I. General provisions
“Wonder Group” AD, UIC 201181897 (“Company,” “WG”, „St. George Spring Camp 2024“, “we,” “us,” “our”) respects your personal data and is committed to protecting and processing your personal data fairly and transparently in accordance with the provisions of Regulation 2016/679 of the European Union on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC (“GDPR / Regulation”). All your personal data and information belong to you, and we acknowledge and respect that. The security and proper use of personal data are of utmost importance to both our users and us. Therefore, it is essential for us that our users understand why and how we process their personal information concerning the use of the Modul for applying and paying for the St. George Spring Camp 2024 (“Modul,” “Platform”).
This Privacy Policy and Personal Data Protection is an integral part of the General Terms and Conditions of the Modul for applying and paying for the St. George Spring Camp 2024, but it is not part of them. It does not regulate rights and obligations but aims to explain to users what personal data is processed, why and how it is processed, including when it is necessary to disclose personal data to third parties. Also, within this Privacy Policy, you can find information about your rights as a data subject and how you can exercise them.
The Modul uses “cookies” in accordance with the Cookie Policy.
The Modul is intended for use solely by users of services provided by “Wonder Group” AD. Users have the opportunity to apply for the spring camp and make the necessary payments for it.
This Privacy Policy applies solely in connection with the data we process during and on the occasion of the use of the Modul for applying and paying for the St. George Spring Camp 2024.
For greater clarity and user convenience, examples illustrating why and/or how WG processes personal data are provided in certain parts of this Privacy Policy. However, these examples are not exhaustive.
II. Definitions
To facilitate understanding of this Privacy Policy, below is a glossary of relevant legal terms and concepts and their definitions/explanations:
General Data Protection Regulation – (GDPR) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The full text of the regulation is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&qid=1531857927851&from=EN
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, personal identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The types of personal data covered by this Privacy Policy are:
– Information about the child: three names, the school they attend/will attend, personal identification number (PIN)/personal identification code (PIC), current grade level, age of the child; health data about the child are also collected for the purpose of ensuring the child’s health and safety during their stay in the camp and/or for assessing the team’s ability to care for the child.
– Information about the parent/guardian: name, email address, and telephone number of the parent.
– Special categories of personal data – In addition to the health data of the child mentioned above, no other special categories of personal data are collected when using the Electronic Payment Portal. For definition purposes, special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, and biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s sex life or sexual orientation. Data subject/User – An identified or identifiable natural person whose personal data is processed and who has requested the use of the Portal.
– Processing – means any operation or set of operations performed on personal data or sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient – A natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether a third party or not. Consent – Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him/her. IP address
– An IP address is a unique identifier that allows a computer, group of computers, or other internet-connected device (such as your mobile phone or tablet) to browse the internet.
The Modul, all available services and therefore all related data processing activities are carried out by the following company as Administrator: “Wonder Group” AD, registered in the Commercial Register at the Commercial Register Agency with Unified Identification Code 201181897, with registered office and management address in Sofia, “N. Y. Vaptsarov” Blvd. №47.
If you have any questions regarding this Privacy Policy or wish to exercise any of your rights mentioned herein, please contact us in one of the following ways:
o Send an email to gdpr@stgeorgeschool.eu (attention of Mrs. Nadezhda Shemshirova, Data Protection Officer);
o Write to us in free text at: Sofia, “N. Y. Vaptsarov” Blvd. №47, PC 1407, attention of Nadezhda Shemshirova – Data Protection Officer).
III. What personal data do we process:
1. Registration data: These are data necessary for requesting services on the Modul, including the name and surname of the parent/guardian, mobile number, email address;
2. Children’s data: Three names of children and/or students whose parent/guardian is the User, information about the child: three names, which school they attend/will attend, personal identification number or national identification number, current grade, age of the child, information related to the child’s health condition;
3. Payment data: These are data processed for the purposes of paying bills.
4. Data on the use of the Modul and Analytical Data – We use third-party analytical tools (Google Analytics) that help us measure traffic, performance, and trends in the use of the portal.
IV. How we collect personal data:
In connection with the use of the Modul, the Company collects user data in various ways. In most cases, we receive information directly from them. Certain data is generated automatically when users use the Modul, and sometimes the data is provided to the Company by third parties.
V. How we process data:
1. Processing of data necessary to provide access to the Modul:
– We process data to provide access to the Modul and to provide a convenient, reliable, and secure way to log in.
