Privacy policy

 GDPR policy



 

 1.  Privacy policy?

1.1  This Privacy Policy determines what happens to personal data that you may supply to us by interacting with the Website.

1.2 You can find a Table of Contents and a brief summary of this Privacy Policy in the chart below. For further details on the data processing carried out by the Company, click the links in each section of the summary to access the full content of the Privacy Policy relevant to that topic.

2.  SUMMARY

Matter

Information

What and who this Privacy Policy covers?

The Company is the data controller of the personal data we collect from and about you through the Website.

This Privacy Policy applies to all users, including those who use the Website without being registered or having subscribed.

For further information go to PARAGRAPH 3.

What kind of personal data do we collect about you?

The Company may collect data from and about you, specifically:

  • contact information: your first and last name, telephone number and e-mail, which you provide by filling in forms on the Website;
  • record of the correspondence with the Company, including information provided by you when sending us a question or comment through the Website contact form; and
  • details of your visits to our Website and the resources that you access.

However, we do not collect special categories of personal data relating to you, specifically any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, as well as personal data relating to criminal convictions and offences.

For further information go to PARAGRAPH 4.

Why do we use your personal data and on what legal grounds?

The main reason why we collect personal data about you is to allow you to use the Website or to provide you with our Company services and to allow you to interact with such services.

It is not mandatory to provide us with your personal data. However, should you choose not to provide us with your personal data some of the Website's functionalities may be unavailable for your use.

We currently do not process your data to send offers, marketing communications, etc. Should we plan this in the future, we will do so only with your prior consent.

For further information go to PARAGRAPH 5.

How do we process your personal data?

The security of your data is a priority for us. For this purpose, the Company has implemented adequate administrative, technical and physical measures to safeguard your personal data against loss, theft and unauthorized use, disclosure or modification.

For further information go to PARAGRAPH 6.

Who can access your personal data?

 

The Company might share your personal data with: (i) third party providers who act as processors for the Company and/or (ii) Company affiliates.

For further information go to PARAGRAPH 7.

Is your personal data transferred abroad?

Your personal data might be transferred to other countries within or outside the European Economic Area (EEA). We always make sure that appropriate and suitable safeguards compliant with applicable laws are in place to protect your personal data.

For further information go to PARAGRAPH 8.

Data Retention

We will retain your data only for the period necessary to fulfil the purposes for which the data was collected as outlined in this Privacy Policy.

At the end of the retention period your personal data will be either cancelled, anonymized or aggregated.

For further information go to PARAGRAPH 9.

What are your rights with regard to your personal data?

You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your personal data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making and Profiling or the basis for international transfers. You may also exercise a right to complain to the Romanian supervisory authority.

For further information go to PARAGRAPH 10.

Updates to this Privacy Policy

The Company may modify or update this Privacy Policy also in order to comply with applicable law.

Please look at the Effective Date at the top of this Privacy Policy to see when this Privacy Policy was last revised.

For further information go to PARAGRAPH 11.

3. WHAT AND WHO THIS PRIVACY POLICY COVERS?

3.1 The Company is the data controller with respect to the personal data (i.e. information that identifies a specific person, such as full name or email address) we collect from and about you through the Website.

3.2 This Privacy Policy and our Cookies Policy apply to all users, including those who use the Website without being registered or having subscribed to a specific service.

4. WHAT TYPE OF PERSONAL DATA DO WE COLLECT ABOUT YOU?

4.1 The Company collects the following personal data from and about you:
  • contact information in the context of you filling in forms or the data required on the Website contact form, specifically: your first and last name, telephone number and e‑mail;
  • records of the correspondence with the Company, including information provided by you when sending us a question or comment through the Website contact form; and
  • details of your visits to our Website and the resources that you access - when you access and interact with the Website, we may collect certain information about those visits. For example, in order to permit your connection to the Website, our servers receive and record information about your computer, device, and browser, including potentially your IP address and browser type. If you access the Website from a mobile device, we may collect a unique device identifier assigned to that device. Cookies and other tracking technologies (such as browser cookies, pixels, beacons, and Adobe Flash technology including cookies) may also be collected. These technologies may also be used to collect and store information about your usage of the Website, such as pages you have visited, content you have viewed, search queries you have run and any advertisements you have seen. For more information please visit our Cookie Policy.

