1.1. EVOLINK AD attaches great importance to the confidentiality of the personal data of its clients and partners. The purpose of this policy is to inform you of the ways in which we collect, use, disclose, transfer and store personal data, the purpose of processing the collected personal data and the duration of its storage related to the use of services provided by EVOLINK AD.
The personal data we collect is controlled by EVOLINK AD, which is responsible for it within the meaning and in accordance with Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) and the Electronic Communications Act, the Personal Data Protection Act and other applicable legislation in the Republic of Bulgaria.
II. Information and contacts
2.1. Administrator / processor of personal data
Headquarters: “Mladost-1”, bl. 54, entr. 1, floor 1, apt. 1-2, Sofia, Bulgaria
Correspondence Address: Ovcha Kupel, 16B Barzaritza Street, 1618 Sofia, Bulgaria
Phone: +359 2 9691555,
Registered in the Commercial Register of the Registry Agency under UIC 131350551,
2.2. Personal Data Protection Officer at EVOLINK AD:
Address for correspondence: Sofia 1618, Ovcha Kupel, 16B Barzaritza Street,
Telephone: +359 2 9691555,
2.3. Supervisory Authority for Personal Data Protection in the Republic of Bulgaria:
COMMISSION FOR THE PROTECTION OF PERSONAL DATA
Address: Sofia 1592, "Prof. Tsvetan Lazarov "№2,
Center for Information and Contacts - phone: +359 2 9153518,
III. Collection, storage and processing of personal data by Evolink AD as a data administrator
3.1. Reasons for collecting, storing and processing personal data from EVOLINK AD
EVOLINK AD collects, processes and stores personal data to its clients and partners on the following occasion:
• The presence of a free, specific, informed and unambiguous consent from the data subject. When processing is done on this basis, the subject of personal data may withdraw it at any time by contacting us using the contact details as specified in 2.1 and 2.2. of the present Policy. The withdrawal of the consent does not affect the lawfulness of the processing performed by EVOLINK AD, based on the given consent prior to its withdrawal;
• To fulfil the obligations of EVOLINK AD under contracts with clients or with partners;
• To respect the legal obligations that apply to EVOLINK AD;
• For the purposes of the legitimate interests of EVOLINK AD in its relations with clients and partners, to ensure the necessary quality of the provided services, to ensure the necessary level of security in the data centres of Evolink AD, to exercise and protect our legal rights and other cases of legitimate interests of the company.
The provision of the relevant personal data mentioned in point 3.3 below by our clients and partners is a requirement necessary for the provision and maintenance of the services provided by Evolink AD. In the event that a user does not wish to provide us with personal data, this makes it impossible to provide services by EVOLINK AD.
3.2. Collection of personal data
EVOLINK AD collects personal data from its clients and partners in the following cases:
• When it is necessary to carry out a feasibility study on the technical availability to provide services;
• To prepare and submit offer (s);
• To conclude and execute a contract (s);
• Upon initial configuration of the services and in the process of their maintenance and support;
• To identify the persons authorised to access the technical sites and Data centres of EVOLINK AD;
• To perform registrations in public Internet registers (RIPE, domain registers, SSL certificates, etc.) in the name and on behalf of the client;
• Creation and management of registered accounts in the Evolink’s web pages;
• When accepting online requests for services and online payments;
• When using the contact forms on Evolink’s web pages.
3.3. Types of personal data that EVOLINK AD collects and processes
Depending on the purpose of processing specified in paragraph 3.4. below and in abiding by the principle of minimizing the collection of data, EVOLINK AD collects and processes personal data, which may include:
• Phone number;
• E-mail address;
• Personal identification number;
• Permanent address or correspondence address;
• Traffic data;
• Video recordings of security systems at the Evolink data centres.