– We process data to provide users with information about the services we offer through the Modul.
– One of the main purposes of the Modul is to provide users with information about themselves (e.g. registering a child for a Spring camp for a specific period and paying for the service). Without processing personal data about users, this would be impossible.
– We process data to enable users to pay outstanding amounts through the Modul. It is important to note that UG does not process or store card details and payment authorization data (e.g. CVV). Such data is provided by the user only on the bank or payment institution’s online card payment page – our partner that services payments through the Modul; UG does not have access to the content of confidential data exchanged between the cardholder and the bank or payment institution. – We process data to maintain the Modul.
To prevent, detect, locate, and correct malfunctions and software errors in the Modul, we need to process data about how users use it.
-We process data to provide access to the Modul. We process user data to provide a convenient, reliable, and secure way to log in to the Modul.
2. Data processing necessary for compliance with regulatory obligations:
1. In certain cases, applicable national and European legislation requires the BG to process personal data about its users for specific purposes, in a specific manner, and/or for a specific period of time. Where there are established legal grounds, this personal data processed by BG should be provided to competent authorities, such as pursuant to the Criminal Procedure Code (CPC), upon request from a court, prosecutor, or investigative agency. The Company is obliged to provide books or data that are relevant to the case. The requested books or data may contain personal data about the users.
2. The commercial activities carried out by BG are subject to control by various state and municipal authorities, such as the Commission for Consumer Protection (CCP), Commission for Personal Data Protection, National Revenue Agency (NRA), and others. In the course of carrying out this control, these authorities have the authority to conduct inspections and require us to provide documents and information in our possession. The requested documents and information may contain personal data about users.
• Examples: Upon receipt of a signal or complaint from a user, CCP and Commission for Consumer Protection and Personal Data Protection have the authority to request that BG provide relevant documents and information pertaining to the case, which may contain personal data about the user. During a tax audit, NRA authorities have the authority to request that BG provide accounting documents, which may contain personal data about certain users.
3. We process personal data to fulfil obligations arising from accounting and tax legislation. Bulgarian tax and accounting legislation requires BG to compile certain accounting and commercial information, including storing this information for a specified period of time, as well as any other information and documents of relevance to tax assessment. In fulfilling this obligation, the relevant information and documents containing personal data about users are stored by BG for the periods provided for in the relevant laws. These periods are of considerable duration (for example, documents for tax and insurance control must be stored for a period of five years).
4. Data processing necessary for the protection of the legitimate interests of the company:
We process data when conducting internal analyses aimed at improving the Modul, including introducing new services, developing new functionalities, and optimizing it. We process data on users to understand how they use the Modul, which enables us to improve and further develop its functionalities, introduce new services, and optimize its design. The data is processed in an aggregated form and is collected both internally and through the use of the analytical tool Google Analytics.
Through the analysis of aggregated data, we:
• measure the number of users who use the Modul;
• measure the actions that users perform on the Modul;
• create reports that reflect trends in the use of the Modul;
• obtain the ability to visualize how users navigate the Modul. Users can opt-out, free of charge, from the analysis of their data through Google Analytics at any time. For opting out, please see https://tools.google.com/dlpage/gaoptout
We process personal data when necessary to provide information to banks and payment institutions in case of disputes regarding payments made through the Modul. After a successful payment through the Modul, it is possible for the cardholder to dispute the payment with the organization that issued their card. In such cases, that organization requires us and our bank to provide certain information for the purpose of conducting a verification. To carry out this verification, we need to provide certain limited information related to the payment made (such as the invoice number on which the payment was made, the transaction code, etc.). As a result of such verifications, it is possible for the cardholder to receive a refund, and the payment made through the portal to be canceled.
We process personal data when necessary to settle legal disputes. Sometimes, to exercise its rights or legitimate interests, it may be necessary for the company or related persons to process personal data of certain users of the Modul to file a claim outside the court or to file a lawsuit for unpaid obligations. Accordingly, it is possible for the above-mentioned persons, as well as users of the Modul, to file a claim outside the court or to file a lawsuit against the company. In such cases, it may be necessary for the company to process personal data of certain users in order to organize and conduct the defense of the respective claim or case (in this way the company aims to protect itself from unlawful encroachments against its property and/or reputation). The type and scope of the processed personal data depend on the nature of the claims or cases filed.
