.


IX. Data Subject Rights – For Individuals


1. Right to Information and Access.

You have the right to request:

• Information about whether data concerning you is being processed, the purposes of such processing, the categories of data, and the recipients or categories of recipients to whom the data is disclosed;

• A communication in an intelligible form containing your personal data being processed, as well as any available information about their source;

• Information on the logic behind any automated processing of personal data related to you, at least in cases of automated decisions.


2. Right to Rectification.

In cases where we process incomplete or incorrect data, you have the right, at any time, to request:

• Deletion, correction, or blocking of your personal data whose processing does not comply with legal requirements;

• Notification of third parties to whom your personal data has been disclosed of any deletions, corrections, or blocking, except where this is impossible or requires excessive effort.


3. Right to Erasure.

The right to erasure, or "the right to be forgotten," provides the ability, when you no longer wish your data to be processed and there are no legal bases for their storage, to request their deletion based on one of the following grounds:

• Personal data is no longer necessary for the purposes for which they were collected or otherwise processed;

• You withdraw your consent on which the data processing is based;

• You object to the processing and there is no overriding legal basis for the continuation of processing;

• Personal data have been processed unlawfully;

• Personal data must be erased to comply with a legal obligation;


"The right to be forgotten" is not an absolute right. There are situations in which the controller may refuse to erase the data, namely when the processing of specific data is necessary for any of the following purposes:

• Exercising the right to freedom of expression and information.

• Archiving for purposes in the public interest, scientific research, historical research, or statistical purposes.

• Establishing, exercising, or defending legal claims.


4. Right to object.

At any time, you have the right to object to the processing of your personal data where there is a legal basis for doing so. When the objection is justified, the personal data of the respective individual cannot be processed further.


5. Right to restrict processing.

You can request the restriction of the processing of personal data if:

• You dispute the accuracy of the data for the period during which its accuracy is being verified; or

• Processing the data is without legal basis, but instead of deletion, you want their restricted processing; or

• We no longer need this data (for a specific purpose), but you need it to establish, exercise, or defend legal claims; or

• You have objected to the data processing while waiting for the controller to verify the legality of the grounds.


6. Right to data portability.

You can request us to provide the personal data you have entrusted to us in an organized, structured, commonly used, and machine-readable format to another controller if:

• We process the data based on the contract and the consent declaration, which can be withdrawn, or based on contractual obligations, and

• The processing is carried out automatically.

7. Right to withdraw consent.

You have the right, at any time, to withdraw your consent for the processing of personal data if the processing is based on your consent. Such withdrawal does not affect the lawfulness of the processing based on the consent before its withdrawal.


8. Right to file a complaint.

If you believe that we are violating applicable regulations, please contact us to clarify the issue. Of course, you have the right to file a complaint with the Commission for Personal Data Protection or with the respective court following the Administrative Procedure Code. As of May 25, 2018, you can also file a complaint with the regulatory authority within the EU.


9. Right to obtain compensation.

According to Article 39, paragraph 2 of the Bulgarian Personal Data Protection Act and Article 82, paragraph 1 of Regulation (EU) 2016/679, anyone who has suffered damages as a result of a breach of the provisions of Regulation (EU) 2016/679 has the right to obtain compensation through a lawsuit before the competent judicial authority.


X. Exercising Your Rights


Requests to exercise your rights should be submitted to one of the following email addresses: , . They should be signed with a Qualified Electronic Signature (QES) or by another method that indisputably verifies the will of the person submitting the request. We respond to your request within one month of its submission. When an objectively necessary longer period is required, for instance, to collect all requested data or when it significantly hampers our operation, this period can be extended by up to 30 days. In our decision, we grant or refuse access and/or the requested information, always providing a reasoned response.


The minimum information contained in the request (according to Art. 37v of the Bulgarian Personal Data Protection Act) should be as follows: name, address, Personal Identification Number (EGN)/Foreigner's Personal Number (FPN)/passport number, a description of the request, signature, and date of submission, mailing address/email (depending on the preferred form of receiving information), power of attorney.


Concerning the aforementioned rights: to information, to correction, the "right to be forgotten," to object, to restriction of processing, to not be subject to a decision based solely on automated processing, to withdraw consent, to file a complaint, and in view of the actions of the controller in connection with these rights, a specific register is created to record all actions carried out.


The initial provision of a response to a submitted request is free of charge. In cases of excessiveness (repetition – more than 2 (two) requests of the same substance within a period of 12 (twelve) months) or apparent lack of merit in the requests from the same subject, the Controller may request a reasonable fee for executing the request or refuse to take action on the request.


XI. Principles of Personal Data Processing, in accordance with Regulation (EU) 2016/679


• "Lawfulness, fairness, and transparency" – Your data is processed in compliance with applicable legislation, fairly, and in a transparent manner towards the data subject.

• "Limitation of purpose" – Your data is collected for specific, explicitly stated, and legitimate purposes and is not processed further in a manner incompatible with these purposes.

• "Data minimization" – The types of data we collect are suitable, related, and limited to the necessary minimum in connection with the purposes for which the personal data is processed.

• "Accuracy" – Your data is accurate and, if necessary, kept up to date; all reasonable measures are taken to ensure the timely deletion or correction of inaccurate personal data, considering the purposes for which they are processed.

• "Limitation of storage" – Your data is stored in a form that allows the identification of the data subject for a period no longer than necessary for the purposes for which the personal data is processed.

• "Integrity and confidentiality" – Your data is processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using suitable technical or organizational measures.


XII. Definitions


"Personal data" – any information related to an identified or identifiable natural person.


"Data subject" – an individual who can be identified directly or indirectly, especially through an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.


"Processing" – any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.


"Restriction of processing" – marking stored personal data with the aim of limiting their processing in the future.


"Pseudonymization" – processing personal data in a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.


"Controller" – a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.


"Processor" – a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.


"Consent of the data subject" – any freely given, specific, informed, and unambiguous indication of the data subject's wishes, which, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.


"Profiling" – any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.


"Automated decision-making" – the ability to make decisions using technological means without human intervention.


"Electronic identification" – the process of using data in electronic form for the identification of individuals, which data uniquely represents a natural or legal person or a natural person representing a legal entity.


"Trusted parties" – recipients of Qualified Electronic Signatures (QES), for example, as part of electronic statements, which rely on the authentication and/or electronic signatures verified by the public key of that certificate.


"Personal data breach" – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that is transmitted, stored, or otherwise processed.


"Recipient" – a natural or legal person, public authority, agency, or another body to whom personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not considered recipients. The processing of such data by those public authorities complies with applicable data protection rules in line with the purposes of the processing.


"Third country" – any state that is not a member of the European Union or a party to the Agreement on the European Economic Area.


