Privacy and Data Security Policy for Individuals

This document contains the Personal Data Security Policy for individuals (“Policy”) and is related to the General Terms and Conditions, but is not an integral part of them, as it does not regulate rights and obligations. Instead, its purpose is to explain to users what personal data we process, how we process it, for what purpose, and what security measures apply. Additionally, it provides information about the rights that you, our clients and users, have in relation to the processing of personal data by “IMG CONNECT” Ltd., UIC 207379619, VAT No. BG 207379619, with its headquarters and address at: Varna, 4 Bragalnitsa Street. In case of any changes to this Policy, the changes will be published here.

Date of last update: January 10, 2024.

Your privacy is extremely important to us. This security policy outlines the personal data we collect from you through our interactions and how we use that data.

---

DATA CONTROLLER

“IMG CONNECT” Ltd., UIC 207379619, VAT No. BG 207379619, with its headquarters and address at: Varna, 4 Bragalnitsa Street, contact phone +359 886 991 001; email: events@internetmediagroup.org (hereinafter referred to as “We”, “online store”, “Site”, “Website”, “administrator”, IMG CONNECT) is the data controller for the information, including personal data, collected or provided when browsing the website www.digital4bulgaria.com or making a purchase through it, as well as when browsing or purchasing a service through our Facebook page (hereinafter all collectively referred to as “Site”, “Internet Page”). The Policy also applies in cases where, as individuals (hereinafter “Data Subjects”), you voluntarily provide us with personal data via electronic means (such as email), by phone, or through other methods, including in person at our commercial facility or office. IMG CONNECT processes personal data from inquiries made by you, as well as for marketing and advertising purposes, profiling, participation in games, promotions, and raffles organized by us, and for any other purposes not prohibited by law. In processing personal data, IMG CONNECT adheres to all applicable laws related to data protection, including but not limited to Regulation (EU) 2016/679 (“Regulation”) and the Personal Data Protection Act, because the security of our clients’ personal data is of paramount importance to us. Therefore, this Policy also applies in these cases.

---

DATA PROTECTION RESPONSIBLE PERSON

The responsible person for data protection is Preslav Bobev.

Correspondence address: Varna, 4 Bragalnitsa Street

Email address: events@internetmediagroup.org

Contact phone: +359 886 991 001

APPLICABILITY OF THE POLICY

This Policy applies to all our clients – individuals who use our services through orders placed on the Website or show interest in them by sending inquiries (hereinafter referred to as “data subjects” or “users”).

Partners and third parties who work with or for IMG CONNECT, as well as those who have or may have access to personal data, will be expected to familiarize themselves with, understand, and comply with this policy. No third party can access personal data stored by IMG CONNECT without the company having first entered into a data confidentiality agreement, which imposes obligations on the third party that are no less burdensome than those assumed by IMG CONNECT, and which allows IMG CONNECT to conduct compliance checks on the obligations set out in the agreement.

This policy applies to all employees/workers (and stakeholders) of IMG CONNECT, as well as external suppliers of products and services with whom IMG CONNECT has contracts. Any violation of the General Data Protection Regulation (GDPR) will be considered a breach of labor discipline, or non-performance of contracts with partners, and if there is any suspicion of a criminal act, the matter will be referred for consideration to the relevant state authorities as soon as possible.

For visitors to the Website who do not place orders or send inquiries, but only browse our internet page, the Cookie Policy published on the Website applies.

---

DEFINITIONS

“Regulation” – The General Data Protection Regulation (GDPR) 2016/679 from April 27, 2016. The aim of this European legislative act is to protect the “rights and freedoms” of individuals and ensure that personal data is not processed without their knowledge, and where possible, is processed with their consent.

“Personal data” – Any information relating to an identified or identifiable individual (“data subject”); an identifiable individual is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

“Special categories of personal data” – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or membership in trade unions, and the processing of genetic data, biometric data for the unique identification of an individual, data related to health or data regarding the sexual life or sexual orientation of an individual.

“Processing” – Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making data available, alignment or combination, restriction, erasure, or destruction.

“Data controller” – Any natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a member state, the data controller or the specific criteria for its designation may be provided for in EU or member state law.

“Data subject” – Any living individual whose personal data is processed by the data controller.

“Data subject’s consent” – Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, through a statement or clear affirmative action, consent to the processing of their personal data.

