Mandatory Information on Personal Data Protection Rights
Information about the company processing your data:
Name: Diva 691 Ltd.
Company Identification Number (UIC/BULSTAT): 203132322
Registered Office and Address: 35 Varshava Street, Plovdiv, Bulgaria
Correspondence Address: 35 Varshava Street, Floor 2, Apt. 4, Plovdiv, Bulgaria, Postal Code 4017
Phone: +359888804553
Email: dvproduct691@gmail.com
Website: www.diva691.com
Information about the competent supervisory authority for personal data protection:
Name: Commission for Personal Data Protection
Registered Office and Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Correspondence Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Phone: +3592 915 3 518
Website: www.cpdp.bg
Diva 691 Ltd. (hereinafter referred to as the "Controller" or the "Company") operates in compliance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR) regarding the protection of natural persons with respect to the processing of personal data and the free movement of such data. This document aims to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.
Legal Basis for the Collection, Processing, and Storage of Your Personal Data
Article 1. The Controller collects and processes your personal data in connection with the use of the Miracle Cosmetics World online store and the conclusion of contracts with the company, pursuant to Article 6, paragraph 1 of Regulation (EU) 2016/679 (GDPR), based on the following grounds:
Explicit consent provided by you as a customer;
Fulfillment of the Controller's obligations under a contract with you;
Compliance with a legal obligation applicable to the Controller;
Legitimate interests pursued by the Controller or by a third party.
Purposes and Principles of Collecting, Processing, and Storing Your Personal Data
Article 2.
(1) We collect and process the personal data you provide in connection with the use of the online store and the conclusion of contracts with the company, including for the following purposes:
Creating an account and providing full functionality for using the online store;
Concluding and executing distance contracts;
Identifying the parties to the contract;
Accounting purposes;
Statistical purposes;
Protecting information security;
Ensuring the execution of the contract for the provision of the respective service;
Sending newsletters, if you have expressed your consent.
(2) We adhere to the following principles when processing your personal data:
Lawfulness, fairness, and transparency;
Purpose limitation;
Data minimization, ensuring relevance to the purposes of processing;
Accuracy and timeliness of the data;
Storage limitation in line with achieving the purposes;
Integrity and confidentiality, ensuring an appropriate level of security for personal data.
(3) During the processing and storage of personal data, the Controller may also process and store personal data to protect the following legitimate interests:
Fulfilling its obligations to the National Revenue Agency, the Ministry of Interior, and other state and municipal authorities.
Types of Personal Data Collected, Processed, and Stored by Our Company
Article 3.
(1) The company performs the following operations with the personal data you provide, for the following purposes:
User registration in the online store and execution of a distance purchase agreement:
Purpose: To create a profile for using the online store to purchase goods and to provide contact details for the delivery of purchased goods.
Note: Registration and account creation are not mandatory for accessing the online store, as many features are available without an account.
Impact Assessment Conclusion: The operation is permissible and provides sufficient guarantees for protecting the rights and legitimate interests of data subjects in compliance with GDPR requirements.
Conclusion and execution of commercial transactions with customers or partners:
Purpose: To conclude and manage contracts with commercial partners or customers.
Note: Due to the limited scope of personal data collected (some of which may be publicly available), an impact assessment is not required.
Sending newsletters:
Purpose: To manage the process of sending newsletters to customers who have expressed a desire to receive them.
Note: Given the limited scope of collected data, an impact assessment is not required.
Exercising the right of withdrawal or filing complaints:
Purpose: To manage the process of exercising the customer’s right of withdrawal or handling complaints.
Note: Due to the limited scope of collected data, an impact assessment is not required.
(2) The Controller processes the following categories of personal data for specific purposes and on the following legal grounds:
Identification data (email, name, etc.):
Purpose:
To establish communication with the user and send information.
To register users in the online store.
To send newsletters.
Legal Basis:
By accepting the terms and conditions and registering in the online store or placing an order without registration, a contractual relationship is established under Article 6(1)(b) GDPR.
