Who we are
MEXON OOD (Ltd), Company ID Code 115168282 (hereinafter “MEXON”, “We”, the “Company”) is a personal data administrator as defined in Regulation (ЕU) 2016/679 (GDPR, the “Regulation”) and the applicable law. We are striving to comply with the highest applicable standards and established good practices for the processing of personal data. The competent general supervisory authority responsible for the protection of personal data processed by MEXON is the Personal Data Protection Committee in the Republic of Bulgaria.
This Policy will let you know what kind of information we shall be collecting about you as our customer, partner or counteragent, for what purposes such information will be used, the reasons for its collection and processing, the conditions of data storage in verbal written and electronic form, as well as what security measures the Company applies with regard to your personal data.
How to contact us?
If you have any questions regarding this Policy or in case you want to exercise any of your rights specified in Your Rights Section further below or if you have any doubts that your personal data may be processed in violation to the Regulation or to your personal preferences/consents, please, do not hesitate to get in touch with us at any of the contacts:
266 Vasil Levski St.
Plovdiv, postal code 4003
Telephone: + 359 32 502 008
Principles relating to the processing of personal data?
While processing your personal data, the Company shall strictly adhere to the following principles:
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Personal data shall be accurate and, where necessary, kept up to date;
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Personal data shall be processed in a manner that ensures appropriate security of the personal data.
Definition of personal data and related terms?
“Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Special categories of personal data” mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited;
“Data subject” means an identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The relations between the controller and the processor shall be arranged in a contract or other legal act of the controller specifying the type and amount of obligations assigned by the controller to the processor;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“Applicable law” means the European Union legislation and the Bulgarian laws that are relevant to the personal data protection (the Personal Data Protection Act, etc.);
“Regulation (ЕU) 2016/679” means Regulation (ЕU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as published in the Official Journal of the European Union on 4 May 2016.
How do we collect and obtain information about you?
MEXON shall mainly process personal data that you provide to us at your own good will, as for instance in the course of performing a contract or an order, or in connection to our manufacturing activities, or to your registration for participation in games/lotteries/campaigns that we organize from time to time, or to visits and registration in our websites, sending requests/enquiries, etc.
We can also obtain information about your personal data from our current or prospective business partners, suppliers and counteragents in the supply chain or from the public registers and from other persons as well in relation to games/lotteries/campaigns that we organize from time to time.
What sort of information we are going to obtain about you?
Representatives, contact persons and employees of MEXON’s customers, partners and counteragents.
Normally we would obtain your personal data from your employer or from you personally when we need to prepare, sign or perform a contract or establish business relations with it. For instance, you may have been nominated as a legal representative or contact person in a contract or some business communication related to the conclusion, performance or termination of a contract (including the acceptance of basic raw materials or the delivery of finished products), or to the proposing of a quotation, resolving possible business disputes and similar. We shall process such data as we are required to do so in accordance with our contractual and legal obligations, and also on the basis of your own freely obtained consent which you have given at the time of contacting us.
The type of information that we shall collect about you from your visits of our websites shall normally depend on the purpose of your visit and the function you have been using. Most of the functions do not require registration and allow you to visit our websites, without us being able to identify you. Nevertheless, some functions do require you to provide your personal data, for instance, our contact form. In such cases, the requested information shall include but shall not be limited to: name, postal code, e-mail, telephone number or mail address.
We shall collect such information on the basis of the consent you have given us with the purpose to reply to your enquiry regarding the products that we offer for sale. Depending on the data you have provided to us, it may be processed with the purpose to establish and exercise rights with respect to a potential or existing dispute resulting from possible product or service claims or complaints.
Participants in the games/lotteries/campaigns organized in our websites, Facebook and Instagram profiles.
If you wish to participate in the games we, MEXON, organize (including to comment on a post in our official page), you should freely provide to us your personal data such as name, e-mail, telephone number, delivery address to receive the prize you may win or your Facebook and Instagram profile to identify you for the purpose of participating in the game you are in. We shall process your data on the basis of the your freely given consent to participate in the game in accordance with the terms and conditions for participation in the game, as well as our interest to establish and exercise our rights with respect to a potential or existing dispute with you.
The purposes for which we shall use your personal data, are as follows:
- to register you as participant in our games and to send you a code which shall be generated especially for your participation in the game/lottery/campaign (whatever is applicable);
- to have the opportunity to contact you and inform you in case you win a prize;
- to announce the winners and guarantee the transparency and equality of all participants by publishing/posting your name and participation code in the game/lottery/campaign (whatever is applicable) in our websites and/or official pages in the social networks Facebook and Instagram;
- to send you the prize you have won.
You can find more information about the games we organize in our Confidentiality Policy, which can be viewed before you register in our website or in any of our pages in the social networks.
Visitors to MEXON premises
When you pay a visit to our offices, manufacturing facilities and amenities, your visit will be registered by technical means, which have been installed in order to ensure the security, the protection of Company assets and the physical privacy of its employees, the protection of employees and visitors, and to control the access of our employees and visitors to MEXON premises.
Employees of MEXON
Being our current and former employees, we shall process your personal data, including the special categories of personal data relating to employment or service agreements, or the data of job applicants. We shall process such data with the purpose to fulfill our legal obligations as specified in the employment and social law and the obligations we have taken with regard to you by signing the relevant employment or service agreement.
How will your personal data be stored?
MEXON shall store your personal data on both electronic medium (server systems) and on paper as well. The Company shall store different types of personal data contained in different documents for a strictly determined period of time. The periods for data storage must always be determined so as to ensure correspondence to the purpose of processing the relevant personal data.
As a matter of example, accounting and supporting documentation of material nature (such as an annex, for instance), and documents which concern and contain information about accounts, shall be stored for maximum 10 years starting from 1 January of the year following the year of respective contract termination. The periods for data storage have been described in the internal Policy for storage and destruction of Company documentation.
Your contact data shall only be used to send you information and shall be stored until you withdraw your consent to receive e-mail messages from us.
Video records shall be stored for 14 (fourteen) days.
To whom are we allowed to provide your personal data?
MEXON shall respect and keep the confidentiality of your personal data. Acting in compliance with legal requirements the Company may disclose your personal data to any of the following persons:
- In the course of contract performance, we shall provide your personal data to third parties, which are our customers, carriers, contractors, couriers and partners in our supply chain, provided that the sharing of your personal data is subject to the application of all measures that are necessary to ensure their protection;
- Service providers: When we employ service providers to ensure the technical support of our internal information systems and the operative support for our business, and software firms to be responsible for the support of our websites or of individual functions, official Facebook and Instagram page of MEXON. Such disclosure of data shall take place only if there is a good reason to do so and only based on written agreement with the recipients requiring them to ensure adequate security level as appropriate;
- State and municipal authorities: To fulfill its legal obligations, the Company may be required to disclose your personal data subject to the explicit instructions given by any State or municipal authority (such as the National Revenue Agency, the National Social Security Institute, the Customs, the Ministry of Transport, Information Technologies and Communications, the Executive Agency of Marine Administration, etc.);
Special categories of data
MEXON shall not process sensitive personal data of its employees/representatives of customers, partners and counteragents, or visitors of its websites and pages in the social networks.
Data about children
We administer our websites in accordance with applicable law. Children aged 18 years or younger must always obtain the consent of their legal representative before they provide any personal data through our websites. In case during the collection of data it becomes evident that a certain user is younger than 18 years of age and has failed to provide the consent of his/her legal representative prior to the provision of any personal data, we shall no longer use or support his/her personal data unless he/she obtains the consent of his/her legal representative. Unless the child was given such a consent, the child will not be allowed to participate in the certain activities.
Profiling and automated processing of personal data
MEXON OOD will not use your data to prepare personal or user profiles for marketing purposes. We do not use automated processing of your personal data.
Personal data recipients residing outside the Republic of Bulgaria
In general the Company would not disclose any personal data to persons who reside outside the European Union or the European Economic Area.
When providing personal data to persons residing in a Member State of the European Union, such personal data will be protected by such a level of security as specified in the Regulation (ЕU) 2016/679, and in the relevant legal acts of the European Union.
When providing personal data to persons residing in countries outside the European Economic Area, it should be taken into account that the European Commission has recognized some of those countries as providing adequate level of security. This information can be checked at the official page of the European Commission and on the website of the Personal Data Protection Committee in the Republic of Bulgaria.
What are your rights?
In accordance with applicable law, you may exercise the following rights with regard to your personal data processed by MEXON:
- Right of access and right to obtain a copy of your personal data
You shall have the right to obtain confirmation as to whether or not your personal data are being processed, and, where that is the case, demand access to the personal data and to certain information about the manner of its processing and also to request a copy of the personal data undergoing processing. For this purpose you will be required to file an application form for access.
- Right to rectification of your personal data
You shall have the right to obtain the rectification of any inaccurate or incomplete personal data of yours.
- Right to erasure (“right to be forgotten”)
You shall have the right to obtain the erasure of your personal data when they are no longer necessary in relation to the purposes for which they were collected or otherwise processed, as well in the other cases provided for in the Regulation, for instance, if you want to withdraw your consent or if your personal data have been unlawfully processed.
- Right to restriction of processing
You shall have the right to obtain restriction of your personal data processing if you contest the accuracy of your personal data for a period enabling us to verify its accuracy as well in the other cases provided for in the Regulation.
- Right to data portability
You shall have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where the processing of such data:
- is based on consent or on a contract with us; and
- is carried out by automated means.
In exercising your right to data portability, you shall have the right to have the personal data transmitted directly from the Company to another controller, where technically feasible.
- Right to object
You shall have the right to object, on grounds relating to your particular situation at any time to the processing of your personal data, which is based on the Company’s legitimate interests.
- Right to withdraw your consent
You shall have the right to withdraw any previously given consent for processing of your personal data at any time.
In case you wish to exercise any of your rights as specified above or if you have further questions regarding the processing of your personal data, please, do not hesitate to contact us at any of the contact information shown in paragraph 2 above. We shall proceed to review your request/complaint within 30 days as of its receipt and we shall come back to you with information on the action taken. That period may be extended by two months where necessary, taking into account the complexity and number of the requests, and we shall inform you of any such extension, together with the reasons for the delay.
The exercise of your rights is free of charge except for certain specified cases.
You can find detailed information on the order and procedure to exercise your rights in the Rules for exercise of rights by the personal data subjects, which are posted in our website www.mexon.bg.
If you believe that your personal data have not been processed lawfully, please, contact the Personal Data Protection Committee to submit a claim by calling 02/91-53-518 or writing to e-mail: firstname.lastname@example.org.
Security of personal data
MEXON shall take and maintain adequate administrative, technical and organizational measures to ensure the security and privacy of your personal data and to protect it from incidental or illegal destruction, loss, unauthorized correction, disclosure or access, abuse and any other illegal processing. The Company shall maintain secure computer systems used for processing personal data. Our computer systems operate under adequate controlling mechanisms for data separation and management, and restricted access and security guards has been insured for the premises, which is subject to regular inspections.
For the fulfillment of its obligations to protect personal data, MEXON duly takes into account the achievement of engineering progress by applying tested methods for security systems and potential risks management.
The Company has implemented and applies security procedures as well as technical and physical restrictions of the access and use of personal data.
MEXON shall train on a regular basis its employees on the policies and procedures for protection of personal data to help them keep the information confidential and restrict the access to personal data only to those employees of ours who need to have access to it in order to perform their duties.
We implement strict policies and procedures with regard to our staff in order to minimize the risks of personal data processing.
Breach in the security of personal data
The Company has adopted and applies procedures for efficient identification, reporting and investigating breaches in the security of personal data. In case the security of personal data has been breached the Company shall take immediate actions to restrict the effects of such breach and to inform the concerned data subjects and the supervisory authority.
MEXON shall promptly update this Policy from time to time, by amending and revising it anytime when any legal requirement or other relevant circumstances require it to do so.
This policy shall take effect on 23.05.2018.