Personal Data Privacy Policy of the PavelAndreev.ORG Platform


I. PERSONAL DATA ADMINISTRATOR DETAILS

Pavel Andreev Foundation is a non-governmental organization registered in compliance with the laws of the Republic of Bulgaria in the Business Register and in the Register of Nongovernmental Oganizations, company No. 206678629, with seat in Varna 9000 and headquartered at Primorski district, 113 General Kolev st., floor 8, (hereinafter referred to as the Foundation and/or Administrator) as a personal data administrator within the scope of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in regard to processing personal data and about the free movement of such data and about the repeal of Directive 95/46/EC (hereinafter referred to as the Regulation) and the Personal Data Protection Act (hereinafter referred to as PDPA).

The webpage https://pavelandreev.org/ is owned and managed by the Administrator in compliance with the provisions of the Regulation and PDPA.

Contact details with the Administrator:

Full names: Pavel Andreev Andreev 

Tel.: +359 889/560925

Email address: [email protected]

II. PERSONAL DATA

Personal data according to the Regulation is any information related to an identified natural person or a natural person who can be identified due to the respective data.

III. OBJECTIVE

The objective of this Policy is to inform you about the principles and the way the Foundation processes personal data in its capacity as an Administrator, the type of data it will collect and process, and the rights of the persons whose personal data is collected and processed. This Policy, among others, has been adopted and published pursuant to the obligations of the Foundation in its capacity as an administrator under Art. 13 and Art. 14 of the Regulation.

If you have any questions or need additional information about your personal data, rights and privacy, please contact the Foundation at the contact details as specified in Section I above.

 

IV. PRINCIPLE OF PROCESSING


The protection of personal data is a fundamental human right as per Art. 8 of the Charter of Fundamental Human Rights. Further, the Foundation considers that confidentiality, protection and integrity of your personal details is a priority and it is committed to comply with the legal regulations for personal data protection. The Foundation neither sells personal data collected by it to third parties, nor it processes or provides this data to third parties without a legal reason for doing so in compliance with the Regulation and PDPA. The Foundation processes and provides personal data to third parties only if there is a justifiable legal reason for doing so, including express and freely given consent under the Regulation and/or on another reason for processing set out in the Regulation and the PDPA

When collecting and processing personal data, the Foundation, in its capacity of an administrator, shall observe the following principles set out in Art. 5 of the Regulation:

  • Legality, good faith and transparency;
  • Collection for specific legitimate purposes, without further processing in ways incompatible with those purposes;
  • Limitation, accuracy and keeping the data up-to-date;
  • Identification of the subject of the data for a period not longer than necessary to achieve the objectives;
  • Adequate level of data security, including protection against unauthorized or unlawful processing.

The Foundation processes personal data in full compliance with the principle of keeping a minimum of processed personal data needed for specific, justifiable and legitimate purposes (need-to-know principle).

V. TYPES OF PERSONAL DATA. LEGAL REASONS

5.1. The activity done by the Foundation is entirely in the scope of charity. The Foundation was set up for that purpose and its overall functions are based on organizing campaigns/causes in various fields, such as: raising funds for adults/children in serious health condition; people in difficult/disadvantaged living and social situations, for people who have suffered from a natural disaster; in general people who need financial support, fundraising including but not limited to: organizing other causes as: supporting talents in the sphere of sports, refugees and/or other persons affected by conflict, pandemic and/or other, and: raising funds for animals, for renovations and public works and other charitable causes. Funds are raised by organizing online campaigns that give details on the real situation of those who need help. In regard to the above, the Foundation processes and protects the personal data collected when carrying out its activity legally and expediently in compliance with the purposes the data is collected and/or have been collected for.

5.1.1. For the purposes of this Privacy Policy and to avoid any doubt about the terminology, the terms set forth shall have the following semantic and interpretive meaning:

Beneficiary/Person in need - people the relevant charity campaign is organized for (regardless of the nature of the cause), persons for whose treatment funds will be collected and donated.

Initiator/Organizer - the person due to whose initiative the respective charity campaign is organized and published. The organizer does not necessarily have to be a beneficiary as it can be a parent/ guardian or a third party to the person in need. The Organizer is responsible for the information provided to the Foundation to publish and for the beneficiary's consent for it.

Donor - any natural or legal person who has provided funds for the respective cause/campaign, including with or without a profile created on the website of the Foundation.

User - any person who has accessed the website of the Foundation or created an account on it.

Cause/Campaign - due to the wide range of causes and campaigns the Foundation organizes, these terms may mean: raising money for beneficiaries, including fundraising for renovations, for animals and/or other organized campaigns having charitable purposes and supporting people, animals, and public works.

Types of personal data collected and processed by the Foundation:

A) Personal data of users of the site collected and processed, in their capacity of donors/users:

  • through the above website, the Foundation may collect: (1) of donors/users who have created a profile on the electronic platform: name, telephone, email address; (2) of donors/users operating without creating an account: name and email address. In both cases, the Foundation may collect information about the bank account of a donor, depending on their choice to transfer a donation. If the donor wishes to get a certificate issued by the Foundation to use it for tax benefits, the latter may request a document certifying the transfer of a donation, which is set out in the General Terms and Conditions of the Foundation.
  • by contacting the  official email address of the Foundation: the Foundation does not collect and process personal data through email correspondence. However, it may collect names, email address, phone number and any other information voluntarily provided by the contacting person.
  • by making a telephone call: the Foundation may collect information about names, telephone numbers and any other information that the person making the contact has voluntarily provided.

B) Personal data of users of the site collected and processed, in their capacity of beneficiaries:

  • through the above website, the Foundation may collect and process: full name, ID number /foreigner’s ID number (if the person is a Bulgarian citizen), ID card/passport data, address, e-mail address, telephone number, and: (1) for medical campaigns: medical information of any type: medical reports, documents proving examinations performed and the results from them, medical diagnoses and/or other showing the health condition of the beneficiary, and submitted photos of the person in need (if they are voluntarily given and explicit consent for their publication has been granted, including on social networks, for a high level of publicity), results from the intervention(s) performed and/or others (after the end of the campaign and after obtaining explicit consent), bank information and any other information provided voluntarily by the beneficiary/initiator (if they are not the same person); (2) for non-medical causes/campaigns: the Foundation may collect and process: full name, ID number /foreigner’s ID number (if the person is a Bulgarian citizen), ID card/passport data, address, email address, telephone number, data on the social and living conditions of the beneficiary, i.e. conditions and quality of life, photos (if they are voluntarily given explicit consent for their publication has been granted, including on social networks, for a high level of publicity), documents showing the real need to organize a cause/campaign to raise funds, results, and any other information voluntarily provided by the beneficiary/initiator (if they are not the same person).
  • by contacting the  official email address  of the Foundation: the Foundation does not collect and process personal data through email correspondence. However, it may collect names, email address, phone number and any other information voluntarily provided by the contacting person.
  • by making a telephone call: the Foundation may collect information about names, telephone numbers and any other information that the person making the contact has voluntarily provided.

Collecting and processing data for underaged/minors in their capacity of beneficiaries:

The Foundation may collect and process: full name, date of birth, ID number /foreigner’s ID number (if the person is a Bulgarian citizen), address, ID card data (if it is applicable), telephone number, and: (1) for medical campaigns: medical information of any type: medical reports, documents proving examinations performed and the results from them, medical diagnoses and/or other showing the health status of the beneficiary, and submitted photos of the person in need (if they are voluntarily given and explicit consent for their publication has been granted by the parent/guardian/initiator, including on social networks, for a high level of publicity), results from the intervention(s) performed and/or others (after the end of the campaign and after obtaining explicit consent), bank information and any other information provided voluntarily by the parent/guardian/initiator; (2) for non-medical causes/campaigns: the Foundation may collect and process: full name, date of birth, ID number /foreigner’s ID number (if the person is a Bulgarian citizen), address ID card data (if it is applicable), data on the social and living conditions of the beneficiary, i.e. conditions and quality of life, photos (if they are voluntarily given and explicit consent for their publication has been granted by the parent/guardian/initiator, including in social networks, for a high level of publicity), documents showing the real need to organize a cause/campaign to raise funds, results, and any other information voluntarily provided by the parent/guardian/initiator.


C) Collecting and processing of personal data of users of the site in their capacity of parent/guardian/initiator:

  • through the above website, the Foundation may collect: full name, ID number /foreigner’s ID number (if the person is a Bulgarian citizen), ID card/passport data, address, e-mail and telephone number.
  • by contacting the  official email address  of the Foundation: the Foundation does not collect and process personal data through email correspondence. However, it may collect names, email address, phone number and any other information voluntarily provided by the contacting person.
  • by making a telephone call: the Foundation may collect information about names, telephone numbers and any other information that the person making the contact has voluntarily provided.

