PERSONAL DATA PRIVACY POLICY OF AVTO UNION AD

This Privacy Policy is aimed at clarifying the following circumstances:

  • Who are we as data controller?
  • Whose personal data does Avto Union AD process?
  • What kind of personal data does Avto Union AD process?
  • On what grounds of the General Data Protection Regulation is this data being processed?
  • For what purposes is this personal data being processed?
  • What are the ways for collection of such data?
  • What are the consequences of refusal to provide data?
  • How long is this data being stored?
  • Who has access to this data?
  • What are the rights of the data subjects and how can they exercise them?

WHO ARE WE?

The data controller is the company Avto Union AD (“the Company”) with UIC 131361786, having its seat and registered address in the city of Sofia, 43 Christopher Columbus Blvd., website: http://avtounion.bg/, e-mail: gdpr@avtounion.bg, contact phone: +3592 9651 655.

I. TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

  1. The Company processes personal data in its capacity of issuer of bonds and other forms of debt securities and financial instruments, including depositary receipts in respect of such securities, of personal data subjects – natural bondholders and natural persons – representatives of the bondholders, as well as of bondholders’ proxies, namely:

– Identification data – three names, PIN / other unique national identification number, and if there is none – date of birth; address, in the book of bondholders

– Financial information – number of bonds held and the percentage share in the amount of the entire bond

– Financial information on interest payments

– Identification data on the proxies contained in their proxies

  2. In its capacity of issuer, the Company processes personal data of data subjects – persons on managerial positions, their closely associated persons, persons with access to information about the financial instruments within the meaning of Regulation 596/2014 on market abuse, namely:
  • Identification data – full name and PIN of the persons on managerial positions
  • Identification data – full name and PIN of closely associated persons
  • Identification data – full name and PIN, and date of birth, personal address, personal and business phone of the persons with access to inside information
  • Financial information – information about concluded transactions with financial instruments
  3. In its capacity of public-interest entity within the meaning of the Independent Financial Audit Act, the Company processes personal data of data subjects – members of audit committees, namely:
  • Data about professional qualification – diplomas for master’s or bachelor’s degree in accordance with the requirements of the Independent Financial Audit Act
  • Identification data – full name and PIN
  4. In its capacity of joint stock company and issuer, the Company processes data of data subjects – members of management, supervisory and control bodies:
  • Data about convictions – criminal record certificates
  • Data about professional qualification and convictions and administrative violations in the prospectuses
  • Identification data
  5. The Company processes personal data necessary for the conclusion and execution of contracts with contractors who are individuals, or with individuals who are authorized to manage, represent or work for a legal entity – a contractor of the Company, in their capacity as contact persons, employees, managers, procurators, representatives, etc.:
  • Identification data – three names, unique identifier;
  • Contact details – address, e-mail address, telephone number;
  • Data on position held within the organization, representative authority, term of office, signature, other data generated in the course of communication between the parties or through documents exchanged between them.
  6. As the Company is a part of a group of undertakings, it may process personal data for internal administrative purposes, including the processing of clients’ or employees’ personal data.
  7. The Company processes personal data of users of the official website, for example:

– When filling out inquiry forms, registration, customer satisfaction survey and any contact form that requires the provision of feedback data such as name, e-mail, telephone number, car data or service used, in connection with which the inquiry is addressed. In all cases of using the website, it is possible to collect data through cookies. Up-to-date information about the processing of data through cookies is available on the website in the “Useful links” field and via a link in the cookie message that the user sees on his first visit to the website.

– Personal data of applicants for employment in recruitment procedures when using the application form for a job position in one of the companies in the group, including the possibility to attach a CV file and send a cover letter. Different categories of personal data are processed for this purpose in accordance with the Recruitment Privacy Policy.

Certain forms on the Website may contain free text fields in which you may choose to provide information that may constitute personal data relating to you or a third party. Insofar as the provision of such information is not mandatory, personal data for which there is no legal basis for processing by the controller will be deleted within 1 month of receipt.

II. GROUNDS FOR PROCESSING

  1. The personal data of the bondholders and the proxies of the bondholders – the processing is necessary for the performance of a contract to which the data subject is a party or related to the exercise of representative power and for compliance with a legal obligation applicable to the controller under the Commercial Act and the Public Offering of Securities Act;
  2. Personal data of persons in management positions, persons closely related to them and persons with access to inside information about financial instruments – processing is necessary to comply with a legal obligation that applies to the controller – Regulation 596/2014 on market abuse;
  3. Personal data of members of the audit committees – legal obligations under the Independent Financial Audit Act;
  4. The personal data of the members of the management and supervisory bodies – the processing is necessary for the performance of a contract to which the data subject is a party (management and supervision contracts) and for compliance with a legal obligation applicable to the controller under the Commercial Act, Public Offering of Securities Act, Regulation (EC) No 809/2004 on the application of Directive 2003/71/EC of the European Parliament and of the Council as regards the information contained in prospectuses and the format;
  5. Personal data of counterparties – the processing is necessary for the performance of a contract to which the data subject is a party and for compliance with a legal obligation that applies to the controller for compliance with the requirements for tax accounting;
  6. Personal data of users on the website in inquiry forms, job application forms – the processing is necessary for the provision of services, relevant information about services and products, respectively to take steps at the request of the data subject before entering into a contract. In any case, in the absence of any other legal basis, there is a legitimate interest of the Controller when it requires the provision of data in feedback forms in a survey on customer satisfaction.
  7. Personal data of users of the website who have expressed an explicit consent to receive electronic marketing messages from the Company and related companies of the group – the subject has given consent to process his data for the specific purpose.