“Child” – The General Regulation defines a child as any person under the age of 16. Processing of personal data of a child is lawful only if the child’s parent or guardian has given consent. The data controller makes reasonable efforts to verify that the holder of parental responsibility for the child has given or is authorized to give consent.

“Profiling” – Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects related to a natural person, and specifically to analyze or predict aspects concerning the performance of the individual’s professional duties, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Personal data breach” – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

“Recipient” – A natural or legal person, public authority, agency, or another body to whom personal data is disclosed, whether a third party or not. Public authorities who may receive personal data in the course of a specific inquiry in accordance with EU law or the law of a member state are not considered “recipients”; processing of such data by those public authorities is subject to applicable data protection rules in accordance with the purposes of the processing.

“Third party” – Any natural or legal person, public authority, agency, or body other than the data subject, the data controller, the data processor, and persons who, under the direct authority of the data controller or the data processor, are authorized to process personal data.

PRINCIPLES

When collecting and processing personal data, we are guided by the following principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.

---

DATA SUBJECTS WHOSE DATA WE PROCESS

In connection with its activities, “IMG CONNECT” Ltd. enters into and executes distance contracts, reviews job applications and offers, user rights exercise forms, as well as data subject requests, responds to inquiries, issues and receives invoices, processes statistical data, manages a user panel on the website, and conducts advertising activities through campaigns (promotions, games, etc.). In the course of these activities, IMG CONNECT processes information related to the following data subjects:

• (a) Individuals using the website without registration, without providing any personal data (in this case, we process data, but not personal data) and individuals using the website without registration who have voluntarily provided a limited number of personal data (e.g., phone number and/or email address).

• (b) Individuals using the website with registration as registered users – in these cases, we process user data entered during registration – email address, delivery address, name, billing data, order details, and other data entered by the user.

• (c) Individuals who have made inquiries (including via phone), requests, initiatives, complaints, or other correspondence to us, including through the website, phone, email, or other means.

• (d) Individuals whose information is contained in inquiries (including via phone), requests, initiatives, complaints, or other correspondence addressed to us.

• (e) Individuals with whom we enter into contracts (civil, including commercial or employment contracts, mainly distance contracts) electronically (via the website or social networks, as well as by email) or in person at our office or retail location.

• (f) Individuals whose data we have received from third parties (for example, when placing an order intended as a gift).

---

PERSONAL DATA WE PROCESS

Depending on the reason for processing personal data, the types of data may vary. The functionalities provided on the website are not intended for the storage and processing of special categories of data within the meaning of Articles 9 and 10 of the Regulation. (Note! Read Articles 9 and 10 of the Regulation here). We only require personal data that is necessary for providing the activity/service/product we offer. In the course of using the website, we may also process other data that does not contain personal data but relates to the subject, such as their IP address, activity data on the website, etc.

Data Provided During Event Registration

To fulfill the distance contract entered into between you and IMG CONNECT for participation in an event, we require certain information from you. You decide whether and how to use the options to enter into a distance service contract provided through the Website or Facebook page. In the forms where personal data is entered, we clearly mark the mandatory or voluntary nature of providing the data. Data that is mandatory is data without which we cannot enter into the respective contract. These are: name, email address, delivery address, contact phone number, your payment information (e.g., bank card), billing data, including your ID number if you want an invoice issued to an individual. If you provide data about third parties who will receive the order (e.g., in the case of gift orders or other types of donations), you are responsible for providing this data to those third parties.

Data Provided During Website Registration

If you choose to store your information in the Website through registration of a profile, we store the above-mentioned data as well as the order history for each registered account. The required data corresponds to those requested during an order. Additionally, we process the IP address, activity data (e.g., registration time, acceptance of the Privacy Policy and Terms and Conditions, account login, etc.).

Data Provided During the Conclusion of Other Contracts

In cases where IMG CONNECT enters into other contracts with individuals, different from distance sales, we require the full name, personal identification number, address, and email address.

Data Provided by, Through, and to Other Websites and Applications (Third Parties)

In certain cases, you may have the opportunity to share information with social networks or use their websites to create your profile or link your profile on our website with the respective social network. In such cases, the social network may provide us automatic access to certain personal information they have collected about you (e.g., content you have viewed, content you want, and information about ads you have been shown or clicked, etc.). By linking your social network profile with your account on our website, you allow us to access your personal data processed by the respective social network and to collect, use, and store this information in accordance with this Privacy Policy. The linking of your social network profile to our website registration occurs if you click on a link provided to create registration via social media, thereby voluntarily establishing a connection with the respective social media site.

