PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. Introduction

On 28.05.2018 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”) entered into force.

The present Personal Data Processing and Protection Policy (hereinafter referred to as the “Policy”) is intended to inform users about what kind of personal data is processed by “DORADO 1” EOOD (hereinafter referred to as the “Personal Data Controller” or only the “Controller”)  in connection with visiting and using www.mallofsofia.bg website, including participation in our promotional campaigns, games, events, receiving our newsletter, and other similar actions. The Policy also concerns the activities related to processing of personal data, which is performed by the Controller when data subjects use the social media pages maintained and managed by the Controller in connection with the activities of Mall of Sofia shopping center, the access and use of external links to the Internet websites of our partners, as well as the relations connected with marketing, management and video surveillance at Mall of Sofia.

In this Policy you can become acquainted with your rights as data subject in relation to the personal data, which is collected, processed and stored by us as Controller within the meaning of Art. 4, item 7 of the GDPR. As Controller, we process your personal data for the purposes, within the terms and in the manner described below, in compliance with the principles and rules set forth in the GDPR and the Bulgarian legislation in force - the Personal Data Protection Act (PDPA).

For the purposes of this Policy, the term “processing” of personal data shall be interpreted in the sense set out in Art. 4, item 2 of the GDPR, namely: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

If you have any questions related to your rights and legitimate interests in relation to the processing of personal data, including issues related to this Policy, you can contact us in any of the following ways:

• by sending an e-mail to: dataprotection@mallofsofia.bg;
• Postal address: 101 Alexander Stamboliyski Blvd, Sofia;

1. Who we are

“DORADO 1” EOOD is a company incorporated in the Republic of Bulgaria, registered in the Commercial Registry under UIC 201476584, with seat and registered address: Sofia 1756, Izgrev district, 5 “Lachezar Stanchev” Str., Sopharma Business Towers complex, building B, floor 7.

“DORADO 1” EOOD is owner of  a shopping center, operating under the trademark “Mall of Sofia”. In our shopping center there are more than 130 business premises, including shops of leading international and Bulgarian brands for women's, men's and children's fashion, shoes, accessories and jewelry, home goods, coffee shops, restaurants, fast food and supermarket Billa, 12 cinema halls of Cinema City and the largest IMAX screen in Bulgaria.

In June 2018 the company “DORADO 1” EOOD became part of the family of GTC Group - one of the leading investors in Central, Eastern and Southeastern Europe. Since its establishment in 1994, the group has been building and managing modern first class office buildings and shopping centers throughout the CEE region. GTC Group has been on the Bulgarian market for more than 10 years.

“DORADO 1” EOOD is the Controller of your personal data and the owner of this website: www.mallofsofia.bg.

The personal data protection officer of the Controller is Ms Nelly Naseva.

E-mail address: dataprotection@mallofsofia.bg

III. Types of personal data and categories of subjects, whose personal data is processed by us

We process personal data of the following groups of individuals:

• Website visitors;
• Users, who use our contact form provided on the website;
• Recipients of the newsletter of shopping center Mall of Sofia;
• Users of the online smartphone application of shopping center Mall of Sofia;
• Users of social networks where shopping center Mall of Sofia maintains the relevant pages and/ or is registered, namely: Youtube, Facebook and Pinterest;
• The individuals who participate in games, events, promotions, competitions, campaigns and other marketing activities of shopping center Mall of Sofia, organized by “DORADO 1” EOOD and/or its partners;
• Visitors of shopping center Mall of Sofia;
• Others.

Whenever the collection, process or storage of personal data of persons below the age of 16 years is necessary,  „Dorado 1” EOOD shall collect, process or store personal data of such persons only when an explicit consent from their parent/adoptive parent/legal guardian or other person holder of parental responsibilities is received by the Controller.

1. Website visitors

As a visitor on www.mallofsofia.bg, you have the opportunity to browse all its sections and menus, to search for information on it, without having to enter any of your personal data or register on the website. The lack of registration on our website does not limit in any way your online activity, site navigation, and access to its content.

Keep in mind that the site www.mallofsofia.bg uses the so-called “cookies” in order to offer you better, optimized and up-to-date services, product information, and commercial terms, as well as to provide personalized content to our website users. Through the “cookies”, including other similar technologies, the Controller can obtain specific user information such as: the pages you view; the things you download; the links you follow; the duration of the site visit; your IP address; the domain from which you enter our website, etc. This information helps us learn more about how you use the technologies related to us and to provide you with adequate services and information. For more information about the “cookies”, which we use, please read the Cookies Use Policy published on our website.

2. Users, who use our contact form provided on the website

In the “Contacts” section you also have the option to send a message to us by entering a name and email address. Entering the specified personal data is not a registration on our website. In this way, you will not be created a profile on which your personal data will be stored or through which you will be subsequently identified.

For each message which you want to address to us through the form on the site, you must re-enter the name and email address in the empty boxes. Your name and email address can be saved on the site if you have allowed the use of the relevant cookies. For more information about the “cookies used by us, please read the Cookies Use Policy published on our website.

• The purpose for processing of your name and email address is to administer, process and respond to your message;
• The term for which we process and store your personal data is determined by the content of your message, with the minimum time limit for administering and responding to your message. If your message implies any obligations for us to perform certain actions or activities (for example, to perform an alert check, etc.), the processing of your personal data will be extended until finishing the relevant activities/actions or any other legally prescribed period, in connection with our legitimate obligations, rights and interests.
• The legal ground on the basis of which we process your personal data, is: your consent, given under Art. 6, para 1, letter “a” of the GDPR; for the purposes of the legitimate interests pursued by the Controller or by a third party - Art. 6. Para. 1, letter “f” under GDPR.

3. Recipients of the newsletter of Mall of Sofia

On our website you can find a subscription button for our newsletter - you should enter a name, surname and e-mail address. Entering the specified personal data is not a registration on our website. Entering the data aims to include you for the service provided by us under for sending the newsletter of Mall of Sofia to the e-mail address provided by you.

• The purpose for processing of your names and e-mail address is to be included in the Mall of Sofia newsletter system.
• The term for processing of the data is until you decide to unsubscribe by unsubscribing through the link provided to you in the e-mail together with the newsletter. Once you are unsubscribed, your personal data will be destroyed by the Controller within term of 14 days.
• The legal ground on the basis of which we process your personal data in connection with sending the newsletter of Mall of Sofia is your consent, given under Art. 6, para 1, letter “a” of the GDPR.

4. Users of the smartphone application of Mall of Sofia

On our page, you can find a button for downloading the application of Mall of Sofia - for mobile phones and other similar portable devices (tablets, laptops, etc.), which work under the respective operating systems “iOS” for “Apple” and “Android” for “Google”.

By using the application you can keep track of the services offered by Mall of Sofia shopping center, such as the cinema program; a useful map of the shopping center sites; information about events, games, promotions and other similar commercial campaigns.

You can also use our mobile application to take advantage of the promotional services of Mall of Sofia for dry cleaning, taxi services and car cleaning /car wash/. Through the application you can scan vouchers to find out in which commercial sites of Mall of Sofia you can shop with them, store your free taxi service coupons, and receive other useful user information directly from your smartphone or tablet in real time.

Keep in mind that in order to use the application, you should grant access /explicit consent/ to your personal information stored on your device, such as access to your camera, in order to scan vouchers, access to your location, etc.

• The purpose for processing of the data is to receive the services offered by the application.
• The term for processing of the data is until you decide to terminate using the application. Personal data about you which is collected and processed in this connection until this moment will be destroyed within reasonable term.
• The legal ground on the basis of which we process your personal data is your consent, given on the basis of Art. 6, para 1, letter “a” of the GDPR.

5. Users of social networks of Mall of Sofia in Facebook, Youtube and Pinterest

FACEBOOK

Mall of Sofia has a Facebook page. In this way we are closer to our customers. Our page allows us to communicate with our customers quickly and interactively, to promote events, games and other similar activities organized at Mall of Sofia shopping center by our partners and us. On our page you have the opportunity to rate our shopping center, to share your opinion on the level of service of the shopping center, to communicate with our representative through Facebook, and to keep you up to date with the latest services and products, which we offer.

We monitor the activity of our visitors on our Facebook page, such as the likes of our posts, the number of shares of our posts, etc. When you like our Facebook page, you give us access to some of the personal data you have entered in your Facebook account.

• The purpose for processing of your data is to administer our Facebook page, to analyze the information from our visitors' activity on it, and for marketing purposes.
• The term for processing of the data is until you terminate following, liking and sharing publications on our page or until you delete your Facebook account.
• The legal ground on the basis of which we process your personal data, is your consent, given under Art. 6, para 1, letter “a” of the GDPR.

On our website there is a dedicated button for direct access to the Facebook page of Mall of Sofia in order to facilitate our users who want to access the  content of the page and to make it easier for you to directly share your opinion about us and our partners.

YOUTUBE

Mall of Sofia has a YouTube channel which aims to advertise the activity of the shopping center and its partners - products, services, events, promotions, etc. You can like our videos, subscribe to our channel, or choose whether to get notifications about our YouTube activity.

We monitor the activity of our visitors on our YouTube channel, such as the number of likes, shares, views, and comments on our videos.

By subscribing to our YouTube channel, you give us access to the data you have entered into your YouTube account.

• The purpose for processing of your data is to administer our YouTube channel, to analyze the activity of our visitors, and for marketing purposes.
• The term for processing of the data is until you cancel your subscription to our channel or delete your YouTube account.
• The legal ground on the basis of which we process your personal data, is your consent, given under Art. 6, para 1, letter “a” of the GDPR.

On our website there is a dedicated button for direct access to our YouTube channel in order to facilitate the visitors of the site who want to access its online content.

PINTEREST

Mall of Sofia has a profile on the social network PINTEREST for sharing photos and information, which purpose is to advertise the activity of the shopping center and its partners - products, services, events, promotions, etc.

We monitor the activity of our visitors to our PINTEREST account in order to improve the quality of our services.

By subscribing to our PINTEREST account, you give us access to the data you have entered in your account on this social network.

• The purpose for processing of your data is to administer our PINTEREST account, to analyze the information from the activity of our visitors, and for marketing purposes.
• The term for processing of the data is until you cancel your subscription to our account or delete your PINTEREST account.
• The legal ground on the basis of which we process your personal data, is your consent, given under Art. 6, para 1, letter “a” of the GDPR.

There is a dedicated button on our website for direct access to our PINTEREST account to facilitate the visitors of the site.

6. The individuals who participate in games, events, promotions, competitions, campaigns and other marketing activities of Mall of Sofia, organized by “DORADO 1” EOOD and/or its partners

We organize events, games, competitions, promotions, campaigns and other activities (hereinafter collectively referred to as the “Activities”), in which you can participate. If you wish to be part of our Activities - at the Mall of Sofia shopping center or any of our social networks, your personal data may be collected and processed by the Controller, and details about it will be given in the terms and conditions of the Activity itself. By participating in the Activity in the provided way, you agree that your personal data will be processed for the purposes of the relevant marketing activities.

For the purposes of the relevant Activity, as Controller we can process the following personal data for limited time and for the relevant marketing purposes: names, e-mail address, phone, photos, videos, data from social networks to which we have access, etc. depending on the conditions of the respective Activity.

• The purpose for processing of your personal data is to conduct the relevant activity, to get in touch with the participants and the winners, in order to fulfill our obligations deriving from the respective Activity - for example, giving awards, announcing results, etc. Also, the purpose for processing of your personal data is to fulfill the tax and accounting obligations of the Controller under current Bulgarian legislation.
• The legal ground on the basis of which we process your personal data is your consent under Art. 6, para 1, letter “a” of the GDPR; a contractual obligation in connection with the giving awards, if such are provided in the respective activity - according to Art. 6, para 1, letter “b” of the GDPR; the processing is necessary to comply with a legal obligation as Controller - Art. 6, para 1, letter “c” of the GDPR, as well as on the basis of the legitimate interest of the Controller - Art. 6, para 1, letter “e” of the GDPR.
• The term for processing and storing of your data is different, depending on the respective personal data, the purposes and the respective Activities, as follows:

- for carrying out the respective Activity - up to 14 days after ending the respective Activity for the data of the participants.

- in respect of the personal data contained in the documents related to fulfillment of our obligations arising from contractual relations between us and the winners - 5 years after fulfillment of all obligations of the parties under the contractual obligation;

-  Within the terms specified in art. 12, par. 1 of the Accountancy act for storage of accounting information as follows:

- 10 years - agreements, accounting registers and financial statements, including documents tax control, audit and follow-up financial inspections;

- 3 years - all other carriers of accounting information

- for marketing purposes (e.g. marketing survey; statistical analysis etc.) the storage period is 1 year after fulfillment of all obligations of the parties under the contractual obligation within which personal data has been collected from users;

7. Visitors of Mall of Sofia shopping center

The Controller also processes the personal data of visitors of Mall of Sofia, including at the parking area, through video surveillance of the sites. In this way we collect video images of the visitors in the shopping center and the parking, as well as video images of the cars and other vehicles in the parking, including registration plates of all vehicles.

• The purpose for processing of the aforementioned data is to ensure a consistent high level of protection and security for the visitors of the shopping center and the property of the tenants in the premises; in relation to the legitimate interests of the controller; for protection and assistance in bringing legal claims; for avoiding and thwart criminal and other acts prohibited by law; to respect public order within the business premises operating in the Mall of Sofia and to organize the movement of vehicles in the parking area of the shopping center.
• The term for processing of the personal data of visitors, which is processed on the basis of video monitoring may be divided into two categories:

- the term for processing of personal data obtained through video monitoring in the public areas of Mall of Sofia shopping center is 2 months. After expiration of the term, the video files are destroyed by the Controller without undue delay.

- processing of personal data obtained through video monitoring in case of violation of public order, a crime or any other action which is prohibited by law or there is a recorded incident in the shopping center, it shall be kept for a period of 5 years as of occurrence of the relevant antisocial act /incident/ or until completion of the actions and procedures taken by the enforcement authorities for investigation and identification of the offenders, as well as until completion of any court proceedings.

• The legal ground on the basis of which we process your personal data collected through video monitoring of the shopping center and its parking area is Art. 6, para 1, letter “e” of the GDPR, according to which processing is lawful when it is necessary for the legitimate interests of the controller or a third party.

Keep in mind that “DORADO 1” EOOD has a legal obligation to assist the judicial authorities by handing over such video files upon request if there are any actions which are prohibited by the law, legal claims and others in connection with the rights and legitimate interests of the visitors of the shopping center and the parking area, the people working in the shopping center, etc.

You have the right to object to the processing of your personal data through video monitoring for the term and purpose stated above.

In the shopping center and the parking area, you will see dedicated signs indicating that the sites are under video monitoring.

8. Other

The present page contains links to other webpages, which are owned by other controllers.

• In the “Cinema” section you can follow the link www.cinemacity.bg - managed and owned by “Cinema City Bulgaria” EOOD.
• In the “Stores” section you can follow the links to the pages of the respective store owned by the owner of the relevant site.

“DORADO 1” EOOD is not responsible for collection and processing of your personal data by other controllers, nor for the personal data, which is provided by you to those controllers, the content of their pages and their advertisements.

1. Rights of our clients

All visitors and users of the site and Mall of Sofia shopping center have the rights listed below according to the current European and Bulgarian legislation.

We strive to always process your personal data in a lawful manner, acting in good faith and in a transparent manner, to collect it for specific, explicit and legitimate purposes, to minimize the collection, processing and storage of your data to the necessary minimum. We always stand to ensure that your personal data is processed in a way which guarantees an appropriate and adequate level of security.

As controller of your personal data, we at “DORADO 1” EOOD are ready to answer your questions about processing and storing your data in order to always keep you aware of what data we collect, process and store; for what purpose and for what period we do so, who else can access them, what are your rights and our obligations.

Rights	Essence of the right	Actions which shall or may be undertaken by the Controller
1. Right of consent	The data subject (visitor or user of the site, the applications of Mall of Sofia, and the shopping center) shall give consent for processing their data. The consent shall be given freely, explicitly, in an informed and unambiguous way.	The consent is given by implicit action or by signing an explicit declaration, given by the Collector. Consents of this kind will be stored by us in files protected and archived in a safe and appropriate way.
2. Right of access to data	You have the right to request access to the personal data which is collected and processed about you. You may request provision of a copy of the personal data collected about you multiple times.	The Data Protection Officer shall collect the relevant personal data and respond to you in writing within two weeks (in a confidential manner) after identifying the person who has requested access to it. We will give access to personal data ONLY to the person whose personal data is being processed. If you wish your personal data to be provided to another person, we should be provided with an explicit power of attorney. In case of complicated circumstances or multiple requests, the two-week term may be extended up to 20 days; in such case you will be notified of the extension of the term. We have the right to charge an administrative fee of reasonable amount upon receipt of more than one request for a copy of your data.
3. Right of rectification	You have the right to ask us to update or rectify your personal data.	When we receive such request, it will be accepted and the relevant actions for update or rectification will be taken within reasonable time. You will be notified in writing about the actions we have taken.
4. Right to object	You have the right to object to the processing of your personal data by submitting an objection to us. You can always object to the processing of personal data in connection with direct marketing.	We have the right to accept or reject the objection while we will always give reasons in our response to you in case of rejection in order that you are aware why we have not accepted your request. If you object to the processing of your personal data in connection with direct marketing, we will always accept your objection. We hereby inform you that we are not conducting profiling.
5. Right of erasure or "the right to be forgotten"	You may request from us to erase the personal data which we process about you. Please note that this right is not absolute and should be considered in relation to its function to balance other fundamental rights and obligations of the Controller and the data subject in accordance with the principle of proportionality. Keep in mind that there are separate cases in the GDPR, in which there is an obligation for us to erase your personal data. In other cases we do not have such an obligation.	If the consent for processing of personal data has expired or is revoked, “DORADO 1” EOOD may have an obligation to erase the personal data. Apart from these cases, we may either accept or reject the request for erasure of data, and in case of  rejection, we will provide reasons for that. Within two weeks of submitting your request for erasure of your personal data, you will receive a response from the Controller regarding the satisfaction of your request or its refusal and the reasons thereof.
6. Right to have the processing restricted	You have the right to request restriction of the processing of your personal data in certain cases specified in the GDPR.	We have the right to accept or reject your request; in case of rejection, we will state reasons for that. Within two-weeks term, you will receive a response from us regarding the acceptance of your request or its refusal and the reasons thereof.
7. Right of data portability	If your personal data is processed on the basis of your explicit consent or on the basis of a contractual obligation for processing and if the processing is done in an automated manner, you have the right to data portability. This entitles you to require from the controller to transfer some or all of the personal data processed by him/her to another controller or to receive the personal data, which concerns you and which are provided by you to the controller in a structured, widely used and machine-readable format.	When there are circumstances provided in the GDPR, we are obliged to perform the requested action. Keep in mind that we have the right to charge a reasonable administrative fee for the service.
8. Right to lodge a complaint	If you consider that your rights in relation to protection of your personal data have been violated, you have the right to lodge a complaint with the competent supervisory data protection authority in the Republic of Bulgaria, namely the Commission for Personal Data Protection (CPDP).	You can contact the CPDP in the following ways: at the address for correspondence: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd; phone number: 02/915 35 18; e-mail: kzld@cpdp.bg; website: www.cpdp.bg Apart from the abovementioned, if you consider that your rights or legitimate interests are violated, you are also entitled to legal protection.
9. Right to withdraw the consent for processing of personal data	You have the right to withdraw the consent for processing of your personal data at any time, but only when the processing of personal data is based on an explicit consent you have given under Art. 6, para 1, letter “a” of the GDPR. Subsequent withdrawal will not affect the lawfulness of processing made until this moment on the basis of the consent already given.	Such requests shall be considered and accepted by us within a reasonable time without undue delay. Keep in mind that the withdrawal takes effect in the future. It will not affect the legality of data processing so far. Therefore, if there is a request from a court authority to access such data, we shall provide them with it.

 

All rights listed above can be exercised by:

• Sending a written request to the e-mail address specified above to the data protection officer. Please provide us with three names, contact phone number and email address in your request, to which you wish to be contacted, as well as the content of your request. Please also indicate how you want to be provided with copies of your personal data, if you have submitted such a request, in what format, etc.

 

NOTES:

1. “DORADO 1” EOOD may reject or charge for claims, which are clearly unfounded or excessive. In case of  rejection of a request, we will notify you in writing (by e-mail or by post, depending on what you have specified in your request).
2. As a controller of personal data, we are required to monitor, report, and investigate personal data breaches.

Each person acting on behalf of “DORADO 1” EOOD or a third party, such as the data processor, is obliged to immediately notify the data protection officer for breach in security. The latter will endeavor to terminate the breach and will inform the Commission for Personal Data Protection within 72 hours when there is such a requirement under the GDPR.

3. Your requests will be processed without undue delays and will be answered in writing within two weeks as of receipt of the request in our system. Please keep in mind that sometimes there may be delays due to the large amount of information which our employees process. We will do our best to respond to your inquiries and requests as soon as possible, precisely and in compliance with the requirements of the legislation of the European Union and the Republic of Bulgaria.
4. Recipients of your personal data

Your personal data may be disclosed to third parties – the so-called recipients of personal data. Apart from governmental bodies and institutions to which the controller has legal obligations to disclose personal data, such recipients of personal data may also be companies, part of GTC Group, which are solely based in the European Union.

Except the cases above, your personal data may be provided to other persons - controllers/ processors outside our team. For example, advertising agencies, marketing experts and business partners, in connection with the legitimate interests of the controller.

Disclosure of your personal data to third parties fully complies with the requirements of Regulation 2016/679. The recipients of your personal data may be persons in respect of whom there is a statutory obligation for the controller to disclose it: /for example, the Consumer Protection Commission, the Commission for Personal Data Protection, judicial and enforcement authorities, etc/.

Your personal data will not be delivered to recipients based in third countries or international organizations for which an adequate level of protection is not available, in accordance with Art. 45 of the GDPR.

1. Changes to the present terms

If there are any subsequent updates to the privacy policy of “DORADO 1” EOOD, we will publish the changes on the page of  http://mallofsofia.bg/

and will change the date of their update so that you are always aware what information we collect online, how we use it and what options and opportunities in this regard are provided to you.

Publishing the changes and updates will be made publicly on the page of http://mallofsofia.bg/ so you become acquainted with them.

Last update:

20.07.2018

“DORADO 1” EOOD team