Personal information we collect
When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”.
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.
Additionally when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number. We refer to this information as “Order Information”.
How do we use your personal information?
We use the Order Information that we collect generally to fulfill any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:
- Communicate with you;
- Screen our orders for potential risk or fraud; and
- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
- Place your order to the vendors who develop and/or provide the software you would like to purchase
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).
Sharing you personal Information
We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Shopify to power our online store--you can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy. We also use Google Analytics to help us understand how our customers use the Site -- you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout. Others third parties may apply too.
Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
- Facebook: https://www.facebook.com/settings/?tab=ads
- Google: https://www.google.com/settings/ads/anonymous
- Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Do not track
Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.
If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.
Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information might be transferred outside of Europe, including to Canada and the United States.
When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.
The Site is not intended for individuals under the age of 18
For the purposes of its activity, "AECO SPACE" Ltd. processes personal data of natural persons ("data subjects") in strict compliance with the GDPR, the Personal Data Protection Act and this Personal Data Processing Policy.
According to GDPR and this policy:
"Personal Data" means any information relating to an identified natural person or an identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;
"Processing" means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed;
"Restriction of processing" means the marking of stored personal data in order to restrict their processing in the future;
"Profiling" means any form of automated processing of personal data consisting in the use of personal data to assess certain personal aspects related to a natural person, and more specifically to analyze or predict aspects related to the performance of professional duties that individual's economic status, health, personal preferences, interests, reliability, conduct, location or movement;
" Pseudonymization " means the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without the use of additional information, provided that it is stored separately and subject to technical and organizational measures with purpose of ensuring that the personal data is not linked to an identified natural person or an identifiable natural person;
"Administrator" means a natural or legal person, public body, entity or other structure that alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of this processing are determined by Union law or the law of a Member State, the controller or the special criteria for its determination may be established in Union law or in the law of a Member State;
"Processor of personal data" means a natural or legal person, public body, agency or other structure that processes personal data on behalf of the controller;
"Recipient" means a natural or legal person, public body, agency or other structure to which personal data is disclosed, whether or not it is a third party. At the same time, public authorities that may receive personal data within the framework of a specific investigation in accordance with Union law or the law of a Member State are not considered "recipients" ; the processing of this data by the specified public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;
"Third party" means a natural or legal person, public body, agency or other body other than the data subject, the controller, the personal data processor and the persons who, under the direct supervision of the controller or the personal data processor, have the right to process the personal data;
"Personal data register" means any structured set of personal data that is accessed according to certain criteria, whether centralized, decentralized or distributed according to a functional or geographical principle;
"Consent of the data subject" means any freely expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses his consent for the personal data relating to him to be processed;
"Personal Data Security Breach" means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of Personal Data that is transmitted, stored or otherwise processed;
"Health data" means personal data related to the physical or mental health of an individual, including the provision of health services that provide information about their health;
"Relevant and justified objection" means an objection to a draft decision on whether or not there is a violation of this Regulation, or whether the intended action in relation to the controller or processor of personal data meets the requirements of this Regulation, which clearly demonstrates that the draft a decision leads to significant risks for the fundamental rights and freedoms of data subjects and, where applicable, for the free movement of personal data within the Union;
"Video surveillance" in the sense of § 1, item 3 of the DR of the Act on private security activities is a technical form of processing and storage within the period provided for in the law of personal data, carried out in compliance with the requirements for the protection of personal data and the regulations and of this law, related to the requirements for the processing of personal data according to Art. 5 of the GDPR, including photographing persons in a guarded facility and recording the data obtained.
When processing personal data, AECO SPACE Ltd. observes and is guided by the principles laid down in the GDPR for legality, good faith and transparency, limitation of purposes, reduction of data to a minimum, accuracy, limitation of storage, integrity and confidentiality, accountability.
Principles of personal data processing
The processing of personal data within "AECO SPACE" Ltd. is carried out in accordance with the data protection principles in Art. 5 of the GDPR.
Legality, good faith and transparency
"AECO SPACE" Ltd. processes personal data lawfully, in good faith and in a transparent manner in relation to the data subject.
- Legally - personal data are processed only if there is a legal basis within the meaning of Art. 6 or Art. 9 of the GDPR.