When getting in touch with the Foundation at the official email address and/or by phone call, the Foundation always advises and guides individuals to organize the campaigns through the website. The Foundation does not collect and process personal data of beneficiaries by e-mail and telephone, limiting inquiries as much as possible and redirecting the organization to the site. On the email and/or on the phone, the Foundation mainly provides information about past/current campaigns, technical assistance on how to organize a campaign. To put it clearly - the Foundation provides information upon inquiries by donors/users/persons who have contacted, only which is public and accessible. If documents containing sensitive personal data are sent via email and/or in a profile on the social networks of the Foundation, the Foundation presumes that the person has given consent and read this Privacy Policy and General Terms and Conditions; however, the Foundation shall explain about the documents again and redirect the persons to the website.

5.2. Reasons for collecting and processing the indicated personal data:

Personal data needs submitting so that the Foundation could perform its activities, including organizing campaigns, raising funds for a person in need and verification of the credibility of the request received for launching a charity campaign to avoid misappropriation. In such cases, the collection and processing of personal data is on contractual basis and provisions, without which the services could not be provided by the Foundation. If personal data that is photos and/or another one that cannot be accepted as a contractual basis, the Foundation shall request the express, voluntary consent by the respective person.

5.3. Pursuant to the legislation it is possible that the Foundation may be requested to disclose personal data of third parties in case of a court / arbitration / enforcement / collateral process and/or by a competent authority; disclosure might be needed for the purposes of national security, law enforcement or other cases set forth in the legislation. In such cases, the processing of personal data is in compliance with the legal obligation of the Foundation. Personal data may also be disclosed if such a disclosure is reasonable and needed to protect the legitimate interests of the Foundation. Therefore, namely to avoid misappropriation of funds and the ability of the Foundation to inform the competent authorities in case of suspicion about unlawful actions, the Foundation keeps a register of its donors, beneficiaries and initiators.

The Foundation hereby declares that it is a subject to the Measures against Money Laundering Act (MMLA) as it gets in the scope of persons indicated under Art. 4, item 28 of the Act. So, the Foundation has legal obligations and pursuant to them it may request from the donors information about the origin of funds pursuant to MMLA. If the Foundation detects a risk and/or a suspicious transaction (donation) exceeding the legal limits regulated under MMLA, more precisely, as incorporated in Art. 11 of the Act, then it may inspect that and/or notify the competent authorities. As "suspicious" and/or "risky" donations are considered: (1) performing a random operation or executing a random transaction with a value equal to or exceeding the BGN equivalent of 15 000 euros or its equivalent value in another currency, regardless of whether the operation or transaction is carried out through a single operation or transaction, or through several related operations or transactions; (2) any case of suspicion of money laundering, suspicion of terrorist funding and/or funds of criminal origin, regardless of the value of the operation or transaction, the risk profile of the customer, other conditions for applying the verification measures, or other exceptions set out in the respective law or in the guidelines for its implementation. The Foundation reserves the right, subject to its legitimate interests, to inspect in case of suspicion, incl. collecting the necessary volume of personal data required under the Personal Data Protection Act, including notifying the competent authority.

The activity of the Foundation is only and solely related to charity and therefore, it exercises its rights under Art. 11, para. 5, as it may perform and/or shall be able to:

  1. identify the donors and beneficiaries by collecting full information as much as possible which will allow unambiguous identification, including information about persons exercising control without obstructing the activity of the organization, and if need be, methods and means of complex verification might be applied;
  2. check the donors and beneficiaries, partner non-governmental organizations if there is negative public information or possible coincidence with persons under Art. 4b of the Measures Against the Financing of Terrorism Act.

5.4. If the initiator/beneficiary gives their express written consent (this also refers to the cases when the consent was granted by electronic signature on the declaration) to provide photos showing the condition or the need to organize a campaign, then the initiator/beneficiary gives consent to their publication, so they could end up in a post on social networks of the initiator/beneficiary and/or another platform for marketing and/or other purposes. In such cases, the reason for collecting and processing the personal data is the express consent. The initiator, if it is different from the beneficiary, is responsible for the provided personal data of the beneficiary that can be published.

