General Information

On 25 May 2018, a new data protection regulation adopted by the European Union – the General Data Protection Regulation, or GDPR for short – came into force. The main purpose of the regulation is to ensure the protection of the data of individuals from all EU member states and to unify the rules for its processing. As a personal data controller, EXPAT ASSISTANT has taken all organizational and technical protection measures to be able to meet all the requirements of the new regulation by collecting individuals’ data only to fulfill the contract for the publication of promoted listings for services and/or send a newsletter with information about new services, special news offers, etc.

Art. 1. (1) Data concerning the data controller, as well as information under the E-commerce Act and the Consumer Protection Act:

Name: “EXPAT ASSISTANT” EOOD (Limited Liability Private Company)

UIC: 205919212

Headquarters and address of management: Bulgaria, Sofia, Mladost district, residential complex Mladost 2, bl. 239, entr. 7, fl. 1, apt. 2

Address for correspondence: Bulgaria, Sofia, Mladost district, residential complex Mladost 2, bl. 239, ent. 7, fl. 1, apt. 2

Email: office@expatassistant.net

Mobile: +359 888872466

Supervising authorities:

Information on the competent data protection supervisory authority

Name: Personal Data Protection Commission

Registered office and management address: 1592, Sofia, Blvd. “Prof. Tsvetan Lazarov” № 2

Telephone: 02 915 3 518

Email: kzld@cpdp.bg

Website: www.cpdp.bg

 

(2) The Controller carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Basis for collecting, processing, and storing your data

Art. 2. (1) The Controller collects and processes your data in connection with the use of the web-based platform available at: https://expatassistant.nl/ to conclude a registration and contracts for paid advertisement promotion services based on Art. 6 para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:

  1. Your explicit consent as a User;
  2. Performance of the Controller’s obligations under a contract with you;
  3. Compliance with a legal obligation applicable to the Controller;
  4. For the legitimate interests of the Administrator;

Purposes and principles of collecting, processing, and storing your data

Art. 3. (1) We collect and process the personal data that you provide to us in connection with the use of the web-based platform available at: https://expatassistant.nl/, registration, and conclusion of contracts for paid advertisement promotion services, and for:

  1. Registration of a contractor profile and provision of all functionalities when using the platform;
  2. Sending newsletters and emails with information about news, special offers, and discount codes, subject to your consent;
  3. Statistical and accounting purposes;
  4. Protection of the legal interests of the company;

(2) In processing your data, we comply with the following principles:

  1. Lawfulness, fairness, and transparency;
  2. Limitation of the purposes of the processing;
  3. Data minimization in accordance with the purposes;
  4. Limitation of storage to achieve the purposes;
  5. Data accuracy and timeliness;
  6. Integrity and confidentiality of processing and ensuring its security;

(3) In processing and storing personal data, the Controller may process and store personal data to protect its legitimate interests, such as the protection of a legal interest before the competent Bulgarian court, the performance of its obligations to the National Revenue Agency (NRA), the Ministry of the Interior and other state and municipal authorities.

What types of personal data does the Controller collect, process, and store?

Art. 4. (1) The Controller shall carry out the following operations with the personal data provided by you for the following purposes:

  1. Registration of profile and provision of all functionalities when using the platform – The primary purpose is the ability to view or post listings for services tailored to digital nomads and expats
  2. Newsletter sending – the purpose of this operation is to administer the process of sending newsletters, emails with special offers, promotions, promo codes, news, and new functionalities to users and contractors who have stated that they wish to receive such information content.
  3. Marketing strategies – for direct marketing purposes, the personal data of users and contractors may be used to send offers, invitations, and information about services, provided that there is explicit consent from the recipients;
  4. Communication – to establish correspondence arising from or in connection with the use of any functionality on the platform. 

(2) The Controller does not collect or process personal data relating to the following:

  1. racial or ethnic origin;
  2. political, religious, or philosophical beliefs or trade union membership;
  3. genetic and biometric data, data concerning health, or data concerning sex life or sexual orientation.

(3) Personal data are collected by the Data Controller only for the persons to whom they relate.

(4) The Controller does not perform automated decision-making with data.

(5) The Company does not collect data about persons under 18 years of age, except with the express consent of their parent or legal representative.

Art. 5. (1) The Controller processes the following categories of personal data and information for the following purposes and on the following grounds:

Your personal data (name and surname, telephone number, e-mail address)

Purposes for which the data is collected: 

  1. To provide a link between users and performers on the platform, and between the administrator and the latter;
  2. To register users on the platform;
  3. For sending newsletters, emails with special offers, news, and new features, with the explicit consent of the users of the platform;
  4. Signing contracts to add promoted listings for a fixed fee;
  5. Communication with the administrator via the contact form.

Grounds for processing your data:

By accepting the terms and conditions and the privacy policy of the platform, upon registration of an account on the platform, a contractual relationship is established between the Administrator and you, based on which your data is processed – Art. 6, para. 1 (b) GDPR. Your data for sending a newsletter as well as for sending a message via the contact form are processed based on your explicit consent – Art. 6 para. 1 (a) GDPR.

Period for which your data is processed: 2 years from the last consent to the processing;

Details provided when placing ratings and/or reviews (Name and/or email address)

The purpose for which the data is collected: 

Users have the opportunity to provide ratings and reviews for services offered on the Platform following the Terms and Conditions. It is in our interest that users can share their independent opinion on the services. Ratings are not edited or reviewed before being published, but the Administrator reserves the right to delete obscene comments or those that are contrary to the Terms and Conditions. 

The basis for processing your data:

Your data in connection with the provision of ratings, comments, or reviews are processed based on the legitimate interests of the controller and of third parties (users of the platform) – Art. 6, para. 1 (f) GDPR.

Period for which your data is processed: 2 years from the last consent to the processing;

Bank transaction data (debit/credit card number, CVV, geolocation, IP address) 

The purpose for which the data is collected: 

The data is collected in order to carry out a bank transaction (money transfer) from the user’s account to the account of the administrator of the platform for the purpose of concluding a contract for the publication of promoted listings for services;

Reason for processing your data:

By accepting the terms and conditions and the privacy policy of the platform, upon registration of an account on the platform, a contractual relationship is established between the Controller and you, based on which your data is processed – Art. 1 (b) GDPR. Your data for sending the newsletter as well as for sending a message via the contact form are processed based on your explicit consent – Art. 6 para. 1 (a) GDPR.

Data subject:

The Controller does not store any data related to the payment method you use. All data is held solely by Stripe, as a party to a contract with the Controller. The Controller does not have access to this data except upon explicit and reasonable written request to Stripe. More about Stripe’s privacy policy can be found at this link.

Storage period of your data

Art. 6. (1) The controller shall keep your data for a period not exceeding 5 years from the date of registration of an account. After the deletion of your account, the Administrator shall take the necessary care to delete and destroy all your data without undue delay or to anonymize them (i.e. to put them in a form that does not reveal your identity).

(2) The Controller shall store your data provided in connection with the conclusion of a contract for the publication of promoted listings for services to protect the Controller’s legal interests in the event of legal or administrative disputes with users of the Platform, as well as in compliance with the statutory retention period for accounting documents evidencing the concluded contracts.

(3) The Controller shall notify you by email to the address you have provided if the data retention period needs to be extended to comply with a legal obligation or because of the Controller’s legitimate interests, as well as in the event of a request to use a service or functionality on the Platform after the expiry of the 5 years from the initial consent given. 

Art. 7. The Controller shall store the personal data of the legal representatives of its business partners for the duration of the performance of the contract, to comply with the legitimate interests and legal obligations of the Controller, and this duration may exceed the duration of the contract concluded.

Transfer of your data for processing

Art. 8. (1) The controller may, at its discretion, transfer some or all of your data to processors for the fulfillment of the processing purposes to which you have consented, subject to the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The controller shall not transfer some or all of your data to third countries or international organizations unless you have been expressly informed of this.

(3) Your data is only stored on the territory of the European Union and in particular on AWS servers based in Germany. You can learn more about AWS’s privacy policy via this link. If your data is transferred to a third party that processes it outside the European Union, you will be explicitly notified before the transfer or allowed to explicitly consent to or oppose the transfer. 

(4) Your data in connection with the banking transaction is stored and processed solely by Stripe. The controller does not store and process the data referred to in Article 5 (1) (3). 

Your rights in the collection, processing, and storage of your data.

Art. 9. (1) If you do not wish all or part of your data to continue to be processed by the Company for any or all of the processing purposes, you may withdraw your consent to the processing at any time by completing the form to be found in the “Applications” section.

(2) The Controller has the right to request verification of the identity of the data subject.

(3) By withdrawing your consent to the processing of personal data that is mandatory for the creation and maintenance of a platform account, your account will become inactive. You may continue to use the Platform, but you will not be able to use its functionalities;

(4) You may withdraw your consent to the processing of your data for direct marketing purposes at any time.

(5) The withdrawal of consent does not affect the lawfulness of the processing of personal data that the Controller has carried out up to that point.

Right of access

Art. 10. (1) You have the right to request and obtain from the Controller confirmation of whether personal data relating to you are being processed, and, if you are a registered contractor, you may at any time view in your profile the data we process about you.

(2) You have the right to access the data relating to you and the information relating to the collection, processing, and storage of your data.

(3) The controller shall provide you, upon request, with a copy of the personal data processed relating to you in electronic or other appropriate form.

(4) Providing access to the data is free of charge, but the Controller reserves the right to charge an administrative fee in the event of repetitive or excessive requests.

Right to rectification or completion

Art. 11. You may rectify or complete inaccurate or incomplete personal data relating to you directly through your account on the website or by completing the form that you will find in the “Applications” section.

Right to erasure (“being forgotten”)

Art. 12. (1) You have the right to ask the Data Controller to erase some or all of the personal data relating to you, and the Data Controller should erase them without undue delay where one of the following grounds applies: 

  1. the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  2. you withdraw your consent on which the processing is based and there is no other legal basis for the processing;
  3. you object to the processing of the personal data relating to you, including for direct marketing purposes, and there are no overriding lawful grounds for the processing;
  4. the personal data have been unlawfully processed;
  5. the personal data must be erased to comply with a legal obligation under EU or Member State law to which the Controller is subject;
  6. the personal data has been collected in connection with the provision of information society services and you no longer wish to use it;

(2) The Controller is not obliged to erase the personal data if it stores and processes them:

  1. for the exercise of the right to freedom of expression and the right to information;
  2. to comply with a legal obligation requiring processing provided for in EU or Member State law applicable to the Controller or for the performance of a task carried out in the public interest;
  3. for the establishment, exercise, or defense of legal claims;
  4. to protect its legal interests from the possibility of being held financially liable.

(3) If you exercise your right to be forgotten, the Company will delete all of your data except for the following information:

  1. information necessary to verify that your right to be forgotten has been exercised – email, IP address;
  2. technical information about the functioning of the platform, which information cannot be linked in any way to your person;

(4) To exercise your right to be forgotten, you need to take the following steps:

  1. Submit a request by email by completing and submitting the form you will find in the “Applications” section.
  2. Provide a unique identification code to act, which will be sent by email to the email address associated with the registration made on the Platform;
  3. Identify yourself as the account holder;

(5) Once we have verified the identity of the person who made the request and the person to whom the data relates following the above steps, we will delete any data we process about you per paragraph 3.

(6) By deleting your data, your account will become inactive. 

(7) The controller does not delete data that it has a legal obligation to keep, including for the defense of legal claims made against it or to prove its rights.

Right to restriction

Art. 13. (1) You have the right to require the Controller to restrict the processing of data relating to you where:

  1. you contest the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;
  2. the processing is unlawful, but you do not wish the personal data to be erased, only for its use to be restricted;
  3. the Controller no longer needs the personal data for the processing, but you require it for the establishment, exercise, or defense of legal claims;
  4. you have objected to the processing, pending verification of whether the Controller’s legitimate grounds override your interests.

(2) If you exercise your right to restriction, the Company will cease processing your data but will not remove the posts, comments, reviews, and ratings you have made on the Platform.

Right to portability

Art. 14. (1) If you have given your consent to the processing of your data or the processing is necessary for the performance of the contract with the Controller, or if your data are processed in an automated manner, you may, after verifying your identity with the Controller:

  1. request the Controller to provide you with your data in a readable format and transfer it to another Controller;
  2. ask the Controller to transfer your data directly to a controller designated by you, where this is technically feasible.

(2) You may, at any time, download or obtain in a machine-readable format the data that is stored and processed about you in connection with your use of the Controller’s services, directly through your account via the data export option or by email request after completing the form that you will find in the “Applications” section.

Right to receive information

Art. 15. You may request the Data Controller to inform you of all recipients to whom the personal data for which rectification, erasure, or restriction of processing has been requested has been disclosed. The controller may refuse to provide this information only if it would be impossible or would require a disproportionate effort.

Right to object

Art. 16. You may object at any time to the processing of personal data concerning you by the Controller, including if it is processed for profiling or direct marketing purposes.

Your rights in the event of a personal data breach

Art. 17. (1) If the Controller becomes aware of a breach of the security of your data which may pose a high risk to your rights and freedoms, it shall notify you without undue delay of the breach and of the measures which have been taken or are to be taken.

(2) The controller is not obliged to notify you if: it has taken appropriate technical and organizational measures to protect the data affected by the breach; it has subsequently taken measures to ensure that the breach will not result in a high risk to your rights; notification would require a disproportionate effort.

Persons who have access to your data

Art. 18. (1) To process your data and provide the service in its full functionality and in view of your interests, the Controller may provide your data to the following processors:

Processors:

  1. Employees of EXPAT ASSISTANT who are responsible for processing requests;
  2. Employees in the accounting and legal department;
  3. Hosting service provider – Cloudways 

Purposes of processing personal data: 

  1. Processing of contractor data for account registration;
  2. Processing of accounting records, in fulfillment of the Controller’s obligations under Bulgarian law;
  3. Provision of information society services;
  4. Protection of the legitimate interests of the Controller; 

(2) Said data processors shall comply with all legality and security requirements in the processing and storage of personal data.

Art. 19. (1) The Controller shall not transfer your data to third countries unless you expressly agree. If the consent relates to a transfer, the Data Controller shall describe the possible risks of the transfer of the data to third countries in the absence of an adequate protection solution and appropriate means of protection.

(2) As a general rule, your data is stored and processed throughout the European Union and the European Economic Area (EEA). If your personal data is transferred outside the European Union or the EEA, the transfer will be subject to any of the following safeguards:

  1. Binding corporate rules from the relevant supervisory authority;
  2. Based on standard contractual terms adopted by the European Commission;
  3. An approved code of conduct or certification mechanism in the presence of legally binding and enforceable obligations on the third-party processor.

(3) If we determine that one of these measures is not sufficient to provide an adequate level of protection, on a case-by-case basis, we will adopt additional technical and/or organizational security measures following the recommendations of the European Commission. You can contact us at any time using the contact details listed above to find out more about the countries to which we transfer your data and the safeguards we have in place in respect of these transfers.

Final Provisions

Art. 20. In the event of a violation of your rights under the foregoing or applicable data protection law, you have the right to file a complaint with the Personal Data Protection Commission as follows

Art. 21. The Company may amend the Privacy Policy by posting a notice to that effect on its website.

Annexes

Art. 22. (1) You can exercise all your rights regarding the protection of your data through the forms attached below or through the functionalities in your profile.

  1. Withdrawal of consent form for processing purposes – Annex 1
  2. Request “to be forgotten” – to delete personal data relating to me – Annex 2
  3. Request for the portability of personal data – Annex 3
  4. Request for rectification of data – Annex 4

(2) These forms are optional and you may make your requests in any form that contains a statement to that effect and identifies you as the data holder, provided that you clearly state your specific wishes about the processing and storage of your data. 

This privacy policy is accepted and effective as of 27.12.2023.