Data processing required to fulfill regulatory obligations

In certain cases, the applicable national and European legislation requires Yettel to process personal data about its users for certain purposes, in a certain way and/or for a certain period of time. The following are the main cases in which Yettel processes personal data in order to fulfill its regulatory obligations.

We process personal data when, under applicable law, we are required to provide information to competent authorities

The legislation of the Republic of Bulgaria requires Yettel to store certain personal data about users for a certain period. In the presence of prerequisites established by law, these personal data processed by Yettel should be provided to the competent authorities.

We process personal data of users when, according to the applicable legislation, we are obliged to provide assistance to competent state and/or municipal authorities in carrying out inspections by them.

In the provision of public electronic communication services Yettel is subject to control by various state and municipal authorities - e.g. Communications Regulation Commission (CRC), Consumer Protection Commission (CPC), Personal Data Protection Commission, National Revenue Agency (NRA) and others. In the course of carrying out this control, these authorities have the power to carry out inspections, as well as to require Yettel to provide documents and information in its possession. The required documents and information may contain personal data of users.
Refer to example:
In case of a received signal or complaint from a user, CRC, CPC and PDPC have the power to request from Yettel to provide relevant documents and information, which may contain the following data: basic data, data on contracts, data on obligations, data on payments, as well as data for communication with the respective users;
•When performing a tax audit, the bodies of the National Revenue Agency have the power to require Yettel to provide accounting documents, which may also contain personal data for certain users.

We process personal data because according to the applicable legislation we are obliged to ensure the security of our network and information systems (including the personal data of our users)

In order to prevent, identify, investigate and/or resolve: (a) security vulnerabilities and/or breaches; or (b) breaches of personal data security, we may in certain cases process users' personal data.

We process personal data to provide warranty support for goods, in accordance with consumer protection legislation

When a user buys a product from Yettel, according to consumer protection legislation, Yettel is obliged to provide free repair or replacement of the product if at the time of its provision it has a defect that occurs within two years after its provision to the user. In order to be able to fulfill this obligation, Yettel should process the basic data of the user (through which the right to file a complaint is established), as well as the data for the respective contract (through which it is established whether the respective product is under warranty). Refer also to data disclosure to external service centers.

We process personal data in order to fulfill obligations arising from accounting and tax legislation

The tax and accounting legislation in the Republic of Bulgaria requires Yettel to compile certain accounting and trade information, including to store for a certain period of time this information, as well as any other information and documents relevant to taxation.
Upon fulfillment of this obligation, the relevant information and documents, which also contain personal data of the users, are stored by Yettel for terms, provided in the respective laws. These terms are long (for example, invoices, which are documents for tax and social security control, should be kept for eleven years).

We process personal data in order to fulfill our obligations to provide electronic communications in case of disasters, when declaring a state of war or a state of emergency, in accordance with the Electronic Communications Act

We process personal data in order to fulfill obligations arising from the legislation in the field of electronic communications

Sectoral laws in the field of electronic communications provide for a number of obligations to companies providing public electronic communication services, such as Yettel. During and on the occasion of their implementation, Yettel may process personal or traffic data of users, including by providing them to third parties.
Refer to example:
• According to the Electronic Communications Act, Yettel must provide information on the existence of unpaid debts to a user when it receives a request for this from another company providing public electronic communication services, insofar as there are prerequisites for this;
• According to the Electronic Communications Act, before converting fixed-term contracts into open-ended ones and at least once a year, Yettel must inform its users about the best tariffs for the services they use. In fulfilling this obligation, based on the processing of their personal data, Yettel assesses which tariffs (according to Yettel) are best for them and informs them about it.