Privacy and Data Protection Policy

1. Data Controller

‘Data controller’ means the person that determines, either alone or jointly with another person, purposes for which personal data will be processed (collected, used and stored) on paper or in electronic form.

The Company acts as a controller of your personal data where there is a basis for their processing, for example in connection with the analysis of your personal finances and services provided by the Company, and; satisfying your requests, petitions, applications and complaints to the Company or s uch concerning its business activities; the performance of contracts with the Company to which you are a party or you are a representative of a party; meeting or protection against your claims against the Company; implementation of other legal/legitimate interests of the Company; providing information about the services offered by the Company, direct marketing, statistics, reporting and pre-contractual relations with the Company. In certain cases the Company may also process your personal data in its capacity as joint controller with other data controllers, which also lawfully process information concerning you, as well as in the capacity of a processor — where the Company is entrusted with such processing.

2.1.Personal data processed

In relation to our insurance brokerage and credit intermediation activities whereby the Company administers insurance relationships and mediates in respect of loans, we process only personal data relating to you that are required under the applicable Bulgarian legislation. In this connection, we would like to inform you that where an insured/ beneficiary is a minor child (an individual up to 14 years of age), we will require the submission of a document certifying the child's parents (such as a birth certificate), and presentation of an identification document of the parent/s. In certain cases we may process personal data of your spouse/partner that you have submitted to us for the purposes of the relevant legal relationship and provided that you have given consent to their processing. We process more personal data about you:

• when completing your financial analysis and insurance application - because we aim at providing you with a better, more accessible and efficient service that enables you to choose the best insurance and credit product;
• when entering into an insurance contract – because we have to fill in all data about you required by the insurer, in your capacity of a policyholder/or insured, which the insurer requires for the purposes of the insurance relationship;
• in the intermediation for conclusion of a loan contract – for the purposes of providing all data about you, your financial/employment status, that are required by the credit institution (bank) for the credit relationship;
• when handling your complaints/requests and resolving disputes with you – because it is important for us to individually approach to your requests and complaints and respond to your expectations and needs in the best possible way;
• when establishing contractual relationship with you or with a natural or legal person that you represent – because it is important for us to identify the person, who signing the contract or document addressed to us or prepared in connection with certain relations with us, and assuming for them or a third party certain rights and obligations, is indeed the person having representative authority;
• when establishing business contacts with you – when you have provided us with contact information regarding our current or potential future business ventures, or when your contact details have been provided to us by your employer in connection with the job duties performed by you.

In view of the above, depending on the purposes of processing, the Company may process (including collect and use) different types of personal data concerning you, such as:

• Names
• Academic title
• Address (permanent, current)
• Personal identification number or other identification number
• Place and date of birth
• Health data, data on a personal physician or specialized doctor
• Copy of an identity document
• Identity card details
• Telephone numbers
• E-mail addresses
• Bank account
• Data on place of employment/employer
• Data on descendants (children)
• Property/ financial status data
• Sports activity
• Traffic data
• Data about your location
• Data on IP addresses
• Video images.

The Company directly and immediately applies the principle of minimizing personal data being processed. The types of personal data processed are defined according to the specifics of the Company's activities and risks directly associated therewith, requiring the need for the Company to take measures to ensure legitimate rights and interests of its customers – users of financial (insurance and/or credit) services.

The Company shall not collect from you – as customers – and shall not use personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, or data concerning a natural person's sexual orientation, therefore you should not disclose such data in the course of communication with it.

2.2.Technical data processed from which you could be identified

When using our website  www.partnersgroup.bg (the ‘Website’), the Company shall not collect information about you, which in itself has the nature of ’personal data’.

However, it is important to know that when visiting the Website, the Company collects information about you that can be qualified as ‘personal data’ solely in processing in combination with other information about you collected in connection with the operation of the Website. Such information (data) is the one showing your interests and behavior as a user. Such other data are processed in connection with your behaviour as a user of the Website and/or the operation of the Website and the adequate provision via the Website of services requested by you (temporary data (cookies) and other technical data, saving on your device through which you access to the browser where the Website operates). Such other data shall in particular include the following information:

• information about your browser;
• information obtained from cookies, use of pixel tags and other technologies;
• demographic information and other information provided by you; and
• summary of the use of the website.

Such data are used by the Company to improve operation of the Website, improve the user’s view of the Website, facilitate administration of pages, and obtain information on consumer habits and targeted advertising.

We and our third-party service providers can obtain such other data in different ways, including:

• through your Internet browser: most websites collect certain types of information, such as your IP address (i.e. the address of your computer on the Internet), resolution of the screen, type and version of the operating system (Windows or Mac), type and version of the Internet browser, time of visiting the page (pages). We use this information for purposes such as calculating the level of attendance of our website, diagnosing problems with the server and website administration.
• Use of cookies: cookies are small text files that are stored on your computer or mobile device when you visit a website. They allow the site to memorize your actions and preferences (such as user name, language, font size, and other settings for the display) for a certain period of time, so that there is no need to enter them each time you visit the site or switch from one page to another. A cookie itself does not contain or collect any information, except when it is read from a server through a web browser; it can provide information with a view to achieving a more convenient service to the user through registration, along with the other data, of the preferences of the user, through the identification of errors and/or data collection for statistical purposes. These files will not harm your computer, but they allow us to recognize your computer and collect information such as your browser type, time spent on the website, pages visited, language preferences, and the relevant country of the webpage.

There is a description below of cookies that we use on our website for the Republic of Bulgaria, what their function is, and what data they collect and how we use them.

Some of the cookies collected by us are ‘session cookies’ - they are necessary for the implementation of important functions of the Website, such as memorization of a recurring form field within a browser session. They also help to limit the need to transfer information on the Internet. They are not stored on your computer and are deleted when you end the session of your browser. It is important to be aware that we cannot guarantee the proper use of the website without the use of cookies.

You may refuse to receive cookies through your browser settings. But if you do not accept the use of these cookies, you may experience some inconvenience with the use of the Website and some online services. For more information, see the Cookie Management Policy of the Website. You can also delete all cookies already stored on your computer, and you can also set most browsers to block them. However, if you do so, you may need to manually adjust some parameters each time you visit a website, and it is also possible that some services and features may not function.

We also collect personal data about you by filling in our contact forms through our website.

3. How does the Company collect and process your personal data?

As already mentioned, the purposes for which the Company processes your personal data are:

• Analysis of personal finances, provision of services by the Company and performance of the contracts concluded by it;
• meeting your requests, petitions, applications and complaints to the Company or such related to its activities;
• protection of the rights and interests of the Company in connection with the performance of contracts to which you are a party or a representative of a party;
• fulfillment of legal obligations;
• realization of legal/ legitimate interests of the Company related to its business activities, business processes;
• provision of information about services offered by the Company, direct marketing;
• statistics, accountability and pre-contractual relationships with the Company.

To achieve such purposes the Company collects data in a variety of ways and the most commonly processed personal data are personally provided by you. There are also other sources from which the Company may receive information, for example, from our partners; from your representatives; from your employer; from official registers (such as the property register, the trade register, the central register of special pledges, the central credit register, etc.); from databases of public authorities (the National Social Security Institute, the National Revenue Agency, etc.); from our video surveillance and/or Internet connectivity devices.

The Company processes your personal data through various processing operations (including, but not limited through collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) carried out manually and automatically. The type and the manner in which processing operations are carried out depend on the purposes of processing and on business processes related to such purposes. In the course of its processing activities, the Company is likely to use processors that it monitors to ensure compliance with the requirements for a high level of security and confidentiality of the personal data processed.

It is important to take into consideration that your consent to processing of personal data is not the only legal basis with which the Company justifies its data processing activities. Therefore, the Company will lawfully process information about you, even in the event that you do not expressly consent to such processing, or if you have given consent, you have exercised your right to withdraw your consent so given to processing.

In this connection, we would like to note that for the purposes set out above, when your consent is not a prerequisite for the processing of your personal data, the Company may request from you the provision of information, or to disclose/provide to a third party such information on grounds relating to the realization of its legal/legitimate interests (for example, with a view to preventing f inancial/insurance fraud, with a view to successful performance of our business activities and strategy, etc.). The security of your data is a priority for us and regardless of the need for the realization of legal/legitimate interests of the Company, in order to protect your data appropriate technical and organizational security measures will be implemented.

The specifics of the business activities of the Company require processing of personal data and, therefore, it is important to take into account the fact that if you do not want to provide us with some of the data requested by us, it is possible that the Company may not be able to offer/provide you the services in which you are interested, or assistance requested by you, or to draw up proposals tailored to your specific needs.

4. Who will have access to your personal data?

The Company ensures that your personal data will be processed only in accordance with the purposes stated. In connection with these purposes, your data may be provided/disclosed to third parties acting as data controllers as follows:

• State and other public authorities (such as municipalities, authorities of the Ministry of Interior of the Republic of Bulgaria and of third countries; other supervisory bodies);
• Courts, prosecution offices, notaries, private enforcement agents;
• Our contracting parties in relation to the insurance/credit relationship - insurers, banks, reinsurers, other credit/insurance intermediaries.

In connection with the said objectives, we may also provide the data to persons acting as data processors or as joint controllers, in respect of which the Company is acting as controller:

• other companies in our group;
• technical consultants, lawyers, accountants, and companies to whom we provide the performance of specific activities (such as IT support, etc.).

Except in the above cases, we may provide your data to third parties:

• in the event of a planned or actual reorganization of the Company such as merger, sale of an enterprise, and any other expropriation of part of our business or assets, including in the event of insolvency proceedings;
• in order to comply with a legal obligation, including, for example, proceedings initiated as a result of your report/complaint;
• in order to provide timely and accurate development of examination proceedings of an insured event, refinancing a loan, etc.

As mentioned above, the security of your data is a priority for us, and therefore the Company will not disclose/provide /transfer your data to third parties that do not have a legitimate right to know information about you.

5. Where will your personal data be processed?

Your data are mainly processed on the territory of the Republic of Bulgaria and within the European Union.

Regarding the location of processing of your data, it should be noted that the Company may also use cloud technologies to process your data. In this connection, we would like you to know that the practice of the Company requires the conclusion of a contract with providers of such technologies, which contains explicit instructions concerning measures for the protection of data and their confidentiality, which the providers are required to comply with. In the case that the processors engaged by the Company use similar technologies for the purposes of their activity, the Company shall impose requirements on processors and shall ensure that they also apply and require from the providers of cloud technology to apply high level of protection of data processed by those technologies. Notwithstanding of the above, it is important to take into account the fact that the providers of cloud services and technologies apply by default enhanced protection measures providing significantly high level of data protection.

6. What are your rights in respect of your personal data?

Practices and methods for protecting data and ensuring information security adopted by us set parameters of the established measures, which are aimed at:

• ensuring confidentiality of information by applying a system of approved restrictions on access and disclosure of information;
• ensuring integrity of information through protection against unauthorized alteration or deletion of information;
• ensuring accessibility of information through reliable and timely access to information;
• achieving accountability of information - by implementing control over access and rights to information systems.

In you capacity of data subject, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (‘General Data Protection Regulation’), you have the following rights:

• right of access to your data – upon request, we will provide you with information about your data that are being processed;
• right to rectification of your data – if you consider that some of your data processed by us are no longer valid or accurate for any other reason, you have the right to request rectification of such data that are being processed;
• right to erasure of your data (‘right to be forgotten’) – you have the right to request the erasure/deletion of data concerning you processed by us and we will meet your request only provided that there are no longer legal grounds for us to process your data. Accordingly, we may also partially satisfy your request for erasure/deletion;
• right to restriction of processing – you have the opportunity to exercise this right only when you have contested the accuracy of the processing of your data, and the restriction of the processing can be only for the period in which we verify the accuracy of your data; when the processing is unlawful, but you oppose the erasure of the data; when we no longer need your data for the purposes of the processing, but you as a data subject require them for the establishment, exercise or defense of your legal claims; when you have objected to the processing and pending the verification whether the legitimate interests of the controller override your interests as a data subject;
• right to data portability– you can request from us to transfer to you or another controller all or part of your data that are being processed and that you have personally provided to us, in a machine-readable format, where the processing of such data is based on your consent or on performance of a contract, and where the processing is carried out by automated means;
• right to object to automated processing of your data, to processing by profiling and processing for direct marketing purposes – we provide you the opportunity to exercise this right at any time and completely for free;
• right to information on security breaches – you have the right to be promptly informed of any breach of the security of your data, and we will fulfill our obligation in this regard by posting information on the Website on any such breach, and we may send you information via email if you have provided such to us, and if it is valid;
• right to object to processing for direct marketing purposes – you have the right to change, at any time and for free, your marketing preferences and withdraw your consent to processing of your personal data for direct marketing purposes, or to object to such processing;
• right to withdraw your consent to processing of personal data – you have to withdraw, at any time and for free, your consent to the processing of personal data. We would like you to know that your consent is not the only basis for the processing of your personal data, therefore, it is possible to continue to process your personal data also after the withdrawal of your consent.

You may exercise the rights above by changing the settings of your browser or mobile application where technically feasible, or by contacting us through the means described below, by completing Application Form for Exercising Rights under the General Data Protection Regulation, which you can find on our Website (www.partnersgroup.bg) or receive at our office, and by submitting it to the Company on paper form or by post, or sending it to the e-mail of the Company.

In view of the fact that the Company makes contact (establishes relationships) with different categories of persons and on various occasions (including on the occasion of your factual and indirect participation in certain events), then the proper handling of the Application Form for Exercising Rights submitted by you is directly linked to the proper identification on your part of the circumstances in which the Company had to process your personal data.

In the exercise of your rights as a data subject, the Company must request and process certain personal data relating to you for the purpose of identifying and verifying your identity. As a data controller the Company is obliged both to provide a way for the exercise of your rights and ensure that such rights will be exercised only by subjects who are actually holders of the respective right governed by the General Data Protection Regulation.

Your Application Form for Exercising Rights will be examined in due course, in general for not more than 30 (thirty) calendar days, unless your request is specific and is associated with an in-depth examination of information. Our team will do our best to inform you by sending information via email in the event of a delay in handling your application. In view of the fact that the Company highly appreciates the need of data protection, the same has approved and applies a procedure for handling requests for exercising rights under the General Data Protection Regulation, which also set outs deadlines of processing and provision of response upon submission of Application Form for Exercising Rights by a data subject.

In addition to the above, it is important to be informed that in certain rare cases (such as the death of a data subject) you may also exercise the rights of another data subject. In such case, in addition to the application (Application Form for Exercising Rights under the General Data Protection Regulation) you should also present documents evidencing your relationship (kinship) with the data subject whose rights you wish to exercise.

7.How can you object to the processing of your personal data?

You have the right to object to the processing of your personal data by the Company or terminate the processing (including for direct marketing purposes). After notifying us about your desire, we will stop processing of your personal data, unless it is permitted or justified in view of the existence of another legal basis for the processing. If we have disclosed your personal data to third parties during the processing, we will immediately notify those individuals of your objection.

8.How long does the Company store your personal data?

The period of processing of your data is also consistent with the purposes of processing and regulatory requirements for storing accounting and tax information. Determining the specific period for storing your personal data is governed by the type of relationship we have established with you and for which we process personal data. Thus, for example, in relation to our activities only related to presentation (introduction) of a credit/insurance product or provision of a reference proposal for credit/insurance, we do not usually collect and do not record your personal data (probably our staff is likely to get acquainted with your personal data after presenting them certain identification documents). Therefore, we will not store personal information about you in these cases. However, if you have requested a customized credit/insurance proposal (without entering into an insurance contract), we will collect and store your personal information in accordance with our financial analysis and will delete them after the expiry of one year from the date of receipt of the data.

The Company has approved and shall implement a schedule for the storage of all types of data we process and shall monitor its compliance. The Company will store your personal data for no longer than is necessary and will store them only in connection with the purposes for which they were collected.

9. HOW CAN YOU CONTACT US?

PARTNERS GROUP BG LTD
City of Sofia 1000,
Sofia Municipality –Triaditsa District,
2, Ivan Denkoglu Str., fl.1, office 1
Telephone.: +358 (2) 907 2190

You can contact us by e-mail at info@pgbg.bg or through the Inquiry Form published on http://www.partnersgroup.bg/kontakti

In connection with the collection and processing of your personal data, you can also contact the Commission for Personal Data Protection at: city of Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.; www.cpdp.bg.

When is this policy UPDATED?

We periodically review this Policy. The current version can be found on our site: http://www.partnersgroup.bg, and we will notify you of any significant changes that might concern you by posting information on such changes. The last update of this Policy was on 23 May 2018.