Privacy policy in relation to agreements for cards

These Rules for the processing and protection of personal data in relation agreements for cards (the "Rules") are adopted by "Edenred Bulgaria" AD, UIC: 130526402, having its seat and management address in Sofia 1784, Slatina District, 137 Tsarigradsko Shosse Blvd., floor 3, represented by the Executive Director Medhi Benbouguerra ("Edenred") on 25 May 2018.
These Rules concern the clients of Edenred (the “Clients”), having Agreements signed with Edenred for Provision of Services, Related to the Programme for Compliments Cards and Compliments Cards Selection (the “Agreements”), under which Edenred distributes the Cards to its Clients in Bulgaria as products for gifts/ reward to their employees or their relatives or business partners. 
The Rules aim to regulate the processing activities related to personal data in compliance with the current personal data protection legislation in the Republic of Bulgaria, including in relation to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation" or the "Regulation").
1.    DEFINITIONS
1.1    In these Rules the terms "personal data", "data subject" and "personal data processing" shall have the meaning assigned to them under the Regulation or under the respective Bulgarian laws, ordinances and guidelines, effective at the respective moment.
1.2    The capitalized terms, which are not expressly defined herein, shall have the meaning ascribed to them in the Agreements. 
2.    SUBJECT OF THE RULES
2.1    Тhese Rules regulate the rights and obligations of Edenred and the Clients (together the “Parties” and each one of them a „Party“) in relation to the processing of the personal data of the Cardholders, which the Parties shall process jointly, in their capacity as joint controllers under the meaning of Art. 26 of the Regulation, in a manner which is transparent for the data subjects.
2.2    The compliance with the Rules by each Party shall not incur additional expenses for the other Party.
2.3    The processing, which shall be performed by the Parties under thе Agreements shall include the processing under Attachment No. 1 (Information about the Data Processing) to the Rules.
2.4    For the avoidance of doubt, the present Rules may be amended unilaterally by Edenred, from time to time, following amendments to the regulatory framework, the applicable law and/ or with the aim to implement changes resulting from the amendments in the internal rules or an internal decision of the Edenred group of Companies. The amended version shall be considered applicable as of the date of its upload to Edenred’s webpage, where the version shall expressly provide for its number and date.
3.    RIGHTS AND OBLIGATIONS OF THE PARTIES
3.1    Each Party shall comply with the data protection laws and the privacy laws and any similar laws, ordinances and guidelines, effective as of the respective moment in the Republic of Bulgaria ("Personal Data Protection Laws"), including without limitation the General Data Protection Regulation, which are applied in relation to all personal data, processed under and in relation to the Agreements.
3.2    Each Party shall comply with those requirements of the internal policies of the other Party which regulate its obligations regarding the processing of personal data under the Agreements and which have been notified to it by the other Party.
3.3    As regards the personal data of the Cardholders provided to Edenred in relation to the Agreements (and regardless whether it has been provided by the Client, by the data subject or in any other manner), Edenred guarantees that it processes such personal data solely for the purposes and according to the instructions notified to it by the Client and documented under Bulgarian legislation, including the Digital Document and the Digital Certifying Services Act, in compliance with the principles and the requirements of the General Data Protection Regulation.
3.4    As regards the personal data of the Cardholders, each of the Parties guarantees that:
3.4.1    it maintains the appropriate technical and organizational security measures of the processing (including without limitation, the appropriate policies, notified to the employees, the continuous management of the compliance with them in the course of work and effective security measures) as regards personal data and as well as for protection against accidental or unlawful destruction, accidental loss, unauthorized access, modification or distribution, as well as against other illegal forms of personal data processing so that to ensure the processing and the degree of protection of personal data under the Personal Data Protection Laws;
3.4.2    In particular, each Party shall guarantee that the persons authorized to process the personal data (its employees and subcontractors) are obliged to keep confidential or are obliged by law to keep confidentiality, as well as that it shall take measures to ensure that any individual acting under its authority, who has access to personal data, processes personal data in compliance with the Personal Data Protection Laws.
3.5    Each of the Parties, in order to facilitate the compliance with the Personal Data Protection Laws by the other Party, shall provide the other Party with access to the entire information, necessary for evidencing the performance of the obligations stipulated under these Rules and the Personal Data Protection Laws, it shall provide copies of reports on security, audit and control, as well as other documents, prepared by the auditors or by other persons acting by request of, for and on behalf of the Party or by the competent authorities, which refer to the processing or protection of the personal data and which may be reasonably requested by the other Party; as well as it shall allow and assist for the performance of inspections and audits, as well as for the implementation of the rights and obligations of the Party under the Personal Data Protection Laws, in the event when such documents, actions and assistance are requested reasonably by the other Party or by parties authorized by it. In the event when any of the Parties possesses information about an event of unauthorized, unlawful or undue conduct or activity or any other breach of the terms and conditions of these Rules or of the applicable Personal Data Protection Laws, the respective Party notifies the other Party immediately about this and assists in order to undertake the necessary measures according to the applicable Personal Data Protection Laws.
3.6    In order to comply with the rights of the data subjects, the each Party shall record and then refer all requests of data subjects it receives to the other Party within 3 (three) business days of receiving each request. As far as practicable, the other Party shall assist the Party, which has received the request in the performance of its obligation to respond to the requests of the data subjects.
3.7    In relation to each personal data breach (actual or alleged), related to thе Agreements, the Party which has become aware of the breach shall:
(a)    inform the other Party of the breach without undue delay (but in any event not later than 24 hours after it has been notified of the breach of the personal data);
(b)    provide to the other Party without any undue delay (where possible not later than 48 hours after it has been informed of the breach) information, which it would have reasonably requested regarding:
(i)    the nature of the breach, including the categories and the average number of the data subjects and the affected record of personal data;
(ii)    all investigations regarding this breach;
(iii)    the possible consequences of the breach; and
(iv)    all undertaken measures or such measures that the Party which has become aware of the breach recommends to be undertaken in order to deal with the breach and to mitigate its possible adverse consequences,
In the event when the Party which has become aware of the breach reasonably thinks that it would not be possible to provide the information within this timeframe, it will explain to the other Party before the end of the period the reasons for the delay and when it expects to be able to provide it (which may be at different stages) and it will provide to the other Party regular updates on these matters; and
(c)    provide reasonable cooperation and assistance to the other Party in relation to each correcting activity to be undertaken in response to the personal data breach, including regarding each communication regarding the breach of personal data of the individuals whose personal data has been affected.
3.8    Each Party shall have the right to share each notification and information provided by the other Party under Art. 3.6 with the Personal Data Protection Commission or any other regulatory authority in compliance with the Personal Data Protection Laws.
4.    SUBCONTRACTORS
4.1    Neither Party can assign the personal data processing to a third party without the explicit written consent of the other Party.  In the event when one of the Parties includes a personal data processor (subcontractor) for performing specific activities of processing, such Party imposes upon the subcontractor to ensure the performance of the same obligations, guarantees and responsibilities for personal data protection under these Rules and the Personal Data Protection Laws.
4.2    In case the third party, processing the personal data under the instruction of one of the Parties does not fulfil the obligation for personal data protection, the Party which has assigned the processing to the third party, continues to bear full liability before the other Party for the fulfilment of the obligation of this third party processing personal data. 
4.3    The above limitations do not apply to the processing performed by PPS in compliance with the Agreements. 
5.    COMPENSATION
5.1    Each of the Parties shall compensate and keep the other Party indemnified against all risks, claims, cases, expenses, costs (including without limitation, legal fees and payments on the basis of full compensation), damages, losses and damages incurred or resulting from, awarded against or arranged to be paid by one of the Parties, resulting from or in relation to:
5.1.1    Edenred acting outside or against the legal instructions of the Client; 
5.1.2    Each material breach by one of the Parties of its obligations for data protection under these Rules or the Personal Data Protection Laws; and
5.1.3    Each processing performed by one of the Parties or by its subcontractor by virtue of instruction by the other Party, which breaches the Personal Data Protection Laws:
(i)    In the event when the Party performing the processing has notified the instructing Party that its instruction breaches the Personal Data Protection Laws;
(ii)    With the exception to the extent to which the Party performing the processing is in breach of these Rules in any other way and this breach separately causes or contributes to the suffered damages.
5.2    If any Party receives a claim for compensation related to the personal data processing, it will duly notify the other Party and it will provide it with detailed information about such claim.
5.3    The Party which performs the activity:
5.3.1    shall not acknowledge responsibility, neither shall it agree to an arrangement or compromise regarding the respective claim without the preliminary written consent of the other Party (which shall not be unreasonably obstructed or delayed); and
5.3.2    Shall consult entirely with the other Party in relation to any such action and the terms and conditions of each settlement or compromise regarding the claim, shall be an exclusive decision of the Party, which is responsible under these Rules for payment of the compensation.
5.4    Without limitation of the obligation of the Party with respect to a data subject under the Personal Data Protection Laws and for the purpose of avoiding any doubt in relation to any compensation, which is ordered by the Personal Data Protection Commission or another competent authority to be paid by a party (“Indemnifying Party”), the parties agree that the Indemnifying Party shall not be authorized to claim from the other Party any part of the compensation, paid by the Indemnifying Party in relation to such damage up to such extend, for which the Indemnifying Party bears liability for compensating the other Party in compliance with Art. 5.1 and 5.2. (as the case may be).
6.    TERM AND TERMINATION
6.1    Thе Parties shall comply with these Rules for the term of the Agreements.
6.2    Following the termination of the Agreements or after completion of the respective service of processing or upon written request by the Client, Edenred shall delete in a secure manner or shall return to the Client (according to the instructions of the Client) all personal data of the Cardholders after completion of the services for processing or after fulfilment of the purposes for processing and it shall delete the existing copies unless the Personal Data Protection Laws require its safekeeping.

7. EXERCISE OF GDPR RIGHTS

7.1 For any additional questions regarding the manner in which personal data is processed and for exercising the rights mentioned above, please fill out the following form.

8.    GENERAL PROVISIONS
8.1    The amendments and supplements to the Rules may be performed by the Parties in written form only, where the respective amendments shall be uploaded on the website of Edenred.
8.2    Bulgarian legislation shall apply to these Rules. For the avoidance of doubt, in the event of discrepancy between the provisions of these Rules and the provisions of the Personal Data Protection Laws, the legal provisions shall prevail.
8.3    All disputes resulting from or in relation to these Rules, including their validity, termination and interpretation shall be resolved by the Parties by mutual consent and if they fail to do so, the dispute shall be referred to the competent Bulgarian court.
8.4    In case of discrepancy between the Bulgarian and the English text of the current Rules, the Bulgarian version shall prevail. 

Attachments:
Attachment No. 1 Information about data processing;
Attachment No. 2 Declaration – consent for direct marketing.