III. PURPOSES OF PROCESSING

Purposes of processing are as follows:

  • Issue of prospectuses and public offering of financial instruments
  • Accounting and preparation of reports
  • Participation in general meetings of bondholders
  • Payment of dividends and interests
  • Increase or decrease of capital
  • Meeting the legal provisions of the Commerce Act, the Public Offering of Securities Act, the Independent Financial Audit Act and Regulation 596/2014 on measures against market abuse with financial instruments and their related legal regulations and any other applicable legislation
  • Entering into and performance of management contracts, as well as other contracts and transactions related to the respective data subjects
  • For internal administrative purposes within the group of undertakings – common and shared systems and processes in the area of human resources management, recruitment, consolidated financial statements, direct marketing of products and services of companies that are part of the corporate group, collection and analysis of information on customer satisfaction, administrative and legal services.
  • Provision of services through the website.
  • For direct marketing by e-mail or mobile phone, for customer satisfaction surveys on products and services of companies in the corporate group through contact forms and surveys on the website.

IV. WAYS FOR COLLECTION OF PERSONAL DATA

Personal data is collected as follows:

  • Personal data provided by the data subjects;
  • Personal data from other sources.

V. CONSEQUENCES FROM REFUSAL TO PROVIDE PERSONAL DATA

The processing of personal data for purposes that are based on the explicit consent of the subject is not mandatory, and the refusal to provide consent, or respectively the data, may not have any consequences.

Where the processing of data is necessary for the provision of services, or it is necessary for the performance of a contract to which the subject is a party, the provision of data is not mandatory, but the refusal to provide data may make it impossible to obtain the requested service, or respectively to conclude and perform the contract.

The explicit consent of the individuals whose data are processed is not always necessary if the Controller has another legal basis for the processing of personal data, for example in processing which is based on a legal obligation to which the controller is subject.

VI. TIME PERIOD FOR STORAGE

The criteria used to determine the periods of retention of your personal data include the duration of our current relationship, our legal obligations, or our legal position (e.g. in litigation and/or regulatory investigations).

VII. ACCESS TO DATA

Certain employees of the Company have access to your personal data with a view to performing their employment duties with regard to the services rendered to you.

Your data may be provided to third parties – personal data processors, on the grounds of data processing agreements we have entered into with them. Your data may also be provided to the competent state authorities with a view to exercising their powers in accordance with the legal regulations, and in particular to the Registry Agency, the National Revenue Agency and the Financial Supervision Commission.

The Company undertakes all required technical and organizational measures for protection of personal data of data subjects and ensures their implementation.

Your personal data is stored and transferred in a secure manner. The transfer of personal data to third countries or international organizations is only allowed under the terms of Chapter V of the General Data Protection Regulation.

All required internal policies and rules are in place and the employees of the Company are aware of them. They ensure:

  • permanent privacy, integrity and sustainability of processes for personal data processing;
  • prevention of accidental or illegal destruction, loss, change, unauthorized disclosure or access to personal data;
  • timely recovery of availability of personal data in case of physical or technical accident;
  • continuous assessment of the efficiency of technical and organizational measures for personal data protection.

VIII. WHAT ARE THE RIGHTS OF DATA SUBJECTS AND HOW THEY CAN EXERCISE THEM?

  1. Upon request, the data subject has the right to receive all necessary information relevant to the processing of data they have provided.
  2. The data subject has the right to request the Company to provide access to, rectification or erasure of personal data or to restrict the processing of personal data if prerequisites to this effect exist.
  3. The data subject has the right to object to the processing and to lodge a complaint with the Personal Data Protection Commission or with the competent court upon illegal processing of data.
  4. The data subject has the right to withdraw their consent for personal data processing at any time, where data is provided on the grounds of consent, without affecting the legality of processing before such withdrawal.
  5. The data subject has the right to be informed about the consequences of failure to give consent for processing of their personal data.
  6. The data subject has the right to be informed about the purposes and time periods of their personal data processing and if the Company has the intention to process such data for any purpose other than the purpose it has been collected for, as well as in case of change in the processing purposes.
  7. The data subject has the right to be informed about any correction in the individualization features of the Company. Such information is provided by publication on the official website of the Company or by entry in the Commercial Register or another public register.
  8. The data subject has the right to receive a copy of collected personal data.
  9. The data subject has the right to receive personal data concerning them and the data they have provided to the controller, in a structured, commonly used and machine readable format, and has the right to transmit this data to another controller, without hindrance from the controller.
  10. The data subject has the right not to have their data subject to a decision based solely on automated processing, including profiling, as well as the right to be informed about the existence of automated decision-making, including profiling. The data subject has the right to meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject, at least in case such automated decision-making produces legal effects concerning them or similarly significantly affects them.

