Please read this document carefully. It contains the User Privacy Policy of www.mainland.bg (the “Site”) and is an integral part of the Site’s Terms of Use. If you do not agree to the Policy, you may not use the Site.

“Mainland Ltd, as the company that created and operates the domain from www.mainland.bg, requests, stores and processes personal data of Customers wishing to use Services from Mainland Ltd and users of www.mainland.bg (Users/Data Subjects) for the purpose of serving them.
In the event that you do not wish to provide your personal data, you express your disagreement with our Policy, which means that you cannot use the Services of Mainland Ltd.

DATA PROTECTION POLICY OF
“Mainland Ltd.

“Mainland” EOOD, UIC 128602800, with registered office and management address. + 359 893 616 784 and email address: mainland@gmail.com, applies this Policy in its activities, (“Administrator” or “Mainland” Ltd.):

INTRODUCTION

“Mainland Ltd, as a personal data controller, collects and processes certain information about individuals.
This information may relate to employees, directors, customers, suppliers, contractors, business contacts and other individuals with whom Mainland Ltd has a relationship or wishes to establish business contact.
This privacy policy governs how personal data is collected, processed and stored to meet the standards of the Controller’s organisation and to comply with legal requirements.

1. LEGAL BASIS

This Privacy Policy (“Policy”) is issued pursuant to the Personal Data Protection Act and its regulations, as amended, (“Bulgarian Legislation”), and the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Bulgarian legislation and GDPR provide rules on how organisations, incl. “Mainland Ltd must collect, process and store personal data. These rules are applied by the Data Controller whether the data is processed electronically, on paper or on other media.
In order for the processing of personal data to comply with legal requirements, personal data shall be collected and used reasonably, stored securely and Mainland Ltd shall take the necessary measures to ensure that personal data processed is not subject to unlawful disclosure.
The data controller Mainland Ltd is aware of and follows the principles set out in the GDPR:
– personal data is processed lawfully, fairly and transparently;
– personal data is collected for specified, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes;
– the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
– personal data is accurate and kept up to date where necessary;
– personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
– the personal data are processed in a manner that ensures an adequate level of security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, implementing appropriate technical or organisational measures.

III. SCOPE

This Policy applies to the processing of personal data of contractors, suppliers, customers and partners as described in the REGISTERS established in accordance with this Policy, Bulgarian law and Article 30 of the GDPR (“Records of Processing Activities”).

1. COLLECTION OF PERSONAL DATA

Categories of data and subjects
“Personal data” means any information relating to an identified natural person or an identifiable natural person (“Data Subject”).

The controller collects personal data in respect of the following categories of persons:
1. persons representing the companies and contact persons in the companies with which the Administrator has a business relationship that are party to an agreement with the Administrator;
2. Persons interested in receiving information services – information bulletins, directories, price offers, etc;
3. Processing of personal data of persons in pre-contractual relations;
4. Users – users of the Site (www.mainland.bg);
5. Users – who have made enquiries (by calling or using one of the contact forms on the website);
6. Clients wishing to use the Services of Mainland Ltd.

What personal data does the company collect and process?

On the basis of Art. 1, point 3, first sentence of the PDPA, the processing of personal data is permitted if the natural person is party to a contract with the controller, if it is necessary for the performance of obligations under the contract (customers of Mainland Ltd. are party to a contract when using the services of Mainland Ltd. and the website www.mainland.bg).
When enquiring from www.mainland.bg , the required information to be entered by the customer is as follows:
Name;
Phone number;
E-mail;

As our customers, we receive your personal data on paper or electronically based on your voluntary consent.

1. POLICY OBJECTIVES

This Policy aims for Mainland Ltd to:
– comply with applicable data protection legislation and follow established best practices;
– establish the mechanisms for keeping, maintaining and safeguarding records;
– lay down the obligations of the officials processing personal data and/or the persons having access to personal data and working under the authority of the processors, their liability for failure to comply with those obligations;
– protects the rights of staff, customers and partners;
– be open about how it stores and protects individuals’ personal data;
– establish the necessary technical and organisational measures to protect personal data against unlawful processing (accidental or unlawful destruction, accidental loss unauthorised access, alteration or dissemination, and any other unlawful forms of processing of personal data);
– be protected at risk of breaches.

Who has access to your personal data?
– Natural/legal persons or their legitimate representatives with whom Mainland Ltd. has signed an agency agreement.