If you provide your personal data to IMG CONNECT via Viber, Skype, Facebook, or another platform/social network, we inform you that these platforms/websites/social networks have their own privacy policies, and we do not accept any responsibility or liability for these policies as their processing cannot be controlled by IMG CONNECT. Therefore, we recommend that you check these policies before submitting your personal data to us via these websites/applications.

Data Provided When Posting a Comment, Review, or Publication

If you leave a post or comment on this website, your IP address will be stored along with your name if you have entered that information. This is for the security of the website operator. If your text violates the law, the operator may need to trace your identity. Additionally, IMG CONNECT has an obligation to store this data (referred to as “traffic data”) for specific periods and for specific purposes, as outlined below. Since sending comments, inquiries, and other messages to the website, Facebook page/group, or their administrators constitutes sending an electronic statement, according to the Electronic Document and Electronic Certification Services Act (“EDES”), the administrator is obliged to maintain logs of the submission for a period of 1 year. The log contains the date of the statement, name, and email address of the sender.

Employee and Job Application Data

We process data when entering into employment contracts and when evaluating and processing job applications. When entering into employment contracts, we require the full name, personal identification number (EGN), address, age, gender, educational background, work experience, and bank details. Subsequently, we process health-related data. When processing CVs, we handle personal information such as names, addresses, email addresses, age, gender, education, work experience, photographs, and data voluntarily provided by the applicant during the interview or in the CV.

Data Provided for Correspondence, Complaints, and Reports

In order to resolve submitted complaints, reports, disputes, inquiries, requests, or other matters communicated to IMG CONNECT through electronic forms on the website, via phone calls to IMG CONNECT, or via regular or electronic mail, IMG CONNECT LTD stores and processes this information, as well as the results of this processing. This may include names, email addresses, phone numbers, and addresses.

Additionally, due to the fact that sending comments, inquiries, and other messages to the website, Facebook page, or administrators constitutes an electronic statement under the Law on Electronic Documents and Electronic Signature Services (“ZEDES”), we are required to maintain a log of the fact that the statement was sent (without its content) for a period of 1 (one) year. The log contains the date of the statement, the sender’s name and email address, and identification of the sender.

If you provide us with personal information about someone else, you must do so only with the authorization of that person. You must inform them about how we collect, use, disclose, and store their personal information in accordance with our current Privacy Policy.

Technical Data Collected During the Use of the Website

In addition, we collect information from your computer, phone, tablet, or other devices you use. This information may include the following:

• Device identifier, type of device, and unique identifier for that device, “log data,” including information automatically sent by your browser when visiting the website; this log data includes IP address, the address and activity of websites you visit, search terms, browser type and settings, date and time of your request, how you used the site, cookie data, and device data; if you want more details about the information we collect, please contact us through the contact form.

• Location information sent by the device if you have set it to share location data – please note that mobile devices allow you to control or disable location services for any application on your mobile device through the device settings menu.

• Information about the computer and connection, such as statistical data about page views, IP address, browsing history on the website, language settings, date and time.

• Logs for facilitating your searches – quick links for repeating previous searches give you the option to repeat your searches without entering them each time. This functionality can be used with or without registration. When using the website in your browser, a randomly generated number cookie is stored, allowing the site to show quick links to repeat previous searches. The website stores and shows the last 10 searches associated with this browser. When logged into your account, you can save and use them there. If you use the service with registration (currently an inactive feature), the last 10 searches are stored in your account.

• Logs related to security, technical support, development, etc.:

  • To ensure the reliable functioning of services and identify technical problems.

  • To ensure the security of services and detect malicious activities.

  • To develop and improve website services.

  • To measure website traffic and usability.

  • Logs when required by law (such as logs of electronic declarations).

  • Login logs for user accounts – this log allows the identification and automatic blocking of unauthorized attempts to access accounts; it is maintained for a period of 1 (one) year and contains the date and time of login, status, whether the login was through a mobile version, application, or desktop browser, IP address.

  • Server logs, logs from security devices (e.g., Web Application Firewalls), and other similar devices. These logs are necessary to identify technical problems, detect malicious activities, etc., as mentioned above. They are stored for a period of up to 1 (one) year. Logs may contain information such as date and time, IP address, URL, and browser/device information. Additionally, some devices may use security technology based on cookies.

  • Cookies – the use of cookies is necessary for the functioning of the website. A Cookie Policy has been adopted, and you can review it for more details regarding the types of cookies we use, their storage periods, and usage.

It is possible that we may choose to reduce the volume of data we store and process, depending on the purposes of the processing.

We do not require and will not collect or process personal data that reveals: race or ethnic origin; political, religious, or philosophical beliefs; membership in trade unions; genetic or biometric data; data concerning health, or data concerning sexual life or sexual orientation. If a subject voluntarily provides such categories of data, IMG CONNECT LTD is not responsible for the provision but is only obliged to apply the same protective measures as those for the required personal data. We do not transfer data to third countries. Additionally, we do not make automated decisions regarding personal data and do not process data of persons under the age of 16. If you are under the age of 16, you should not provide us with personal data about yourself.

For what purposes do we process your data?

The main purpose for which IMC CONNECT processes your personal data is generally related to providing services through the Website and social networks, namely entering into distance sales contracts and delivering the goods and services you have ordered, as well as accounting for revenue. We use your personal information to provide and improve our services, offer you a personalized experience on our website, communicate with you regarding your profile and our services, provide customer service, deliver personalized advertising and marketing based on your interests, conduct organized raffles and games, and, in certain cases, to detect and investigate fraudulent or illegal activities.

IMC CONNECT collects, uses, and processes the information described above for the purposes set out in this Policy, which may include:

• Entering into distance sales contracts for goods/services between you and IMC CONNECT via the Website or social networks: we require your identification, contact, and payment information to conclude a contract with you and to send your order.

• Entering into consumer credit agreements when you have requested a purchase of goods or services via credit.

• Processing payments and preventing fraudulent transactions (we may share your data with a third party to perform these functions).

• Entering into employment contracts and processing and evaluating submitted CVs.

• Protection and enforcement of the legitimate interests of other service users, third parties, and the Website – the legitimate interest pursues goals related to the legal interests of IMC CONNECT and/or third parties. These include:

  • Identifying and resolving technical issues or functional problems, developing and improving the purpose of the Website.

  • Communicating with you, including electronically, regarding important issues related to the services we provide and the execution of concluded contracts.

  • Targeting our marketing efforts, updating services, and offering promotional offers based on your preferences.

  • Receiving and processing complaints, requests, and other correspondence.

  • Safeguarding the rights and legitimate interests of the Website, including in court, and assisting in protecting the rights and legitimate interests of other users and/or affected third parties.

  • Administering and securing the website and application.

  • Analyzing and improving the use of our website, application, and retail activities (e.g., tracking how you navigate on our website, App, and/or stores).

  • Measuring and analyzing our advertising and offering suggestions and recommendations based on the information you share with us.

  • Communicating with you regarding your profile, resolving issues with your profile. When we contact you by phone to ensure efficiency, we may use automated or prerecorded calls and text messages.

  • Informing you about products and services you wish to receive information about via email, postal mail, mobile phone, and/or other digital means (depending on your stated preferences), including social media platforms – only when we have obtained your explicit consent for this.

  • Registering you on the website (in this case, we will use your personal information to maintain and update your profile, e.g., changing your address or marketing preferences).

  • Administering any contests/raffles/games organized by IMC CONNECT.

  • Providing you with location-based services (e.g., advertising, search results, and other personalized content).

  • Fulfilling IMC CONNECT‘s legal obligations, which include:

    • Complying with legal requirements for retaining or providing information for tax purposes (e.g., based on the Accounting Act and other tax laws such as VAT, income tax, corporate tax, tax procedure code, etc.).

    • Fulfilling obligations under the Labor Code, the Commercial Register Act, and the Register of Non-Profit Legal Entities, and other regulations.

    • Complying with directives issued by competent state or judicial authorities (e.g., based on the Ministry of Interior Act, Criminal Procedure Code, Electronic Surveillance Act).

    • Fulfilling obligations under the General Data Protection Regulation related to informing you of various circumstances related to your rights, the services provided, or the protection of your data.

    • Fulfilling obligations under the Consumer Protection Act, such as ensuring the right of withdrawal and statutory warranties.

    • Defending IMC CONNECT in court.

Your data may be processed based on your explicit consent, in which case the processing is specific and limited to the scope and extent set out in that consent. Typically, we request such consent when we wish to process your personal data without a legal obligation or legitimate interest for IMC CONNECT. Such consent is usually required when we wish to inform you about new promotions, products, etc.

Retention period of your personal data

When storing data, we apply the general principle of storing data in minimal volumes and for no longer than necessary to provide the services and fulfill the contracts, ensure their security and reliability, and comply with legal requirements. We will retain your personal information for the period necessary to achieve the purposes outlined in this “Privacy Policy,” unless required by law or based on our legitimate interest to retain it for a longer period. Depending on the type of data and the purposes for which it was collected, a specific retention period is determined, after which the information will be permanently deleted.

Type of Data	Retention Period	Basis for Processing
Registration data (name, surname, email address, phone number, address) Information about registration and acceptance of the Terms (date, time, IP address)	For the entire period of account maintenance on the Website and up to 5 years after account termination	Fulfillment of contractual obligations; compliance with legal obligations; protection of legitimate interests
Personal data from orders and issued or received invoices, payment documents (orders, statements), accounting, reporting, and payment documents	For the period during which the rights and obligations of the parties under the agreement are valid, up to 5 years after the termination of the agreement; certain data are stored for a legally defined period, between 5 and 50 years	Compliance with legal obligations and protection of the legitimate interests of the administrator
Personal data from employee personnel files	For the period of employment or as long as the rights and obligations of the parties are valid	Fulfillment of legal obligations and protection of the legitimate interests of the administrator
Personal data from correspondence, complaints, signals, requests, initiatives	Stored for up to 5 years based on the Law on Obligations and Contracts (prescription period for claims)	Protection of the legitimate interests of the administrator
Log confirming the submission of a comment, inquiry, order, or other statement (including sender, recipient, date, and time of the statement)	From 1 year to 5 years	Fulfillment of legal obligations and protection of the legitimate interests of the administrator
Quick searches	Until deletion by you; until account termination, or up to 6 months if used without registration	Consent of the data subject and protection of the legitimate interests of the administrator
Settings and system logs	Until deletion by you or account termination. If stored in cookies – between 6 and 12 months from the last use	Consent of the data subject. Fulfillment of legal obligations and protection of the legitimate interests of the administrator
Information stored in mobile application	For the period of use (until uninstalled)	Information necessary for the technical provision of services (such as settings, etc.)
Cookies	Between 6 and 12 months – depending on the type of cookie and your browser settings	Consent of the data subject and protection of the legitimate interests of the administrator

Exceptions to Data Retention Periods

Please note that we will not delete or anonymize your personal data if it is required for ongoing legal, administrative, arbitration, enforcement proceedings, or for the examination of your complaint filed with us. Deletion will take place once the need for the data has ceased, which may be after the expiration of the periods specified above.

You may always request that we delete certain information or close your account, and we will respond to this request by retaining specific information, even after the account is closed, if applicable legislation or legal interests require it. If we are legally obligated or if it is reasonably necessary to comply with regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms, we may retain some of your personal information for a limited period of time, even after you have deleted your profile.

For the purpose of ensuring the reliability of services and protecting against data loss for technical reasons, the Website implements a data backup policy. The maximum period for data updates (deletion of data) from all backup copies is 30 days.

Do We Share Your Personal Data with Third Parties?

“IMG CONNECT” Ltd., and the Website, do not share your personal data with third parties unless there is a legal basis for doing so—such as a legal or contractual obligation, legitimate or vital interests, or your consent. We strive to minimize the personal data we disclose, and this is always directly related and necessary for achieving a specific purpose. We do not sell, rent, or otherwise disclose your personal information to third parties for their marketing and advertising purposes without your consent. We guarantee that access to your data by third-party private entities is carried out in accordance with the legal provisions in the area of data protection and information confidentiality, based on agreements concluded with them.

We may disclose your personal data when we are subject to a legal obligation. In certain cases, “IMG CONNECT” Ltd. is required to disclose your data to public authorities such as the police, prosecutors, or courts in connection with preventing or investigating crimes. This includes the exchange of information with other companies and organizations to protect against fraud and reduce credit risk. Please be aware that if the police or another regulatory or state authority investigating alleged illegal activities requests your personal data or any other information we have received about you, we are entitled to provide it once we verify the legitimacy of the request from the state authorities. When we receive revenue from sales, we may be obligated by tax authorities to provide sales data containing information from your orders, including personal data. In this regard, we share your data with the accounting firms we work with. It is the legal obligation of the Website and IMG CONNECT to protect the security of networks and data processed by the company. Accordingly, we implement a series of measures, the execution of which may require processing your data by IT companies that manage security within our company.

