Enhancing Customer Awareness and Service Transparency for a Leading Utility Company in Bulgaria

CASE STUDY 4

da_DKDanish
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. View more
Cookies settings
Accept
Decline
Privacy & Cookie policy
Privacy & Cookies policy
Cookie name Active
Last Updated: December 11th, 2023 Privacy notice Information about the Company, which processes your personal data:               
Legal name – “JTN Research” Ltd
UIN/BULSTAT – 175340999
Seat and registered office – 51, Alexander Malinov boulevard, floor 6, office B13, Sofia, 1712, Bulgaria
Address of correspondence – 51, Alexander Malinov boulevard, floor 6, office B13, Sofia, 1712, Bulgaria
Telephone number – +359 (0)2 4896090
E-mail – info@jtnresearch.com
Website https://www.jtnresearch.com
Information about the Supervisory authority:
Legal name Commission for Personal Data Protection
Seat and registered 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Address of correspondence 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Telephone number 02/9 153 518
Website www.cpdp.bg
Information about the Data Protection Officer: Zhivko Vasilev
Legal name – “JTN Research” Ltd
UIN/BULSTAT – 175340999
Seat and registered office – 51, Alexander Malinov boulevard, floor 6, office B13, Sofia, 1712, Bulgaria
Address of correspondence – 51, Alexander Malinov boulevard, floor 6, office B13, Sofia, 1712, Bulgaria
Telephone number – +359 (0)2 4896090
E-mail – info@jtnresearch.com
Website https://www.jtnresearch.com
JTN Research Ltd. (hereinafter referred to as “Data Controller”) carries out its activity in accordance with the Law on personal data protection and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is meant to provide you with all aspects of the processing of your personal data by the Company and the rights you have in relation with this processing.   The basis for the collection, processing and storage of your personal data Art. 1. JTN Research collects and processes your personal data in connection with the use of the website https://www.jtnresearch.com/ for the conclusion and for the performance of a contract with the Company under Art. 6, para. 1 and Art. 9, para. 2 Regulation (EU) 2016/679, and in particular under the following:
  • Performance of a contract or taking steps for concluding a contract with trading partner/client.
  • Processing is necessary for compliance with a legal obligation to which the Company is subject;
  • Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party.
  Objectives and principles in the course of collection, processing and storage of your personal data Art. 2. (1) We collect and process the personal data which you provide us in relation to the use of the website https://www.jtnresearch.com/ and concluding a contract with the company, including the following purposes:
  • using the website https://www.jtnresearch.com/;
  • individualization of a party to the contract;
  • accounting purposes;
  • statistical purposes;
  • protection of information security;
  • ensuring the performance of the contract for the provision of the respective service;
  • sending newsletters if you have indicated you wish to receive such;
  • communication and answering to inquiries;
  • organizing games, raffles, campaigns and other events
(2) The Company adheres to the following Principles in the course of processing of your personal data:
  • lawfulness, fairness and transparency;
  • purpose limitation of the processing personal data;
  • proportionality with the processing purposes and data minimisation;
  • accuracy and relevance of the data;
  • storage limitation in accordance with purpose achievement;
  • integrity and confidentiality of the processing and ensuring an adequate level of security of the personal data.
(3) In the course of processing and storage of personal data, the Controller is entitled to process and store the personal data for the purposes of performing its legal obligations and protecting the following legitimate interests:
  • to perform its obligations towards state and municipal bodies and perform its obligations under the applicable legislation and regulations;
  • protection against claims against the Company.
What type of data do we collect, process and store Art. 3. The Company carries out the following operations with the personal data you provide for the following purposes:
  • Conclusion and performance of an employment or a civil contract – the purpose of this operation is to conduct a selection for the appointment of employees or persons on a civil contract, the conclusion of the contract and its administration and implementation by the company.
  • Conclusion and performance of a commercial transaction or contract with a client or partner – the purpose of this operation is the conclusion and execution of a contract with a commercial partner or client and its administration. In some cases, the purpose of the operation may be the protection of the legitimate interests of the company in the course of performing the contract. Due to the limited scope of the collected personal data and the fact that some of the personal data is collected from publicly available sources, an impact assessment is not necessary for this operation. In its relations with its clients, the Company processes personal data in its capacity of data processor for the personal data, which is assigned to the Company for processing by clients. This also applies in the case of carrying on campaigns, landing pages, marketing activities, games, websites, Facebook groups and pages and others. In this case, the Company takes preliminary steps to ensure that your personal data is processed lawfully and in accordance with GDPR requirements and follows the explicit instructions of the client (data controller) in the course of processing. After the completion of the respective activity, the Company transmits the data to the client (the data controller) and deletes the personal data from its database.
