Privacy Policy






of Glatec EOOD


Glatec EOOD, UIC: 131407283, with residence and head office in: Kostievo 4205, 1 Kapitan Burago Str., tel.: +359 32 500 424 email: (The Controller or Glatec EOOD), while performing its activities, shall apply in its relations with third parties this Data Protection Policy (Policy),


Glatec EOOD, as a data controller, collects and processes a certain amount of natural persons data.

Such data may refer to managers, clients, suppliers, counterparties, business contacts and other natural persons (Data subject) in contact with the Controller or with whom the latter is planning to establish business contacts.

This data protection policy of Glatec EOOD provides information to data subjects on purposes and methods of processing of personal data, which the Controller collects in compliance with legal requirements.

This rules shall be applied by the Controller regarding all personal data, irrespective of whether the data are processed electronically, on hard copy or on other media


Legal grounds

This Data Protection Policy is issued on the grounds of the Data Protection Act and its regulations, in compliance with Bulgarian domestic legislation, and the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

To ensure that data processing is in compliance with legal requirements, personal data are collected and used on the relevant grounds, safely stored and the Controller undertakes all necessary measures to prevent unlawful disclosure of processed personal data.

The Controller is aware of the principles set out in GDPR and acts in compliance with them:

  • Personal data are processed lawfully, conscientiously and transparently;
  • Personal data are collected for specific, explicitly stated and legitimate purposes and are not further processed in a way inconsistent with these purposes;
  • Personal data are appropriate, relevant and limited to what is necessary for the purposes of processing;
  • Personal data are accurate and regularly updated, if necessary;
  • Personal data are stored in a form allowing the identification of the persons concerned for a period no longer than what is necessary for the purposes of data processing;
  • Personal data are processed in a way ensuring an appropriate level of data security, including protection against unauthorized or illegal processing or against accidental loss, destruction or damage, with the application of appropriate technical or organization measures.

Purposes of this Policy

This Policy ensures that the Controller shall:

  • Act in compliance with applicable personal data law and follow established good practices;
  • Establish mechanisms of keeping, maintenance and protection of data registers;
  • Determine the obligations of officers processing personal data and/or the persons having access to personal data and reporting to data processors, and their liability in case of failure to comply with these obligations;
  • Protect the rights of staff, clients and partners;
  • Ensure transparency of the methods of storage and protection of personal data of natural persons;
  • Establish the necessary technical and organizational measures for protection of personal data from unauthorized processing (accidental or illegal destruction, accidental loss, unauthorized access, change or disclosure as well as any other illegal form of data processing);
  • Be protected from risks of data breach.


  1. I. Collection of personal data

Categories of data and subjects:   

Personal data means any information relating to an identified or identifiable natural person or natural person who can be identified. In the usual course of its activities, as well as when recruiting employees, the Controller collects data for the following categories of subjects, as follows:

  • data related to physical identity: full name, data on ID card, Personal ID, address, email address, phone number, etc;
  • data related to the social, family and economic identity, as well as health data;

The Controller collects data for the following categories of subjects – Data subjects:

  • Persons representing the companies with which the Controller has or plans to have business relations;
  • Contact persons in the companies with which the Controller has business relations;
  • Persons who are interested in receiving information services – newsletters, guides, etc.;

Purposes of data collection:

The Controller collects personal data for the following purposes:

  1. To carry out activities of entering into, performance, change and termination of contracts, including for:
  • Preparation of all types of documents;
  • Contacting contact persons by phone, fax, email or in any other legal way;
  • Delivery and/or acceptance of goods/services, communications for provision and/or receiving goods/services and for provision of the associated client services;
  • Accounting for the performance of contracts to which the Controller is a party;
  • Processing of payments under the contracts entered into by the Controller;
  • Sending important information to the subjects on the change of rules, conditions and policies of the Controller and/or other administrative information;
  1. For marketing purposes – after receiving the explicit consent of data subjects;
  2. For statistical purposes.
  3. For the purposes of employee selection, training and career development;
  4. For the purposes of the legitimate interests of the Controller;
  5. For other particular purpose – based on freely, plainly and explicitly given consent;


Collection of data:

Personal data of any subject are given voluntarily by that subject and such data are collected by the Controller in compliance with statutory obligations, for entering into contracts and/or performance of obligations under existing contracts pursuant to the provisions of the relevant applicable legislation and the conditions specified in commercial contracts with the relevant client on: hard copy – written documents (including powers of attorney contracts, notices of distraint, bank information, official documents, etc.), by email – given for the performance of commercial contracts and/or by completing a registration form of the Controller. The subjects shall be notified of the provisions of this Policy beforehand or at the moment of receiving their data

  1. II. Processing of personal data while using Glatec EOOD website. Data recorded when visiting the website of Glatec EOOD and using the online services are as follows:
  • Date of the visit;
  • Browser type and operating system of the client device;
  • Viewed pages;

Such data are collected for security purposes and for the optimization and improvement of Glatec EOODonline services. It is in Glatec EOODlegitimate interests to protect its website and improve its services. Any other processing of data, except for statistical purposes in anonymous form, shall be performed only within the scope of this data protection notice. In addition, personal data shall be stored only if the data subject provides it voluntarily, plainly and explicitly, e.g. in the context of registrations, polls, competitions, online application or contract performance. Adequate security measures have been taken to ensure data encryption during the registration process, i.e. their protection from unauthorized access. Additional information, particularly of the technology used, is presented below. If data are transmitted to third parties, Glatec EOOD guarantees by contractual arrangements that such service providers process personal data in compliance with European data privacy law to guarantee a high level of protection. Personal data shared with Glatec EOOD on this website are stored only for the purpose they have been given for.

Contact form

You can use the contact form in the “Request” section of our website to contact us for any reason. The personal data entered by you in the contact form will be processed only for the purposes of giving reply to your request.

Application form

You may use the application form in the “Careers” section of our website to apply for vacant positions. Any personal data and files attached, will be used only for the processing of your application.

“Cookies” and tracking

To make your visits to our website more pleasant and to ensure the use of certain functionalities, we use “cookies” for different pages. These are small text files that are stored on the client device from which you visit our website. Some “cookies” we use are deleted after the end of the browser session i.e. after you close the browser (so called “session cookies”). Other “cookies” are stored on your client device and allow us or our partner companies to recognize your browser for future visits (“persistent cookies”). You can set your browser to inform you of the “cookies” settings and to individually decide whether to accept them or forbid acceptance of “cookies” for specific cases or in general. Additional information is available in the help section of your web browser. Rejecting “cookies” can potentially limit the functionality of our website. We will discuss specific types of “cookies” below

There are system “cookies” and promotional “cookies”. System “cookies” are necessary for the correct functioning of our website. Rejecting these “cookies” will change user experience while surfing on our website and some of our website services will be unavailable

Promotional “cookies” are described below. They are stored when downloading the website and help us analyze general data of our visitors – e.g. how they get to our website, how much time they spend on it, whether they visit us for the first time, how they view the content of our website as well as to calculate the degree of success of our marketing campaigns.

Google Analytics 

We use Google Analytics, a web analysis service offered by Google LLC. The information generated by “cookies” for your use of this website is usually sent to Google servers in the USA and stored there. Google shortens beforehand your IP addresses within the member-states of the European Union or in other member-states included in the Agreement on the European Economic Area. On behalf of the operator of this website, Google uses this information to assess the use of this website, to prepare accounts for the activity of this website and for provision of other services related to the website and Internet use, to the website operator. The IP address sent through your browser in the context of Google Analytics does not connect with other data Google has available. You can refuse to use “cookies” by selecting the relevant settings on your browser. You can also prevent the collection of data from Google by “cookies” and their connection to the use of this website (including IP address) as well as their processing by Google by downloading and installing plug-ins for your browser here:

Links to social media

Our website contains links to LinkedIn. In this case, transfer of data to the social media operators is carried out only when the relevant button on the icon illustrating the link is clicked.  If you click such a button, the page to the relevant social network opens. There, you can publish information on our products according to the the rules of the social media operator.

Our LinkedIn page

The personal data sent by you in personal messages will be processed only for the purpose of replying to your inquiry. We are not responsible for the information voluntarily shared by you on our official accounts without our explicit request.

III. Transparency. Rights of the subjects whose data are processed by the Controller


Transparency and conditions for the exercise of the rights of subjects:

The Controller presents information to the subjects in concise, transparent, understandable and easily accessible form, in clear and simple language.

The Controller presents the information to the subjects in written form or in other way, including, if relevant, by electronic means. If the subject requests so, the information may be presented orally, provided that the subject has been identified before the Controller by other means.

The Controller gives the subjects free information on the activities undertaken with regard to requests to exercise their right to access, rectification, deletion, restriction of processing, portability, objections and automated decision-making, without unnecessary delay and in any case within one month after receiving the request in writing.

If necessary, this period may be extended for another two months depending on the complexity and number of requests. The Controller shall inform the subjects of any such extension of the period within one month after receiving the request, stating the reasons for delay. If the subjects submit requests by electronic means, if possible, the information shall be presented by electronic means unless otherwise requested by the person.

If the Controller fails to act on the request, the Controller shall notify the person without delay and at the latest within one month of receipt of the request for reasons not to act and of the possibility of filing a complaint to a supervisor and seeking legal protection.

If the requests of the subject are clearly ungrounded or exaggerated, more specifically due to their repetition, the Controller can:

  • Charge a reasonable fee taking into account the administrative costs for provision of information or communication or undertaking the requested activities, or
  • Refuse to act on the request.


Right of access of the subjects:

Any subject may receive from the Controller confirmation whether his/her personal data is being processed and if so, to receive access to the data and the following information:

  • purposes of processing;
  • relevant categories of personal data;
  • recipients or categories of recipients to which personal data are disclosed or will be disclosed (including third countries or international organizations);
  • if possible, the planned period for which the data will be stored, and if this is not possible, the criteria used to set this period;
  • the existence of the right to request the Controller to rectify or delete personal data or limit the processing of personal data related to the data subjects or of the right to object against such processing;
  • the right to submit a complaint to the Commission for Personal Data Protection;
  • if personal data is not collected from the data subjects themselves, any available information of their source;
  • existence of automated decision-making, including profiling, or at least essential information on the logic used, the significance and expected consequences from such processing for the subjects.

When personal data are transferred to a third country or to an international organization, the subjects have the right to be informed of the guarantees relevant to the transfer.

The Controller will give to the subject a copy of the personal data that are being processed. For additional copies requested by the subjects, the Controller may charge a reasonable fee according to administrative costs. Where the data subject makes the request by electronic means, if possible, the information will be provided in a widely used electronic form unless otherwise requested.


Right to rectification:

Any subject whose data are processed by the Controller may request the Controller to rectify without undue delay the inaccurate personal data related to that subject. In view of the purpose of processing, the person may make additions to incomplete personal data.


Right to erasure (Right “to be forgotten”):

The data subject shall have the right to request from the controller the erasure of personal data concerning him or her without undue delay and the Controller is obliged to erase personal data without undue delay where:

  • personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services.


Right to restriction of processing:

The data subject whose data are processed by the Controller shall have the right to request from the Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.


Where processing has been restricted under the foregoing paragraph, such personal data, with the exception of storage, shall only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or for reasons of important public interest.

A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is withdrawn.

Notification obligation regarding rectification or erasure of personal data or restriction of processing:

The controller shall communicate any rectification, erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject so requests.


Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where (i) the processing is based on consent for specific purposes or on a contractual obligation of the data subject or on undertaking steps before entering into a contract; and (ii) the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.


Right to object:

The data subject shall have the right to object at any time, on grounds relating to his or her specific situation, to processing of personal data concerning him or her (when processing is necessary for performance of tasks of public interest or exercise of official powers of the controller or processing is for the purpose of the lawful interests of the controller or third parties), including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are being processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the time of the first communication with the data subject, at the latest, the right referred to in the foregoing paragraphs shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

The aforementioned rights shall be exercised by the data subjects by sending to Glatec EOOD a written request to the following address: Kostievo 4205, 1 Kapitan Burago Str., or by email – at:


  1. IV. Technical and organizational measures for data protection

Protection of data stored on a hard copy or on electronic media from unauthorized access, damage, loss or destruction shall be performed with a number of internally regulated technical and organizational measures.


  1. Personal data transfer

The controller does not perform and shall not perform transfer of personal data to countries outside the European Union or international organizations. When such transfer of personal data is necessary, the Controller duly notifies the data subject of the transfer, as well as of the appropriate data protection safeguards, in compliance with the requirements of the Regulation.

  1. VI. Breach. Notification of breach


Breach of data security occurs when personal data for which Glatec EOOD is responsible are affected by a security accident resulting in breach of confidentiality, existence or integrity of personal data. In this sense, data breach occurs in case of breach of security leading to accidental or illegal destruction, loss, change, unauthorized disclosure of data which are transmitted, stored or otherwise processed.

In case of personal data security breach, please inform immediately the personal data protection officer at


Assessment of breach: 

After the relevant Glatec EOOD employee receives information of the data breach, he or she shall assess whether that specific event is a breach of personal data and respectively inform the Controller’s managers of the event (in case they are not informed).

In case of personal data security breach resulting in possible risk for the rights and freedoms of natural persons, the Controller (through the relevant employee), without delay and if possible — not later than 72 hours after being informed of it, shall inform the Commission for Personal Data Protection of the violation.


When and as far as it is impossible to transmit information simultaneously, the information may be submitted gradually without further undue delay.

When the breach of personal data security could lead to a high risk for the rights and freedoms of natural persons the Controller shall promptly inform the subject of violation.

The Controller shall document any breach of personal data security, including the facts related to the breach, the consequences and the measures undertaken for coping with it.


  1. Destruction

Accounting and commercial information as well as any other information and documents related to taxation and compulsory tax insurance installments shall be stored by the Controller for the following periods:

  • payrolls – 50 years;
  • accounting registers and financial statements – 10 years;
  • documents of tax insurance control – 5 years after expiry of the limitation term for payment of the public obligation to which they are related;
  • all other carriers – 5 years in accordance with legal requirements.


After expiry of the period of storage, information carriers (hard copy or technical) which shall not be transferred to the National Archives can be destroyed.

After expiry of the period of storage, data shall be destroyed as fast as possible by the destruction of hard copies with shredding and of technical carriers-by erasure and deletion of the relevant files from Company computers.


Additional provisions

Pursuant to this internal rules:

  • 1. “Personal data controller” is Glatec EOOD, UIC 131407283, and activities on behalf of the controller shall be performed by a data protection officer appointed for the purpose.
  • 2. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • 3. This policy was approved by the Glatec EOOD Manager on 26 August 2021 and came into effect on 1 September 2021.
  • 4. Glatec EOOD will update this Policy in due course, by amending and supplementing, at any time, if necessary, when legislative requirements or other circumstances demand it.