Personal Data Protection Policy
1. Objectives and Content of the Policy
Under this Personal Data Protection Policy, Neterra EOOD, UIC 121039370 (Neterra), in its capacity as a controller, takes into account the privacy and the need to protect natural persons' data. In accordance with the legislation in force and the best practices, the company shall implement the necessary technical and organisational measures to ensure the protection of personal data.
The protection of personal data that is entrusted to Neterra is very important for the company and our business activities. It is very important for the success of our business and for our reputation. We are aware that the processing of personal data is for a certain reason and cannot be done without limitation. We recognise the need to protect the privacy of the person. That is why we shall make our best endeavours and take responsibility to protect the personal data of our end-users by not allowing unauthorised access, unauthorised or malicious use, loss or erasure of information.
The personal data required for the provision of Neterra's services and products shall be collected and processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR) as well as the applicable national or EU law.
This Policy provides systematised information to the end-users – natural persons on the reasons for and manner of processing their personal data.
This Policy is mandatory for all employees of Neterra who process personal data of end-users.
Within the meaning given by the applicable legislation and this Policy:
'Personal data' shall be any information related to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'Special categories of personal data' shall be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person's sex life or sexual orientation;
'Basic data' shall be names, gender and age group, address (permanent address);
'Data Subject' shall be any living natural person who is associated with specific personal data;
'Network/Traffic Data' shall be data processed in an electronic communications network for the purpose of conveyance of signals, broadcast or electronic content exchange, including data used to track and identify the source and destination of the communication, location data and device type, generated in the context of the provision of electronic communications services as well as date, time, duration and type of communication, data on the usage of television services, etc.;
'Consumption data' shall be aggregated data for the consumption of Neterra's services, including type of service, total number and duration of use;
'Processing' shall be any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
'Controller' shall be any natural or legal person, public authority, agency or other authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
'Processor' shall be a natural or legal person, public authority or other authority which processes personal data on behalf of the controller;
'Consent of the data subject' shall be any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
'Profiling' shall be any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
'Detailed analysis' shall be an analysis method that allows the processing of large volumes of data through statistical models and algorithms and others, which involve the use of network and personal data as well as pseudonymising and anonymising them for the purpose of retrieving information about trends and various statistical indicators;
'Personal data breach' shall be a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
'Recipient' shall be a natural or legal person, public authority, agency or another authority, to which the personal data are disclosed, whether a third party or not. The public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
'Third party' shall be a natural or legal person, public authority, agency or authority other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
'Partners' shall be companies with which Neterra has entered into partnership agreements and which provide a variety of products and services.
3. Guarantees for lawful processing of the personal data
Neterra shall process customers' personal data on one of the following grounds:
a) the customer has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of the contract to which the customer is party or in order to take steps at the request of the customer prior to entering into the contract;
c) processing is necessary for compliance with a legal obligation to which Neterra is subject;
d) processing is necessary for the purposes of Neterra's legitimate interests.
4. How are we going to use the personal data
4.1. For performance of a contract or in the context of pre-contractual relations with users
Neterra shall process identification data and other personal data in order to provide the services and products requested by customers, in order to perform its contractual and pre-contractual obligations to the customers as well as to exercise its rights under the concluded contracts. The processing of personal data shall be carried out for the purpose of:
a) identifying the customer through all sales channels;
b) managing and executing customer requests for products or services, execution of contracts for the sale of products and services;
c) drafting a contract proposal;
d) preparing and sending orders/invoices for the products and/or services that the customers use;
e) ensuring the necessary comprehensive customer service as well as collecting the due amounts for the products and services used;
f) ensuring the technical maintenance of our networks in order to provide quality services;
g) any technical assistance for the maintenance of the provided services;
h) drafting proposals for distance contracts, sending pre-contractual and contractual information by courier services; servicing an opt-out;
i) notifications for everything related to the products and services that the customers use, including, but not limited to, sending different notices, notifications of problems or responding to applications, complaints, suggestions submitted by the customers;
j) preparing aggregated statistical information about Neterra's sales, services, customers, network traffic, location models, which we can also provide to third parties, etc.;
k) analysing customer history and preparing a user profile in order to determine an appropriate offer for the customer;
l) protecting and ensuring the security and integrity of Neterra's network, customers and employees;
m) identifying and/or preventing unlawful actions or actions contradicting Neterra's General Terms for the respective services;
n) evaluating and measuring the effectiveness of the advertising of our products and services as well as offering advertising content that meets the needs of the customers;
o) the data from orders/invoices of customers shall be processed by Neterra for purposes consistent with the initial purpose of their collection in order to provide an overview of our products and services;
p) researching and analysing the customer’s usage of our products and services on the basis of anonymous or personalised information in order to identify the key trends, to improve our understanding of our customers' behaviour and to collaborate with third parties to develop new services for our customers;
q) processing by a processor upon entering into a contract, assignment, reporting, acceptance, payment;
r) performing warranty and after-sales servicing of devices.