- In good faith - personal data is processed in good faith, taking into account the legitimate rights and expectations of data subjects.
- Transparent - "AECO SPACE" Ltd. provides the data subject with information regarding the processing of his personal data in a short, transparent, comprehensible and easily accessible form and in clear and simple language.
Limitation of objectives
"AECO SPACE" Ltd. collects personal data for specific, explicitly indicated and legitimate purposes and does not process them further in a manner incompatible with these purposes.
Data minimization principle
"AECO SPACE" Ltd. collects and processes only personal data that is appropriate, related to and limited to what is necessary in relation to the purposes for which it is processed.
"AECO SPACE" Ltd. guarantees that the personal data it processes are specific and accurate, updating them if necessary. For this purpose, "AECO SPACE" Ltd. undertakes all reasonable measures and actions for the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are processed.
"AECO SPACE" Ltd. stores the personal data in a form that allows the identification of the data subject for a period no longer than is necessary for the purposes for which the personal data is processed.
Integrity and confidentiality
"AECO SPACE" Ltd. guarantees an appropriate level of personal data security, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by applying the technical or organizational measures specified in this Policy.
In cases where the Enterprise uses personal data processors, it requires them to provide sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure an equivalent or higher level of data protection and security.
"AECO SPACE" Ltd. applies in practice the above-mentioned principles for the protection of personal data, certifying this by preparing and storing the relevant documents in paper and/or electronic form.
Information and personal data collected by AECO SPACE Ltd
When using a site https :// www .aecospace.com /, www.aeco.space or choosing the contact form https://www.aeco.space/en/contact or any of the services that "AECO SPACE" OOD offers, information and personal data are collected about the subjects, which in most cases they themselves provide , choosing and agreeing to submit information about themselves. In certain cases, personal data is required, to comply with a legal obligation, to conclude a contract, to take steps at the request of the subject before concluding a contract ( pre-contractual relations), to protect the vital interests of the subject or another natural person, to the performance of a task in the public interest or in the exercise of official powers granted to us, for the purposes of our legitimate interests or those of a third party, except where your interests or fundamental rights and freedoms that require the protection of personal data prevail over such interests .
"AECO SPACE" Ltd. may collect and process the following information, depending on the relationship in which the subject wishes to enter (e.g. pre-contractual relationships, performance of an already concluded contract, job application, etc. ):
Names, billing address, shipping address, payment information (including credit card numbers), email address and phone number - when you make a purchase or attempt to make a purchase through the Site. We we call this one " Order Information " information .
Device information including browser information , IP address , time area and some of the cookies that are installed on the device you visit the site https://www.aecospace.com and/or https://www.aeco.space/ . In addition, as you browse the Site, we collect information about the individual web pages or products you view, which websites or search terms directed you to the Site, and information about how you interact with the Site. We call this automatically collected information "Device Information." It is collected through the following technologies:
- " Cookies " are data files that are placed on your device or computer and often include anonymous unique identifier . For more information regarding cookies and how to disable them cookies , visit http://www.allaboutcookies.org.
- " Registration files ” track the actions performed on the site , and collect data , incl your IP address , type browser , internet provider _ referral / outbound services _ pages and date / time stamps . _
- " Web beacons ” , “ tags ” and “ pixels ” are electronic files used to record information about how _ _ you are looking at the site .
In this one Politics under " Personal information” we understand both " device information " and " order information " .
In certain cases (e.g. the conclusion of an employment contract, insurance, health insurance, etc.) we also collect and process the following personal data: name, social security number, identity card data, address, age/date of birth, gender, position, workplace contact phone number, email address, educational and qualification degree, additional qualification and legal capacity, specialty, etc.