Sharing data with processors
We have a lot of work that we cannot do alone. That’s why we use third-party partners. In many of these cases, our partners naturally cannot do without your personal data. For this reason, we share it with them. In all such cases, however, we remain the controllers of your personal data and they act as data processors.
This means that although they hold your data, they can only process it for our purposes and we will always be responsible for it. Under no circumstances can they use the data for their own purposes or in a way that is contrary to our agreement.
In addition, we only use the services of partners who have given us sufficient assurances that they comply with the requirements of the GDPR and that your data will always be protected.

Objectives of the data collection
The controller collects personal data in connection with the performance of the following purposes:
1. For the performance of activities related to the conclusion, existence, amendment and termination of contractual relations, including:
o to contact the contact person by telephone, email or any other lawful means;
o for the provision of services, for communication in connection with the provision and/or receipt of goods/services and for the provision of related customer service;
o To keep accounting records in relation to the performance of contracts to which Mainland Ltd is a party;
o To process payments in relation to contracts entered into by Mainland Ltd;
o To send important information to subjects regarding changes to Mainland Ltd’s terms, conditions and policies and/or other administrative information;
2. For marketing purposes – after obtaining explicit consent from data subjects;
If the initiative to take the action to conclude the contract lies with the controller, one of the other conditions of Art. 1 of the PDPA, most often that the data subject has given his or her explicit consent for direct marketing purposes. The consent of the individual must be a freely given, specific and informed indication by which the data subject unambiguously accepts that the data may be processed. The law does not prescribe a form for the validity of consent, but the requirement that it be in writing in practice is relevant to the burden of proof, which rests with the data controller. Consent may be withdrawn at any time and, in the absence of any other condition for the lawful processing of personal data, the relevant processing activities will cease.

„Cookies“

Mainland Ltd uses cookies on its website. These are small files that are stored on your disk and which save certain settings and data for communication with our system via your browser. Some of the cookies we use are deleted after the end of each browser session, i.e. after you close your browser. These are so-called session cookies. Others remain on your device and enable both us and our partners to recognise your browser the next time you visit (persistent cookies). This helps us to build our website in a way that’s relevant to you and to offer you an easier way to use it, for example by storing certain of your details in a way that removes the need to keep entering them. From your browser settings you can choose restrictions on the use and deletion of cookies. You can find information on what settings to choose in the browser help section. Your refusal to use cookies may prevent you from using our services offered via the Internet.

Web analysis

Google Analysis

This website uses Google Analytics, an advertising analysis service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. In addition, this website uses Google’s AMP Client ID API to associate user activity on AMP pages with that on non-AMP pages through Google Analytics. The Google tracking code for this site uses the _anonymizeIp() function. This means that the IP address is only processed in a truncated form in EU member states or other countries in the European Economic Area in order to prevent direct association with a specific person. In exceptional cases, the full version of an IP address may be sent to a Google server in the USA for truncation. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage in general. Google will not associate the IP address transmitted by your browser with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that you may not be able to use the full functionality of this website if cookies are disabled. You may also refuse the use of cookies by selecting the appropriate settings on your browser, such as the use of the toolbar on your desktop, the use of cookies by default, the use of cookies by default.

Data collection
The personal data of each individual is provided voluntarily by the individuals themselves and is collected by the Administrator in fulfilment of a legal obligation in connection with the conclusion of a contract and/or the performance of obligations under a contract concluded in accordance with the provisions of the Commercial Act, the Accounting Act, the Obligations and Contracts Act, the Value Added Tax Act, etc. and the terms and conditions set out in a commercial contract with the relevant client. (including powers of attorney, contracts, notices of seizure, bank information, etc.), by persons who have been informed of the provisions of this Directive in advance or at the time of receiving their data.

1. LEGAL INTERESTS OF Mainland Ltd.
   The processing of data is carried out on the basis of a legitimate interest and in connection with the conclusion, existence, amendment and termination of commercial and civil contracts in the application and implementation of the legal requirements of the Commercial Law, the Social Security Code, the Tax and Social Security Procedure Code, the Insurance Code, the Personal Income Tax Act, the Accounting Act, the Obligations and Contracts Act, etc.
   Art. 1(3) of the PDPA provides for two separate grounds for processing personal data, applicable in the pre-contractual and contractual relationship between the controller of personal data and the natural person to whom the data relate. They are also listed in Art. 6 par. 1, б. “b” of Regulation (EU) 2016/679, which provides that data processing is lawful if it is “necessary for the performance of a contract to which the data subject is party or for taking steps at the request of the data subject prior to entering into a contract”.
2. TRANSPARENCY. RIGHTS OF PERSONS WHOSE DATA IS PROCESSED BY Mainland Ltd.