4.2. For the performance of regulatory obligations
Neterra shall process the identification data, traffic data, location data, customers invoicing data and other personal data in order to comply with obligations that are provided for under a regulation, including but not limited to:
a) obligations to provide information to the Communications Regulation Commission or third parties, as defined in the Electronic Communications Act;
b) fulfilment of obligations related to distance selling provided for in the Consumer Protection Act;
c) providing information to the Commission for Consumer Protection or third parties provided for in the Consumer Protection Act;
d) providing information to the Commission for Personal Data Protection in connection with obligations provided for in the regulatory framework on protection of personal data – the Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.;
e) obligations provided for in the Accounting Act and the Tax and Social Insurance Procedure Code and other related regulations in connection with the keeping of correct and lawful accounting;
f) providing information to the court and third parties in the course of court proceedings in accordance with the requirements of procedural and substantive regulations applicable to the proceedings;
g) age verification for online shopping.
4.3. With customer’s consent
In some cases, Neterra shall process the personal data only with the prior written consent of the customer. Such explicit consent from the customer shall only be necessary if Neterra requires data that are more than the minimum data required for the conclusion and performance of the contract. The consent is a separate ground for the processing of personal data and the purpose of processing shall be specified therein and shall not overlap with the other purposes listed in this Policy.
The given consents may be withdrawn at any time. The withdrawal of the consent shall not affect the performance of Neterra’s contractual obligations. If the customer withdraws its consent to the processing of personal data for some or all of the purposes described above, Neterra shall not use the personal data and information for the relevant activities as of the moment of withdrawal. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
When consent to the processing has been given, this consent shall apply to all products and services used by the customer.
In order to withdraw the consent, the customer shall have to use the company's contact details.
4.4. Considering the company’s legitimate interest
Neterra shall use basic customer data to prepare subscriber accounts considering the company's legitimate interest in order to perform a basic analysis of the data and to adapt the offered services and products to the customer's individual needs, as well as to offer new services.
4.5. Processing of anonymised data
Neterra shall process customers' traffic data for statistical purposes. This means performing analyses in which the results shall be summarized and the data used shall be anonymous. It is impossible to identify a specific person and data related to him/her through this information.
5. What types of data does Neterra process
5.1. basic data (identification data): full name, personal identification number or personal number of foreigner, permanent address;
5.2. traffic data (network data): data necessary for the provision of electronic communications services, for billing; data for preparation of customer accounts as well as for proving their authenticity; data which are being processed in the electronic communications networks for determining the geographic location of the electronic communication end device;
5.3. other data: information on the type and contents of the contractual relationship, as well as any other information relating to the contractual relationship, including:
5.3.1. information on the inquiries/orders for troubleshooting, petitions, applications, complaints;
5.3.2. other feedback we receive from the customers;
5.3.3. personal contact details – contact address, phone number and contact information (email, phone number), gender, age group;
5.3.4. preferences for the services we provide to the customers;
5.3.5. credit or debit card information, bank account number or other bank and payment information related to the payments made to Neterra;
5.3.6. other information such as:
a) customer number, code or other identifier created by Neterra for identification of customers/users;
b) data provided through the company's websites and mobile applications;
c) information about the electronic communication end device used, the type of the device, the operating system used, the IP address when visiting our website;
d) demographics, household information when the customers agree to participate in our surveys, prize draws, or other feedback they provide us with in connection with the products and services used;
e) other personal data provided by the customers or by a third party upon conclusion or within the duration of a contract with Neterra, in particular: the full name, personal identification number or personal number of foreigner, permanent address of a proxy indicated in a document in which he/she has been authorised to represent; social network profile data, contact details, contact person; username, password (upon registration on Neterra's website or other similar service); data provided upon participating in games, prize draws and/or other seasonal or promotional campaigns organised by Neterra, including through the social networks.