In the event that it is necessary to collect special categories of personal data (e.g. health data, etc.) they are used to fulfill contractual or pre-contractual obligations (e.g. the conclusion of an employment contract, insurance, health insurance, etc.) and if available to any of the conditions listed in the GDPR:
- In the presence of the person's express consent to the processing for one or more specific purposes, unless the legislation excludes the possibility of such consent;
- For the purposes of preventive or occupational medicine, to assess the working capacity of employees, the provision of insurance services, health or social care;
- In order to protect vital interests of the data subject or another natural person, when the data subject is physically or legally unable to give consent;
- For the purposes of fulfilling the obligations and exercising the special rights of the controller or the data subject by virtue of labor law and law in the field of social security and social protection, insofar as this is permitted by Union law or the law of a Member State , or pursuant to a collective agreement in accordance with the law of a Member State, which provides for appropriate safeguards for the fundamental rights and interests of the data subject;
- For reasons of important public interest on the basis of Union law or the law of a Member State which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject .
In view of their sensitive nature, special categories of personal data enjoy enhanced protection and are processed subject to the obligation of professional secrecy/confidentiality.
The listed data is collected in the specified cases by the following subjects:
- Users of the services and products of "AECO SPACE" Ltd. ;
- Staff, current and former employees or job applicants;
- Contracts or potential contracts of "AECO SPACE" Ltd. and/or their employees;
AECO SPACE Ltd. processes personal data for the following purposes:
(a) When exercising the subject of activity of "AECO SPACE" OOD for the purposes of pre-contractual or contractual relations with the company's customers, including when preparing a response/offer or performing a requested service, etc.;
The collection of personal data is also possible in any other aspect of interaction between "AECO SPACE" Ltd. and its customers, such as: contact information; information related to the persons who visit it in connection with training or consulting activities, etc. It also collects other information related to the purchase and receipt of products or services provided by the company, information related to payment for services/products used, such as payment card number and other related information, as well as authentication information and invoice and payment account issuance and payment data related to mobile payments; communication and marketing preferences; any information related to individuals, but related to the activities of delivering the relevant product or providing the desired service.
It is also possible to process other personal data in certain cases, such as when participating in various events in which the company participates and/or offers services/products, insofar as this is permitted by law and is of mutual interest.
When participating in various social networks ( facebook , instagram and others) "AECO SPACE" Ltd. may receive certain information from your account given the selected settings (location, interests, photos, registrations, activities, status, friends, etc.).
Text marketing notifications
By subscribing to SMSBump text notifications, you agree to receive automated marketing text messages from us about our products and services at the phone number you provided when you subscribed, and that the messages may be sent via an automated telephone dialing system or other technology. Message frequency is repeated. Consent is not a condition of purchase. Message and data charges may apply. You can answer STOP, END, CANCEL, UNSCRIBE or QUIT to opt out and HELP customer support. You may receive an additional text message confirming your decision to opt out. You understand and agree that attempting to opt-out by any means other than sending the opt-out commands above is not a reasonable opt-out method.
Use of your personal information
We use the order information we collect generally to fulfill any orders placed through the Site (including processing your payment information, arranging for delivery, and providing invoices and/or order confirmations). In addition, we use this ordering information to:
- Communicating with you and improving the level of services provided by "AECO SPACE" Ltd, considering the interest of customers and offering various facilities;
- Checking our orders for potential risk or fraud;
- To provide you with information or advertising related to our products or services where it is consistent with the preferences you have shared with us and
- To place your order with the suppliers who develop and/or provide the software you wish to purchase.
We use the device information we collect to help us check for potential risks and fraud (in particular your IP address) and more generally to improve and optimize our site (for example by generating analytics about how our customers browse and interact with the site and to evaluate the success of our marketing and advertising campaigns).
As described above, we use your personal information to provide you with targeted advertisements or marketing communications that we believe may be of interest to you. For more information on how targeted advertising works, you can visit the Network Advertising Initiative's ("NAI") education page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work .
You can opt out of targeted advertising using the links below:
- Facebook : https://www.facebook.com/settings/?tab=ads
– Google : https://www.google.com/settings/ads/anonymous
– Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
You may also opt out of some of these services by visiting the Digital Advertising Alliance opt-out portal at: http://optout.aboutads.info/.
"AECO SPACE" Ltd. does not collect and process special categories of personal data ("sensitive data") relating to racial or ethnic affiliation, political views, religious or philosophical beliefs, trade union membership, health status, sex life or sexual orientation, genetic information .
"AECO SPACE" Ltd can use the health information provided by the data subject in order to provide more adequate service and meet specific needs (for example, for people with disabilities).