3.4. Objectives of processing the collected information
EVOLINK AD uses the collected personal data of its clients and partners for the following purposes:
• Name, telephone number, address and e-mail address - for communication regarding the preparation, conclusion and execution of contracts with Evolink AD as well as for the provision of services ordered online through the sites of EVOLINK AD;
• Name and Personal Identification Number - to identify the persons authorized to access the client equipment located in one of the Evolink Data Centres, as well as for managing, including accounting and legal, of orders/contracts with individuals;
• Permanent address or address for correspondence - for managing orders/contracts with individuals and for their accounting and legal services;
• Traffic data for the provision of electronic communications services including IP addresses, MAC addresses, e-mail addresses, sessions data, protocols, used communication devices and software - are collected automatically for the provision of electronic communications services;
• Real-time IP communication samples - analysed when providing network security protection services to prevent and filter the attack traffic;
• Email communication - analysed by automated systems to provide SPAM and computer virus protection services;
• Non-personal information - to improve our services and to analyse the behaviour of visitors to our websites.
3.5. Privacy of personal data
EVOLINK AD will not sell, exchange, transfer or transmit your personal information to any third party for any reason without your explicit consent, except in case of need to fulfil your request for providing, modifying or terminating a service; as well as in cases of necessity to disclose information to competent authorities by virtue of a law, court decision or other appropriate act, and/or if its disclosure is necessary for solving crimes in the Republic of Bulgaria and/or abroad.
3.6. Protection of information
EVOLINK AD applies various measures in order to protect the personal data of its counterparties. We use the state-of-the-art technical means to keep your data protected. At Evolink we have developed and adhere to strict rules regarding the access to our customers’ and partners’ personal data. Only company personnel whose job requires access to such personal data are authorised to operate with it and their access is limited only to the information they need in order to perform their tasks for providing and supporting the services and only limited to the time limits they need to perform these tasks.
3.7. Disclosure to recipients of personal data
EVOLINK AD provides personal data to the following categories of recipients:
• Bodies, institutions and persons to whom we are required to provide personal data under current legislation;
• Electronic Payment Systems and / or Banking Institutions in connection with payments you have made for the use of services;
• Companies from the group of EVOLINK AD;
• Subcontractors of EVOLINK AD, engaged in the provision of services - only contact details provided by the clients;
• Companies and persons performing accounting and legal services to EVOLINK AD.
3.8. Term of storage of personal data
3.9. Consumer rights (personal data subjects)
Customers of EVOLINK AD have the following rights related to their personal data:
• Right of access: You may at any time request from EVOLINK AD:
o Acknowledgment of whether we process personal data that relates to you. In case we process such data - to be allowed access to this data, as well as information about the processing purposes, categories of personal data, recipients, or recipient categories to which we disclose them, as well the term envisaged for its storage;
o The logic of automated processing of personal data relating to you in the case of automated decision taking;
o The sources of personal data, including if they are from a publicly accessible source.
• Right to correction and deletion: You may at any time request:
o Evolink to correct inaccurate personal data relating to you, and to fill in your incomplete personal data, if any;
o Evolink to delete your personal data following the legal requirements in the process.
• Right to Limitation of Processing: This right may be exercised when you dispute the accuracy of your personal data for the duration of the verification of its accuracy, in the case of unlawful processing, if you do not want the data to be deleted, but only to limit their processing if the data are unnecessary for EVOLINK AD but you require them to fulfil your legal claims as well as the term of review in case of objection from you to the processing;
• Data portability: You have the right to receive the personal data that concerns you and which you have provided to Evolink AD in a structured, widely used and machine readable format and you have the right to transfer this data to another Administrator without hindrance from EVOLINK AD when EVOLINK AD processes your data under a contract and it is based on your declaration of consent or contractual obligation and if the processing is done in an automated way;
• Right of objection: You have the right at any time to object to the processing of personal data relating to you, including against profiling. EVOLINK AD will terminate the processing of your personal data unless, in accordance with the specific situation, there are compelling legal grounds for the processing or establishment, exercise or protection of legal claims;
• Right to file a complaint: If you believe that your personal data processed in connection with the use of services by EVOLINK AD violates your rights or any law regulations, please contact us using the contact details listed above in this document.
You also have the right to file a complaint by contacting the Data Protection Supervisor of the Republic of Bulgaria represented by the Personal Data Protection Commission. Contact details of the Personal Data Protection Commission are listed in paragraph 2.3 above.
