How do we process personal data upon the privacy policy in the mobile application MyTelenor

We process data to provide access to the Application

We process user data to provide a convenient, reliable, and secure way to log in the Application.

We process user data to provide a convenient, reliable, and secure way to log in the Application. (Amended and supplemented on March 20, 2019, amended on October 13, 2020, amended on 21.04.2021) In the initial MyTelenor registration process, the user is referred to a Yettel page, and not to a CONNECT page. On our page, the user enters his mobile number (MSISDN) and an email address, then validates the email address and receives an SMS from us containing a PIN that is at least four digits long. Once the user has entered this PIN onto our page, we receive information about the mobile number and the unique code generated by authentication service. Based on these, Yettel generates its own unique token, which is used to help the user avoid the need from entering his mobile number and PIN each time he wants to access the Application.
The unique code is periodically updated and is stored by Yettel until: (a) the User exits the Application by choosing "Exit"; (b) the expiration of three months from the last activity and use of the Application by the User; or (c) the termination of the contract for the mobile number or deactivation of the prepaid card.
The app allows you to set an additional PIN. The 4-digit PIN to protect access to the User Defined Application is required and should be entered by the user each time the application is opened. Upon five unsuccessful attempts to enter the additional PIN, the relevant session for the mobile number registered on the respective device is terminated and all data stored on the device is deleted.

We process data to enable users to receive certain information about mobile services through the Application.

One of the main uses of the Application is to enable Yettel mobile users to receive certain information about them (e.g. current bill, available credit, past unpaid debts, payment history, Yettel's nearest stores, etc.). Without processing personal data about users, this would be impossible.

The data we process to enable users to receive information through the Application are:
•User data;
•Bills data;
•Credit data;
•Current consumption data;
•Payment data;
•Data on the current status of packages or services;
•Location data.
•(Supplemented on May 16, 2019, supplemented on October 13, 2020) Plan data and others.

(Supplemented on January 3, 2019) If they are with version 1.11.0 or newer, the users of the Application that are on a mobile services subscription plan may avail of the „Usage details” functionality which enables them to download a file, containing information abouth the charged services and usage under a particular invoice issued for the mobile number with which the Application is used, on their mobile device. If the users have applied for and use the “Detailed information” service, the file will also contain detailed information about the calls, text messages and mobile internet. The file will not be stored in or otherwise processed in the Application: whenever a user activates the “Usage details” functionality, the file will be generated and sent directly to the device of the respective user, and from the moment of download the user will have complete responsibility for the file’s storage and further use.

We process data to service user requests for activation and deactivation of packages/ services through the Application.

(Amended and supplemented on May 16, 2019) In order for users to activate or, respectively, change or deactivate packages and/ or services through the Application, we need to process their personal data. Without them, we will not be able to provide the package or service, or it will be impossible to discontinue its provision.

The data we process to enable users to activate/ deactivate additional packages and/ or services through the Application are:
•User data;
•(Supplemented on May 16, 2019) Plan data;
•Query data.

(Supplemented on May 16, 2019) We process data to enable the users to manage their Application settings.
For the users to manage certain functionalities in the Application and/or the manner in which content is presented in it, we need to process users’ data. Without such processing it will not be possible to conform to their preferences.
The data we process for that purpose are:
•User data;
•Settings data.

(Supplemented on December 4, 2020) We process data to enable the users, upon their request, to access our offers to them and to allow them to electronically sign documents through the Application.

(Supplemented on December 4, 2020) In order for our users to access offers selected for them, to view the offers, and to consider whether they meet their needs, and to be able to sign electronically documents through the Application (e.g. by renewing their contracts by signing additional agreement), we have to process their personal data. Without such processing it will be impossible to service the signature process or to provide the electronically signed documents on durable medium.

The data processed in such situations include:
•User data;
•Offers data;
•Data relating to generating documents;
•Electronic signature data.

We process data to enable users to pay bills and/ or charge prepaid cards through the Application.

In order for the users to be able to make account payments or recharge prepaid cards via the Application, we need to process their personal data. Without them, it will be impossible to service the corresponding account or prepaid card recharging.

It is important to note that Yettel does not process or store card data and payment authorization data (e.g. CVV). Such data is provided by the user only on the webpage of the bank card or payment institution for online payment - our partner who deals with payments through the Application; Yettel does not have access to the content of confidential data exchanged between the cardholder and the bank.

(Amended on October 13, 2020) Limited details for a consumer's debit and/ or credit card are only stored by Yettel if the user has chosen to keep information about them in the Application for subsequent payments.

The data we process to enable users to pay bills and/ or recharge prepaid cards through the Application are:
•User data;
•Payment data.

We process data to support the Application.

In order to be able to prevent, detect, locate, and correct malfunctions and software errors in the Application, we need to process data about how users use it.

The data we process to support the Application is:
•MyTelenor usage data;
•Device data;
•Analytical error data in the Application.

Users may at any time, and completely free of charge, cancel the processing of analytical data related to them for bugs in the Application using third-party tools (Firebase Crashlytics), through the Application itself in the menu Privacy Settings from the User’s profile.

(Supplemented on June 17, 2020) We process data to enable Users to manage the travel insurance "Smart Tourist" through the Application.

For Users to be able to conclude, manage and terminate travel insurance "Smart Tourist" through the Application, to add or remove Insureds, to refuse coverage for certain trips, etc., it is necessary to process the following data:
•User data;
•Query data;
•MyTelenor usage data;
•Data for insurance "Smart Tourist";
•Country and stay roaming data – these data are processed by Yettel, including provided to the insurer Chubb European Group CE in order to provide insurance coverage for the travel insurance "Smart Tourist", only with the consent of the User.

(Supplemented on June 17, 2020) We process data to ensure the possibility for the Users and the Insureds to receive coverage under the travel insurance "Smart Tourist".

To verify whether the conditions for providing insurance coverage under the travel insurance "Smart Tourist" are met, as well as for the provision of such coverage by the insurer Chubb European Group SE, we need to process the following data:
•User data;
•Data for insurance "Smart Tourist";
•Country and stay roaming data – these data are processed by Yettel, including provided to the insurer Chubb European Group CE in order to provide insurance coverage for the travel insurance "Smart Tourist", only with the consent of the User.

(Supplemented on June 17, 2020) We process data to enable calculation of the due premiums for the travel insurance "Smart Tourist".

To calculate and invoice the due premiums for concluded travel insurance "Smart Tourist", it is necessary to process the following data:
•User data;
•Data for insurance "Smart Tourist";
•Country and stay roaming data – these data are processed by Yettel, including provided to the insurer Chubb European Group CE in order to provide insurance coverage for the travel insurance "Smart Tourist", only with the consent of the User.

(Supplemented on June 17, 2020) We process data to inform Users about certain circumstances relevant to the coverage of the travel insurance "Smart Tourist", through the Application or via SMS.

To inform Users about important circumstances that are relevant to the provision of insurance coverage under the travel insurance "Smart Tourist" (e.g. for lack of coverage for the territory of the country where the User is roaming, for the User or an Insured exceeding the maximum age eligible for insurance coverage, etc.), it is necessary to process the following data:
•Data for insurance "Smart Tourist";
•Country and stay roaming data – these data are processed by Yettel, including provided to the insurer Chubb European Group CE in order to provide insurance coverage for the travel insurance "Smart Tourist", only with the consent of the User.

In some cases, the applicable national and European laws require Yettel to process personal data about its users for certain purposes, in a certain manner and/ or for a specified period. Below are the main instances in which Yettel processes personal data to fulfill its statutory obligations.

We process personal data where, under applicable law, we are obliged to provide information to competent authorities

The laws of the Republic of Bulgaria requires Yettel to store certain personal data about users for a certain period of time. Where legal prerequisites exist, such personal data processed by Yettel should be provided to the competent authorities.

Example:
•Pursuant to the Penal Procedure Code (PPC), at the request of a court, prosecutor or investigative body, Yettel is obliged to provide the papers or data that are relevant to the respective case. The requested papers or data may contain personal data about users.

We process personal data of user when, under applicable law, we are obliged to provide assistance to competent state and/ or municipal authorities when conducting inspections

Yettel's commercial activity is subject to control by various state and municipal authorities - Communications Regulation Commission (CRC), Consumer Protection Commission (CPC), Personal Data Protection Commission, National Revenue Agency (NRA) etc. In the course of this control, these authorities have the power to carry out inspections, as well as to require Yettel to provide documents and information in its possession. It is possible that such required documents and information may contain personal data of users.

Examples:
•Upon receipt of a signal or complaint by a user, CRC, CPC and PDPC may require from Yettel to provide documents and information relevant to the case, which may contain the following data: basic data, contract data, obligations data, payment data, as well as data for communication with the respective users;
•When conducting a tax audit, the NRA authorities may require from Yettel to provide accounting documents, which may also contain personal data about certain users.

We process personal data to fulfill obligations arising from accounting and tax laws

Tax and accounting laws in the Republic of Bulgaria require Yettel to compile certain accounting and commercial information, including to store for a certain period of time such information as well as any other information and documents of significance to taxation.

When fulfilling this obligation, the relevant information and documents containing personal data of the users shall be kept by Yettel for periods stipulated in the respective laws. These terms have a long duration (for example, tax and social security documents should be kept for eleven years).

We process data when conducting internal analyzes to improve the Application, including introducting new services, new functionalities and optimization

We process user data to understand how they use the Application, which enables us to improve and further develop its functionalities, to introduce new services into MyTelenor, and to optimize its design. The data is processed in aggregate form and collected both internally and using the Google Analytics analytics tool.

By analyzing aggregated data:
•(Amended on January 3, 2019) we measure the number of users using MyTelenor and receive aggregated data on their age, gender and interests;
•we measure what actions the users perform in the Application;
•we create reports that reflect trends in the use of the Application;
•we have the opportunity to visualize how users navigate through the Application, etc.

Users may, completely free of charge, cancel the analysis of their data through Google Analytics at any time, through the Application in the Privacy Settings menu itself in the User’s Profile.

We process user data to investigate the satisfaction of users from Yettel's products and services, including the satisfaction with the Application

In order to improve our products and customer service, we sometimes seek their opinion through studies that we make through the Application.

When processing the results of these studies, Yettel processes the following data of the users (the definitions are in accordance with the Privacy Policy of Yettel Bulgaria EAD : basic data; data on contracts; data on payments due; aggregated consumption data; payment data; consumer communication data.

With the user’s consent, when conducting satisfaction surveys of Yettel’s products and services, we may also process traffic data, location data, and device usage data

We process personal data for users to make appropriate suggestions for them

Yettel appreciates the time of its users and strives for the products and services of the company to be better and more appropriate. We, therefore, process the following personal data in order to be able to offer this product or service that best suits the needs and/ or preferences of users.

In order to prepare or select suggestions for our products or services that would be as user-friendly as possible, besides the data we process in accordance with the Privacy Policy of Yettel Bulgaria EAD , we also process the following data for the users MyTelenor: query data; payment data; MyTelenor usage data.

The proposals that Yettel prepares or selects are non-binding to users and do not create any commitments for them. Yettel's standard suggestions, as well as those prepared or selected for a particular user, can be obtained from a Yettel sales outlet, from a location within our partner’s network or after a call to the Customer Service Center. Suggestions may also be sent in the form of direct marketing unless the user has given up marketing messages, phone calls, or MyTelenor notifications.

In order for our suggestions to be even more relevant, in case of consent received by the users, we also process traffic data, location data, and data on the device used.

We process user data when conducting direct marketing through the Application

(Amended on 21.04.2021 Yettel processes data on users who use MyTelenor to notify them of appropriate offers about Yettel products and services via notifications through MyTelenor mobile application. Users may, at any time and completely free of charge, cancel receiving notifications from the MyTelenor App mobile application through the Privacy Settings menu in the User Profile itself.

(Supplemented on January 3, 2019) We process user data to inform them whenever a new version of the Application is available

If the users use version 1.11.0 or newer, Yettel will process data about the Application version in order to inform them of the availability of newer versions and invite them to download and install such newer versions, with a view to enabling the users to benefit from the latest services and/or functionalities, optimizations, security enhancements, etc.

We process personal data when it is necessary to settle legal disputes

Sometimes, in order to exercise its rights or legitimate interests, it may be necessary for Yettel to process personal data of certain MyTelenor users in order to make an out-of-court claim or to bring an action against:
•third parties from whom Yettel has received personal data for the relevant users in accordance with this Privacy Policy; or
•third parties to whom Yettel has disclosed personal information of the relevant users in accordance with this Privacy Policy,

Accordingly, it is possible for the abovementioned persons and the users of MyTelenor to make an out-of-court claim or bring a lawsuit against Yettel. In such cases, it may be necessary for Yettel to process personal data of certain users in order to be able to organize and carry out the defense of the respective claim or lawsuit (thus, Yettel aims to protect against unauthorized violations against its property and/ or reputation).

The type and volume of personal data processed depend on the nature of the out-of-court claims or the lawsuits brought.

Examples:
•User claims through court proceedings that he has not activated an additional package through the Application for which Yettel has charged a certain amount. This requires Yettel to conduct an internal review of the case in order to establish the merits of the consumer's claim and to provide the necessary evidence to the court;
•A competent body to which Yettel refused to provide user data sanctions Yettel and Yettel challenges the sanction imposed in court, which requires the processing of personal data for the relevant user and submission of evidence to the relevant court.

For and in connection with the use of MyTelenor, it is possible to process users’ data for other purposes, subject to consent received. The consent given may be withdrawn at any time through the Application itself. Through the Application, users can manage (i.e. give or withdraw) consents that Yettel has received under the Privacy Policy of Yettel Bulgaria EAD.

Withdrawal of consent shall not affect:
•the lawfulness of the processing of personal data based on the withdrawn consent prior to its withdrawal; and
•the processing of personal data for purposes for which consent is not required as provided in this Privacy Policy.

(Supplemented on June 17, 2020) In order to provide coverage under the travel insurance “Smart Tourist”, based on the User's consent, Yettel provides the Country and stay roaming data to the insurer Chubb European Group SE. Based on these data, Chubb European Group CE will be able to provide coverage under this insurance, and without them it will not know about the trips of the User and the Insured (if any), as well as about how long he/she has been out Bulgaria and whether he/she was located in the territory of a country for which the insurance policy provides coverage. The User can withdraw his/her consent at any time free of charge through the Application or in a Yettel store authorized to distribute the travel insurance "Smart Tourist", but must keep in mind that in case of withdrawal of consent, the User (and the Insured - if any) will not be able to use the travel insurance "Smart Tourist".

(Supplemented on October 13, 2020) То provide the “Online protect” service in accordance with the ordered add-on, by carrying out monitoring, scanning, filtering, control and/or blocking of internet traffic, applications and/or files, including through access to and/or control of the location of a device protected via the service, Yettel muse receive the user’s consent to process his/her internet browsing data, data relating to the device being used, data on the internet access of the device, as well as information generated, processed by or stored in the used device. The consent provided for the “Online protect” service may be withdrawn at any time and for free, via the Application or in any Yettel store, however, in such cases the continued use of the service will no longer be possible due to its specific nature, and the service will be automatically deactivated.

(Supplemented on October 13, 2020) Consents related to the use of MyTelenor:

 If a user has declined to receive notifications from the Application, with his or her subsequent consent, Yettel may resume the processing of personal data for the purpose of sending such notifications (see also We process customer data when implementing Direct Marketing through the Application);
 If a user has declined to process data relating to him or her using through the use of third party’s tools (Firebase Crashlytics), with his or her subsequent consent, Yettel may resume processing data for the purpose of supporting the Application (see also We process data to support the Application);
 If an user has declined to process data related to him or her using third party’s tools (Google Analytics), with his or her subsequent consent, Yettel may resume data processing for internal analysis purposes (see also We process data for internal analyzes to improve the application, including new services, new functionalities and optimization) and others;