All requests for provision of information about personal data processing, copy of processed data, for erasure of personal data, rectification and withdrawal of consent, should be made in writing, signed by the data subject and lodged with the Company for processing by email: gdpr@avtounion.bg, or at the Company’s registered address.

The Company replies to the data subjects’ requests by specifying the reasons for performing such requests if there are grounds to this effect, or for giving reasoned refusal if there are grounds to do so, by notifying the data subjects about their right to lodge a complaint with the Personal Data Protection Commission or with the competent court.

Requests will be considered excessive due to their repetitiveness if they refer to static data, which is not subject to rectification during the time period between the requests, and if they refer to dynamic data that is subject to rectification, if more than two requests within four months have been submitted with regard to such data.

IX. COOKIES

Up-to-date information about cookies is available on the website in the “Useful links” field or via the link in the cookie message that the user sees on his first visit to the website.

DEFINITIONS

  1. “Personal data” (hereinafter referred to as “the data”) means any information relating to the identified or identifiable natural person by reference to name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  2. “Personal data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. “Data Controller” (hereinafter referred to as “the controller”) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by the Union or the member state law.
  4. “Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
  5. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  6. “Consent of natural person” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to him or her.
  7. “Data subjects” (hereinafter referred to as “the subjects”) are natural persons.
  8. “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  9. “Person discharging managerial functions” means within the meaning of paragraph 3, item 25 of Regulation 596/2014 a person within an issuer, an emission allowance market participant or another entity referred to in article 19(10), who is:

a) a member of the administrative, management or supervisory body of that entity; or

b) a senior executive who is not a member of the bodies referred to in point (a), who has regular access to inside information relating directly or indirectly to that entity and power to take managerial decisions affecting the future developments and business prospects of that entity;

10. “Closely associated person” within the meaning of paragraph 3, item 26 of Regulation 596/2014 means:

a) a spouse, or a partner considered to be equivalent to a spouse in accordance with national law;

b) a dependent child in accordance with the national law;

c) a relative who has shared the same household for at least one year on the date of the transaction concerned; or

d) a legal person, trust or partnership, the managerial responsibilities of which are discharged by a person discharging managerial responsibilities or by a person referred to in point (a), (b) or (c), which is directly or indirectly controlled by such a person, which is set up for the benefit of such a person, or the economic interests of which are substantially equivalent to those of such a person;

11. “Right of access” – the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

12. “Right to rectification” – the data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them. Incomplete personal data may be completed, including by means of providing a supplementary statement.

13. “Right to erasure” – the data subject has the right to obtain from the controller the erasure of personal data concerning them, and the controller has the obligation to erase personal data where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or member state law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  14. “Right to restriction of processing” – the data subject has the right to obtain from the controller restriction of processing where one of the following applies:
  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
  15. “Right to data portability” – the data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
  • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  • the processing is carried out by automated means.
  • In exercising their right to data portability pursuant to paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  16. “Inside information” within the meaning of Regulation 596/2014 means the following: for the purposes of this Regulation, inside information shall comprise the following types of information:

a) information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more issuers or to one or more financial instruments, and which, if it were made public, would be likely to have a significant effect on the prices of those financial instruments or on the price of related derivative financial instruments;

b) in relation to commodity derivatives, information of a precise nature, which has not been made public, relating, directly or indirectly to one or more such derivatives or relating directly to the related spot commodity contract, and which, if it were made public, would be likely to have a significant effect on the prices of such derivatives or related spot commodity contracts, and where this is information which is reasonably expected to be disclosed or is required to be disclosed in accordance with legal or regulatory provisions at the Union or national level, market rules, contract, practice or custom, on the relevant commodity derivatives markets or spot markets;

c) in relation to emission allowances or auctioned products based thereon, information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more such instruments, and which, if it were made public, would be likely to have a significant effect on the prices of such instruments or on the prices of related derivative financial instruments;

d) for persons charged with the execution of orders concerning financial instruments, it also means information conveyed by a client and relating to the client’s pending orders in financial instruments, which is of a precise nature, relating, directly or indirectly, to one or more issuers or to one or more financial instruments, and which, if it were made public, would be likely to have a significant effect on the prices of those financial instruments, the price of related spot commodity contracts, or on the price of related derivative financial instruments.

This Policy was approved and entered into force on 25.05.2018; it was amended on 11.05.2020, with the amendment entering into force on the same date.