For newsletters, processing is based on explicit consent under Article 6(1)(a) GDPR.
Delivery data (name, phone, address, etc.):
Purpose: To fulfill the Controller's obligations under a sales contract and ensure the delivery of purchased goods.
Legal Basis:
Contractual necessity under Article 6(1)(b) GDPR.
Additional data provided by you:
Purpose: To enhance your user account with additional details (e.g., name, surname, phone number).
Legal Basis: Explicit consent for specific purposes under Article 6(1)(a) GDPR.
Note: Providing this data is optional and not mandatory for registration.
(3) The Controller does not collect or process personal data related to the following:
Racial or ethnic origin.
Political, religious, or philosophical beliefs, or trade union membership.
Genetic and biometric data, health-related information, or data concerning sexual life or sexual orientation.
Additional Details on Data Collection, Processing, and Use
Article 4
(4) Personal data is collected directly by the Controller from the individuals to whom it pertains.
(5) The company does not engage in automated decision-making based on data.
(1) Operations involving personal data provided by you, as legal representatives or authorized agents of legal entities (commercial partners), include:
Conclusion and execution of commercial transactions:
Purpose: To conclude and execute commercial transactions with a legal entity. The company processes only the full name of the legal representative or the authorized agent.
Impact Assessment Conclusion: Given the limited scope of personal data collected and the small number of individuals affected, an impact assessment is not required.
(2) Personal data is collected directly from the individuals concerned and from the Commercial Register at the Registry Agency.
(3) The company does not engage in automated decision-making based on data.
Article 5
The Controller may use cookies to:
Provide full website functionality.
Enhance user experience.
Collect statistical data.
Facilitate easier access and navigation.
By using our website, you consent to the use of cookies. You can manage or delete cookies at any time via your browser settings.
Cookies do not constitute personal data and are not used to identify visitors or users of the online store.
Retention Period for Your Personal Data
Article 6
(1) The Controller retains your personal data for no longer than the existence of your account in the online store. Upon account deletion, the Controller takes the necessary steps to delete and destroy all your data without undue delay or anonymize it (i.e., render it unidentifiable).
(2) If you place an order without registering, the Controller processes your personal data only until the order is completed, unless you explicitly consent for your data to be processed for purposes such as service improvement, personalized recommendations, promotions, and statistical purposes.
(3) The Controller retains personal data related to online orders for a period of 5 years to protect its legal interests in case of judicial or administrative disputes with users of the online store.
(4) The Controller will notify you if the retention period needs to be extended due to legal obligations or legitimate interests.
(5) The Controller retains personal data required by applicable law for the legally prescribed period, even if it exceeds the duration of your account or the completion of your order.
Article 7
The Controller retains personal data of the legal representatives of its commercial partners for the duration of the contract, compliance with legitimate interests, and legal obligations, even if this period exceeds the contract term.
Transfer of Your Personal Data for Processing
Article 8
(1) The Controller may, at its discretion, transfer part or all of your personal data to data processors to achieve the agreed processing purposes, in compliance with the requirements of Regulation (EU) 2016/679 (GDPR).
(2) The Controller will notify you if it intends to transfer part or all of your personal data to third countries or international organizations.
Your Rights Regarding the Collection, Processing, and Retention of Personal Data
Withdrawal of Consent for Processing
Article 9
(1) If you no longer wish for your personal data to be processed for marketing purposes or to receive newsletters, you can withdraw your consent at any time by filling out the withdrawal form in Appendix 1 or by submitting a free-text request via email.
(2) Once your request is received, the Controller will send detailed instructions to the email address you provided for newsletters and promotional messages, verifying you as the recipient of newsletters and the data subject whose consent is being withdrawn.
(3) Withdrawal of consent does not affect the lawfulness of personal data processing performed by the Controller up until the withdrawal request.
Right of Access
Article 10
(1) You have the right to request and receive confirmation from the Controller about whether personal data related to you is being processed by sending a free-text request via email.