5.5. The Foundation complies with all the provisions of the Regulation and the PDPA about informing the subjects in this regard as the Foundation has notified them (the subjects) in accordance with this Policy, incl. the Foundation has waited to get voluntary consent from its initiators/beneficiaries before getting into actions to publish and organize a campaign.

5.6. In regard to item 5.4. of this Policy, due to the nature of the provided data, namely data about health status, diagnosis, social and living conditions, etc., the initiators of the respective campaign shall delete the personal data of the beneficiaries. So, when organizing a campaign, the initiators should delete the ID number, identity card data, address of the beneficiary. If this has not been done, in compliance with the regulations the Foundation has the right to delete the personal data of the persons before publishing the information. It is important for the Foundation to comply with all regulations at national and supranational level, therefore, it shall publish only data for which it has obtained voluntary consent and data that is needed for the purposes of the respective campaign/cause.

5.7. Taking into account the desire of the Foundation to organize and help people/animals in a serious/disadvantaged condition as the funds are raised for treatment/improvement in their living and social situation, the foundation has the right to publish photos that are voluntarily provided to it by the initiator and photos proving the respective diagnosis/condition to third parties, solely for the purpose of campaign transparency. Hence, after obtaining an express and voluntary consent, the Foundation can also publish results on spending the funds to the donors to prove that the money was allocated only and solely for the purpose of improving the health, social, living conditions, for public works, renovation and/or other if money has been raised for that.

VI. PURPOSES FOR COLLECTING AND PROCESSING OF PERSONAL DATA 

6.1. The Foundation shall collect and process personal data needed to perform its activities and its contractual obligations to initiators/beneficiaries/users/donors. In that scope, the Foundation shall process personal data for the following purposes:

  • Contact achieved by the user/donor on the website of the Foundation through the contact form on the Internet site indicated above, which is maintained and managed by the Foundation, and/or directly by a message to an e-mail address, or via a phone call.
  • Organization of a charity campaign to raise funds for a person in need, incl. the verification of the medical documents submitted to prove the need for it and avoid misuses by third parties;
  • Drafting responses and taking action after inquiries, complaints, petitions, applications, etc. by users of the website /donors/beneficiaries.

6.2. Upon the consent of the initiator/beneficiary or when permitted by law, the Foundation may use personal data, namely e-mail address, names, photos (voluntarily provided), a document proving the diagnosis/need (possibly medical) for the purposes of informing donors and of transparency of the actions of the Foundation. Further, in the field specially designed for that on the website, the Foundation may announce the closure of the respective cause/campaign because the funds have been raised and/or another event that has occurred and because of which it should come to an end.

6.3. Donors can receive emails containing information about the campaign – funds raised, treatment of the beneficiary, their current condition and other public data uploaded on the website of the Foundation. The Foundation makes a clear distinction that these e-mails should not be credited as "unsolicited commercial information" and/or otherwise because, when donations are made, it is taken into account that the donor should be interested in and have access to information about the progress of the campaign.

6.4. The Foundation shall store personal data for a period it is needed for to achieve the goals it was collected for, including the compliance with the regulations.

6.5. The processing of the above personal data complies with the purposes of administrative and other operating processes in the Foundation, including, but not limited to, the services that the Foundation offers, such as, but not only: quick and timely organization of a campaign for a person in need, assistance when a third party wishes to make a donation for a specific purpose and others.

6.6. For duly and high-quality storage, incl. proving the authenticity of the campaigns, the Foundation shall keep the personal data of its donors, initiators, beneficiaries in registers specially designed for that.

VII. SECURITY MEASURES

7.1. The Foundation shall take sufficient technical and organizational measures to protect the personal data it processes against theft, misuse, unauthorized access, unauthorized disclosure, unauthorized destruction or any other unlawful processing or arrangement of such data. Further, the Foundation shall not store personal data of its initiators, beneficiaries, donors on hard copy in the  office of the Foundation or at another physical place; therefore higher security means for data encryption and backup shall be applied.

7.2. All representatives and employees of the Foundation and all contractual parties to the Foundation, shall comply with confidentiality and strictly observe the legislation in the sphere of personal data protection, in line with the Regulation and PDPA.

7.3. When the Foundation provides personal data to third parties, then the Foundation shall implement mechanisms, including contractual ones, to ensure that this data is processed and protected in compliance with the applicable laws.

VIII. TIME LIMITS FOR DATA KEEPING

8.1. The Foundation shall observe the principle of data storage only for the period the storage of that data is needed and mandatory to achieve the purpose it was collected, unless the law sets out a longer period for storage.