We also use analytics for visitors’ behaviour on our websites from renowned online services such as Google Analytics. The information we collect is summarized and anonymous, including operating system data, browser type, ISP, etc. This information is useful to us in order to better understand the needs of our customers, to improve the functionality of our websites and to provide more reliable and quality services.
EVOLINK AD does not collect or process personal data of persons under 18 years of age. If we learn that we have inadvertently collected personal data on a person under the age of 18, we will immediately take the necessary steps to erase all available information that relates to him/her.
IV. Processing of personal data by Evolink AD as a personal data administrator
4.1. Scope and responsibilities
As a personal data administrator EVOLINK AD:
• Processes personal data on behalf of personal data administrators for the purposes and means defined by these administrators by written agreements with them;
• refrain from using personal data for purposes other than those expressly indicated by data administrators in written agreements with them;
• Processing personal data under the General Data Protection Regulation (Regulation (EU) 2016/679) and in line with the commitments made with the contracts concluded with the personal data administrators;
• Complies with all necessary conditions for the inclusion of other personal data processor, if such is necessary in connection with the execution of the contracts signed with the data administrators.
EVOLINK AD is solely responsible for the processing of personal data according to the specifics of the provided services and the contracts signed with the administrators, in accordance with the instructions of the administrators and the controlling body.
4.2. Technical and organizational measures
As a personal data administrator, EVOLINK AD applies appropriate technical and organizational measures in such a way that the processing is in accordance with the requirements of the General Regulation on the Protection of Personal Data (Regulation (EU) 2016/679), the legislation applicable in the Republic of Bulgaria and to protect the rights of data subjects.
For this purpose EVOLINK AD:
• Applies data protection principles to the design stage and by default;
• Keep records of processing activities and assess the impact on data protection;
• Ensures the necessary level of security, taking into account the risks of different probabilities and weight on the rights and freedoms of individuals, including ensuring continued confidentiality, integrity, availability and sustainability of processing systems and services, ability to restore personal data availability and access in a timely manner in the event of a physical or technical incident;
• Evaluates the appropriate level of security, taking into account the risks associated during processing with accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to transferred, stored or otherwise processed personal data;
• Performs regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures taken with a view to maximum processing security.
4.3. Authorized persons and persons acting under the direction of Evolink AD
Persons authorised by EVOLINK AD to process personal data have committed to confidentiality or are legally bound to keep confidentiality.
Individuals acting under the control of Evolink AD who have access to personal data relating to the execution of signed contracts with personal data administrators shall process such data only at the direction of the administrators unless the person concerned is required to do so under the power of EU law or the law of a Member Country.
4.4. Notification to data administrators
EVOLINK AD notifies the data administrators in the following cases:
• If according to EVOLINK AD, a mandate violates the General Regulation on Personal Data Protection (Regulation (EU) 2016/679) or other EU or Member State provisions on the protection of personal data;
• In case of data leakage or other breach, EVOLINK AD informs the affected administrators about this by providing them with full and accurate information about the violation, including details of the alleged reasons, the known and/or expected consequences, the proposed solution and the measures taken.
Personal data administrators are required to notify Evolink AD of checks performed by data protection authorities in relation to personal data processed by Evolink AD and requests received from data subjects if the requests relate to the data that are subject to processing by Evolink AD.
4.5. Relations with data administrators and assisting in the performance of their duties
Taking into account the nature of the processing and the information to which it is given access in connection with the execution of the contracts concluded with the administrators, EVOLINK AD assists the administrators on behalf of which it processes personal data for:
• Guarantying the fulfilment of their obligations to ensure security of the data processing, including notification to the supervisory authority; and notifying a data subject about personal data breach, data protection impact assessment and prior consultation with the supervising authority;
• Responding to requests for the exercise of the rights of data subjects, as far as possible, through appropriate technical and organizational measures.
EVOLINK AD provides access of the data administrators, to all information necessary to prove the fulfilment of the personal data processing obligations related to the execution of the signed contracts with them.
At the discretion of the data administrators, EVOLINK AD deletes or returns all personal data after termination of the processing services under contracts concluded with them, deleting existing copies, unless EU law or the member country law requires their storage.