(2) You are entitled to access your personal data and information related to the collection, processing, and retention of your data.
(3) Upon receiving your request, the Controller will send detailed verification instructions to the email you used for registration or orders in the online store.
(4) After completing the verification process as described in (3), the Controller will provide, upon request, a copy of the personal data processed about you in electronic or another suitable format.
(5) Access to data is free of charge. However, the Controller reserves the right to impose an administrative fee in case of repeated or excessive requests.
Right to Rectification or Completion
Article 11
(1) You can correct or complete inaccurate or incomplete personal data related to you at any time using the "Edit Profile" option.
(2) You can also correct or complete your personal data directly through your profile on the website or by submitting a request to the Controller via email. You may use the form in Appendix 4 or send a free-text request.
Right to Erasure ("Right to Be Forgotten")
Article 12
(1) You have the right to request the deletion of some or all of your personal data from the Controller, and the Controller is obligated to delete the data without undue delay if any of the following grounds apply:
The personal data is no longer necessary for the purposes for which it was collected or processed.
You withdraw your consent on which the processing is based, and there is no other legal basis for the processing.
You object to the processing of your personal data, including for direct marketing purposes, and there are no overriding legitimate grounds for the processing.
The personal data has been unlawfully processed.
The personal data must be deleted to comply with a legal obligation under EU law or the applicable national law.
The personal data was collected in connection with offering information society services.
(2) The Controller is not obligated to delete personal data if it is being stored and processed for the following reasons:
To exercise the right to freedom of expression and information.
To comply with a legal obligation requiring processing under EU law or national law applicable to the Controller or to perform a task carried out in the public interest or in the exercise of official authority vested in the Controller.
For reasons of public interest in the area of public health.
For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
For the establishment, exercise, or defense of legal claims.
(3) To exercise your right to be forgotten, you need to send a request for the deletion of your personal data processed by the Controller via email. You may use the form in Appendix 2 or submit a free-text request. The Controller will then send detailed instructions for verifying your identity as a customer of the online store and as the data subject to the email you used for registration or orders.
(4) After verifying your identity following the instructions sent to you, the Controller will delete all data processed about you in accordance with (3).
(5) If you have placed an order that is still being processed, the earliest point at which you can request to be forgotten is upon the successful completion of the order.
Right to Restriction
Article 13
(1) You have the right to request from the Controller the restriction of processing of your personal data by sending a free-text request via email when:
You dispute the accuracy of your personal data, for a period allowing the Controller to verify the accuracy of the personal data;
The processing is unlawful, but you do not want the personal data to be deleted, only the use of the data to be restricted;
The Controller no longer needs your personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims;
You have objected to the processing while waiting for verification of whether the legitimate grounds of the Controller override your interests.
(2) After receiving your request, we will send a letter to the email address you used for registration or for placing orders in the online store, with detailed instructions for verifying your identity as a user of the store and the data subject for whom the restriction request has been made.
(3) After verification in accordance with paragraph 2, the Company will suspend the processing of your data, but will not remove any publications you may have made in the online store.
Right to Data Portability
Article 14
(1) If you have given consent for the processing of your personal data, or if processing is necessary for the performance of the contract with the Controller, or if your data is processed automatically, you may:
Request that the Controller provide your personal data in a readable format and transfer it to another Controller;
Request that the Controller directly transfer your personal data to a Controller of your choice, where technically feasible.
(2) You can exercise the right to data portability by sending us an email with the completed form in Appendix 3 or a free-text request. The Controller will then send detailed instructions to the email you used for registration or placing orders in the online store for verifying your identity as a user of the store and the data subject for whom the portability request has been made.
(3) After verification in accordance with paragraph 2, the Company will send the requested data to the email address you provided, in XML format.
Right to Information
Article 15
You may request from the Controller information regarding all recipients to whom the personal data, for which correction, deletion, or restriction of processing has been requested, has been disclosed. The Controller may refuse to provide this information if it is impossible or requires disproportionate effort.
Right to Object
Article 16
You may object at any time to the processing of personal data by the Controller related to you, including if it is being processed for profiling or direct marketing purposes.
Your Rights in Case of a Personal Data Security Breach
Article 17
(1) If the Controller determines that there has been a breach of the security of your personal data that could pose a high risk to your rights and freedoms, it will inform you without undue delay about the breach, as well as the measures that have been or will be taken.
(2) The Controller is not obliged to notify you if:
Entities to Whom Your Personal Data Is Provided
Article 18
(1) For the purposes of processing your personal data and providing the service in its full functionality, and in accordance with your interests, the Controller may provide the data to the following entities, who are data processors:
Data Processor | Purpose of Processing Personal Data
Miracle Cosmetics World | E-commerce
DIVA 691 LTD | E-commerce
... | ...
(2) The data processors comply with all legal and security requirements in processing and storing your personal data.
Data Transfer to Third Countries
Article 19
The Controller does not transfer your data to third countries.
Filing a Complaint
Article 20
In case your rights have been violated according to the above or applicable data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission as follows:
Headquarters and Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Correspondence Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg
You can exercise all your rights regarding the protection of your personal data using the forms attached to this information. These forms are not mandatory, and you may submit your requests in any form that contains a statement identifying you as the data subject.
If the consent relates to data transfer, the Controller will describe the potential risks involved in transferring the data to third countries in the absence of a decision on adequate protection and suitable safeguards.
Consent Withdrawal Form for the Purpose of Processing
Your Name*: .........................
Your Email Address used in the online store*: .........................
Feedback Contact Information (e-mail)*: .........................
To
Name: .........................
Company ID/Business Register Number (EIK/BULSTAT): .........................
Headquarters and Address: .........................
Correspondence Address: .........................
Phone: .........................
E-mail: .........................
Website: .........................
In case of violation of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection as follows:
Name: Commission for Personal Data Protection
Headquarters and Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Correspondence Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg
Request for "Right to be Forgotten" – Deletion of Personal Data Related to Me
Your Name*: .........................
Your Email Address used for registration or orders in the online store*: .........................
Feedback Contact Information (e-mail)*: .........................
To
Name: .........................
Company ID/Business Register Number (EIK/BULSTAT): .........................
Headquarters and Address: .........................
Correspondence Address: .........................
Phone: .........................
E-mail: .........................
Website: .........................
Please delete all personal data that you collect, process, and store, provided by me or third parties related to me, based on the specified identification, from your databases.
I declare that I am aware that part or all of my personal data may continue to be processed and stored by the administrator for the purpose of fulfilling its legal obligations.
In case of a violation of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection as follows:
Name: Commission for Personal Data Protection
Headquarters and Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Correspondence Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg
Request for Personal Data Portability
Your Name*: .........................
Your Email Address used for registration or orders in the online store*: .........................
Feedback Contact Information (e-mail)*: .........................
To
Name: .........................
Company ID/Business Register Number (EIK/BULSTAT): .........................
Headquarters and Address: .........................
Correspondence Address: .........................
Phone: .........................
E-mail: .........................
Website: .........................
Please transfer all personal data related to me, collected, processed, and stored in your databases, in XML format to:
E-mail: .........................
Receiving Data Controller
Name: .........................
Identification Number (EIK, BULSTAT, or registration number in CPDP): .........................
E-mail: .........................
Your Name*: .........................
Your Email Address used for registration or orders in the online store*: .........................
Feedback Contact Information (e-mail)*: .........................
To
Name: .........................
Company ID/Business Register Number (EIK/BULSTAT): .........................
Headquarters and Address: .........................
Correspondence Address: .........................
Phone: .........................
E-mail: .........................
Website: .........................
Please correct the following personal data, collected, processed, and stored, provided by me or by third parties related to me, as follows:
Data subject to correction:
..................................................
Corrected as follows:
..................................................
In case of a violation of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection as follows:
Name: Commission for Personal Data Protection
Headquarters and Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Correspondence Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg