These Rules for the processing and protection of personal data in relation agreements with shops (the "Rules") are adopted by "Edenred Bulgaria" AD, UIC: 130526402, having its seat and management address in Sofia 1784, Slatina District, 137 Tsarigradsko Shosse Blvd., floor 3, represented by the Executive Director Medhi Benbouguerra ("Edenred" or "Controller") on 25 May 2018.
These Rules concern the shops and commercial chains having an agreement signed with Edenred, in its capacity as operator, for servicing of customers with respect to food vouchers, free food vouchers, gift vouchers and vouchers ‘reward’ (the “Agreements”) where in the current Rules the shops and commercial chains shall be referred to as “Shops” (which includes all sites for food trade, including foodstuff shops, supermarkets, hypermarkets, etc.) or “Processor” and the Shop and Edenred together the “Parties” and each one of them a „Party“.
The Rules aim to regulate the processing activities related to personal data in compliance with the current personal data protection legislation in the Republic of Bulgaria, including in relation to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation" or the "Regulation").
1.1 In these Rules the terms "personal data", "data subject" and "personal data processing" shall have the meaning assigned to them under the Regulation or under the respective Bulgarian laws, ordinances and guidelines, effective at the respective moment.
2. SUBJECT OF THE RULES
2.1 Тhese Rules regulate the rights and obligations of the Parties in relation to the processing of the personal data, which the Processor shall be processing on behalf of the Controller in a manner which is transparent for the data subjects.
2.2 The compliance with the Rules by each Party shall not incur additional expenses for the other Party.
2.3 The processing, which shall be performed by the Processor under thе Agreements shall include the processing under Attachment No. 1 (Information about the Data Processing) to the Rules.
2.4 For the avoidance of doubt, the present Rules may be amended unilaterally by Edenred, from time to time, following amendments to the regulatory framework, the applicable law and/ or with the aim to implement changes resulting from the amendments in the internal rules or an internal decision of the Edenred group of Companies. The amended version shall be considered applicable as of the date of its upload to Edenred’s webpage, where the version shall expressly provide for its number and date.
3. RIGHTS AND OBLIGATIONS OF THE PARTIES
3.1 Each Party shall comply with the data protection laws and the privacy laws and any similar laws, ordinances and guidelines, effective as of the respective moment in the Republic of Bulgaria ("Personal Data Protection Laws"), including without limitation the General Data Protection Regulation, which are applied in relation to all personal data, processed under and in relation to the Agreements.
3.2 The Processor shall comply with those requirements of the internal policies of Edenred which regulate its obligations regarding the processing of personal data under the Agreements and which have been notified to it by the Controller.
3.3 As regards the personal data provided to the Processor in relation to the Agreements (and regardless whether it has been provided by the Controller, by the data subject or in any other manner), the Processor guarantees that:
3.3.1 it processes such personal data solely for the purposes and according to the instructions notified to it by the Controller and documented under Bulgarian legislation, including the Digital Document and the Digital Certifying Services Act, in compliance with the principles and the requirements of the General Data Protection Regulation;
3.3.2 it maintains the appropriate technical and organizational security measures of the processing (including without limitation, the appropriate policies, notified to the employees, the continuous management of the compliance with them in the course of work and effective security measures) as regards personal data and as well as for protection against accidental or unlawful destruction, accidental loss, unauthorized access, modification or distribution, as well as against other illegal forms of personal data processing so that to ensure the processing and the degree of protection of personal data under the Personal Data Protection Laws;
3.3.3 In particular, the Processor shall guarantee that the persons authorized to process the personal data (its employees and subcontractors) are obliged to keep confidential or are obliged by law to keep confidentiality, as well as that the Processor shall take measures to ensure that any individual acting under its authority, who has access to personal data, processes personal data in compliance with the Personal Data Protection Laws.
3.4 Each of the Parties, in order to facilitate the compliance with the Personal Data Protection Laws by the other Party, shall provide the other Party with access to the entire information, necessary for evidencing the performance of the obligations stipulated under these Rules and the Personal Data Protection Laws, it shall provide copies of reports on security, audit and control, as well as other documents, prepared by the auditors or by other persons acting by request of, for and on behalf of the Party or by the competent authorities, which refer to the processing or protection of the personal data and which may be reasonably requested by the other Party; as well as it shall allow and assist for the performance of inspections and audits, as well as for the implementation of the rights and obligations of the Party under the Personal Data Protection Laws, in the event when such documents, actions and assistance are requested reasonably by the other Party or by parties authorized by it. In the event when any of the Parties possesses information about an event of unauthorized, unlawful or undue conduct or activity or any other breach of the terms and conditions of these Rules or of the applicable Personal Data Protection Laws, the respective Party notifies the other Party immediately about this and assists in order to undertake the necessary measures according to the applicable Personal Data Protection Laws.
3.5 In order to comply with the rights of the data subjects, the Processor shall record and then refer all requests of data subjects it receives to the Controller within 3 (three) business days of receiving each request. As far as practicable, the Processor shall assist the Controller in the performance of its obligation to respond to the requests of the data subjects.
3.6 In relation to each personal data breach (actual or alleged), related to thе Agreements, including the Processor (or a subcontractor) or which the Processor has become aware of in any other manner, by virtue of the Personal Data Protection Laws the Processor shall:
(a) inform the Controller of the breach without undue delay (but in any event not later than 24 hours after it has been notified of the breach of the personal data);
(b) provide to the Controller without any undue delay (where possible not later than 48 hours after it has been informed of the breach) information, which it would have reasonably requested regarding:
(i) the nature of the breach, including the categories and the average number of the data subjects and the affected record of personal data;
(ii) all investigations regarding this breach;
(iii) the possible consequences of the breach; and
(iv) all undertaken measures or such measures that the Processor recommends to be undertaken in order to deal with the breach and to mitigate its possible adverse consequences,
In the event when the Processor reasonably thinks that it would not be possible to provide the information within this timeframe, it will explain to the Controller before the end of the period the reasons for the delay and when it expects to be able to provide it (which may be at different stages) and it will provide to the Controller regular updates on these matters; and
(c) provide reasonable cooperation and assistance to the Controller in relation to each correcting activity to be undertaken in response to the personal data breach, including regarding each communication regarding the breach of personal data of the individuals whose personal data has been affected.
3.7 The Controller shall have the right to share each notification and information provided by the Processor under Art. 3.6 with the Personal Data Protection Commission or any other regulatory authority in compliance with the Personal Data Protection Laws.
4.1 The Processor shall not assign the personal data processing to a third party without the explicit written consent of the Controller. In the event when the Processor includes another personal data processor (subcontractor) for performing specific activities of processing, the Processor imposes upon the subcontractor and ensures the performance of the same obligations, guarantees and responsibilities for personal data protection under these Rules and the Personal Data Protection Laws.
4.2 In case the third party, processing the personal data under the instruction of the Processor does not fulfil the obligation for personal data protection, the Processor continues to bear full liability before the Controller for the fulfilment of the obligation of this third party processing personal data.
5.1 The Processor shall compensate and keep the Controller indemnified against all risks, claims, cases, expenses, costs (including without limitation, legal fees and payments on the basis of full compensation), damages, losses and damages incurred or resulting from, awarded against or arranged to be paid by the Controller, resulting from or in relation to:
5.1.1 The Processor acting outside or against the legal instructions of the Controller; and
5.1.2 Each material breach by the Processor of its obligations for data protection under these Rules or the Personal Data Protection Laws.
5.2 The Controller shall indemnify and shall keep the Processor indemnified in relation to all claims, demands, cases, costs, expenses (including without limitation legal costs and payments on the basis of full compensation), damages, losses and damages, incurred or resulting from, awarded against or arranged to be paid by the Processor resulting from or in relation to:
5.2.1 each material breach by the Controller of its obligation under these Rules; and
5.2.2 Each processing performed by the Processor or by a subcontractor by virtue of instruction by the Controller, which breaches the Personal Data Protection Laws:
(i) In the event when the Processor has notified the Controller that its instruction breaches the Personal Data Protection Laws;
(ii) With the exception to the extent to which the Processor is in breach of these Rules in any other way and this breach separately causes or contributes to the suffered damages.
5.3 If any Party receives a claim for compensation related to the personal data processing, it will duly notify the other Party and it will provide it with detailed information about such claim.
5.4 The Party which performs the activity:
5.4.1 shall not acknowledge responsibility, neither shall it agree to an arrangement or compromise regarding the respective claim without the preliminary written consent of the other Party (which shall not be unreasonably obstructed or delayed); and
5.4.2 Shall consult entirely with the other Party in relation to any such action and the terms and conditions of each settlement or compromise regarding the claim, shall be an exclusive decision of the Party, which is responsible under these Rules for payment of the compensation.
5.5 Without limitation of the obligation of the Party with respect to a data subject under the Personal Data Protection Laws and for the purpose of avoiding any doubt in relation to any compensation, which is ordered by the Personal Data Protection Commission or another competent authority to be paid by a party (“Indemnifying Party”), the parties agree that the Indemnifying Party shall not be authorized to claim from the other Party any part of the compensation, paid by the Indemnifying Party in relation to such damage up to such extend, for which the Indemnifying Party bears liability for compensating the other Party in compliance with Art. 5.1 and 5.2. (as the case may be).
6. TERM AND TERMINATION
6.1 Thе Processor shall comply with these Rules for the term of the Agreements.
6.2 Following the termination of the Agreements or after completion of the respective service of processing or upon written request by the Controller, the Processor shall delete in a secure manner or shall return to the Controller (according to the instructions of the Controller) all personal data after completion of the services for processing or after fulfilment of the purposes for processing and it shall delete the existing copies unless the Personal Data Protection Laws require its safekeeping.
7. GENERAL PROVISIONS
7.1 The amendments and supplements to the Rules may be performed by the Controller in written form only, where the respective amendments shall be uploaded on the website of the Controller.
7.2 Bulgarian legislation shall apply to these Rules. For the avoidance of doubt, in the event of discrepancy between the provisions of these Rules and the provisions of the Personal Data Protection Laws, the legal provisions shall prevail.
7.3 All disputes resulting from or in relation to these Rules, including their validity, termination and interpretation shall be resolved by the Parties by mutual consent and if they fail to do so, the dispute shall be referred to the competent Bulgarian court.
7.4 In case of discrepancy between the Bulgarian and the English text of the current Rules, the Bulgarian version shall prevail.
Attachment No. 1 Information about data processing;
Attachment No. 2 Declaration – consent for direct marketing.