Transparency and conditions for exercising individual rights
The controller shall provide information to individuals in a concise, transparent, understandable and easily accessible form, in clear and plain language.
The controller shall endeavour to ensure that individuals are aware of the personal data it processes and that individuals fully and completely understand and are informed about the processing, in accordance with the requirements of the GDPR and Bulgarian law.
The controller shall provide the information to the data subject in writing or by other means, including, where appropriate, electronic means. At the request of the data subject, the information may be provided orally, provided that the identity of the data subject is otherwise established.
The controller shall provide individuals with information, free of charge, on the action taken in response to a request concerning their rights of access, rectification, erasure, restriction of processing, portability, objection and automated decision making, without undue delay and in any event within one month of receipt of the request.
If necessary, this period may be extended by a further two months, taking into account the complexity and the number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay. Where the data subject submits a request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject has requested otherwise.
If the controller does not comply with the request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request, of the reasons for not complying and of the possibility of lodging a complaint with a supervisory authority and of seeking judicial redress.
Where requests from a person are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

Right of access of persons
Any person shall have the right to obtain from the controller confirmation as to whether personal data relating to him or her are being processed and, if so, access to such data and the following information
o the purposes of processing;
o the categories of personal data concerned;
o the recipients or categories of recipients to whom the personal data have been or will be disclosed (including to third countries or international organisations);
o where possible, the intended period for which the data will be kept and, if that is not possible, the criteria used to determine that period;
o the existence of a right to require the Controller to rectify or erase personal data or to restrict the processing of personal data relating to the individuals concerned or to object to such processing;
o the right to complain to the Data Protection Commission;
o where the personal data is not collected from the individuals themselves, any available information about its source;
o the existence of automated decision-making, including profiling, and, at least in those cases, substantial information about the logic used and the meaning and intended consequences of that processing for individuals.
Where personal data are transferred to a third country or to an international organisation, individuals have the right to be informed of the appropriate safeguards in relation to the transfer.
The administrator shall provide the data subject with a copy of the personal data being processed. For additional copies requested by the individual, the controller may charge a reasonable fee based on administrative costs. If the individual makes a request by electronic means, the information shall, where possible, be provided in a commonly used electronic form, unless the individual has requested otherwise.

Right of rectification
Any person whose data is processed by the Controller shall have the right to request the Controller to rectify without undue delay any inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.
Right to erasure (right to be “forgotten”)
Any person whose data is processed by the Controller shall have the right to request the Controller to erase the personal data relating to him or her without undue delay, and the Controller shall have the obligation to erase the personal data without undue delay if:
– the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
– the data subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
– the data subject objects to the processing and there are overriding legitimate grounds for the processing;
– personal data has been processed unlawfully;
– the personal data must be erased in order to comply with a legal obligation to which the administrator is subject;
– personal data have been collected in connection with the provision of information society services.
Where the administrator has made the personal data public and is required under the preceding paragraph to erase the personal data, it shall take reasonable steps, including technical measures, taking into account the technology available and the cost of implementation, to notify the controllers who process the personal data that the data subject has requested those controllers to erase any links, copies or replicas of his or her personal data.

Right to restriction of processing
Any person whose data is processed by the Administrator shall have the right to require the Administrator to restrict processing where one of the following applies:
– the accuracy of the personal data is disputed by the data subject for a period of time sufficient to allow the administrator to verify the accuracy of the personal data;
– the processing is unlawful, but the data subject does not wish the personal data to be erased, but instead requests that the use of the personal data be restricted;
– The administrator no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims;
– the data subject has objected to the processing pending an assessment of whether the controller’s legitimate grounds override the data subject’s interests.
Where processing is restricted pursuant to the above paragraph, such data shall be processed, with the exception of their storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or for important reasons of public interest.
Where a data subject has requested the restriction of processing, the controller shall inform the data subject before the restriction of processing is lifted.

Obligation to notify rectification or erasure of personal data or restriction of processing
The administrator shall communicate any rectification, erasure or restriction of processing to any recipient to whom the personal data have been disclosed, unless this is impossible or involves a disproportionate effort. The controller shall inform the data subject of those recipients if the data subject so requests.

Right to data portability
The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to the administrator in a structured, commonly used and machine-readable format and to have that data transferred to another administrator without hindrance from the administrator where (i) the processing is based on consent in relation to specified purposes or on a contractual obligation of the data subject or the taking of pre-contractual steps and (ii) the processing is carried out by automated means.
When exercising the right to data portability, the data subject shall have the right to obtain the direct transfer of personal data from one administrator to another, where technically feasible.

Right to object
The data subject shall have the right, at any time and on grounds relating to his or her particular situation, to object to the processing of personal data concerning him or her (where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority of the controller, or the processing is for the purposes of the legitimate interests of the controller or of a third party), including profiling. The Administrator shall cease processing the personal data unless he can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for this type of marketing, including profiling insofar as it relates to direct marketing. Where the data subject objects to the processing for direct marketing purposes, the processing of personal data for such purposes shall cease.
At the latest at the time of the first contact with the data subject, the data subject shall be explicitly informed of the existence of the right referred to in the preceding paragraphs, which shall be presented to him in a clear manner and separately from any other information.

VII. TECHNICAL AND ORGANISATIONAL DATA PROTECTION MEASURES
The protection of data on paper and electronic media against unauthorised access, damage, loss or destruction is ensured by a series of internally regulated technical and organisational measures.

VIII. TRANSFER OF PERSONAL DATA
The controller does not and will not transfer personal data to countries outside the European Union.

1. VIOLATIONS. BREACH NOTIFICATION

Violations
A data breach occurs when personal data for which Mainland Ltd is responsible is affected by a security incident that results in a breach of the confidentiality, availability or integrity of the personal data. In this sense, a data breach occurs when there is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of data that is transmitted, stored or otherwise processed.
In the event of a personal data breach, the Designated Data Protection Contact, a representative of the Data Administrator, shall be notified immediately and shall report the breach to the Supervisory Authority.
data protection contact person – representative of Mainland Ltd.
Stanislav Getsov, e-mail: mainland@gmail.com

Data subjects may contact the data protection contact person, a representative of Mainland Ltd, on any matter relating to the processing of their personal data and the exercise of their rights.

Assessment of infringements
As soon as the relevant Mainland Ltd employee becomes aware of a breach, they must determine whether the specific event constitutes a personal data breach and report the event to Mainland Ltd’s senior management (if they are not aware).
In the event of a personal data breach that is likely to pose a risk to the rights and freedoms of natural persons, the controller (through the relevant employee) shall notify the Personal Data Protection Commission of the breach without undue delay and, where practicable, no later than 72 hours after becoming aware of it.
Where and to the extent that it is not possible to submit the information simultaneously, the information may be submitted in stages without further undue delay.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the administrator shall notify the data subject of the breach without undue delay.
The administrator shall document any personal data breach, including the facts relating to the breach, its consequences and the action taken to address it.

1. DESTRUCTION

Accounting and business information and all other information and documents relevant to taxation and compulsory social security contributions will be retained by Mainland Ltd for the following periods:
– payroll – 50 years;
– accounting records and financial statements – 10 years;
– documents for tax and social security control – 5 years after the expiry of the limitation period for repayment of the public debt to which they relate;
– all other carriers – 5 years.
After the expiration of their retention period, information media (paper or technical) that are not subject to transfer to the National Archives Fund may be destroyed.
At the end of the retention period, the data shall be destroyed as soon as possible by destroying the paper media by shredding and the technical media by deleting and erasing the relevant files from the Company’s computers.

Additional provisions

For the purposes of these Internal Rules:
§ 1. The “Personal Data Adminsitrator” is “Mainland” Ltd, UIC 128602800, with registered office and registered address. 2225, Bojurishte Municipality, Sofia Region, with the designated representative Stanislav Getsov acting on behalf of the Controller.
§ 2. ‘Processing’ shall mean any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
§ 3. ‘Representative’ means a natural or legal person appointed by the controller or processor in writing pursuant to Article 27 to represent the controller or processor in relation to their respective obligations under the General Data Protection Regulation (EU) 2016/679;
§ 4. This Policy is subject to approval and bringing to the attention of the persons concerned by order of the Manager Stanislav Getsov.

CONTACTS

You can contact the data protection contact person – a representative of Mainland Ltd Stanislav Getsov on all issues concerning the protection of personal data at:
– address:r. 2225, Municipality of Bojurishte, Sofia Region
– Tel: + 359 888 220 094
– e-mail: mainland@gmail.com
The policy has been approved by the manager of Mainland Ltd.

The policy comes into force on: 01.07.2024.