When we process the data for identification of the customer and his/her traffic data as well as the other described data for the purposes of providing products and services, for their payment, for the fulfilment of requests/orders for services as well as to fulfil our statutory obligations, this processing shall be mandatory for the achievement of these objectives. We would not be able to perform the respective activities without these data.
The customer is obliged to take reasonable care necessary for the protection of his/her personal data when the latter have been provided to third parties other than Neterra.
6. Why and how we use automated algorithms
For the processing of customers' personal data, we shall use partially automated algorithms and methods to continually improve our products and services in order to adapt our products and services to the customers' needs in the best possible way or for calculation. This process is called profiling.
7. How do we protect our customers' personal data
In order to ensure adequate protection of the company's and customers' data, we implement all the necessary organisational and technical measures provided for in the applicable legislation as well as the best practices of international standards (ISO 27001:2013, etc.).
The company has established rules for restricted and authorised access to data in order to prevent abuse and security breaches, and it has designated a Data Protection Officer to support the personal data safeguard and security procedures.
For the purpose of maximum security during processing, transfer and storage of the personal data, we use additional data protection mechanisms such as encryption, pseudonymisation, etc.
8. When do we erase personal data
The use of personal data for the purposes related to the contractual relationship shall cease upon the termination of the contract but the data shall not be destroyed before the expiration of a 1-year period after the termination of the contract or until the final settlement of all the financial relationships arising out of it; expiration of the regulatory obligations for storing the data, such as obligations under the Electronic Communications Act for storing and providing information for the purpose of detecting and investigating crimes (6 months); under the Accounting Act for the storage and processing of accounting data (11 years); expiration of the statutory time limitations for bringing claims (3 years for recurrent payment services and 5 years for the remaining services) under the Obligations and Contracts Act; obligations to provide information to the court, competent state bodies and other grounds provided for in legislation in force (5 years).
Neterra shall not erase or anonymise personal data if they are required for a pending court, administrative proceedings or proceedings on a client's complaint before the company.
The personal data can also be anonymised. The anonymisation is an alternative to the erasure of the data. Upon anonymisation, any personally identifiable element/elements that enable the identification of the customer shall be irreversibly erased. There is no regulatory obligation to erase anonymised data, as they do not constitute personal data.
9. When and why do we share personal data with third parties
Neterra shall not provide personal data to third parties before making sure that all technical and organisational measures for the protection of these data have been implemented by striving to carry out strict control to achieve this objective. In this case, Neterra shall remain responsible for the confidentiality and security of the personal data.
9.1. Categories of recipients to which we provide personal data:
a) persons processing data on behalf of Neterra:
b) collection and/or debt collection companies – debt collection agencies, credit agencies that service and collect claims through surety or other means;
c) postal operators with a view to sending parcels containing contracts, supplemental agreements and other documents and the need to verify the identity upon servicing;
d) distributors and agents of Neterra who act as representatives of the company in the sale of services and products;
e) Neterra's partners for the purpose of preparing a joint technical solution for the customer's needs;
f) persons who have been assigned to maintain the equipment, software and hardware used for the processing of personal data and necessary for the construction of the service, for the provision of various accounting services, payment of services and products, technical support, etc.;
g) persons providing maintenance service of end devices; call centers that assist Neterra in the sale of products and services and customer service before and in the course of the duration of the contractual relationship;
h) installers – for installation or support for the provision of the service;
i) persons hired by Neterra under a freelance contract who assist the sales, logistics, delivery processes, etc.;
j) authorities, institutions and persons to whom we are obliged to provide personal data under the applicable law;
k) providers of electronic authentication services where a document related to the provision of a product or a service shall be signed with an electronic signature;
l) banks – for servicing of payments made by the customers;
m) security companies holding a license to perform private security activities in connection with the processing of the video recordings from Neterra's sites and/or provision of the access regime at the sites of the company;
n) persons providing services for organising, storing, indexing and destroying archives in paper and/or electronic form;
o) persons performing consulting services in various fields.