In any case, in view of the sensitive nature of personal data, they enjoy enhanced protection and are processed subject to the obligation of professional secrecy/confidentiality.
(b) Fulfillment of the company's legal obligations, regulated in the Law on Electronic Communications, Law on Cyber Security , Law on Electronic Document and Electronic Authentication Services, Trade Law, Consumer Protection Law, Law on the Ministry of Internal Affairs and issued by-laws under their application, for the needs of providing information to the authorities of the Ministry of Internal Affairs or officials authorized by them, for the needs of state fire control by the authorities for fire safety and protection of the population, the authorities of the National Revenue Agency, Commission for the Protection of consumers, etc.;
(c) Fulfilling the requirements of the labor, insurance and social legislation in relation to the employees;
(d) Fulfillment of obligations regulated in accounting and tax legislation;
(e) Other lawful purposes related to the physical and informational security of the site and IT systems and protection of the legitimate interests of "AECO SPACE" Ltd;
Provision of personal data
"AECO SPACE" Ltd. provides personal data to competent state authorities in fulfillment of their legal obligations, including, but not limited to: Ministry of Internal Affairs, Consumer Protection Commission, National Revenue Agency, National Insurance Institute , etc.
AECO SPACE Ltd. uses third parties to support certain activities such as: trading companies providing various services, including accounting, communications, recruitment/labour and payroll, occupational medicine, other providers of electronic communication services, banks, etc. The collected information can be shared with this person or with the person who manages the building in which the object/office of "AECO SPACE" Ltd is located , and if necessary with other persons who have their own or rented/used premises in the same building, in cooperation with other trading companies-partners for the provision of products, services or proposals in connection with the implementation of the subject of activity . In all such cases, "AECO SPACE" Ltd. will bind these third parties with a contractual obligation to process the provided personal data in accordance with the applicable legislation on the protection of personal data.
In view of the fact that the GDPR provides guidelines for the controller of personal data to outsource the processing of personal data only to persons who have a reason to receive them and provide sufficient guarantees for the application of appropriate technical and organizational measures in such a way that they meet of the requirements of the regulation: "AECO SPACE" Ltd ( in all these cases) will take the necessary measures to protect the rights and interests of the subjects of the personal data, based on the concluded express contracts with the processors of the personal data to guarantee the security of the data and protection of their confidentiality, which regulate the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the administrator according to Art. 28 of the GDPR.
Sharing of your personal information
We share your personal information with third parties. For example, we use Shopify to power our online store - you can read more about how Shopify uses your personal information here: https://www.shopify.com/legal/privacy. We also use Google Analytics to help us understand how our customers use the site - you can read more about how Google uses your personal information here: https://www.google.com/intl/en/policies/privacy/. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
Information about you may be collected in the process of interaction with third parties - partners for providing services or social network services in accordance with the settings for these services or other persons who have the right by law to share personal data with "AECO SPACE" Ltd. AECO SPACE Ltd. also uses and shares this information (and may add this information to other information it has about the subject) for the purposes described in this Policy.
" AECO SPACE" Ltd uses a subscription service with HubSpot Inc. – you can read on more for this at: https://legal.hubspot.com/dpa and https://legal.hubspot.com/terms-of-service , Microsoft SharePoint – you can read on more for this at https://privacy.microsoft.com/bg-bg/privacy and https://privacy.microsoft.com/en-us/privacystatement , a service of Stripe Inc. – you can read on more for this at: https://stripe.com/en-bg/privacy and hosting services provided by Hetzner Online GmbH , based on a concluded contract under the conditions described at https://www.hetzner.com/ – you can read more about this at https://www.hetzner.com/legal/privacy-policy.
In certain cases, "AECO SPACE" Ltd may need to transmit (transfer) personal data to third countries outside the European Union, when - the transmission is necessary for the performance of a contract between the data subject and the administrator or for the performance of pre-contractual measures taken at the request of the data subject or the transmission is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
In the event that it becomes necessary in connection with the company's international activity and cooperation, business trips, participation in international forums and other events, "AECO SPACE" Ltd. carries out the transfer subject to the relevant conditions and guarantees, according to Chapter V of the GDPR and -specifically in accordance with the Standard Contractual Clauses (according to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ) and in view of the Decision of the Court of Justice of the EU of 16 July 2020 in Case C-311/18 and Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries according to Regulation (EU) 2016/679 of the European Parliament and of the Council and the Privacy Principles Shield .
In cases where AECO SPACE Ltd. is a joint administrator with other companies within the meaning of Art. 26 of the GDPR, "AECO SPACE" Ltd. necessarily concludes a separate written agreement with the other joint administrators, in which the respective responsibilities for fulfilling the obligations under the GDPR are allocated, including regarding the exercise of the data subject's rights and their respective obligations to provide information .
In cases where "AECO SPACE" Ltd., in its capacity as an administrator, uses processors of personal data, "AECO SPACE" Ltd. selects only those who are able to guarantee that they will apply appropriate technical and organizational measures in such a way that the processing takes place in accordance with the requirements of the applicable legislation for the protection of personal data and provides an adequate level of protection of the rights of data subjects. For this purpose, before entering into a contract with a personal data processor, "AECO SPACE" Ltd. must familiarize itself with the personal data protection policy of the processor, and clauses for the protection of personal data are included in the contract for the provision of services in accordance with Art. 28 of the General Regulation .
In cases where AECO SPACE Ltd., in its capacity as an administrator, exchanges personal data in fulfillment of its rights and obligations under a contract with another administrator, the contract includes rules for the protection of personal data shared between the parties, in order to fulfill the legal obligations of each administrator in accordance with the requirements of the current legislation on the protection of personal data and settlement of relations between the parties in a transparent manner.
Terms of storage of personal data
The collected personal data are stored until the end of the term of the provided service, the relationship with "AECO SPACE" Ltd. or according to the prescribed limitation periods in the current legislation.
As a rule, the use of personal data is terminated when the purposes for which they were collected are achieved (for example, the provision of the relevant service or the performance of the contract), but not before the final settlement of all financial obligations and the expiration of the statutory periods defined in the Law on Obligations and Contracts (LOC) limitation periods for making claims (5 years according to Art. 110 of the LOC and 3 years according to Art. 111 of the LOC), the Consumer Protection Act (LOC) (3 years according to Art. 140 of the LOC).
In some cases, the collected personal data is stored by virtue of a legally defined term in a special law.
According to Art. 38, para. 1 of the Tax and Insurance Procedural Code (TIPC), accounting and commercial information, as well as all other information and documents of importance for tax collection and mandatory insurance contributions are stored by the obligated person in accordance with the procedure established in the Law on the National Archive Fund, in the following deadlines:
- payroll - 50 years;
- accounting registers and financial statements - 10 years;
- documents for tax and insurance control - 5 years after the expiration of the limitation period for repayment of the public obligation to which they are related;
- all other carriers - 5 years.
After the expiration of the term for their storage, the carriers of information under para. 1 (paper or technical), which are not subject to transfer to the National Archive Fund, may be destroyed (Art. 38, Para. 2 of TIPC).
According to Art. 38, para. 3 of the Code of Criminal Procedure, the obliged persons who, when creating and processing all or part of the information under para. 1 use information systems, products or archives, store the created data in electronic form for the period under para. 1 regardless of their storage on another medium. The obligations under para. 1 and 3 of Art. 38 of the Code of Civil Procedure also has the legal successors of the obliged persons.
The personal data of job candidates who are not approved for appointment at "AECO SPACE" Ltd. are stored for the period determined according to the current regulations in the field of personal data protection (6 months), from the end of the procedure, after which returned to the person or destroyed. Personal data may be stored for a longer period, for the purpose of making job offers, only with the applicant's written consent.
The personal data of the workers at "AECO SPACE" Ltd are stored within the time limits according to the current labor and insurance legislation.
The personal data contained in accounting documents are stored within the terms of Art. 12 of the Accounting Act:
Accounting information is stored on paper and/or on a technical medium in the following terms:
- payrolls - 50 years, starting from January 1 of the accounting period following the accounting period to which they refer;
- accounting registers and financial statements, including documents for tax control, audit and subsequent financial inspections - 10 years, starting from January 1 of the accounting period following the accounting period to which they refer;
- all other carriers of accounting information – three years, starting from January 1 of the accounting period following the accounting period to which they refer.