VI. Categories of individuals to whom we disclose personal data under this Policy:
1. Processors of personal data are individuals who process personal data on behalf and at the request of the company based on a written agreement. They are not authorized to process the provided personal data for purposes other than the performance of the work assigned to them by the company. Processors are required to comply with all company instructions. The company takes necessary measures to ensure that the engaged processors strictly comply with the legislation for personal data protection and our instructions, and that they have taken appropriate technical and organizational measures to protect personal data.
Examples of personal data processors:
• Providers of implementation and/or maintenance services for information systems, who sometimes need to access personal data processed in the respective systems for the purposes of accessing and functioning of the Modul;
• Accounting firms or other providers of consulting services.
2. Partners of the company: In order to provide access to the Modul and certain services through it, the company enters into contracts with third parties (partners). In this regard, it is sometimes necessary to provide personal data of the Modul users to the respective partners.
3. Banks and payment institutions: In connection with servicing payments made by Modul users through it, it is necessary to exchange data between the company and the respective bank or payment institution.
4. Third parties in connection with the transformation (e.g. merger, consolidation) or transfer of the enterprise: In case of transformation of the company, as well as in case of transfer of assets in accordance with applicable law, the personal data of Modul users administered by the company may be provided to a third party – successor.
5. Teachers and support staff – for the purpose of providing educational and entertainment services.
VII. How long do we keep personal data:
The company keeps the personal data of the users of the Electronic Payment Portal for as long as is necessary to achieve the purposes stated in this Privacy Policy or to comply with legal requirements. In order to fulfill our obligations arising from tax and accounting legislation, data about a given user is stored for a period of 5 years, counted from the last day of the child’s visit to the camp.
VIII. What are your rights as a data subject?
You have the following rights regarding the personal data we hold about you:
– Your right to be informed about how your personal data is used: You have the right to receive sufficient information in a concise, transparent, and easily understandable form to gain an idea and understanding of our processing activities and thus ensure transparency in the use of personal data. For such informational purposes, we have developed and provided this Privacy Policy.
-Your right of access
In brief:
If you make a request for access to us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data (together with some other details).
In detail:
Upon your request, we will confirm that we are processing your personal data and if so, we will provide you with a copy of your personal data that is subject to processing as well as the following information:
a. the purposes of the processing;
b. the categories of the relevant personal data;
c. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
d. where possible, the period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
e. the existence of the right to request the controller to correct or delete personal data or to restrict the processing of personal data relating to the data subject or the right to object to the processing;
f. the right to lodge a complaint with a supervisory authority;
g. where the personal data are not collected from the data subject, any available information as to their source.
The first copy of your personal data is provided free of charge. For additional copies of the same personal data, we may impose a reasonable additional fee, taking into account the administrative costs associated with this.
-Your right to correct personal data
If the personal data we hold about you is inaccurate or incomplete, you have the right to correct them by submitting a request, and we will make the necessary changes. If we have shared your personal data with others, we will notify them of the changes where possible. If you ask us, where possible and lawful, we will disclose with whom we have shared your personal data, so you can contact them directly. To keep data accurate, we may request that you confirm/renew your personal data from time to time.
-Your right to erase personal data
In short:
Also known as the “right to be forgotten,” this right allows you to request the erasure of your personal data under certain circumstances, such as when we no longer need them, or if you withdraw your consent (where applicable).
We will comply with your request, unless there is a reason to keep your personal data. If we have shared your personal data with others, we will notify them of the erasure where possible. If you ask us, where possible and lawful to do so, we will inform you and with whom we have shared your personal data, so you can contact them directly.
In detail:
You can ask us to erase your personal data, and we will respond to your request without undue delay, in the following circumstances:
a. The data is no longer required for the purposes for which it was collected or processed;
b. You withdraw your consent to the processing of your data, where the processing of the data is based on your consent, and there is no other legal basis for us to process your personal data;
c. You object to the processing of your data based on our legitimate interests, including profiling based on this basis;
d. Your data has been processed unlawfully;
e. Personal data must be erased to comply with a legal obligation under Union or national law.
Unless this is impossible or involves extraordinary efforts, we will notify each recipient to whom your personal data has been disclosed for the purposes of erasure. Upon your request, we will inform you of these recipients.
We reserve the right to refuse to delete your data where processing is required:
a. To exercise the right of freedom of expression and information;
b. To comply with a legal obligation that applies to us as the controller of personal data;
c. For the purposes of archiving in the public interest, scientific or historical research, or statistical purposes, to the extent that erasure of the data would render impossible or seriously impair the achievement of the objectives of the processing;
d. To establish, exercise, or defend legal claims.
