Notice of personal data processing

Date of the last change: 02.10.2023
SharePark LIMITED LIABILITY COMPANY, which operates under the GimleParking brand (hereinafter referred to as the "Controller"), describes in this Personal Data Processing Notice (hereinafter referred to as the "Notice") how it processes personal data of adult individuals (hereinafter referred to as the "Personal Data Subjects" and/or "Users") when they use the GimleParking website, web application, mobile application (hereinafter referred to as the "Software") and in any other case of obtaining personal data of Users.
I. General terms and conditions:

  1. The Controller collects personal data of the Users in order to enable the Users to use the Software and receive the services specified in the Agreement, and to improve the Software. This Personal Data Processing Notice describes what Personal Data the Controller collects, how it is processed and for what purposes.
  2. The Software shall be used in accordance with the Public Offer of the GimleParking Agreement available at https://gimleparking.com/bg/public-offer (hereinafter referred to as the "Agreement"), which is concluded between the Controller and the User.
II. Terms:

  1. Controller - an individual or legal entity that determines the purpose of processing personal data, establishes the composition of this data and the procedures for its processing.
  2. Processing of personal data means any action or set of actions, such as collection, registration, accumulation, storage, adaptation, modification, updating, use and dissemination (distribution, sale, transfer), depersonalization, destruction of personal data, including with the use of information (automated) systems.
  3. Software means the gimleparking.com website, web application and mobile application of the Controller.
  4. Personal data means information or a set of information about an individual who is identified or can be specifically identified.
  5. The legal basis for processing personal data is one of the grounds for which the processing of personal data is permitted by law. There are the following grounds:
  • Consent;
  • Legitimate interest of the Controller;
  • Conclusion of a contract;
  • Other grounds defined by the legislation of the Republic of Bulgaria.
  6. Termination of a legal entity is the termination of a legal entity in the event of liquidation or reorganization. In the case of reorganization of legal entities, property, rights and obligations are transferred to legal successors. Types of reorganization:

  • Merger - two legal entities merge into one;
  • Merger - one legal entity merges with another;
  • Division - two legal entities are formed from one legal entity;
  • Transformation - one legal entity changes its organizational and legal form.
  7. Processor - a natural or legal person who is authorized by the Personal Data Owner or by law to process this data on behalf of the Controller;
  8. Personal data subject is an individual whose personal data is processed;
  9. Third party - any person, except for the personal data subject, the Controller or Processor and the Supervisory Authority to whom the Controller or Processor transfers personal data.
  10. The Independent Supervisory Authority (hereinafter referred to as the "Supervisory Authority") is a government agency of the Republic of Bulgaria - the Personal Data Protection Commission, authorized to supervise compliance with the provisions of the personal data protection legislation. More information is available at the link.
III. Rights of personal data subjects:

  1. To access personal data.
  2. To clarify personal data.
  3. To delete personal data.
  4. To restrict the processing of personal data.
  5. To data portability.
  6. To object to the processing of personal data on the basis of legitimate interest.
  7. To withdraw consent to the processing of personal data.
  8. To apply for legal remedies, to lodge complaints about the processing of their personal data with the Supervisory Authority or in court.
  9. To be protected against an automated decision that has legal consequences for him/her.
IV. Realization of the rights of personal data subjects:

  1. To exercise the rights specified in Section III of this Notice, the personal data subject or his/her representative must send the Controller an application for the exercise of the personal data subject's rights (hereinafter referred to as the "Application") to the email address _____ or to the support service.
  2. The application must contain:
  • Name, surname and patronymic, address, unified civil or personal number of a foreigner or other similar identifier or other identification data of an individual;
  • Description of the request;
  • Preferred form of obtaining personal data in the exercise of rights;
  • Signature, date of application and address for correspondence.
  3. If the application is submitted by a representative, he or she must provide a notarized power of attorney issued to the representative by the relevant personal data subject.
V. Personal Data:
  1. The Controller collects Personal Data provided by the Personal Data Subject. The Controller does not receive it from any third party.
  2. If the Controller receives personal data from a third party in the future, the Controller will act and/or notify the specific Personal Data Subject of each such fact in accordance with the law.
  3. The Controller has the right to transfer personal data to any Processor to fulfill the Purpose of Processing and the Grounds for Processing specified in this Notice for the period specified in this Notice.
VI. Location of personal data:

  1. Personal data of the Data Subjects is stored in the DigitalOcean data center in Frankfurt, Germany.
VII. Processors:
VIII. Transfer of personal data to a third party:

  1. The Controller may transfer personal data to a third party with the consent of the personal data subject, a legal requirement, a court decision and/or a government agency.
  2. The Controller shall notify personal data subjects of the desire to transfer personal data by e-mail to its e-mail address or in the Software or by publishing a new version of this Notice, unless they have previously consented to this.
  3. Using the above-mentioned methods, the Controller provides an opportunity to express consent to the transfer, informs the purpose of the transfer, the transfer period, the rights of the personal data subject, etc.
  4. Consent is expressed by checking an empty checkbox next to which is written "I agree to the transfer of personal data and confirm that I have read this notice".
  5. In case of liquidation and bankruptcy, information on the transfer of personal data may be published in the Software.
IX. Personal data in case of termination and bankruptcy of a legal entity.
The bankruptcy of a legal entity is the inability to repay debts by methods provided for by law, except for liquidation.

  1. The Controller performs the following actions with personal data during reorganization:
  2. In the event of liquidation and bankruptcy, personal data is destroyed or transferred to a third party in accordance with the section Transfer of personal data to a third party.
X. Protection of personal data:

  1. The Controller cares about the protection of your personal data, so we use technical, administrative and legal security measures for this purpose.
  2. The Controller uses the following security measures:
  • SSL and TLS certificates protect your personal data when it is transmitted through our website and web application;
  • Your personal data is stored in different databases. Access to one of them does not allow you to be identified without access to the other;
  • Databases are protected by encryption;
  • The [application name] protects our website and web application from DDoS attacks;
  • We store personal data in secure data centers, which is confirmed by many certifications;
  • We conclude non-disclosure agreements with each employee and contractor for confidential information and trade secrets, including your personal data;
  • We set strong passwords for access to all accounts on any platforms, services and equipment.
XI. Transfer of personal data outside of Bulgaria:

  1. The Controller has the right to transfer your personal data by default to:
  • Other member states of the European Union and the European Economic Area;
  • States that are recognized by the European Commission as generally providing an adequate level of personal data protection, or, partially, in certain areas.
  2. The Controller has the right to transfer your personal data to other states and international organizations on the basis of:
  • Standard Contractual Clauses approved by the European Commission;
  • Mandatory corporate rules;
  • Codes of conduct;
  • Certifications;
  • Other grounds determined by the legislation of the European Union and Bulgaria.
XII. Notification of a personal data security breach:

  1. The Controller is obliged to notify the Supervisory Authority within 72 hours of a cyber incident (meaning any event that has led to a breach of the conditions for processing personal data in accordance with this Notice). The Controller is also obliged to document this event.
  2. The Controller is obliged to notify the personal data subject of a personal data leak and/or cyber incident that has led to a violation of the terms of personal data processing in accordance with this Notice by sending an e-mail to the subject's e-mail, posting a message in the Software and/or providing information by any other means of communication within 7 calendar days from the date on which the Controller became aware of the cyber incident.
  3. The Controller provides the following information to the personal data subject:
  • Information about the Controller;
  • A description of the specifics of the personal data protection breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records affected;
  • Notification of the individual and contact details of the data protection officer or other focal point where more information can be obtained;
  • A description of the likely consequences of the personal data protection breach;
  • A description of the measures taken or proposed to be taken by the Controller to respond to the personal data protection breach, including, if necessary, measures to mitigate its potential negative consequences.
  4. The Controller may refrain from sending the above information to the personal data subject if:
  • The Controller has implemented appropriate technical and organizational protection measures and these measures have been implemented with respect to the personal data affected by the cyber incident, in particular measures that make the personal data unintelligible to any person not authorized to access them, such as encryption;
  • The Controller has subsequently taken measures to ensure that the high risk to the rights and freedoms of the data subjects will no longer occur;
  • Notification would result in a disproportionate effort; in this case, a public announcement or other similar measure is taken to ensure that data subjects are equally effectively informed.
XIII. Validity and amendments:

  1. The Notice is valid from the date indicated in the "Date of last modification" at the very beginning of the page and indefinitely.
  2. The Controller reserves the right to change the Notice at any time and without your consent, but the Controller undertakes to keep old versions of the Notice and to notify the Personal Data Subject of significant changes.
  3. The Controller shall indicate that changes have been made by putting the date in the "Date of last modification" designation.
XIV. Appeal:

  1. If the Personal Data Subject has any questions regarding the notification and/or processing of personal data, the Personal Data Subject may send a request to info@gimleparking.com, which the Controller will respond to within 60 calendar days.
  2. A personal data subject may send an appeal to the Supervisory Authority for the Protection of Personal Data Subjects' Rights if he or she believes that his or her rights have been violated by the Controller. For more information, please follow the link.
XV. Final provisions:

  1. The Notice shall be governed by and construed in accordance with the laws of the Republic of Bulgaria. All disputes arising out of this notice shall be resolved in accordance with the laws of the Republic of Bulgaria in the appropriate court.
  2. The notice on the use of cookies available at https://gimleparking.com/bg/cookie-notification is an integral part of this Notice.
XVI. Information about the Personal Data Controller:

Name: SLLC SharePark
Identification code: 207049614
Registration address: Bulgaria, 8000, Burgas, Georgi Kirkov Str., 16, floor 2
E-mail: info@gimleparking.com / gimle.parking@gmail.com
Manager: Sergii Kravetskiy