We may have a contractual obligation to provide your data if you enter into a distance sales contract with us, under which we are required to deliver the goods or services you requested via courier. The same applies if you choose to purchase, pay for, or order a product or service on our Website through payment, credit, or banking services, where you personally share your data or entrust us with doing so. If you choose to insure a product/service during the purchase on the Website, your data will be shared with the insurance companies. If we install a purchased product through a subcontractor, we may share your data with them to perform the service/guarantee.

Our legitimate interest justifies, in certain cases, sharing your personal data with third parties. Such a case would be when proceedings are initiated before the Personal Data Protection Commission, the Consumer Protection Commission, and other state authorities. Legitimate interest exists for IMG CONNECT Ltd. when we engage other companies or individuals to perform certain tasks on our behalf, complementing our services, under data processing agreements. We would always like you to be informed of the best offers for the products/services you are interested in. In this regard, we may share certain of your data—only with your explicit consent—with providers of marketing/telemarketing services and other companies with which we may develop joint programs to market our goods and services.

Our website may also contain links to and from third-party websites. If you follow a link to any of these websites, please be aware that these websites have their own privacy policies, and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any information to these websites. Our site uses YouTube LLC, represented by Google Inc., to integrate videos. Typically, when you visit an embedded video page, your IP address will be sent to YouTube, and “cookies” will be installed on your device. However, our YouTube videos are embedded in “enhanced privacy mode” (in this case, YouTube is still in contact with Google’s DoubleClick service, but personal data is not used in accordance with Google’s privacy policy). As a result, YouTube does not store any information about visitors unless you view the actual video. If you click on the video, your IP address will be sent to YouTube, and YouTube will know that you have watched the video. If you are logged into YouTube with your user profile, this information will be linked to your profile (you can prevent this by logging out of YouTube before clicking on the video to view it). We do not have information about the potential collection and use of your data by YouTube. For more information, please see YouTube’s privacy statement at www.google.com/intl/en/policies/privacy/.

To Which Countries Do We Transfer Your Personal Data?

Currently, we store and process your personal data in Bulgaria.

However, it is possible that some of your personal data may be transferred to entities located within the European Union or outside of it, including countries for which the European Commission has not recognized an adequate level of personal data protection.

We will always take steps to ensure that any international transfer of personal data is carefully managed to protect your rights and interests. Transfers of data to service providers and other third parties will always be secured by contractual obligations and, where appropriate, by other safeguards such as standard contractual clauses issued by the European Commission or certification schemes, such as the EU-U.S. Privacy Shield for personal data transfers from the EU to the United States.

You can contact us at any time using the contact details provided at the end of this Policy to find out which countries we transfer your data to and what protective measures we apply in relation to these data transfers.

---

Your Rights Regarding Your Personal Data

Under the General Data Protection Regulation, you have the following rights:

Right to Information

This Policy aims to inform you in detail about the processing of your personal data in connection with the processing of your personal data. When there is a risk of a breach of the security of your personal data, the controller is obliged to notify you of the nature of the breach and the measures taken to address it, as well as whether the supervisory authority has been notified of the breach. Additionally, the data subject can request information about all recipients to whom personal data, for which correction, deletion, or restriction of processing is requested, has been disclosed.

Right to Access

You have the right to obtain confirmation as to whether your personal data are being processed, access to them, and information regarding the processing method and your rights in relation to it. As a data subject, you have the right to request confirmation of whether your personal data are being processed and, if so, to access your data and obtain the following information: the purpose of processing, what personal data are being processed, the recipients of the data, and the duration of processing. Access requests must be made in written/electronic form and addressed to the controller. In this case, we will provide a copy of the processed personal data in electronic or another suitable form.

Right to Rectification

You have the right to correct and complete your personal data if they are incomplete or inaccurate. For registered users, this option is also available in the user panel on the Website. Unregistered users can obtain this information by making a request to the controller. As a data subject, you have the right to request the correction or completion of personal data that are inaccurate/outdated or incomplete. To do so, you must submit a separate request. Your request will be answered by the controller in writing at the electronic address you provided.

Right to Erasure (Right to be Forgotten) and Account Closure

As a data subject, you have the right to “be forgotten,” i.e., to request that your personal data be erased without undue delay, meaning the controller must delete your personal data from all systems and records where they are stored, including notifying any third parties/data processors to whom the data have been provided.

If you wish, you have the option to close your account on the website at any time. This option is also available in the user panel on the Website. After closing the account, all or some of your data will be deleted. In relation to our obligations, responsibilities, and legal requirements (e.g., the GDPR or the Electronic Commerce Directive), we may retain certain data for a specific period (see the section above).