9.2. Persons processing data on their own behalf:
a) assignees – parties to account receivable purchase agreements to which Neterra assigns (sells) outstanding liabilities;
b) competent authorities which by virtue of a regulation have the power to demand the provision of information, including personal data, such as courts, prosecutors, various supervisory authorities such as the Commission for Consumer Protection, the Communications Regulation Commission, the Commission for Personal Data Protection, bodies with national security and public order protection powers.
10. Rights of the customers in relation to the processing of their personal data
10.1. Right to information:
10.1.1. The customers have the right to request:
a) information on whether data relating to them are being processed, information on the purposes of that processing, on the categories of data and on the recipients or categories of recipients to whom the data are being disclosed;
b) a communication in comprehensible form containing the personal data being processed as well as any available information about their source;
c) information on the logic of any automated processing of personal data relating to the customers in the case of automated solutions.
10.2. Right to rectification:
10.2.1. In the event that we process incomplete or incorrect data, the customers have the right to request at any time:
a) that we erase, rectify or block their personal data, the processing of which does not meet the requirements of the law;
b) that we notify the third parties, to whom the customers' personal data have been disclosed, of any erasure, rectification or blocking, except where this is impossible or involves excessive efforts.
10.3. Right to object:
10.3.1. At any time the customers have the right to:
a) object to the processing of their personal data if there is a legitimate reason for doing so; where the objection is justified, the personal data of the natural person concerned can no longer be processed;
b) object to the processing of their personal data for the purposes of direct marketing.
10.4. Right to restriction of processing:
10.4.1. The customers may request a restriction of the processed identification data if:
a) they challenge the correctness of the data for the period in which Neterra should verify their correctness; or
b) the processing of data lacks legal basis, but instead of being erased, the customers have requested their limited processing; or
c) Neterra does not need these data (for the intended purpose), but the customers need them in order to identify, exercise or protect their legal claims; or
d) the customers have objected to the processing of the data pending investigation whether the reasons for the controller are lawful.
10.5. Right to data portability:
10.5.1. The customers have the right to receive personal data concerning them which they have provided to Neterra in a structured, commonly used electronic format and have the right to transmit those data to another controller where:
a) the processing of those data by Neterra is based on the explicit consent of the customer to data processing for a particular purpose and
b) the processing is carried out by automated means.
10.6. Right to complaint:
10.6.1. In the event that a customer decides that Neterra is in breach of the applicable regulatory framework, we expect the customer to contact us to clarify the matter. The customer has the right to lodge a complaint with the Commission for Personal Data Protection. As of 25 May 2018, the customers can also lodge a complaint with a supervisory authority within the European Union.
10.7. The applications for access to information or for rectification are to be submitted in person or by a person explicitly authorised by the customer through a notarised power of attorney. An application may also be submitted electronically under the Electronic Document and Electronic Trust Services Act.
10.8. Neterra shall rule on the customer's request within 14 days of its submission. If a longer period to collect all the requested data is objectively required and this seriously impedes our activity, this period may be extended to 30 days. The decision on the complaint shall be motivated.
11. Compliance and Amendments of the Policy
In order to apply the most up-to-date protection measures and to comply with the legislation in force, we shall regularly update this Personal Data Protection Policy. If the changes we make are substantial, we can post a message on our websites about the changes made.
This Privacy and Data Protection Policy has entered into force as of 25.05.2018.
12. Contact details regarding the protection of the personal data
20A Andrey Saharov Blvd., 1784 Sofia
tel.: +359 2 975 1616, fax: +359 2 975 3436
Data Protection Officer: