PRIVACY POLICY OF THE EMBLEMA GROUP

1. Data Controller Details

The EMBLEMA Group consists of independently operating investment affiliated companies that process personal data as independent data controllers as defined in the General Data Protection Regulation (Regulation (EU) 2016/679- GDPR) and local legislation.

The companies in the EMBLEMA Group, with registered office and registered address in the city of Sofia, Izgrev district, 15G Tintyava Str., 3rd floor, apply uniform policies and practices in their companies with regard to the processing and protection of the personal data of their clients, suppliers and employees.

12 minutes by metro to the Medical University, the National Palace of Culture (NDK) and Sofia city center

The EMBLEMA Group respects the privacy of all individuals and the protection of the personal data of our clients and suppliers is a top priority. We strive to provide you with maximum transparency about why we need your data, how we store it, and what your rights are, which is why we provide you with the necessary information in this document.

2. Contact details for questions related to personal data protection

If you have any questions about our Privacy Policy, and/or would like to exercise any of your rights, or suspect that your personal data may be processed in violation of the law or your wishes, you can contact us using the following contact details:

Address: Sofia, Izgrev district, 15G Tintyava Str., 3rd floor

Phone: +359 885 100 400

E-mail: gdpr@emblema.bg

3. What personal data we process and store about you

In the course of its activities, the EMBLEMA Group processes various types of personal data, which are grouped into the categories listed below.

• Personal information - names, Personal Identification Number/date of birth and place of birth, Foreigner Identity Number, citizenship, address(es), incl. country, details contained in the identity document, telephone number, e-mail address, details of legal and authorized representatives, details of persons through whom a particular natural or legal person is contacted, etc.
• Financial information – bank account number,
• Social information - education, professional activities, expertise and previous experience if you are a job applicant.
• Communication information - the information we learn about you from correspondence between us.
• Special categories of personal data - biometric data: video images from our CCTV system when you visit our facilities, photo ID for identification purposes.

In some cases, we also collect and process your data when you are not one of our clients.

For example:

• when you act as a representative (legal or authorized) of one of our clients or
• when you are in the process of making an enquiry about one of our facilities;
• where you are named as a contact person by one of our clients or a person with whom we have a contractual relationship.

4. Sources from which we collect data

We collect the above data in the following ways:

• Information you provide to us;
• Information available in public registers;
• Video surveillance at our facilities.

In the event that it is established, with or without the assistance of the competent authorities, that data about a third party has been provided without a lawful basis or without the consent and/or knowledge of the data subject or in any other unlawful manner, the personal data will be deleted and each of the companies in the EMBLEMA Group will make the necessary efforts to immediately notify the data subject thereof to the extent possible.

5. Purposes for which we process and store your data

The companies in the EMBLEMA Group process your personal data for the following purposes:

• Provision of information on property enquiries,
• identification of clients and individuals with a view to considering the possibility of making property sales and providing services. The provision of personal data is voluntary for the purposes of pre-contractual and contractual relations for the performance of purchase or after-sales service. In the event of refusal to provide it, the relevant company in the EMBLEMA Group will not be able to enter into a contract with you;
• for the implementation of the agreements concluded between the EMBLEMA Group and you/the person you represent;
• for the purposes of protecting the legitimate interests of the companies in the EMBLEMA Group;
• for strategic planning of our business and business process management;
• investigating and responding to an enquiry, recommendation, complaint or appeal made by you/your representative;
• sending you/the person you represent information on paper and electronically in connection with our contractual activities;
• auditing by a supervisory authority of the activities of the companies in the EMBLEMA Group;
• to establish, exercise or defend legal claims,
• to carry out a selection process if you are a candidate for employment with us,
• statistical purposes and analyses;
• document storage and archiving;
• the implementation of marketing campaigns and surveys if you have provided your consent.

6. Grounds on which we process your personal data

The EMBLEMA Group processes your personal data lawfully on the basis of the legal grounds provided under Article 6 of the General Data Protection Regulation.

• Contractual grounds

  We process your personal data where this is necessary to take steps to conclude a contract with you/the person you represent or to perform a contract already concluded with us.

• Legal obligation

  In the events where companies within the EMBLEMA Group are subject to a number of regulatory obligations under various pieces of legislation, both nationally and under EU law, in order to implement them, the relevant company processes your personal data to comply with the relevant obligation that applies to it.

• Legitimate interest

  In a number of cases, the companies in the EMBLEMA AD Group process your data on the basis of their legitimate interests, such as video surveillance and access control at the companies’ facilities, sending marketing information about our new services similar to the ones you use. Before we start processing your data for these purposes, and in the course of processing it, we carry out a balancing test between our legitimate interests and your fundamental rights and freedoms or interests and, in the event that the latter prevail, no processing of your data is undertaken or discontinued unless you explicitly consent to the processing.

