How and why we process personal data

In order to provide and improve the reliability, functionality, design and information security of the Solution, we process personal data of users based on our legitimate interest.

We process data to improve customer service.

It is important for us to provide quick, convenient and effective assistance to users in case they find a problem with the Solution. Ensuring the quality of customer service is critical to improving Yettel processes and meeting customer expectations and needs.

We process data to maintain information and network security.

At Yettel, we are committed to ensuring the confidentiality, integrity and accessibility of our products and services, as well as the information concerning the customers. For this reason, we take measures aimed at preventing or detecting attacks and/or unauthorized access to the Solution and the digital services of Yettel and its partners. We also store entries (logs) with highly restricted access that are used only when we need to investigate potential security incidents.

We process data to improve the Solution and to increase customer satisfaction.

To understand how users access and use the Solution and to identify how we can improve its design and/or functionality, we use and analyze data pertaining to users. This also includes taking preventive measures to ensure the reliability of the Solution. In these cases, the data is processed in aggregated form, which does not allow the identification of a user.

We process personal data when that is necessary in order to settle legal disputes.

Sometimes, in order to exercise its rights or legitimate interests, Yettel may need to process personal data of certain users of the Solution in order to make an out-of-court claim or bring an action against:
•third parties from whom Yettel received personal data about the respective users in accordance with this Privacy Policy; or
•third parties to whom Yettel has disclosed personal data about the respective users in accordance with this Privacy Policy.
Accordingly, it is possible for the above persons, as well as the users themselves, to make an out-of-court claim or to bring an action against Yettel. In such cases, it may be necessary for Yettel to process the personal data of certain users in order to be able to organize and enforce the defense under the respective claim or case (thus Yettel strives to defend itself against unlawful encroachment on its property and/or reputation).
The type and volume of the processed personal data depend on the nature of the out-of-court claims or the legal actions.
Examples:
•A user claims that they did not enter a digital service through the Solution. This requires Yettel to conduct an internal investigation of the case in order to establish the validity of the user’s claim and to provide the necessary evidence;
•A competent authority to which Yettel has refused to provide consumer information imposes a penalty on Yettel and Yettel challenges the imposed penalty, which requires the processing of personal data for the relevant consumer and the submission of evidence to the relevant court.

In certain cases, the applicable national and European legislation requires Yettel to process personal data about consumers for certain purposes, in a specific way and / or for a specified period. The main cases where Yettel is required to personal data in order to fulfill its regulatory obligations are described below.

We process personal data when, under applicable law, we are required to provide information to competent authorities.

The personal data processed by Yettel are to be made available to the competent authorities subject to the conditions stipulated by law and in accordance with the envisaged procedure.

For example, according to the Criminal Procedure Code of (CPC), Yettel is required, upon request from a court, a prosecutor or an investigative body, to provide documents or data that Yettel holds and that are relevant to the case in question. The requested papers or data may contain personal data of users of the Solution.

We process personal data of users when, under applicable law, we are required to assist competent state and/or municipal authorities when they perform checks.

The commercial activity carried out by Yettel is subject to control by various state and municipal authorities – e.g. Communications Regulation Commission (CRC), Consumer Protection Commission (CPC), Commission for Personal Data Protection (CPDP) and others. In the course of exercising this control these authorities have the power to make inspections and to request from Yettel the documents and information that it holds. The requested papers and data may contain personal data of users of the Solution. For example, when a user has submitted an alert or complaint the CRC, CPC and CPDP have the power to request from Yettel documents and information relating to the case that may include data of a user of the Solution.

We process personal data to fulfill obligations arising from the accounting and the tax legislation.

The tax and accounting legislation in the Republic of Bulgaria requires Yettel to compile certain accounting and business information, including to keep such information for a specific period, as well as any other data and documents relevant for taxation. In fulfillment of this obligation, the relevant information and documents containing personal data of the users are kept by Yettel for the terms stipulated by the respective laws. These terms are very long (for example, the documents for tax and social security control are to be kept for eleven years).