To ensure the reliability of services and to protect against data loss due to technical reasons, the Website implements a data backup policy. The maximum update period (deletion of data) from all backup copies is 30 days.

A request for deletion may be submitted on the grounds provided in the Regulation, including in the following cases:

• The personal data are no longer necessary for the purposes for which they were collected;

• You have withdrawn your consent;

• You have objected to the processing of personal data, and there are no overriding legal grounds for processing;

• The processing is unlawful;

• The personal data must be erased to comply with a legal obligation under EU law or the law of a Member State applicable to the controller;

• The personal data were collected in connection with the offering of information society services.

Please note that we may refuse to delete part or all of your personal data in cases where there is a substantial reason and/or legal obligation for their processing. You will be informed promptly about this. The controller may refuse to delete personal data on the grounds set out in the Regulation, when the processing of specific data is necessary:

• For the exercise of the right to freedom of expression and the right to information;

• To comply with a legal obligation that requires processing under EU law or the law of the Member State applicable to the controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

• For reasons of public interest in the area of public health;

• For archiving purposes in the public interest, for scientific or historical research, or for statistical purposes;

• For the establishment, exercise, or defense of legal claims;

Right to Restriction of Processing of Personal Data

The General Data Protection Regulation provides the possibility for you to restrict the processing of your personal data if there are grounds for it as provided by the Regulation. Restriction is allowed in the following cases:

• When you believe that your personal data is inaccurate, in which case the restriction will last for the time necessary for the controller to verify the accuracy;

• When the processing of your personal data is unlawful, but you do not wish them to be deleted, and you only want the use of them to be restricted;

• When the controller no longer needs your personal data for the purposes of processing, but you, as the data subject, require it for the establishment, exercise, or defense of legal claims;

• When you have objected to the processing pending verification of whether the legitimate grounds of the controller override your interests.

---

Right to Notify Third Parties

If applicable, you have the right to request that the Controller of your personal data notify third parties to whom your data has been provided, regarding the correction, deletion, or restriction of processing of your personal data.

---

Right to Data Portability

You have the right to receive your personal data, which concerns you and which you have provided, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from our side, provided that the processing is based on consent or contractual obligation or that the processing is carried out by automated means.

Important: The responsibility for storing the exported data from the Website, as well as for any consequences of providing them to other controllers, is entirely yours.

---

Right Not to Be Subject to a Decision Based Solely on Automated Processing

You have the right not to be subject to such automated processing, including profiling, which produces legal consequences for you or significantly affects you in a similar manner, unless there are grounds for such processing as specified in applicable data protection law, and appropriate safeguards are provided for the protection of your rights, freedoms, and legitimate interests.

---

Right to Withdraw Consent

You have the right to withdraw your consent, which you have previously given in connection with the processing of personal data based on your prior consent, at any time. Such withdrawal does not affect the lawfulness of processing based on the consent before the withdrawal. For services such as email subscription to advertisements, which are based on your consent (subscription), there is an option to unsubscribe at any time (withdraw consent). In the case of withdrawal of consent, we have the right to verify the identity of the requestor to establish the identity of the person for whom the data pertains.

---

Right to Object

You have the right to object to the processing of data based on legitimate interest. If such an objection is made, we will review your request and, if it is justified, we will implement it. If we believe that there are compelling legal grounds for processing or that the processing is necessary for the establishment, exercise, or defense of legal claims, we will inform you about it.

---

Right to File a Complaint with a Supervisory Authority

You have the right to file a complaint against our company (data controller) with the supervisory authority if you believe that the processing of personal data relating to you violates applicable data protection law. The supervisory authority in Bulgaria is the Commission for Personal Data Protection, located at Sofia 1592, Prof. Tsvetan Lazarov Blvd. № 2, email: kzld@cpdp.bg, website: www.cpdp.bg, phone: 02 915 3 518.

---

How to Exercise Your Rights. Deadlines for Response

You can exercise the above rights free of charge at any time, by email or request sent to the contact addresses specified in the contact form on the Website or at the end of this Privacy Policy. You can address your requests to both the controller and directly to the Data Protection Officer. Requests must be made in a way that allows the identification of the requestor’s identity. For some rights, there may be technical means available for exercising them, such as an unsubscribe button. In any case, the controller must respond to the request or address the exercise of the right to the provided address (including email) within one month from its receipt.