Upon achievement of the purpose for which they were collected or expiration of the legally defined storage periods, the personal data (which are not subject to transfer to the National Archive Fund) are destroyed or deleted in an appropriate manner according to their carrier. In certain cases, " anonymization " or " pseudonymization " can be performed (" anonymization " - all personally identifiable elements allowing the identification of a natural person are irreversibly deleted. There is no legal obligation to delete anonymized data, as it does not constitute personal data; " "pseudonymization " within the meaning of Article 4, paragraph 5 of the GDPR means the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without using additional information, provided that it is stored separately and is subject to technical and organizational measures to ensure that personal data are not linked to an identified natural person or an identifiable natural person).
Personal data is not destroyed, deleted or anonymized if it is necessary for pending legal proceedings, administrative proceedings or proceedings for consideration of a complaint before another competent authority.
Register of processing activities
AECO SPACE Ltd. maintains a register of personal data processing activities, pursuant to Art. 30, para. 1 of the GDPR, containing information on:
- the name and contact details of the administrator and with the data protection officer;
- the purposes of processing;
- description of categories of data subjects and categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- the transmission of personal data to a third country or international organization, including the identification of this third country or international organization, documentation of the appropriate safeguards (when applicable);
- the stipulated terms for deletion of the various categories of data;
- general description of technical and organizational security measures;
- the documents used to process personal data.
The register is maintained in written form and in electronic format. It is not public and is provided only to the competent authorities (CPDP) upon inspection and request.
Access to the register is available to the employees of "AECO SPACE" Ltd. , who have been assigned this in connection with the processing and implementation of the protection of personal data.
Security of personal data
"AECO SPACE" Ltd. implements all appropriate technical and organizational measures to ensure the security of personal data, including undertaking an express obligation of professional secrecy and confidentiality.
All areas where paper and electronic records containing personal data are available are stored and restricted only to employees for the purpose of fulfilling their job duties, in accordance with the "Need to Know" principle. All records and paper documents containing personal data are stored in locked cabinets in restricted access rooms accessible only by authorized personnel.
Data is protected through the use of physical access control and door locking. All premises where paper data is stored are located in restricted access areas and are protected by access control, locking containers or other similar means. Electronic media, including servers, are similarly protected in dedicated climate-controlled areas.
Personal data is processed in a non-public part of the premises, which is physically limited and accessible only by employees who need to have access in order to perform their official duties.
The personal data of employees is processed by a company with which a contract for processing personal data has been concluded in accordance with the GDPR.
The communication and information systems used to process personal data are separated from the areas accessible to visitors and are physically protected. Access to them is limited only to those employees who need it for the performance of their official duties.
Physical access to restricted access areas, including those where information systems (computers, servers, communication equipment) are located, is possible only through locked access doors. Access is granted only to employees to whom it is directly assigned or necessary for the performance of their official duties, after proper authorization.
The following technical measures have been taken: electronic access control system; locking of premises, metal boxes and cabinets; fire alarm system and fire extinguishers; security guards; air conditioning of the premises.
"AECO SPACE" Ltd. processes personal data in a way that guarantees an appropriate level of their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures .
In accordance with Recital 49 of the GDPR, the processing of personal data is to an extent that is strictly necessary and proportionate to the objectives of ensuring network and information security, i.e. the ability of a given network or information system to withstand, with an appropriate level of confidence, random events or illegal or malicious actions that affect the availability, authenticity, integrity and confidentiality of personal data stored or transmitted, as well as the security of related services, provided or accessed through these networks and systems, by public authorities, computer incident response teams (CIRCTs), computer security incident response teams (CRISCs), providers of electronic communications networks and services, and technology providers and security services, is a legitimate interest of the relevant data controller. This may include, for example, preventing unauthorized access to electronic communications networks and the spread of malware, and stopping denial-of-service attacks and damage to computers and electronic communications systems.
"AECO SPACE" Ltd. takes measures to guarantee the security of their processing considering:
- the achievements of technical progress, the costs of implementation and the nature, scope, context and purposes of processing, as well as risks of varying probability and severity for the rights and freedoms of natural persons, the administrator and the processor of personal data apply appropriate technical and organizational measures to ensure level of security commensurate with this risk, including, inter alia , when appropriate:
- pseudonymization and encryption of personal data;
- introduction of personal user accounts and personal passwords for each user;
- ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ability to promptly restore availability and access to personal data in the event of a physical or technical incident;
- a process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to guarantee the security of the processing;
- anonymization or destruction of paper and electronic documents containing personal data, incl. their copies, as well as records in databases, files, etc., which are no longer needed and/or there is no legal basis for their further storage (including shredding , burning, deletion or other appropriate method).
Employees are familiar with the regulations in the field of personal data protection and the Personal Data Protection Policy of "AECO SPACE" Ltd. Sharing of personal identifiers, access passwords and other similar information among staff is prohibited . Employees are provided with training on personal data protection immediately after their employment and at least once a year. There is an obligation not to disclose personal data received during and on the occasion of the performance of duties by signing a declaration.
Access is limited and granted only to authorized personnel in accordance with the principle of "Need to know" and only for specific, minimally necessary data needed to perform specific duties.
In the event of a breach of personal data security, "AECO SPACE" Ltd will notify the supervisory authority of the breach of personal data security without undue delay and when feasible - no later than 72 hours after becoming aware of it .
Rights of data subjects
The GDPR regulates the rights of the data subject in detail (Article 12 et seq.). Every natural person whose data is processed by "AECO SPACE" Ltd has the following rights: right to transparent information, communication and conditions for the exercise of the data subject's rights, right to information provided when collecting personal data from the data subject and of access to them, right of correction, right of correction and deletion of personal data (right "to be forgotten"), right to restriction of processing, right to receive and portability of personal data, right which is correlative to the obligation of the administrator to be notified when correcting or deleting personal data or restricting processing, right to object to the processing of personal data, right of the data subject not to be subject to a decision based solely on automated processing, including profiling, which gives rise to legal consequences for the data subject or in a similar way affects him to a significant extent, right of protection before the competent authorities.
In accordance with the GDPR, "AECO SPACE" Ltd. provides pre-made declarations in an understandable and easily accessible form, in clear and simple language, which do not contain unfair clauses.
In accordance with the Law on the Protection of Personal Data, the above-mentioned rights can be exercised by submitting a written application to the address: Sofia, Bulgaria, bul. Professor Tzvetan Lazarov 105A. An application can also be made electronically, as follows of the Law on electronic document and electronic authentication services at the address: email@example.com. The application is made personally by the data subject or by a person expressly authorized by him with a notarized power of attorney, a copy of which is provided with the application.
A response to a request for an exercised right is prepared on paper and received by the applicant at the address of "AECO SPACE" Ltd. after verifying the identity of the applicant by reference to an identity document presented by the latter. A reply shall be provided in two copies, one for each party, signed by the applicant.
All individuals - data subjects have the right to access their personal data stored by "AECO SPACE" Ltd, as well as the right to correct and supplement such data. All requests for access, correction, blocking and/or deletion of personal data should be sent to the Administrator of personal data at the following addresses: Sofia, Bulgaria, bul. Professor Tzvetan Lazarov 105A, E-mail: firstname.lastname@example.org.
The personal data administrator sends the sender a confirmation of receipt within 5 working days after receiving the request and a specific motivated response to the request within 10 calendar days. When this is not possible, the sender is notified of the next steps and the reasons for the delay. In this case, the final response of the Personal Data Administrator should be sent to the sender within 30 calendar days.
In the event of irregularities or apparent abuse by the data subject in exercising his rights, the Personal Data Administrator may consult a supervisory competent authority regarding the request and/or refer the data subject to the data protection officer to take a decision on the admissibility of the request and the relevant follow-up.
Protection of data subjects' rights
In accordance with the GDPR and the Law on the Protection of Personal Data, any natural person who believes that his right to the protection of his personal data has been violated may submit a complaint to the Commission for the Protection of Personal Data at the address: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" No. 2, website: www.cpdp.bg.
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e‑mail at email@example.com or by mail using the details provided below:
Boulevard "Professor Tsvetan Lazarov", 105A,
1582 Sofia , Bulgaria