-Your right to restrict us from using your data
In certain circumstances (including when we use legitimate interests as described above), you may ask us to stop processing your personal data or request that we limit the ways in which we process this data. However, in some cases, we may refuse a request – if we do, we will provide you with information explaining why we are rejecting your request.
You can request us to block and restrict the processing of your personal data in one of the following circumstances:
a. If it concerns the accuracy of the data – in this case, upon your request, we will restrict the processing for the period during which we carry out the necessary checks on the accuracy of your data;
b. If the processing of the data is unlawful and you do not want us to delete your data;
c. If we no longer need your data for processing, but your processed data is necessary for the establishment, exercise or defense of your legal claims in court;
d. If you have objected to the processing of your data based on our legitimate interest, including the creation of profiles based on this basis – in this case, upon your request, we will restrict the processing for the period during which we verify that our legitimate rights do not prevail over your rights.
If the processing of your data has been restricted, we can only store your data. Any other processing outside the place of storage will only be made:
• upon receipt of your consent;
• for the establishment, exercise, or defense of legal claims;
• to protect the rights of another natural or legal person;
• for reasons of public interest of the Union or of a Member State.
We will inform you before removing the processing restriction, as stated above.
Unless it proves impossible or involves a disproportionate effort, we will notify every recipient to whom your data has been disclosed of such restrictive processing. Upon your request, we will inform you about these recipients.
-Your right to object
You can request that we no longer process your personal data for reasons related to your particular situation, if the processing of your data is based on our legitimate interests. We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defense of legal claims.
-Your right to lodge a complaint with the supervisory authority
You have the right to contact the Commission for Personal Data Protection in Bulgaria (“CPDP”) if you believe that the processing of your data is not in accordance with applicable law. More information about the CPDP can be obtained by visiting https://www.cpdp.bg.
-Your right to seek judicial protection
After the deadlines for processing personal data have expired, they are anonymized or deleted/destroyed, unless:
• they are necessary for pending judicial, arbitration, administrative or enforcement proceedings, or in case of a complaint filed by the respective user, which should be reviewed by the CPDP; or
• the respective user has exercised their right to restrict the processing of their personal data.
Internal procedures: How to exercise your rights as a data subject and our procedure for submitting data requests
Submitting a request: To exercise the rights outlined above, please submit your request in writing or by email using the contact details provided above.
Identification of the requester: To properly address and handle your request, we encourage you to identify yourself as fully as possible. If we have reasonable doubts about your identity, we may request additional information to confirm your presumed identity.
Response time: We will respond to your requests without undue delay and in any event within one month of receiving your request. However, if your request is complex or we are processing a large number of requests, we may reasonably extend the response time by up to two months from the date of receipt of your request.
Provision of our response: We will provide you with our response and any requested information in electronic format unless you request another format.
Refusal: If we refuse to respond to your request, we will inform you of the reasons for this decision, as well as the opportunity to appeal to the Commission for Personal Data Protection or other competent supervisory authority and to seek judicial protection.
Fees: Exercising your rights as a data subject is free of charge. However, to the extent that your claims are manifestly unfounded or excessive, particularly in light of their repetitive nature, we reserve the right to refuse to comply with such requests.
IX. Confidentiality and Security
We are committed to keeping the personal data you provide us safe, and will take appropriate measures to protect your personal data from loss, misuse, or alteration. We do not sell your personal data for any purpose.
We have implemented policies, rules, and technical measures to safeguard the personal data we control from potential threats such as:
• unauthorized access;
• improper use or disclosure;
• unauthorized modification; and
• unlawful destruction or accidental loss.
All our employees and data processing administrators (i.e. those who process your personal data on our behalf) who have access to and are associated with the processing of personal data are required to respect the confidentiality of your personal data.
The security of the processing activities of your data is ensured by implementing adequate preventive technical measures and regularly monitoring our servers and information systems for possible vulnerabilities and attacks.
X. Updating the Privacy Policy:
This Privacy Policy is current as of May 2, 2024.
This Privacy Policy may be changed or amended due to changes in applicable legislation, at the initiative of the Company, users, or competent authorities (such as the Commission for Personal Data Protection).
The Company will inform users of the Modul about any changes or additions to this Privacy Policy.
The Company makes efforts to ensure that the personal data processed for users is updated (and corrected if necessary), and that data that is not necessary to achieve the purposes described above is not stored.