  • Sending newsletters – The purpose of this operation is administration of the process of sending newsletters to the persons who have stated that they wish to receive newsletters. Due to the limited amount of data which is collected, carrying out an impact assessment for this operation is not necessary.
  • Organizing and holding an event – the purpose of this operation is communication with participant by email for the purpose of receiving information about the event, identifying the data subject as a participant in the event; providing an opportunity to participate in the event; making an inquiry by the individual in connection with the event and providing feedback to him on this occasion; Obtaining results from a training, survey or exam conducted at the event; Due to the limited scope of the personal data collected and the small number of individuals whose personal data are collected at the moment, it is not necessary to carry out an impact assessment of the operation.
  • Processing of inquiries sent through the forms on the website https://www.jtnresearch.com – the purpose of this operation is to identify the data subject as an inquirer and sending a response to an inquiry or offer. Due to the limited scope of the personal data collected, it is not necessary to carry out an impact assessment of the operation.
Art. 4. (1) The Data Controller processes the following categories personal data and information for the following purposes and on the following grounds:
  • Personal data of candidates for job/internships: (for the selection of job candidates we process names, telephone number, email address, social media profile and personal data that you have sent us in your CV and cover letter);
✔ Purpose for which the data is collected: 1) Individualization of the candidate; 2) Communication with the candidate 3) Selection of candidates. ✔ Grounds for processing your personal data – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – Art. 6, para. 1, letter (b) GDPR.
  • Personal data for concluding a contract with a partner / client – legal entity: (names of the legal representatives of legal entities and names and personal identification number of proxies of legal entities)
✔ Purpose for which the data is collected: 1) Identification of the natural person as a legal representative of a legal entity or trader for the purposes of concluding and performing a contract and drawing up tax and accounting documents and 2) Identifying the proxy in order to certify his representative power. ✔ Grounds for processing your personal data – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – Art. 6, para. 1, letter (b) GDPR.
  • Data for concluding a contract with a partner / client – natural person: (names, personal identification number, address, telephone number, e-mail address)
✔ Purpose for which the data is collected: 1) Identification of the person as a partner / client, 2) Communication and 3) Execution of the contract. ✔ Grounds for processing your personal data – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – Art. 6, para. 1, letter (b) GDPR.
  • Personal data for sending a response to an inquiry sent through the forms on the company’s website: (names, e-mail address)
✔ Purpose for which the data is collected: 1) Identification of the inquirer and 2) Making contact with the inquirer through the forms on the website and sending a response to the inquiry. ✔ Grounds for processing your personal data – Your personal data for making inquiries for digital marketing services and other inquiries are processed on the basis of taking steps to conclude a contract or to perform a contract – Art. 6, para. 1, letter (b) GDPR, as well as for the purposes of the legitimate interests of the Data Collector – Art. 6, para. 1, p. (f) the GDPR, namely contacting the inquirer.
  • Details for receiving the newsletter (email address, names)
✔ Purpose for which the data is collected: Sending a newsletter; ✔ Legal ground for processing of your data – The Data Controller processes your data on the ground of given explicit consent – Art. 6, para. 1, letter (a) GDPR.
  • Data of participants in events organized by the Data Collector (names, email address
✔ Purpose for which the data is collected – 1) Making contact with the person and sending information to him and 2) For the purposes of registration for participation in events. ✔ Grounds for processing your personal data – Your data for registration in an event are processed on the basis of a legitimate interest of the controller or a third party – Art. 6, para. 1, letter (f) the GDPR, namely for holding the event.
  • IP address data – Improving service security and interface localization, statistical and marketing research;
✔ Purpose for which the data is collected: The company processes personal data for IP address of an individual, visitor of the website, for the purpose of improving the security of the service and identification of the user as a person using the services from Bulgaria or another country. ✔ Grounds for data processing: The IP address is collected without it being possible to identify a specific individual, ie. the data is collected in an anonymized form on the ground of realization of the legitimate interests of the Data Collector – art. 6, para. 1, letter (f) of the GDPR. ✔ The collection of this data is necessary for the technical functioning of the site. (2) The Data Controller does not collect or process personal data related to the following:
  • revealing racial or ethnic origin;
  • disclosing political, religious or philosophical beliefs, or trade union membership;
  • genetic and biometric data, health data or data on sexual life or sexual orientation.
(3) Personal data is collected by the Data Collector from the persons to whom it relates. (4) The Company does not perform automated data decision making. (5) The company does not collect and process data for persons under 14 years of age, except with the express consent of their parents or legal representatives. Duration of personal data storage Art. 5. (1) JTN Research stores your personal data as a candidate for job/internship for period no longer than 6 months from the moment of completion of recruitment and selection procedures of employees / interns. After the expiration of the term, JTN Research makes all reasonable efforts to delete and destroy all of your personal data without undue delay or to make them anonymize (ie to make them in a form that does not reveal your identity), unless you give your explicit consent your personal data to continue to be stored and processed in the future. (2) In case that the unapproved candidate for job/internship has provided original or notarized copies of documents certifying physical and mental fitness, qualification degree, professional experience or other circumstance, the Company returns these documents to the candidate within 6 months from the end of the selection. (3) The personal data of the partners and clients is stored for a period of 5 years from the date of the termination of the contract or for longer period in case of legal proceedings or administrative disputes for the purpose of protection of the legitimate interest of the company. The accounting and tax documents are stored for the respective statutory term – up to 11 years. (4) The Data Controller processes your personal data provided on the legal ground of consent, until the explicit withdrawal of this consent. (5) The Company stores the personal data of persons who have made an inquiry through the form of the Company’s website, until the explicit withdrawal of the consent given by the individual or 1 year from the last communication with the requester. (6) The data of the participants in the events are stored until the explicit withdrawal of the consent by the individual or until the end of the event. (7) The Data Controller informs you in case that the period for the storage of personal data is necessary to be extended in regard to performing legal obligation or in regard to legitimate interests of the Company or other. (8) The Data Controller stores the personal data that it is necessary to keep under the applicable law for the relevant period. Transmission of your personal data for processing Art. 6. (1) The Data Controller is allowed on its own discretion to transmit part or all of your personal data to personal data processors for performing the purposes of processing which you have agreed, in compliance with the requirements of Regulation (EU) 2016/679 (GDPR). (2) The Data Controller informs you in case of intention to transmit part or all of your personal data to third countries or international organizations. Your rights in the course of collection, processing and storage of your personal data Withdrawal of consent for the processing of your personal data Art. 7. (1) If you do not wish all or part of your personal data, which are processed on the ground of given consent to continue to be processed by JTN Research for specific or all purposes of processing, you may at any time withdraw your consent to processing by sending request in free text to us or through functionality provided by us in Appendix № 1. (2) The Data Controller could request you to certify your identity with the data subject by requesting from you to present identification document on-the-spot. (3) Withdrawal of consent does not affect the validity of the processing of personal data provided by you until the withdrawal of consent. (4) JTN Research may continue to process some or all of your data if there is a legal obligation to do so or for the purpose of protecting its legitimate interests. (5) With regard to the legal representatives and natural persons-partners or clients under a contract with the company, para. 4 will apply. Right of access Art. 8. (1) You have the right to request and receive confirmation from the Data Controller whether personal data related to you are processed. (2) You have the right to access data related to you, as well as information related to the collection, processing and storage of your personal data. (3) The Data Controller provides you with a copy of the processed personal data related to you, in electronic or other appropriate form, upon request. (4) Providing access to data is free of charge, but the Data Controller reserves the right to impose an administrative fee in case of repetitive or excessive requests. Right to correct or complete Art. 9. You have the right to demand the Data Controller:
  • to rectify inaccurate or incomplete information concerning you directly;
  • to complete inaccurate or incomplete information concerning you directly.
Right to erasure (“Right to be forgotten”) Art. 10. (1) You have the right to request the Data Controller to erase all or part of your personal data, and the Data Controller has the obligation to erase such data without undue delay, when one of the following grounds applies:
  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • You have withdrawn your consent on which the processing is based and where there is no other ground for processing;
  • You have objected to the processing of personal data, relating to you, including for the purposes of the direct marketing, and there are no legal grounds for the processing, which have advantage;
  • The personal data have been unlawfully processed;
  • Personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
  • The personal data have been collected in relation to the offer of information society services.
(2) The Data Controller is not obliged to erase the personal data, if he collects and process them:
  • For exercising the right of freedom of speech and the right of information;
  • For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • For reasons of public interest in the area of public health;
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • For the establishment, exercise or protection against legal claims.
(3) In case of an exercised right “to be forgotten”, the Company shall erase all your personal data, except for:
  • Information which is necessary to certify that your right “to be forgotten” has been exercised;
  • Technical information for the functioning of the website which cannot be connected to your personality;
(4) To exercise your right to be forgotten, you need to send request in free text or on the completed form in Annex № 2 by e-mail. (5) The Data Collector may ask you to verify your identity with the identity of the data subject. (6) The Data Controller does not erase the personal data which it has a legal obligation to store or which is necessary for proving its legitimate rights against claims against the Company. Right to restriction of processing Art. 11. You have right to request the Controller to restrict the processing of the personal data, concerning you, when:
  • The accuracy of the personal data is contested by you, for a period, which allows the Data Controller to check the accuracy of the data;
  • The processing is unlawful, but you oppose the erasure of personal data, and request only for the restriction of their usage;
  • The Data Controller no longer needs the personal data for the purposes of the processing, but you require them for establishment, exercise or defense of legal claims;
  • You have objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of yours.
Right to data portability Art. 12. (1) In case you have given your consent for the processing of your personal data or the processing is necessary for the performance of the contract with the Data Controller, or in case your data is processed in an automated manner, you can, after identification before the Data Controller:
  • ask the Data Controller to provide you with your personal data in a readable format and transmit it to another Data Controller;
  • ask the Data Controller directly to transmit your personal data to another controller designated by you, when this is technically possible.
(2) You can exercise your right to data portability by submitting a written text or filling in the form in Appendix № 3. Right to receive information Art. 13. You have the right to require from the Controller to inform you about all recipients, to whom your personal data, for which has been required rectification, erasure or restriction of processing, have been disclosed. The Controller is allowed to refuse to provide this information if this is impossible or involves disproportionate effort. Right to object Art. 14. You have the right to object at any time to processing of personal data concerning you including processing for the purpose of profiling or direct marketing. Your rights in case of personal data breach Art. 15. (1) When the Data Controller detects personal data breach, which is likely to result in a high risk to your rights and freedoms, the Data Controller communicates the personal data breach to you without undue delay, as well as the measures taken or proposed to be taken by the Company. (2) The Data Controller is not obliged to inform you if:
  • The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach;
  • The Data Controller has taken subsequent measures which ensure that the high risk to your rights is no longer likely to materialize;
  • It would involve disproportionate effort.
Persons to whom your personal data is provided Art. 16. (1) For the purposes of processing your personal data and fulfilling the contract, as well as to provide the service in its full functionality and in view of your interests, JTN Research may provide your data to third parties processing personal data who comply with all requirements for legality and security in the processing and storage of your personal data. You can get more detailed information about the processors of personal data by contacting us on the contact details provided. (2) The specified data processors and Controllers comply with all requirements for legality and security in the processing and storage of your personal data and the Company enters into contracts with data processors to guarantee their obligations to protect your personal data. Art. 17. The Controller does not transfer your data in third countries. Art. 18. In the event of a breach of your rights under the above or applicable data protection law, you have the right to lodge a complaint with the Data Protection Commission as follows:
Legal name Commission for Personal Data Protection
Seat and registered 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Address of correspondence 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Telephone number 02/9 153 518
Website www.cpdp.bg
Art. 19. You could exercise all your rights related to the protection of your personal data through the forms attached to this privacy notice. Of course, these forms are optional and you could submit your requests in any form that contains a statement to that effect and identifies you as the data subject. Art. 20. If there is consent for transfer, the Data Controller describes the possible risks for the transfer to third countries in case of lack of decision of an adequate level of protection and appropriate means of protection. Art. 21. The Company may amend the Privacy notice by posting a notification for that effect on its website. This Privacy notice is adopted on 15.11.2023 JTN Research ensures that it will refer to this Privacy notice with a link to its website, by indication or in another appropriate way, ensuring that you have the opportunity to be informed with its content     Appendix № 1 - Exemplary forms of withdrawal of consent for processing purposes Appendix № 2 – Request “to be forgotten” – for erasure of personal data related to me Appendix № 3 – Request for portability of personal data Appendix № 4 – Request for rectification of personal data
Save settings
Cookies settings