1. User information 

2. Information about the Company that processes your data

Name	Abrites Italy SRL.
Registration number	04450720273
Headquarters	Italy, Chioggia, via Brondolo 13/A
Mailing Address	Italy, Chioggia, via Brondolo 13/A
E-mail	vendite@abrites.it
Website	www.abrites.it; https://eaexpo.it/en/

 

2. Information about the Mother Company (owner of Abrites Italy SRL.)

Name	Abrites Ltd.
Registration number	131566638
Headquarters	1407 Lozenets district, 147 Cherni Vrah Blvd., Sofia, Bulgaria
Mailing Address	1407 Lozenets district, 147 Cherni Vrah Blvd., Sofia, Bulgaria
Phone	+359 2 955 04 56
E-mail	info@abrites.com
Website	www.abrites.com

 

3. Information on the Data Protection Officer (DPO)

Name	Kristina Pavlinova Pavlova
Position	Legal Advisor
Mailing Address	1407 Lozenets district, 147 Cherni Vrah Blvd., Sofia, Bulgaria
Phone	+359 878 807 538
E-mail	privacy@abrites.com

 

4. Information on the competent data protection supervisory authority

Name	Commission for Personal Data Protection
Headquarters and address of management	Sofia 1592, Blvd. "Prof. Tsvetan Lazarov ”№ 2
Mailing address	Sofia 1592, Blvd. "Prof. Tsvetan Lazarov ”№ 2
Phone	+3592 915 3 518
Website	www.cpdp.bg

 

Abrites Italy (hereinafter referred to as "Controller" or "the Company") operates in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with this processing.

5. Reason for collecting, processing, and storing your personal data

The Controller collects and processes your personal data in connection with the implementation of the main activity of www.abrites.com - pursuant to Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:

• Explicit consent received from you as a client;

• Fulfillment of the obligations of the Controller under an oral agreement with you;

• Compliance with a legal obligation that applies to the Controller;

• For the purposes of the legitimate interests of the Controller or a third party;

6. Purpose and principles in the collection, processing and storage of your personal data

7. We collect and process the personal data that you provide us in connection with the organization of European Automotive Expo Event (“EA Expo”, “The Event”) , including for the following purposes:

• registration of a visitor and/or exhibitor via the registration form;

• individualization of a party to the contract;

• accounting purposes;

• statistical objectives;

• protection of information security;

• ensuring the implementation of the contract for the provision of the respective service;

• sending newsletters and emails with special offers if you wish;

• sending answers to inquiries.

8. We observe the following principles when processing your personal data:

• Legality, honesty and transparency:

Personal data must be processed lawfully, fairly and transparently in relation to the data subject.

• Purpose restriction:

Personal data must be collected for specific, explicit and lawful purposes and not processed in a way that is incompatible with those purposes.

• Data minimization:

Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The Company should apply anonymity or pseudonymation of personal data, if possible, to reduce the risks for the data subjects concerned.

• Accuracy:

Personal data must be accurate and, if necessary, updated; reasonable steps must be taken to ensure that inaccurate personal data, taking into account the purposes for which they are processed, are deleted or corrected in a timely manner.

• Limitation of storage periods:

Personal data must be stored no longer than the time required for the purposes for which the personal data are processed.

• Integrity and confidentiality

Taking into account the state of technology and other available security measures, the cost of implementation, the likelihood, and severity of the risks associated with personal data, the Company must use appropriate technical or organizational measures to process personal data in a way that ensures adequate security of personal data. personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access or disclosure.

• Responsibility:

Data controllers must be accountable and able to demonstrate compliance with the principles set out above.

3.3. During the processing and storage of personal data, the Controller may process and store personal data in order to protect the following legitimate interests:

• fulfillment of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal bodies in Republic of Bulgaria.

1. What types of personal data our Company collects, processes and stores
2. Operations performed by the Company, with the data provided by the subject 

3. The Company performs the following operations with the personal data provided by you as а customer, for the following purposes:

• Registration of a customer (visitor and/or exhibitor) via the registration form – the purpose of this operation is to exptess an intend to attend and participate in the Event.

 

Conclusion of the impact assessment: Based on the impact assessment, the Data Protection Officer considers that the operation "Registration of a customer (visitor and/or exhibitor) via the registration form" is admissible and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR. 

 

• Sending a newsletter/marketing messages- the purpose of this operation is to administer the process of sending newsletters, emails with special offers, promotions, promo codes, news and new features to customers who have stated that they wish to receive.

Given the limited scope of the personal data collected, the Data Protection Officer considers that it is not necessary to carry out an impact assessment of the operation.

• Exercising the right of withdrawal or making a claim - the purpose of this operation is to administer the process of exercising the right of withdrawal or claim by the customer for the services in respect of which these rights may be exercised.

• Inquiries through the website/contact email - the purpose of this operation is to send a response to an inquiry.

Given the limited scope of the personal data collected, the Data Protection Officer considers that it is not necessary to carry out an impact assessment of the operation.

• Use of log files by a customer - the purpose of this operation is to maintain the platform, ensure the security of your personal data and maintain the continuous security and operation of the website, including protection against cybercrime.

Given the limited scope of the personal data collected, the Data Protection Officer considers that it is not necessary to carry out an impact assessment of the operation.

• Taking photo and video images during the event period – the purpose of this operation is to record your participation in the event, as well as in connection with the marketing and communication campaign for the event

Conclusion of the impact assessment: Based on the impact assessment, the Data Protection Officer considers that the operation "Taking photo and video images during the event period" is admissible and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in accordance with the requirements of the GDPR. 

4. The Аdministrator shall not collect or process personal data, which refer to the following:

• reveal racial or ethnic origin;

• disclose political, religious or philosophical beliefs, or trade union membership;

• genetic and biometric data, health data or data on sexual life or sexual orientation.

5. Personal data is collected by the Controller from the persons to whom it relates.

6. The Аdministrator does not perform automated data decision making.

7. The Company does not collect data on persons under 16 years of age, except with the express consent of their parent or legal representative.

4.2. Categories of personal data and purposes and grounds for processing by the Controller

4.2.1. The Controller processes the following categories of personal data and information for the following purposes and on the following grounds:

• Your personal data (first name, last name, e-mail address and contact phone number, visual images, by taking photos and video materials)

Purpose for which the data is collected: 1) Making contact with the user and sending information to him, 2) for the purposes of registering a user in the registration form, and 3) sending a newsletter, emails with special offers, promotions , news and new features, 4) send a response to an inquiry and 5) to record your participation in the event, as well as in connection with the marketing and communication campaign for the event

Grounds for processing your personal data: By accepting the general conditions and registration for attending the event via the registration form or when concluding a written contract, a contractual relationship is created between the Controller and you, on which basis we process your personal data - Art. 6, para. 1, p. (b) GDPR. Your data for sending a newsletter and emails, as well as for sending a response to an inquiry and also your visual image on photos and video materials during the period of the event, are processed with your explicit consent - Art. 6, para. 1, p. (a) GDPR.

• Data from log files (IP address, web browser used, time of visit to our website, pages visited.)

Purpose for which the data is collected: 1) Maintenance of the platform, ensuring the security of your personal data, ensuring the continuous security and operation of the website, including protection against cybercrime.

Grounds for processing your personal data: By accepting the general conditions and registration for attending the event via the registration form or when concluding a written contract, a contractual relationship is created between the Controller and you, on which basis we process your personal data - Art. 6, para. 1, p. (b) GDPR. 

8. Term of storage of your personal data

The Аdministrator stores your personal data for a period not longer than the existence of the EA Expo Platform. After deleting your account or closing the platform, the Controller takes the necessary care to delete and destroy all your data without undue delay or to anonymize them (i.e. to bring them in a form that does not reveal your identity).

The Controller stores your personal data provided in connection with your registration for participation for a period of 5 years for the purpose of protecting the legal interests of the Controller in court or administrative disputes with users of the EA Expo Platform, and accounting documents are stored for the statutory period.

The Controller notifies you in case the data retention period needs to be extended in order to fulfill a regulatory obligation or in view of the legitimate interests of the Controller or otherwise.

The Controller stores the personal data that it is necessary to keep in accordance with the applicable legislation for the relevant period, which may exceed the period of existence of your account in the e-shop or until the completion of the order.

The Controller keeps the personal data of the legal representatives of its business partners for the term of the contract, for compliance with the legitimate interests and legal obligations of the Controller, and this term may exceed the term of the contract.

9. Transfer of your personal data for processing

The Controller may, at its discretion, transfer some or all your personal data to personal data processors for the purposes of processing you have agreed to, subject to the requirements of Regulation (EU) 2016/679 (GDPR).

The Controller notifies you in case of intention to transfer part or all your personal data to third countries or international organizations. 

10. Your rights in the collection, processing, and storage of your personal data

11. Withdrawal of consent for the processing of your personal data

In case that you do not wish all or part of your personal data to continue to be processed by the Company for specific or all purposes of processing, you may at any time withdraw your consent to processing by filling out the "Withdrawal of Personal Data Consent Form” or by request in free text.

The Controller may ask you to verify your identity and identity with the data subject.

You may at any time withdraw your consent to the processing of your personal data for the purposes of direct marketing.

The withdrawal of the consent does not affect the legality of the processing of personal data, which the Controller has performed so far.

12. Right of access

You have the right to request and receive confirmation from the Controller whether  your personal data is processed, and you can at any time see in your account and the data we process for you.

You have the right to access data related to you, as well as information related to the collection, processing and storage of your personal data.

Upon request, the Controller provides you with a copy of the processed personal data related to you in electronic or other appropriate form.

Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repetitive or excessive requests.

In order to exercise your right of access, you need to submit a request via the "Access to Personal Data Request Form" or by e-mail in free text

13. Right of correction or completion

You may correct or complete inaccurate or incomplete personal data relating to you by making a request to the Controller.

14. Right to delete ("to be forgotten")

You have the right to request from the Controller the deletion of part or all the personal data related to you, and the Controller has the obligation to delete them without undue delay when there is any of the following reasons:

• personal data are no longer needed for the purposes for which they were collected or otherwise processed;

• You withdraw your consent on which the data processing is based and there is no other legal basis for the processing;

• You object to the processing of personal data related to you, including for the purposes of direct marketing, and there are no legal grounds for processing to take precedence;

• personal data have been processed illegally;

• personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State applicable to the Controller;

• personal data have been collected in connection with the provision of information society services.

The Controller is not obliged to delete personal data if he stores and processes them:

• to exercise the right to freedom of expression and the right to information;

• to comply with a legal obligation requiring processing provided for in EU or Member State law applicable to the Controller or for the performance of a task in the public interest or in the exercise of official powers conferred on him or her;

• for reasons of public interest in the field of public health;

• for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;

• to establish, exercise or defend legal claims.

In case of exercising your right to be forgotten, the Company will delete all your data, except for the following information:

• information needed to certify that your right to be forgotten has been exercised - email, IP address;

• technical information about the operation of the online platform, which information can not be associated in any way with your personality;

• e-mail with which you registered in the online platform.

To exercise your right to be forgotten, you need to take the following steps:

• Submit an application via the "Delete Request Form (right to be forgotten)" or by email;

• To present a unique identification code for performing the action, which will be sent to you by e-mail to the e-mail address related to the registration in the online platform;

• To identify yourself as an account holder;

Once we have verified the identity of the requester and the data subject in accordance with the above steps, we will delete all data we process for you.

The Controller does not delete the data that he has a legal obligation to store, including for protection in connection with court claims against him or proof of his rights.

15. Right of restriction

 

You have the right to ask the Controller to restrict the processing of data related to you when:

 

• challenge the accuracy of personal data for a period that allows the Controller to verify the accuracy of personal data;

• the processing is illegal, but you do not want the personal data to be deleted, but only their use to be restricted;

• The Controller no longer needs the personal data for the purposes of processing, but you require them to establish, exercise or defend your legal claims;

• You have objected to the processing pending verification of whether the legal grounds of the Controller take precedence over your interests.

In case of exercising your right of restriction, the Company will suspend the processing of your data, but will not remove the publications you have made on the website.

16. Right of portability

If you have given your consent for the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, you may, after identifying yourself with the Controller:

• ask the Controller to provide you with your personal data in a readable format and transfer them to another Controller;

• ask the Controller to directly transfer your personal data to an Controller designated by you, when this is technically feasible.

You may at any time request to exercise your right of transfer through the "Personal Data Portability Request Form" (hyperlink) or by requesting an email to the Controller.

17. Right to receive information

You may request the Controller to inform you of all recipients to whom the personal data for which correction, deletion or restriction of processing has been requested have been disclosed. The Controller may refuse to provide this information if this would be impossible or would require a disproportionate effort.

18. Right to object

You may object at any time to the processing of personal data by the Controller relating to him, including if they are processed for profiling or direct marketing purposes.

19. Your rights in the event of a breach of the security of your personal data

In case that the Controller finds a violation of the security of your personal data, which may pose a high risk to your rights and freedoms, he shall notify you without undue delay of the violation, as well as of the measures that have been taken or are to be taken. 

The Controller is not obliged to notify you if:

• has taken appropriate technical and organizational protection measures with regard to data affected by the security breach;

• has subsequently taken steps to ensure that the breach does not pose a high risk to your rights;

• notification would require a disproportionate effort.

 

20. Persons to whom your personal data is provided

In all cases, the list of recipients of personal data processed by the Controller derives mainly from the scope of services used by you.

The list of recipients of the data is also the result of your consent or derives from the law and is specified as a result of the actions taken by you in the online platform.

In the processing of personal data, the partners, associates and employees of the Controller may participate to a certain extent, for activities as follows:

• those who provide technical assistance for the effective operation of the online platform, including communication with customers (eg assistance in sending e-mails; in the case of advertising activities - assistance in marketing campaigns);

• hosting services or telephone or IT service providers;

• companies that service the software support the Controller in marketing companies;

• providers of legal and consulting services;

• others.

Based on the above principles, your personal data may also be transferred to companies from the Abrites Ltd. Group referred to in item 12 below.

The specified processors of personal data comply with all requirements for legality and security in the processing and storage of your personal data.

 

 

21. Transfer of personal data to third countries (outside the European Economic Area)

As part of the use of tools by the Controller that support its current activity, provided e.g. by Google, your personal data may be transferred to a country outside the European Economic Community, in particular to the United States of America (USA) or another country where a person cooperating with the Controller maintains personal data processing tools in cooperation with Controller.

Appropriate security measures for the provided personal data are provided by the Controller, through the use of standard clauses for personal data protection, adopted by a decision of the European Commission and contracts for outsourcing the processing of data that meet the GDPR requirements.

The Client has the right to receive a copy of the security tools used by the Controller after contacting us.

 

22. Cross-border processing of personal data. Leading supervisory body

The company carries out cross-border processing of personal data, as, according to Art. 4, para. 23 of GDPR, the processing of personal data takes place in the context of the activities of the places of establishment in more than one Member State of a Controller or Processor in the Union, the Controller or Processor being established in more than one Member State (France and Italy).

The Commission for Personal Data Protection has been appointed as the leading supervisory body.
 In appointing a Leading supervisory body, the Controller complied with the "Guidelines for the designation of a supervisor of a Controller or Processor" adopted on 13 December 2016 by the working group on personal data protection set up in accordance with Article 29 of Directive 95/46 / EC and thus published on the website of the Commission for Personal Data Protection.  

 

23. Violation of consumer rights. Claim to the supervisory authority.

In the event of a breach of your rights under the above or applicable personal data protection legislation, you have the right to lodge a complaint with the Data Protection Commission as follows:

 

Name	Commission for Personal Data Protection
Headquarters and address of management	Sofia 1592, Blvd. "Prof. Tsvetan Lazarov ”№ 2
Mailing address	Sofia 1592, Blvd. "Prof. Tsvetan Lazarov ”№ 2
Phone	+3592 915 3 518
Website	www.cpdp.bg

You can exercise all your rights regarding the protection of your personal data through the forms attached to this policy. Of course, these forms are optional and you can submit your requests in any form that contains a statement to that effect and identifies you as the data holder.

Companies in the Abrites OOD Group Ltd.

- „ZARINA 73“ EURL;

- „ABRITES FRANCE” SAS; 

- „PLUMERIA“ ЕООD;

- „ABRITES TRADE“ ЕООD;

- „ABRITES ITALY“ SRL;

- „ABRITES USA“ LLC;

-„ABRITES PRODUCTION“ ЕООD.

13. Applications

The following forms are relevant as annexes to this Policy:

 

1. Withdrawal of Personal Data Consent Form; 

2. Access to Personal Data Request Form; 

3. Delete Request Form (right to be forgotten);

4. Personal Data Portability Request Form

 

This version of the Policy is effective from October 2022.