8.2. After the expiration of the legal periods for keeping documentation, in compliance with the applicable accounting, financial and tax laws in the Republic of Bulgaria, including the legal provisions on document archiving, the Foundation shall erase and delete the personal data related to:

  • inquiries made, questions asked, requests submitted, petitions and others by e-mail and/or in another manner made on the Internet platform;
  • when performing its administrative and operational activities;
  • before/during and after an organized campaign.

8.3. The administrator shall erase and delete personal data related to an inquiry sent to the official email address after 1 month if the person has not duly organized a campaign in line with the requirements of the Foundation. If the user/initiator/beneficiary used the electronic platform to organize a campaign, the Foundation shall erase and delete the personal data after the expiration of all legal terms, including tax, accounting and others, as the appropriate moment for starting the erasure is the end of the campaign on the website of the Foundation

8.4. The initiators/beneficiaries understand and declare, through the adoption of this Policy, that after implementing the request to delete the personal data provided to the Foundation, the Foundation shall delete the respective campaign/cause so that it would not be able to raise funds and/or disseminate it publicly. To this end, when requesting the erasure of personal data, the initiator/beneficiary is aware that the cause/campaign ends within the time limit for erasure of the  personal data of the subject. This rule shall also apply when the initiator is different from the beneficiary but it has requested their personal data to be deleted. The Foundation, as a charitable organization, shall monitor and comply with its legal obligations against misappropriation of donor funds, therefore it is of much importance for the Foundation to be able to identify the initiator if it has detected misuse, illegal actions and/or other legal breaches.

IX. RIGHTS RELATED TO PERSONAL DATA 

9.1. Pursuant to the Regulation and PDPA, subjects of data shall have the following rights at any time:


(1)  right of access to their personal data processed by the Foundation;

(2) right to request correction of inaccurate data, deletion (including if there is a legal reason for that), limitation or blocking (if there is a legal reason for that) of the processing of their personal data processed by the Foundation;

(3) right to data portability if the conditions for this are met in line with the Regulation;

(4) the right at any time to protest to the processing of their personal data when there are legal reasons for that;

(5) the right to appeal to the Commission for Personal Data Protection (CPDP) if they consider that their rights in relation to the protection of their personal data have been violated.

9.2. The Foundation may refuse to fulfill requests to exercise rights, when there is a reason for this set out in the Regulation and PDPA, incl. when the requests are unreasonably repeated, require excessive effort and/or costs for the administrator, when they are clearly unjustifiable, and when they threaten or violate the privacy and rights of other users.

X. PROCEDURE TO EXERCISE THE RIGHTS OF SUBJECTS OF PERSONAL DATA 

10.1. Subjects of personal data can exercise the rights in compliance with this Policy after submitting a request to exercise the respective right.

10.2. Requests to exercise the rights of the subjects of personal data can be submitted in the following way:

А) To the Foundation:

  • electronically to the following email address: [email protected]
  • on the spot at the  administration of the Administrator;
  • by post - to the  address  of the Administrator- Varna, Primorski district, 113 General Kolev st., 8th floor

10.3. A request to the Foundation to exercise rights related to the personal data protection should contain the following information:

  • Identification of the person - full name;
  • Contact for feedback - address, telephone, e-mail;
  • Request - description of the request.

10.4. The Foundation shall provide information about actions taken pursuant to a request to exercise the  rights of the subjects within one month after receiving the request.

10.5. If need be, this period can be extended by another two months, taking into account the complexity and number of requests from a certain person. The Foundation shall inform the person about such extension if any within one month after receiving the request, specifying the reasons for the delay.

10.6. The Foundation shall not be obliged to respond to a request if it is unable to identify the subject of the data.

10.7. The Foundation may request the submission of additional information (e.g. ID No.) needed to confirm the identity of the subject of the data when there are reasonable concerns in regard to the identity of the natural person making the request.

When a request is submitted electronically, the information shall be provided by electronic means whenever possible, unless the subject of the data has requested otherwise.

XI. EFFECTIVENESS AND UPDATE 

This Policy is effective as of 07.10.2021. The Pavel Andreev Foundation may amend and update this Policy as every amendment/update shall be published on the above official website of the Foundation, and at its discretion the Foundation may also take other actions to notify users/ donors/ beneficiaries /initiators of the amended or updated Policy

Date of last update: 05.04.2024