4.2 We do not collect special categories of personal data relating to you, specifically any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, as well as personal data relating to criminal convictions and offences.

4.3 We ask that you do not provide us, and you do not disclose, any information included in a special category of personal data on or through the Website or otherwise.

5. WHY DO WE COLLECT YOUR PERSONAL DATA?

5.1 The Personal Data will be processed by the Company in compliance with applicable data protection laws for the following purposes:

Processing purpose

Legal Basis

Type of Personal Data processed

Provide you with customer support and to respond to your inquiries about our services

Processing is necessary for the performance of a contract to which you are a party or in order to take steps, at your request, prior to entering into a contract.

  • contact information:
      • name and surname;
      • telephone number and
      • e‑mail.
  • records of the correspondence with the Company, including information provided by you when sending us a question or comment through the Website contact form

Allow you to use the Website and improve your experience on the Website, by delivering content you will find relevant and interesting

The collection of this personal data is necessary for the running of the Website and the provision of the Company services. Therefore, it is necessary since otherwise the content of our Website and our services could not be provided.

  • Information collected when accessing the Website from a computer:
      • your IP address;
      • browser type;
      • operating system
      • screen resolution
      • language
      • country
      • service provider
      • referral source
      • demographic
      • social activities
  • If you access the Website from a mobile device:
      • unique device identifier assigned to that device;
      • browser type;
      • operating system
      • screen resolution
      • language
      • country
      • service provider
      • referral source
      • demographic
      • social activities

5.2 It is not mandatory to provide us with your personal data. However, should you choose not to provide us with your personal data some of the Website's functionalities may be unavailable for your use (for example, you will not be able to send any questions or comments to us through the contact form if you do not include all required contact information).

5.3 We currently do not process your data to send offers, marketing communications, etc. Should we plan this in the future, we will do so only with your prior consent.

6. HOW DO WE PROCESS YOUR PERSONAL DATA?

6.1 With regard to the above-mentioned purposes, the personal data is processed through both electronic and manual means, and is protected through adequate security measures. In this regard, although the Company uses appropriate administrative, technical, personnel and physical measures to safeguard personal data in its possession against loss, theft and unauthorized use, disclosure or modification, it cannot guarantee that all possible cyber-risks can be excluded.

7. WHO HAS ACCESS TO YOUR PERSONAL DATA?

7.1 For purposes consistent with those at Section 5 of this Privacy Policy, the Company may share your personal data with the following categories of recipients located within or outside the European Union, in compliance with and within the limits of the provisions of Section 8 below:
7.1.1 Third-party service providers entrusted with processing activities and duly appointed as processors, for example: cloud service providers, Company affiliates (please see below), companies that provide IT services, experts and consultants.

7.2 For the processing of your personal data when participating in the "With us on the road" program, the company works with the following companies - service providers, duly appointed as data processors (Information according to Art. 13, paragraph 1, letter D of Regulation (EU) No. 2016/679 of April 27, 2016):

  • Oil Processing Company East Balkans EOOD, Sofia, registered address: town of Sofia 1784, 115N Tsarigradsko Shose Blvd., MHQ Building;
  • Oil Processing Company Europe d.o.o. Beograd, registered address: Majora Branka Vukosavljevića 46/3, Novi Beograd, Republic of Serbia;
  • Yettel d.o.o. Beograd, with registered address at 90 Omladinskih brigada St.;
  • Telekom Srbija a.d, a Serbian joint stock company with registered address at Beograd, 11000, Takovska 2, Serbia;
  • Mainstream d.o.o. Nušićeva 15, 11000 Beograd;
  • Link Mobility EAD, Sofia, 1, "Bulgaria" square.

 

8. IS YOUR PERSONAL DATA TRANSFERRED ABROAD?

8.1 Your personal data may be transferred to countries within and outside the European Economic Area (EEA), in particular to:
8.1.1 the Republic of Serbia; and
8.1.2 the Russian Federation.

8.2 Some non EEA countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards. The full list of these countries is available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-o....

8.3 For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place appropriate and suitable safeguards to protect your personal data and to ensure that the transfer of your personal data is in compliance with the requirements and the obligations provided by applicable data protection laws, such as standard contractual clauses adopted by the European Commission as per Articles 45 and 46 of the EU General Data Protection Regulation 2016/679 (the "GDPR").

8.4 You have the right to request a copy of the above measures or further information on your personal data by contacting the Company at the address indicated in Section 12 of this Privacy Policy.

9. RETENTION

9.1 We will retain your data only for the period necessary to fulfil the purposes for which the data was collected as outlined in this Privacy Policy. In any case, personal data collected for the purposes mentioned at Section 5 of this Privacy Policy is retained for the time necessary to provide you access to the Website or to grant you the provision of the Company services plus the length of any applicable statute of limitations following the termination of any Company services.

9.2 At the end of the retention period your personal data will be either cancelled, anonymized or aggregated.

10. WHAT ARE YOUR RIGHTS WITH REGARD TO YOUR PERSONAL DATA?

10.1 You have a number of rights in relation to your personal data.

10.2 You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your personal data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making and Profiling or the basis for international transfers. You may also exercise a right to complain to the Romanian supervisory authority. More information about each of these rights can be found by referring to the table set out further below.

10.3 To exercise your rights you may contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:
10.3.1 Identity. We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request in respect of such records.
10.3.2 Fees. We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
10.3.3 Timescales. We aim to respond to any valid requests within one (1) month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can tell us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
10.3.4 Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.

Right

What this means

Access

You can ask us to:

  • confirm whether we are processing your personal data;
  • give you a copy of that data;
  • provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any automated decision making or profiling, to the extent that information has not already been provided to you in this Policy.

Rectification

You can ask us to rectify inaccurate personal data.

We may seek to verify the accuracy of the data before rectifying it.

Erasure

You can ask us to erase your personal data, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • following a successful right to object (see 'Objection' below); or
  • it has been processed unlawfully; or
  • to comply with a legal obligation to which the Company is subject.

We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:

  • for compliance with a legal obligation; or
  • for the establishment, exercise or defence of legal claims.

There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.

Restriction

You can ask us to restrict (i.e. keep but not use) your personal data, but only where:

  • its accuracy is contested (see Rectification), to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal data following a request for restriction, where:

  • we have your consent; or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person.

Portability

You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but in each case only where:

  • the processing is based on your consent or on the performance of a contract with you; and
  • the processing is carried out by automated means.

Objection

You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.

Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

International Transfers

You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area.

We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.

Supervisory Authority

You have a right to lodge a complaint with The National Supervisory Authority For Personal Data Processing. We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. 

11. UPDATE TO THIS PRIVACY POLICY

The Company may modify or update this Privacy Policy also following different interpretations, decisions, opinions and orders relating to the GDPR. Please look at the effective date at the top of this Privacy Policy to see when this Privacy Policy was last revised. Any updates to this Privacy Policy will be posted in the form of a revised Privacy Policy on the Website. If we make material changes to this Privacy Policy that expand our rights to use the personal data we have already collected from you, we will notify you and provide you with a choice about our future use of the personal data.

12. INFORMATION CONCERNING THE PROTECTION OF PERSONAL DATA IN VIDEO SURVEILLANCE IN THE TRADE FACILITIES OF NIS PETROL EOOD

Administrator of personal data:

"NIS Petrol" EOOD, UIC 201703950, 

address, town of Sofia 1784,  115N Tsarigradsko Shose Blvd. 

telephone for contact + 359 904 97 00 

email for contact bgr.ceo@nis.rs and bgr.dpo@nis.rs

Company "NIS PETROL" EOOD, managing a chain of gas stations under the trademark "Gazprom" in the territory of the Republic of Bulgaria, uses in its commercial sites - gas stations, offices, warehouses and car washes, video surveillance and monitoring system in order to ensure safety and security of the sites, self-protection of the property located on the territory of the sites, as well as in order to optimize the work process and increase the efficiency of customer service by the employees of the trade sites.

In view of the above, we provide the following information regarding the processing and protection of personal data while using the video surveillance and monitoring system:

Scope

 

This information applies to persons who fall within the video surveillance zone on the territory and/or in premises of the sites, regardless of the reason.

 

 

Personal data being processed

 

Personal data that are processed when persons enter a video surveillance area of a certain site are image and sound. These data do not always represent protected personal data (respectively biometric personal data), because:

  • a video record may contain an image of a person, but it may not be possible to identify that person if the resolution does not allow it and/or if the person is captured from behind and no other data are available in combination with which that person could be identified;
  • a record may contain the sound of a person's voice, but it may not be possible to identify that person because there is no technical ability to identify a person by voice, i.e. there is no special system for identifying the person by his or her voice, and no other information is available in combination with which to identify that person.

Purpose of the processing of personal data

 

The purposes of video surveillance and monitoring of the facilities of "NIS Petrol" EOOD are:

  • ensuring the safety and security of the sites, self-protection of the property located on the territory of the sites;
  • preventing and/or detecting incidents or violations on the territory of facilities;
  • ensuring control of the access to the monitored sites and security of the persons working at the sites and visitors;
  • control over adherence to work discipline and optimization of the work process;
  • improvement of the efficiency of customer service by the employees of the trade facilities.

The cameras for video surveillance are positioned at suitable locations for achievement of the specified purposes - entry-exit points of the sites, parking lots, gas columns, car washes, indoor premises, office premises and more.

Legal basis for the processing of personal data

 

The processing of personal data for the purposes of video surveillance is performed on the basis of the Law on private security services.

 

Disclosure of data from the video surveillance systems

 

In addition to "NIS Petrol" EOOD, the following may also have access to the data processed through video surveillance:

  • The persons managing and maintaining the video surveillance system and the persons - providers of services for the construction and maintenance of the video surveillance systems. These persons shall act on behalf of and at the expense of "NIS Petrol" EOOD and shall not process the data for their own purposes.
  • Competent state and municipal authorities, law enforcement and judicial authorities, as well as other bodies and institutions, where such disclosure has legal basis.

Storage and protection of the personal data

Period of storage

 

The records of the video surveillance systems are stored within the time limits stipulated by the Law on private security services, after which the data shall be destroyed.

 

"NIS Petrol" EOOD maintains an appropriate system of technical and organizational measures to protect the data against unauthorized access and/or unlawful use of the data and/or against their loss, unauthorized alteration, disclosure, access, damaging and/or copying. The storage period of personal data is up to two months after the video surveillance has been carried out.

 

Rights of the persons whose data are processed by video surveillance

 

Persons whose data are processed by video surveillance have the following rights:

  • Right of access to the corresponding data;
  • Right of correction and/or deletion;
  • Right of transferability of the data;
  • Right of restriction of data processing;
  • Right of objection;
  • Right of complaint to the Commission for protection of the personal data.

The above-mentioned rights may be exercised under certain conditions.

 

Contact information for "NIS Petrol" EOOD

 

We provide the following contact details for additional questions and/or exercise of the rights regarding the processing of data by video surveillance:

Address: town of Sofia 1784,  115N Tsarigradsko Shose Blvd. 

Telephone: +359 2 904 9700

Email: bgr.ceo@nis.rs and bgr.dpo@nis.rs