• Consent

  In other cases, e.g. marketing campaigns or satisfaction surveys on the projects and services provided by the EMBLEMA Group in order to improve the level of service, we process your personal data only on the basis of and after obtaining your explicit consent to do so.

  Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time, which will not affect the lawfulness of the processing on another valid legal basis, as well as the lawfulness of the processing based on your consent prior to its withdrawal.

  In case you wish to withdraw your consent to the processing of your personal data for consent-based purposes, you may do so in one of the following ways:

  • by means of a written declaration (download), submitted to the office of the EMBLEMA Group or sent by e-mail to: gdpr@emblema.bg,
  • Upon receipt of your objection, the relevant company of the EMBLEMA Group shall cease processing your data for these purposes.

7. Third parties to whom the EMBLEMA Group provides personal data

The companies in the Group will not provide your personal data to third parties except to the recipients/categories of recipients specified below and if one of the following circumstances applies:

• Processing by another person on behalf of an EMBLEMA Group company

We provide personal information to affiliated or other trusted parties to process it on our behalf pursuant to a contract concluded between us, based on our instructions and in accordance with applicable data protection law.

This includes the following third parties who process your data on behalf of companies in the EMBLEMA Group:

• providers of systems/services for management and support of our operations and the quality of our services, including those related to information technology, with which our companies have concluded contracts (e.g. IT and telecommunications service providers, software product providers, computer support providers, administrative service providers, etc.);
• providers of postal and courier services for the purposes of communicating with us;
• attorneys, lawyers, consultants, auditors;
• subcontractors for various services.

The companies in the EMBLEMA Group take the necessary measures to ensure that the persons involved in the processing of personal data comply strictly with data protection legislation and that they have taken appropriate technical and organisational measures to protect personal data.

The EMBLEMA Group does not transfer personal data to third parties as defined in Regulation (EU) 2016/679.

• Pursuant to a legal obligation

  We share your data with public authorities/institutions, persons with public functions, regulators and supervisory authorities or persons performing public functions (including the National Revenue Agency (NRA), the Commission for Consumer Protection (CCP), the Commission on Protection of Competition (CPC), the Commission for Personal Data Protection (CPDP), the State Agency for National Security SANS), judicial, prosecutorial and investigative authorities, public and private bailiffs, etc.), auditors or organisations if we have sufficient grounds to believe that access, use, preservation or disclosure is necessary for:

  • the execution of an applicable law or other regulation of a mandatory nature;
  • responding to an enquiry made by a supervisory authority, regulator or other state institution or person performing public functions in connection with or on the occasion of the performance of its statutory functions or an initiated inspection, appeal, audit, etc.;
  • the performance of representational functions - to your representatives by virtue of law or authorisation;
  • taking measures to protect the rights and property of companies in the EMBLEMA Group, ensuring the safety of our clients or the public as required and permitted by law.

• In order to perform a contract

  In order to provide the products and/or services requested by you or a person represented by you or in order to perform a contract to which you or a person represented by you is a party, we provide your personal data to third parties without whose participation the performance of the contractual obligations undertaken by the parties would be impossible.

• With your explicit consent

  Outside of the cases listed above, we will share your personal data with companies, organisations or external parties where we have your consent to do so.

8. Processing of your personal data

All companies in the EMBLEMA Group process and store your personal data on electronic and paper media. All electronic and paper databases are protected by adequate organisational and technical measures in accordance with the identified risks in order to prevent accidental or intentional destruction or partial damage, data leakage, accidental loss, unauthorised access, alteration or dissemination, as well as other unlawful forms of processing.

9. Storage period of your personal data

Each of the companies in the EMBLEMA Group will store your personal data for a period not exceeding 10 years, starting from the year following the year of termination of our contractual relationship, in connection with which your personal data was collected and as long as there is no other basis for processing the data.

Data from the CCTV system is stored for 60 days in accordance with the Private Security Act.

The data you have submitted in the form of a curriculum vitae (CV), if you are a job applicant, will be stored for a period of 6 months, unless we enter into an employment relationship with you or we have your explicit consent for a longer storage period.

The other categories of data are stored for as long as they are necessary for the purposes or until you withdraw your consent.

We will store your data for the following reasons:

• So that we can meet your requests for information;
• So that we can respond to your questions and/or appeals;
• So that we can prove the fulfillment of our commitments to you;
• So that we can fulfill the legal obligations imposed on the companies in the EMBLEMA Group regarding the storage of client data and documents related to the establishment and maintenance of commercial or professional relationships;
• To enable us to meet our legal obligations in relation to accountability;
• To pursue our legitimate interests, e.g. to establish, exercise and defend legal claims.

The storage and processing of your data after the expiry of the aforementioned period is permissible where its deletion is prevented for legal, regulatory or technical reasons or for reasons relating to the implementation of measures to prevent unlawful conduct.

10. Your rights as a data subject

You are entitled:

• to access your personal data processed by the respective company in the EMBLEMA Group and the right to request rectification and updating of your stored personal data;
• to withdraw at any time the consent provided by you for the processing and storage of your personal data in cases where they are processed solely on the basis of consent (e.g. for direct marketing or market research purposes). The withdrawal of your consent does not affect the lawfulness of the processing of your data carried out up to that point;
• to submit a request for deletion of your personal data stored and processed by the respective company in the EMBLEMA Group in cases where there is no longer a basis for their processing;
• to request restriction of the storage and processing of your personal data and to object to the processing;
• to receive your personal data that you have provided to the relevant company in the EMBLEMA Group in a structured, commonly used and machine-readable format and transfer this data to another data controller where the data is processed on the basis of your consent or in the performance of a contract concluded between you and the company, as well as where the processing is carried out by automated means;
• to file an appeal with the Commission for Personal Data Protection at the following address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd. tel. 02/91-53-518, e-mail: kzld@cpdp.bg and/or another supervisory/regulatory authority when you believe that there is a violation in connection with the processing of your personal data by the EMBLEMA Group.

You could exercise your rights in the following ways:

• by submitting an Application to exercise subject rights to the following email address: gdpr@emblema.bg
• in person at the administrative office of the EMBLEMA Group at the following address: Izgrev district, 15G Tintyava Str., 3rd floor.

The application to exercise your rights as a data subject can be downloaded here.

Anonymous applications, appeals, and reports will not be considered.

We will respond to each of your requests without undue delay within 30 days of receiving your request.

If we are unable to fully deal with your request within a calendar month (due to its complexity, the need for third party assistance or the number of requests), we may extend this period and will explain the reasons for this to you.

11. Automated analyses and decisions, profiling

The EMBLEMA Group does not perform automated analyses, does not make automated individual decisions and does not perform profiling.

12. Third Party Links

At our discretion, we may include or offer third party products or services on our site. These third parties have separate and independent privacy policies.

Date of last update: 28 April 2025

INFORMATION ON THE CONDITIONS AND PROCEDURE FOR REPORTING AT EMBLEMA GROUP

under the Act on the protection of persons reporting or publicly disclosing information on breaches (Whistleblower Protection Act)

1. Activities for which reports can be submitted under the Whistleblower Protection Act

Reports under the Whistleblower Protection Act may be filed for violations of Bulgarian legislation or of the acts of the European Union specified in the law in the areas under Article 3 of the law, related to the activities of the companies in EMBLEMA Group.

2. Reporting via the internal reporting channel at EMBLEMA Group

• No proceedings shall be initiated in respect of anonymous reports or reports relating to violations committed more than two years prior to reporting.
• Reports which do not fall within the scope of the Whistleblower Protection Act and the content of which does not warrant being considered credible shall not be considered.
• Reports containing manifestly false or misleading statements of fact shall be returned with instructions to the whistleblower to correct the statements and to inform him/her of his/her liability for incrimination under Article 286 of the Criminal Code.
• If the report does not meet the requirements of the law for its submission, the whistleblower shall be notified in order to correct the irregularities. If they are not remedied within 7 days of the notification, the report, together with its attachments shall be returned to the whistleblower.

To register a report, a model form approved by the national authority for external reporting - the Commission for Personal Data Protection (CPDP) shall be used, which must contain at least the following data:

1. the sender's full name, address and telephone number, and e-mail address, if available;

2. the name of the person against whom the report is filed and their place of work, if the report is filed against specific persons and they are known;

3. specific data on a violation or a real danger of such being committed, the place and time of commission of the violation, if any, description of the act or situation and other circumstances, to the extent that such are known to the reporting person;

4. date of submission of the report;

5. signature, electronic signature or other identification of the sender.

Any type of information sources supporting the allegations made therein and/or references to documents may be attached to the report, including information about persons who could confirm the reported data or provide additional information.

A written report shall be submitted:

• by e-mail to: gdpr@emblema.bg;
• in person or by mail to: Sofia, Izgrev district, 15G Tintyava Str., 3rd floor, with the text “Report under the Whistleblower Protection Act” written below the recipient's address - the report must be signed by hand.

A verbal report shall be submitted:

• by calling 0885 100 400 during normal office hours.

The verbal report shall be documented by the completion of the form by the Reporting Officer. The person submitting the report is invited to sign it, if they wish.

Within 7 days of receipt of the report, the Reporting Officer will confirm receipt and provide you with information about the registration of the report, its Unique Identification Number (UIN) and the date the report was received.

This Unique Identification Number shall be applied to any subsequent information or communication relating to the report.