If you exercise these rights in an obviously unfounded or excessive manner, particularly due to their repetitiveness, we reserve the right to charge a reasonable fee, taking into account administrative costs for providing the information or communication or taking the requested actions, or to refuse to take action on the request. We will inform you of our fees, if applicable, before responding to your request.

ACCURACY OF INFORMATION

We do not take responsibility for the accuracy of the information you provide, and we do not perform checks in this regard. We do not guarantee the actual identity of individuals providing the data. In cases of doubt, fraud detection, or abuse, please notify us immediately. You are obligated, when providing any information on the Website, not to infringe on the rights of others in relation to the protection of their personal data or other rights.

---

GENERAL INFORMATION ABOUT THE POLICY

This Privacy Policy may be changed or supplemented due to changes in applicable Bulgarian or European legislation, at the initiative of “IMG CONNECT” Ltd. or by a competent authority.

“IMG CONNECT” Ltd. will inform users of any changes or additions to this Privacy Policy by publishing the updated Privacy Policy on our website.

It is recommended that users periodically check the most up-to-date version of this Privacy Policy on the website of “IMG CONNECT” Ltd.

---

HOW WE PROTECT YOUR RIGHTS

SECURITY MEASURES

To ensure the best possible protection of the company’s and our clients’/users’/contractors’/visitors’ data on the Website, WE apply all necessary organizational and technical measures provided in the General Data Protection Regulation and the Personal Data Protection Act, as well as best practices from international standards. We apply the appropriate level of protection, and for this purpose, we have developed effective physical, electronic, and administrative procedures to protect the data we collect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

We store your data on secure servers, using the latest encryption algorithms and ensuring the storage of backup copies.

The company has adopted the necessary rules and procedures related to the lawful processing of your personal data, including an Action Plan for data security breaches, has established structures for preventing abuse and security breaches, and has designated a Data Protection Officer who supports the processes of lawful processing, safeguarding, and ensuring the security of your data.

Access to your personal data is granted only to those employees, service providers, or affiliated persons on a need-to-know basis for business purposes or who require it to fulfill their duties. All employees/workers are required to be trained and accept the relevant contractual clauses/declarations/rules for compliance with organizational and technical access control measures before being granted access to any type of information.

A principle in our structure is that all employees/workers are responsible for ensuring the security of the data they handle, which we process, and that the data is securely stored and not disclosed under any circumstances to third parties, unless we have granted such rights to the third party by entering into a contract/confidentiality clause. In this regard, all personal data is accessible only to those who need it, and access can only be granted in accordance with established access control rules. All personal data is treated with the utmost security and stored:

• In a separate room with controlled access; and/or

• In a locked cabinet to which only authorized persons have access; and/or

• In a computerized system protected by a password in accordance with internal requirements set out in the organizational and technical access control measures; and/or

• On computer media protected in accordance with organizational and technical measures for controlling access to information.

Personal data is deleted or destroyed only in accordance with internal procedures for data retention and destruction.

For maximum security in processing, transferring, and storing your data, we may use additional protection mechanisms such as encryption, pseudonymization, and backup technology for backup copies.

We use a payment service for processing payments. All payment information is encrypted using SSL technology.

When you post on forums, chat rooms, or social media services, the personal information you share is visible to other users and may be read, collected, or used by them. In these cases, you are responsible for the personal information you choose to provide.

Despite the measures we implement to protect your personal data, we acknowledge that, in general, the transmission of information over the Internet or other public networks is not completely secure, and there is a risk that data may be viewed and used by unauthorized third parties. We cannot take responsibility for vulnerabilities in systems that are not under our control. In the event of a data breach involving personal data, we guarantee that we will comply with all applicable notification requirements in such cases.

---

COOKIE POLICY

As an integral part of this Privacy and Data Protection Policy for individuals, IMG CONNECT has adopted a Cookie Policy, which is published and accessible both on the Website and on our Facebook page.

---

CONTACT US

DATA PROTECTION OFFICER

Questions and requests related to the exercise of your rights concerning the protection of your personal data can be sent to “IMG CONNECT” Ltd. via the contact form available on the Website or through any of the following contact methods:

“IMG CONNECT” Ltd., UIC 207379619, VAT No. BG 207379619, with registered office and address: Varna, 4 Bragalnitsa St.

The Data Protection Officer is Preslav Bobev.

Correspondence address: Varna, 4 Bragalnitsa St.

• By email: events@internetmediagroup.org

• By phone: +359 886 991 001