Privacy Policy

PRIVACY POLICY

OF SOFIA CITY ART GALLERY

With these privacy policy rules of the MUNICIPAL CULTURAL INSTITUTE “SOFIA CITY ART GALLERY” we would like to inform you about the terms and conditions in accordance with which we process your personal data received by us in regard to or on visiting our websites or in any other interaction with us.  

MUNICIPAL CULTURAL INSTITUTE “SOFIA CITY ART GALLERY”, BULSTAT code: 831929053 (SCAG, we) is the owner of the websites http://www.sghg.bg/ and http://veg.sghg.bg (websites). 

In the context of its work, SCAG processes personal data of individuals in accordance with the effective Bulgarian and European legislation; therefore, as far as it defines the purposes and tools for data processing, it acts as data controller. 

SCAG has its seat and registered office at the city of Sofia 1000, 1 Gurko str. 

You can send to the stated address, personally or through a proxy expressly authorised by you in writing, your applications, objections, requests, complaints etc., as well as electronically, while complying with the provisions of the  Electronic Document and Electronic Signature Act (EDESA) for electronic signature use at email _______@______________ to the attention of  …………………………………………….....

I.  TERMS:

For the purposes of clarity of these rules we bring to your attention some basic definitions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), concerning your personal data: 

1.1. “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

1.2. “processing”means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.3. “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 

1.4. “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

1.5. “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

II. PRINCIPLES OF PROCESSSING PERSONAL DATA: 

2.1. Lawfulness – we process your personal data in full compliance with law and for purposes which do not contradict effective legal norms;

2.2. Fairness – we process your personal data to the extent such data are necessary to ensure only your better experience with our online products and for the purposes of our efficient partnership with you;

2.3. Transparency – we do not process your personal data in ways of which we have not informed you herewith and/or expressly in any other communication with you, and we are open to respond, during our working hours, to any questions about your personal data;

2.4. Purpose limitation – we process your personal data only on the grounds referred to below in section III.

2.5. Data minimisation – we process only your personal data without which the processing purposes cannot be achieved;

2.6. Accuracy – we seek to maintain and update the personal data processed by us in the form you have provided them to us, corresponding to the objective reality; 

2.7. Storage limitation – we store your personal data only and for the purposes of the processing; 

2.8. Integrity and confidentiality – we process your personal data in the manner and under the conditions as we have received them, while observing strict confidentiality. We provide your personal data to other persons and do not make them publicly available, except in the cases expressly set out by law or with your explicit consent.

III. GROUNDS FOR PERSONAL DATA PROCESSING:

In compliance with the principles set out in section II, we process your personal data received from you because: 

3.1. you have given us your explicit, prior consent for that, for purposes of which we have informed you in advance or which you have defined. For example, when we want to keep you informed about our news, products and campaigns, we will need your consent to obtain your e-mail address to which we will send such information. Other cases wherein we consider we have received your consent for processing your personal data are for example when you have sent us a letter to the mailing address or an e-mail, stating personal data yourself as you have considered it necessary. (Legal ground: article 1, paragraph 1, letter “a” of GDPR).

In any case of received consent from you to the processing of your personal data on this ground, you may withdraw such consent, free of charge and at any time, by using our contact form or sending us a letter or a message from which it becomes unequivocally clear that you have withdrawn your consent. You can also download a consent withdrawal form here.

3.2. we need your personal data to enter into a contract with you and ensure its performance. For example, for the purposes of entering into a contract for participation in an exhibition or purchase of a work of art, we will need at least your full name, personal identification number or another identifier, where applicable, address according to your ID card, where applicable, contact information (Legal ground: article 6, paragraph 1, letter “b” of GDPR);

3.3. the law requires from us to collect some personal data about you in compliance with our statutory obligations. For example, if you are our employee, subject to our employer obligations, we must process further information to ensure proper conditions in accordance with the labour medicine requirements (Legal ground: article 6, paragraph 1, letter “c” of GDPR);

3.4. we need your personal data in order to protect your vital interests or of another natural person. For example, in case of a reported missing person or protection of third party rights in regard to comments made by you within our materials which are publicly available for comments (Legal ground: article 6, paragraph 1, letter “d” of GDPR);

3.5. processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested on us by a public body, for example to make an expert examination of a work of art, for conservation of cultural heritage, etc. (Legal ground: article 6, paragraph 1, letter “e” of GDPR);

3.6. processing of your personal data is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. An example of such processing is a third party claim lodged against us in regard to your comments on our publications or for the protection of our rights before public and judicial authorities in relation to your contractual or non-contractual right which has harmed our rights and interests (Legal ground: article 6, paragraph 1, letter “f” of GDPR).

IV. PERIOD FOR PROCESSING AND STORAGE:

We store your personal data on the grounds stated in section III for the maximum periods permitted by law depending on the specific case and data for which they refer. Insofar as a legal act does not provide for a longer or shorter period of storage, we store your personal data for a period not exceeding 5 years in accordance with the general limitation period under the Obligations and Contracts Act. 

In some cases the law provides for longer storage periods such as in case of accounting. In other cases, for example when submitting documents to apply for a job with us, the law provides for a maximum period of 6 months for storage and processing of the personal data obtained. 

In cases of legal disputes we store your data for a period of 5 years after their finalisation. 

V. YOUR RIGHTS: 

5.1. You may request information or assistance concerning your personal data as processed by us at the above-mentioned contact details and you may state the preferred way of receiving it. We will reply to you within a month from receipt of the relevant request from you in the way preferred by you, to the extent practicable. Depending on the specific type of request, we may need additional information to verify your identity and we will promptly inform you thereof.

5.2. You may request from us, at any time, to confirm whether we are processing your personal data and, where this is the case, to provide you with such data along with information about: 

a) the purposes of the processing;

b) the relevant categories of personal data;

c) the recipients or categories of recipients to whom the personal data were or will be disclosed, in particular recipients in third countries or international organisations; 

d) where possible, the envisaged period for the personal data storage, and, where this is impracticable, the criteria used for the determination of such period;

e) your existing right to require from us to correct or erase personal data relating to you or restrict its processing, or object to such processing; 

f) your right to complain before a supervisory authority, and for Bulgaria this is the Commission for Personal Data Protection and its contact details are given in section X;

g) where the personal data have not been provided by you, any available information about their source;

h) whether automatic decision-making applies, including profiling, along with significant information about the rationale used, and the importance and the implications for you from such processing.

5.3. You may request from us, at any time, to correct without undue delay your personal data when they are incorrect and/or incomplete.

5.4. We guarantee your right to request the erasure of your personal data without undue delay to the extent where: 

a) the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed; 

b) you have withdrawn your consent on which the data collection is based and there is no other legal ground for the processing;  

c) you object to the processing, at any time and on grounds related to your specific situation, insofar as it is necessary for the performance of a task in the public interest or in the exercise of official authority vested on us, or the processing is necessary for the purposes of our legitimate interests or of a third party, unless your interests or fundamental rights and freedoms override such interests and require protection of personal data, in particular when you are a child.  

A precondition to respect your request in this case is the absence of legal grounds for processing your overriding data or if you have objected to the processing of your data for the purposes of direct marketing;

d) your personal data have been processed unlawfully;

e) your personal data must be erased in order to comply with a legal obligation under the law of the European Union or the law of a Member State applicable to us;

f) your personal data have been collected in relation to the offer of information society services to persons aged under 16.

5.5. You have the right to request from us to restrict the processing of your personal data where: 

a) you contest the accuracy of the personal data for a reasonable period enabling us to verify the accuracy of the personal data;

b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

c) we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; 

d) you have objected to processing pursuant to Article 5.4, letter “c” pending the verification whether our legitimate grounds override yours. 

5.6. We have a legal obligation to notify you of any case of correction or erasure or restriction of the processing of your personal data. 

5.7. You have the right to receive your personal data in a structured, commonly used, machine-readable and interoperable format, and to request to transmit them to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability to the extent this does not prevent us, provided that we have received your personal data on the basis of your consent or the processing is necessary for the performance of a contract, and we will process such data by automatic means.

5.8. You may object, at any time and on grounds related to your specific situation, to the processing of your personal data, as far as the processing is necessary for the performance of a task of public interest or in the exercise of official authority vested on us, or the processing is necessary for the purposes of our legitimate interests or of those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child, including in the cases of profiling. In this case we will terminate the processing of your personal data, unless compelling legitimate grounds for the processing exist which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

5.9. You may object, at any time, to the processing of your personal data for the purposes of direct marketing and the processing will be terminated on receipt of your objection. 

You should keep in mind that the exercise of your rights under this section is not absolute and may be refused if in compliance with the conditions laid down in law their exercise would create risk for: 

1. national security;

2. defence;

3. public order and security;

4. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public order and security;

5. other important objectives of general public interest, in particular an important economic or financial interest, including monetary, budgetary and taxation a matters, public health and social security; 

6. the protection of judicial independence and judicial proceedings; 

7. the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

8. your protection or the rights and freedoms of others; 

9. the enforcement of civil law claims.

To exercise your rights under this section, you should send us a written application in standard form, which can be downloaded here.  

IV. THE PERSONAL DATA WE PROCESS:

6.1. Identification data: the full name, the personal identification number or the non-resident’s personal number, permanent address – we process such data mainly when entering into contractual relations with you, participation in SCAG events for which advance registration is required or which are carried out on request, etc.;

6.2. Other data:

- information about the type and content of the contractual relation, as well as any other information relating to the contractual relation, including media plans, e-mails, letters, information about your requests for rectification of problems, complaints, requests; feedback received from you; 

- personal contact data – contact address, telephone number and contact information (e-mail, telephone number);

- preferences for the services we are providing; 

- IP address applied when visiting our website;

- account user data for the social media, data provided for participation in games, raffles and/or other public initiatives organised by us, including via the social media; 

- activity data – data processed in the network to report user preferences. 

We may process information about you from other legal sources in order to provide you high-quality services. Such sources of information are from our partners (if you have agreed) or publicly available information.  

Such information includes: 

- data to make contact with you;

- publicly available information, such as information contained in public registers, media publications, information made available in the public domain by authorities in power. 

In any case where we have not received personal data from you yourself, when contacting you, we will inform you about the sources and type of personal data we are processing. 

VII. SECURITY OF YOUR DATA:

In order to ensure adequate protection of your data we apply all the existing organisational and technical measures, given the level of technical advance and the assessment of risks from affecting their security. 

For the purposes of preventing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, we have implemented appropriate measures such as encryption, pseudonymisation, established procedures for regular testing, assessing and evaluating the effectiveness of technical and organisational measures. We apply mechanisms aimed to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, etc.

Despite the measures implemented by us, if the security of your data is compromised, which poses a high risk for your rights and freedoms, we will inform you thereof and of the measures we have taken, as soon as possible.

VIII. COOKIES:

Cookies are small text files generated on request by your browser to our web server and which the website may save on your computer or mobile device while visiting a site or a page. The cookie will help the site or other sites to recognise your device next time you visit it.  

Cookies perform multiple functions. For example, they help us analyse how well our sites perform, show you advertisements which we believe are relevant to your interests, or allow us to recommend you content which we think might be interesting to you.  

The cookies we use are anonymous and do not contain any personal data.

There are two main types of cookies – persistent and non-persistent (session cookies).

Session cookies are stored temporarily to your computer while visiting our sites and they are deleted the moment you close the page.

Persistent cookies are stored as a file on your computer or device for a longer period of time.  

Except for cookies necessary for the operation of our site, we store cookies on your device only with your consent. If you do not want to accept cookies, you may adjust the settings of the browser in accordance with its technical requirements.  

Mandatory (essential) cookies

They are necessary for the normal provision of our services, for example in order to save the code of the visited site and for other relevant purposes. Without them, we cannot recognise your device and hence you will not have access to our services. They help us implement our General Terms and Conditions and maintain the security of our services. 

Mandatory cookies are often persistent. They are used to allow you to go from one page to another on our site without the need to re-enter information. 

No consent is required for the use of these cookies as a technical requirement to access our sites, as far as you have made a request for access to them and wish to use the services available on our sites. 

Efficiency and functionality cookies

These cookies are not mandatory for access and use of our sites but they enable us to personalise your online experience while using our websites. They allows us to remember your preferences so that you do not have to enter information which you have already provided, for example while entering your data about access to our services.  

They allow us to collect information on how our users use our services so that we can improve our sites and services. If you decide to delete such cookies, you may have limited functionality to our services. 

Third party cookies

We also use some third party cookies as part of our services, i.e. references to social media and platforms integrated in our sites.

These cookies are operated by the relevant sites and we do not control them, and they all use various cookies. 

Furthermore, we may use some authorised third parties to place cookies while you are visiting our sites for the purposes of services they provide to us.

Types of cookies we use: 

  • ___________ period of storage: _______________ purposes of use:___________;
  • ___________ period of storage: _______________ purposes of use:___________
  • ___________ period of storage: _______________ purposes of use:___________
  • ___________ period of storage: _______________ purposes of use:___________
  • ___________ period of storage: _______________ purposes of use:___________
  • ___________ period of storage: _______________ purposes of use:___________

In case you want to limit or refuse the use cookies on your device, please make your choice here. 

IX. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES:

We disclose your personal data only to:

9.1. public authorities, institutions and persons to whom we are obliged to provide personal data by law; 

9.2. persons who, by assignment, maintain equipment, software and hardware used for personal data processing, SCAG employees, lawyers, accountants or other persons which by assignment or by law have access to your personal data processed by us. All these persons have entered into confidentiality agreements with us and have accepted our internal security rules for the processing of personal data;

9.3. our partners working for the purposes of assignment to SCAG under contractual relations and helping us to provide you our services, with whom we have have entered into agreements on the confidentiality of information and personal data protection. 

9.4. We use the services of third parties who provide personal data processing services for some purposes such as measuring and following user conduct in our sites, sending e-mail communications, sharing user content, sign in with social media profile, etc. Such third parties are entitled to collect personal data and in regard to their policy on collecting, processing and storage of personal data the users of SCAG sites should contact them, namely (including, but not limited to):

- Google (with Google Analytics, Google Tag Manager, DoubleClick for Publishers, AdX, AdSense, AdWords, Google Plus): https://privacy.google.com

- Facebook (with Facebook Tracking Pixel, Facebook Tools – Plug-in "like" button, Sign in with Facebook profile etc.) : https://www.facebook.com/privacy 

- YouTube: https://support.google.com/youtube/answer/2801895?hl=en-GB 

X. COMPETENT AUTHORITIES FOR PERSONAL DATA PROTECTION:

You have the right to make a complaint before the Commission for Personal Data Protection located in Sofia 1592, 2 Prof. Tsvetan Lazarov str., tel.: +3592/91-53-518, е-mail: kzld@cpdp.bg

The period for making a complaint to the Commission is 6 months from becoming aware of the violation but not later than two years of its commitment.

The up-to-date content of this privacy policy is published on all our sites and reflects all the changes we have made in them.