1. Data on personal data controller
Sanrock Ltd., a company registered with the Commercial Register at the Registry Agency, UIC 121230500, having its headquarters and registered office in the city of Sofia, 40 Buxton Brothers Blvd., Floor 3, is a data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “the Regulation”) and the Personal Data Protection Act (hereinafter “PDPA”).
The website www.sanrock.com is owned and operated by Sanrock Ltd. in full compliance with the provisions of the Regulation and PDPA.
Contact details of the controller
Tel: +359 2 9554349
This Policy aims to inform about the principles and the way in which Sanrock Ltd. as a controller processes personal data of users on the company’s website, email and contact numbers, the type of data it processes, as well as the rights of the persons whose personal data are processed. This Policy, inter alia, is adopted and published in compliance of the obligations of Sanrock Ltd. under Articles 13 and 14 of the Regulation.
In case you have any questions or need additional information in connection with your personal data, rights and confidentiality, please contact Sanrock Ltd. using the contact details referred to in Section 1 above.
3. Principles of processing. Legal basis
Personal data protection is a priority of Sanrock Ltd. Sanrock Ltd. does not sell personal data collected by the company to third parties, nor does it process or provide those data to third parties without a legal basis in accordance with the Regulation and the PDPA. Sanrock Ltd. processes and provides personal data to third parties only if there is a proper legal basis for that, including explicit and freely given consent under the Regulation and/or other grounds for processing provided for in the Regulation and PDPA.
Sanrock Ltd. may be required by any law, in court/arbitration/enforcement proceedings/ proceedings for interim measures and/or at the request of a competent authority to disclose personal data, and if necessary for the purposes of national security, law enforcement or other cases provided for in the legislation.
It is also possible that personal data may be disclosed if such disclosure is reasonably necessary to protect the legitimate interests of Sanrock Ltd. In addition, in case of transformation or sale of all or part of the commercial enterprise, it is possible that Sanrock Ltd. will transfer collected personal data to the respective newly formed/transformed company or successor company.
Sanrock Ltd. processes personal data in strict compliance with the principle of maintaining a minimum of processed personal data necessary for specific, reasonable and legitimate purposes (need-to-know principle).
4. Personal data
Personal data is any information relating to an identified or identifiable natural person on the basis of the relevant data.
5. Purposes of personal data processing
Sanrock Ltd. collects and processes personal data required to carry out its activities. Sanrock Ltd. processes personal data of users of the website, by email or through the contact telephone numbers, submitted inquiry, grievance, complaint or other notice by a user. Personal data is for are processed for the following purposes:
- Sanrock Ltd. to respond and take action on the submitted inquiry, grievance, complaint or other notice by a user;
- Sanrock Ltd. to maintain reporting on submitted inquiries, grievances, complaints or other notices by users, including for the purposes of control and supervision by public authorities and proceedings before them.
6. Categories of processed personal data
Sanrock Ltd. processes the following categories of personal data of the following persons - users of the website and the contact telephone numbers of the company:
- For individuals who have submitted an inquiry, grievance, complaint or other notice Sanrock Ltd. processes personal data that the user has voluntarily provided in a telephone conversation, email or other correspondence with the company (thus giving consent to their processing). The company requires from the user at least a name, telephone number and e-mail address for contact to perform a check and prepare a response to the user.
When users send an inquiry, grievance, complaint or other notice to Sanrock Ltd. through the contact form on the website, by email or phone, it is presumed that users have given their free, explicit and informed consent to the processing of personal data, voluntarily included by them in the respective inquiry, grievance, complaint or other notice.
Cookies are small information files that are sent by the web server and stored in the user’s Internet browser (e.g. data on language used, connection time, websites visited) or on a hard disk, and then returned from the Internet browser to the server each time when this server is accessed when visiting the relevant website.
Each user can set their internet browser so that it does not store cookies, and they can delete already stored cookies at any time. Any user wishing to take advantage of these features should make the appropriate settings of their browser and/or contact the manufacturer of the Internet browser for assistance.
Sanrock Ltd. is not responsible if the Internet browser used by the user does not have functions to control use, refuse to store or delete already stored cookies. In case that the user disables the storage of cookies or deletes already stored cookies, then it is possible to technically disrupt the normal functioning of the website used by the respective user.
8. Security measures
Sanrock Ltd. takes sufficient technical and organizational measures to protect the personal data it processes from theft, misuse, unauthorized access, unauthorized disclosure, unauthorized destruction or any other illegal processing or disposal of such data.
All representatives and employees of Sanrock Ltd., and all co-contractors of the company are obliged to observe confidentiality and strictly enforce the legislation in the field of personal data protection.
Where users send an inquiry, grievance, complaint or other notice to Sanrock Ltd. by e-mail or through contact telephone numbers, Sanrock Ltd. may provide the personal data of those users to:
- employees of the Commerce Department and the Administration Department;
- employees of the company holding managerial positions;
- external consultants of the company in order to protect its legitimate interests;
- public authorities in the exercise of their powers and for the purposes of the relevant proceedings before those authorities.
For the cases in which Sanrock Ltd. provides personal data to third parties, the company applies mechanisms, including contractual ones with which it ensures that these data are processed and protected in accordance with the applicable legislation.
9. Storage period
Sanrock Ltd. shall observe the principle of data storage only for the period for which their storage is necessary to fulfill the purpose for which they were collected, unless the law provides for storage for a longer period.
Sanrock Ltd. shall delete and erase personal data related to grievances, complaints and other notices about the company’s products immediately after the expiration of the legal time limits for inspections performed by an administrative body, for imposing sanctions for compliance with the legislation, including laws in the field of consumer protection and competition protection, and for bringing legal (in and out of court) claims by a user against the company.
Sanrock Ltd. shall delete and erase personal data related to inquiries made by users regarding the company’s products no later than 12 months after the completion of the correspondence with the user regarding the inquiry.
10. Rights in relation to personal data
In accordance with the Regulation and the PDPA, data subjects have the following rights at all times: (1) the right of access to their personal data processed by Sanrock Ltd.; (2) the right to demand rectification of inaccurate data, erasure (if there is a legal basis for that), restriction or blocking (if there is a legal basis for that) of processing of their personal data processed by Sanrock Ltd; (3) the right to data portability if there are conditions for that under the Regulation; (4) the right to object at any time to the processing of their personal data, as well as the right to withdraw their consent to processing, without prejudice to the lawfulness of the processing until its withdrawal, where there are legal grounds for doing so; (5) the right to lodge a complaint with the Commission for Personal Data Protection (CPDP), if they consider that their rights in connection with the protection of their personal data have been violated.
Sanrock Ltd may refuse to fulfill requests for exercising rights where there are grounds for that provided for in the Regulation and the PDPA, including where requests are unreasonably repeated, require excessive effort and/or expenses for the controller, where they are manifestly unfounded, and where they threaten or violate the confidentiality and rights of other users.
11. Entry into force and update
This Policy shall enter into force on 1 August 2021. Sanrock Ltd. may amend and update this Policy, and any amendment/update shall be published on the official website of the company, and Sanrock Ltd. may, at its own discretion, undertake other actions to notify users of the amended or updated Policy.