Privacy Policy of “BISOFT” Ltd.

Information about us

“BISOFT” Ltd. carries out its activity in the form of a company registered in the Commercial Register of the Registry Agency with UIC 115564538, with registered office and address of management: Plovdiv 4000, 95 Kapitan Raycho Str., 6th floor, office 3, Tel: +359 700 45 055; e-mail:; Website:

Personal data administrator:

“BISOFT” Ltd., 115564538, with registered office and address of management: Plovdiv 4000, 95 Kapitan Raycho Str., 6th floor, office 3, Tel: +359700 45 055

As a personal data administrator and a proven professional with many years of experience in the field of information technology, “BISOFT” Ltd. respects your right to maintain the confidentiality of your information and data. This policy is intended to inform you of how we collect, process, store and disclose your personal information in order to preserve your privacy. That is why we ask you to read its contents carefully.

Information on the competent supervisory authority

  1. Title: Commission for Personal Data Protection
  2. Headquarters and address of management: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov ”№ 2
  3. Correspondence data: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov ” № 2
  4. Phone:02 915 3 518
  5. Email:,
  6. Website:

I. I. Our main aspiration when working with personal data

"BISOFT" Ltd. processes your personal data with maximum security, on the occasion of the existing between the company and you any kind of contractual relations and regulatory obligations related to the commercial activity and the services provided by "BISOFT" LTD.

The security of the data you entrust to us is very important to us. It is of great importance for the success of our business and for our public image, which is why we protect your data by applying all appropriate technical and organizational means at our disposal and keeping up to date with the requirements of Regulation (EU) 2016/679. Through them we will not allow unauthorized access, unauthorized or malicious use, loss or premature deletion of information.

We collect and process personal data only in compliance with the requirements of local and European legislation. We are aware that the processing of your data is for a specific reason and cannot be performed without restriction.

This "Privacy Policy" aims to explain to you the purposes of the processing of personal data, the categories of personal data that are processed, the categories of recipients to whom personal data may be disclosed, and the rights you have in processing of your personal data. It has been accepted and put into effect by the personal data controller - "BISOFT" LTD., observing its main obligations.

II. Objectives and scope of the data protection policy:

This policy follows the territorial and material scope of Regulation (EU) 2016/679 and adopts its main objectives. It is applied by the Administrator and all his employees.

“BISOFT” LTD. needs the collection and processing of personal data and does so in order to carry out its activities legally, appropriately and fully. This applies to personal data of customers, suppliers, business contacts, employees and other entities with whom we have a relationship or would like to contact.

III. How and why we use your personal data:

The processing of personal data in “BISOFT” LTD. is admissible:

- For fulfillment of contractual relations - for provision of commercial services or other type of relations and protection of legitimate interest, under Art. 6, para. 1, points (B) and (F) of Regulation (EU) 2016/679:

We process the personal data of our clients on the occasion of the emergence, development and termination of contractual relationships related to the provision of information and commercial services.

The processing is performed in order to:

  • Establishing the identity of the client;
  • Establishment (preparation, conclusion, amendment) and implementation of certain contractual relations between the company and you, in which relations you have the quality of a client - party to a contract for commercial services;
  • when filling in the client form - inquiry on our website, to receive an official answer from us;
  • providing data in connection with the product (s) purchased by you from our e-shop;
  • Observance of the conditions for safe stay;
  • Preparation and sending of invoices for the services we provide, as well as other accounting, financial and banking operations;
  • To perform actions for compulsory collection of amounts due for provided goods and services;
  • The data from your accounts / invoices are processed by us for purposes compatible with the original - for the lawful implementation of the relationship between us;
  • Preparation of statistical information about our activity, which we can provide to third parties, etc .;
  • To protect and ensure the security and interests of our customers, employees and partners;
  • Preservation of the integrity of the property, ensuring the safety and health of clients and employees located on the territory of the office of “BISOFT” LTD. - protection of legitimate and vital interest through video surveillance;
  • To identify and / or prevent illegal actions or actions contrary to our working conditions;
  • Performing processing by a data processor at the conclusion of a contract, assignment, reporting, acceptance, payment;
  • For fulfillment of normative obligations under art. 6, para. 1 (C) of Regulation (EU) 2016/679:

We process your personal data in order to comply with obligations set out in regulations governing contracts, such as:

  • Providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation for personal data protection - Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc .;
  • Obligations provided for in the Accounting Act, the Tax and Social Security Procedure Code, the Value Added Tax Act, the Corporate Income Tax Act and other related laws and regulations in connection with the maintenance of proper and lawful accounting;
  • Obligations provided in the Food Act, Consumer Protection Act and other related and applicable laws and regulations relating to tourist services and others;
  • Obligations provided for in the Law on Obligations and Contracts, Commercial Law, Law on Property;
  • Obligations provided in the Law on the Ministry of Interior and applicable laws and regulations related to the protection of public order;
  • Providing information to the court and third parties, within the proceedings before a court, in accordance with the requirements of the procedural and substantive legal acts applicable to the proceedings;

The types of personal data that the controller collects and processes are different, according to the purposes and grounds described above:

Basic personal data includes: 3 names, PIN (personal identification number) and address.

Sensitive data – video surveillance data.

Other information: telephone number and contact email.

  • This personal data (or part of them) is collected in respect of the following categories of persons:
  • Individuals who wish to be clients in the site of the administrator "BISOFT" LTD.;
  • Contact persons on the occasion of the commercial activity of the company through the website of "BISOFT" LTD.;

“BISOFT” Ltd. does not collect or process personal data relating to the following:

  • reveal racial or ethnic origin;
  • disclose political, religious or philosophical beliefs, or trade union membership;
  • genetic data, data on sexual life or sexual orientation.

The administrator does not collect personal data of persons under 14 years of age without the explicit consent of a parent.

The administrator does not apply "automated individual decision making, including profiling".

The policy does not apply to the processing of personal data of a data subject - a natural person, within the framework of his / her entirely personal activity, or one related to the household.

IV. How we protect your personal data

To ensure adequate data protection of the company and its customers and partners, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and Regulation (EU) 2016/679 of 27 April 2016, as well as the protection of personal data at the design stage, as well as the protection of personal data by default.

The protection of personal data at the design stage is expressed in the appropriate technical and organizational measures introduced by us before the start of personal data processing (at the stage of defining the purposes and means of processing), ensuring their implementation throughout the data life cycle. Our appropriate measures are data encryption, setting of functionalities for automated accounting of storage terms and their automatic deletion after their expiration, etc.

We protect personal data by applying mechanisms that by default guarantee the fulfillment of the following requirements:

  • Only the minimum amount of personal data - absolutely necessary to achieve our specific goal, are processed and processing operations are carried out;
  • Personal data contained in electronic documents or in an electronic system are encrypted;
  • Licensed software and certificates for electronic protection of the systems and the website are used.
  • Documents containing personal data are stored in locked drawers, files and in rooms with limited access;
  • Employees do not leave documents unattended;
  • Only employees who need the relevant information to perform their official duties have access to personal data;
  • Personal data is not shared with other employees, unless necessary to perform their duties;
  • The data are stored for the minimum period - absolutely necessary to achieve the purposes of processing, and then deleted in compliance with the relevant rules and procedures;
  • The data, the grounds for which have been dropped, shall be irreversibly destroyed by a protocol for deletion;
  • Any access, transmission or sharing of data is permissible only if there is a valid legal basis for it (for example, the consent of the data subject or our legal obligations).
  • The videos from the 4 located cameras in the premises of BISOFT LTD. are stored on a DVR device, to which only the Manager of the company has access.

The company has the opportunity for security reasons to introduce, if necessary, an additional key in the work of individual employees.

For maximum security in the processing, transmission and storage of your data, we may use additional security mechanisms.

V. When we delete your personal data

As a rule, we terminate the use of your personal data for the purposes of the contractual relationship after the termination of the contract, but we do not delete them before the final settlement of all financial obligations and the expiration of the statutory data storage obligations. The data of the clients of "BISOFT" LTD. are stored for a period not longer than necessary and for not more than 3 years. Under the Accounting Act for storage and processing of accounting data (10 years), expiration of the statute of limitations set in the Obligations and Contracts Act for filing claims (5 years), obligations to provide information to the court, competent state authorities, etc. grounds provided for in the current legislation (5 years). Video surveillance data, in order to protect a legitimate and vital interest (1 month), unless a law or regulation requires a longer period. Please note that we will not delete or anonymize your personal data if it is necessary for pending court, administrative or appeal proceedings.

VI. When and why we share personal data with third parties

We may provide your personal data to third parties, and our main goal is to offer protection of your interests and security in connection with the performance of specific tasks and contractual obligations. We do not provide your personal data to third parties until we have made sure that all technical and organizational measures have been taken to protect this data and we strive to exercise strict control over the implementation of this purpose. We observe that your data is processed only according to the instructions given on behalf of the administrator - "BISOFT" LTD. In this case, we provide personal data to the following categories of recipients:

  • Data processors on behalf of:
  • persons who, by assignment, take care of the accounting of all the documentation of the company;
  • Persons who, by assignment, take care of the security, security and integrity of the sites and property of “BISOFT” LTD.;
  • persons who perform an audit on assignment;
  • banking institutions, in order to pay amounts due when you need to verify your identity;
  • bodies, institutions and persons to whom we are obliged to provide personal data under current legislation;
  • Data processors on their own behalf:

Competent authorities that have the power to require the provision of information, including personal data, such as courts, prosecutors, various regulatory bodies such as the National Revenue Agency (NRA), the Regional Health Inspectorate (RHI), the Commission for Consumer Protection (CPC), Commission for Personal Data Protection (CPDP), bodies with powers for protection of national security and public order;

The administrator shall take the necessary measures to ensure that the processor of personal data and any natural person acting under the authority of the controller process such data only on his instructions.

In case of violation of the security of personal data, the controller, as soon as possible after learning, will notify the competent supervisory authority - CPDPemain responsible for the confidentiality and security of your data.

VII. Your rights in connection with the processing of your personal data:

  1. Right to information and access:
    You have the right to request:
    • information on whether data relating to you are processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients to whom the data are disclosed;
    • message in an understandable form containing your personal data being processed, as well as any available information about their source;
    • information on the logic of any automated processing of personal data concerning you, at least in the case of automated solutions.
  2. Right of correction:
    In the event that we process incomplete or erroneous / erroneous data, you have the right, at any time, to request:
    • to delete, correct or block your personal data, the processing of which does not meet the requirements of the law;
    • to notify the third parties to whom his personal data have been disclosed of any deletion, correction or blocking, except in cases where this is not possible or involves excessive effort.
  3. The right to be forgotten:
    The right to be deleted (or the “right to be forgotten”) allows you, when you do not wish your data to be processed and there are no legal grounds for its storage, to request that it be deleted for one of the following reasons:
    • personal data are no longer needed for the purposes for which they were collected or otherwise processed;
    • You withdraw your consent on which the data processing is based;
    • You object to the processing and there is no overriding legal basis for continuing the processing;
    • personal data have been processed illegally;
    • personal data must be deleted in order to comply with a legal obligation;

    The "right to be forgotten" is not an absolute right. There are situations in which the controller has the option to refuse to delete the data, namely when the processing of specific data is necessary for any of the following purposes:
    • to exercise the right to freedom of expression and information;
    • archiving for purposes of public interest, historical research or statistical purposes;
    • to establish, exercise or defend legal claims.
  4. Right of objection
    At any time, you have the right to object to the processing of your personal data if there is a legal basis for it; where the objection is justified, the personal data of the natural person concerned may no longer be processed;
  5. Right to limit processing
    You can request a restriction on the personalized data being processed if:
    • you dispute the accuracy of the data, for the period in which we have to check their accuracy; or
    • the processing of the data has no legal basis, but instead of deleting them, you want their limited processing; or
    • we no longer need this data (for the specified purpose), but you need it to establish, exercise or defend legal claims; or
    • you have objected to the processing of the data, pending verification that the administrator's grounds are lawful.
  6. Right to data portability:
    You can ask us to provide the personal data you have entrusted to our care to another Administrator in an organized, orderly, structured, generally accepted electronic format if:
    • we process the data according to the contract and based on the declaration of consent, which can be withdrawn or on a contractual obligation, and
    • processing is performed automatically.
  7. Right of appeal:
    In case you believe that we are violating the applicable regulations, please contact us to clarify the issue. Of course, you have the right to file a complaint to the Commission for Personal Data Protection or to a relevant court under the Administrative Procedure Code. From 25 May 2018, you can also lodge a complaint with a regulatory body within the EU.
  8. Right to compensation:
    According to Art. 39, para. 2 of LPPD and Art. 82, para. 1 of Regulation (EU) 2016/679, any person who has suffered damage as a result of a breach of the provisions of Regulation (EU) 2016/679 is entitled to receive compensation by way of an action before the competent judicial authority.
    Exercise your rights
    Requests for access to information or for correction shall be submitted in person. We will rule on your request within 14 days of its submission. In case of an objectively necessary longer term - in order to collect all the requested data and when this seriously hinders our activity, this term may be extended to 30 days. With our decision we give or deny access and / or the information requested by the applicant, but we always motivate our answer.
    The minimum information contained in the application (according to Article 37c of LPPD) should be the following: name, address, PIN / PIN / of the passport, description of the request, signature and date of submission, address for correspondence / email (depending on of the preferred form for obtaining information), power of attorney.
    In connection with the rights described above: of information, of correction, of the "right to be forgotten", of objection, of restriction of processing, of complaint, as well as in view of the actions of the administrator in connection with these rights, a special register is created, in which all performed actions will be entered.
    The initial provision of personal data is free of charge, any subsequent request made by a client / co-contractor is charged.

VIII. Principles of personal data processing according to Regulation (EU) 2016/679

  • "Legality, good faith and transparency" - Your data is processed in accordance with applicable law, in good faith and in a transparent manner with respect to the data subject;
  • "Purpose limitation" - your data is collected for specific, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes;
  • "Data minimization" - the types of data we collect are appropriate, related to and limited to the minimum necessary in relation to the purposes for which they are processed;
  • "Accuracy" means accurate and, where necessary, kept up to date, taking all reasonable steps to ensure the timely erasure or correction of inaccurate personal data, taking into account the purposes for which they are processed;
  • "Storage restriction" - Your data is stored in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which the personal data are processed;
  • "Integrity and confidentiality" - processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.

IX. Definitions

  • "Personal data – means any information relating to an identified or identifiable natural person;
  • "Data subject" – " means a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic, mental, the mental, economic, cultural or social identity of that individual;
  • "Processing" – means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing, disseminating or otherwise making the data accessible, arranging or combining, restricting, deleting or destroying it;
  • "Restriction of processing" – marking of stored personal data in order to limit their processing in the future;
  • „Pseudonymization“ – means the processing of personal data in such a way that personal data can no longer be linked to a specific data subject without the use of additional information, provided that it is stored separately and is subject to technical and organizational measures. in order to ensure that personal data are not linked to an identified or identifiable natural person;
  • „Administrator“ – means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its determination may be laid down in Union law or in the law of the Member State;
  • „Processor of personal data“ – means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • „Data subject's consent“ – means any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clear confirmatory action expressing his or her consent to the processing of personal data relating to him or her;
  • „Breach of security of personal data“ – a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed.

X. Relevance and policy changes

In order to apply the most up-to-date protection measures and in order to comply with the current legislation, we will regularly update this Privacy Policy. We invite you to regularly review the current version of this Privacy Policy, to be constantly informed about how we take care of the protection of personal data that we collect.

This "Privacy Policy" is prepared by "DATA CORP" Ltd., based on current national and European legislation.