CONFIDENTIALITY POLICY of Yettel Bulgaria Ltd related to Online Protection service Online protect

Amended on March 1st, 2022, in relation to the change of the trade name of the operator to Yettel Bulgaria EAD and the trademark to Yettel. Throughout the text, "Yettel Bulgaria EAD" and "Yettel" are changed to "Yettel Bulgaria EAD" and "Yettel", respectively.

1.             Introduction

The security and proper use of personal data are extremely important for both our users and Yettel. Therefore, it is important for us that our users understand why and how we process their personal information related to the Service.

This Policy does not regulate rights and obligations but aims to explain what kind of personal data we process, why and how we do it, including when it is necessary to disclose personal data to third parties, related to the Service. It also provides information on the rights that individuals have in relation to the processing of personal data by Yettel.

This Policy applies only in connection with the data we process related to the Service. It does not apply to other cases in which Yettel processes personal data that are subject to the relevant policies published on www.yettel.bg/privacy.

For an easier and better understanding and for the convenience of users, in certain places on this Policy examples may be given that illustrate why and/or how Yettel processes personal data. These examples are not exhaustive.

2.           DEFINITIONS

2.1         Yettel

Yettel Bulgaria Ltd, UIC 130460283, with registered office and address of management in the city of Sofia, postal code 1766, Mladost 4, Business Park Sofia, building 6. In this Policy, taking the pronouns “We”, “Us” or “Ours” will also mean Yettel Bulgaria Ltd.

2.2        User

A person who has activated the Service..

2.3        Personal data

This is any information that identifies a specific individual or that relates to an individual, which can be identified directly or indirectly.

The types of personal data which Yettel processes in accordance with this Policy are listed below.

2.4        Service

The serviceOnline protect“.

2.5        Device

Being the end device which the Service is used on.

3.           WHAT DATA DO WE PROCEED

3.1          User’s data

This is the data necessary for activating the Service, which includes names, PIN, mobile number which the service is activated from and mobile number which the service is activated for (if different).

3.2        Internet browsing data

This is the network data, which includes the IP address of the Device, requested IP addresses, server name indicator (SNI), as well as uniform resource locators (URLs) - for HTTP traffic. It is important to point out that this data does not include the content of users' Internet communication, but it can be used to determine whether a site that users want to access poses a potential threat to their security.

3.3        Device data

This is the data refering to the Device used by the User, including the Internet access provided by this Device, as well as the information that is generated, processed or stored in it.

Read more:

Examples of such data: brand, model, type, and version of the device's operating system, Internet access networks used (including SSID when using Wi-Fi), including what applications are installed on the device and what files are downloaded from and/or stored in it.

3.4        Location data

This is data about the GPS coordinates of the Device at a given time .

The Online protect application requires a url referrer in order to be installed and used. Locate the geographical location “on demand” of the phone owned by anyone in your family anytime, anywhere. Online protect application will use location in the background to show location on demand on a map. Location is active while app is running in the background. This location feature works while app is in the background/foreground. Online protect app will use location in the background to show location on demand on a map if the phone is stolen or when parents want to know child’s location on demand. Location is active while app is running in the background.

3.5        Settings data

This is data for certain parameters of the Service, which are selected by the Users or which are applied by default, in case the users have not made a choice. Thanks to them, the Users can manage certain functionalities of the Service, according to their preferences.

Read more:

Examples of such data:

-             What kind of applications can be installed and/or used through the Device;

-             What categories of sites can be accessed through the Device - by categories or as specific sites;

-             During which hours of the day the device can be used for Internet browsing.

4.           HOW DO WE COLLECT PERSONAL DATA

When providing the Service, Yettel collects data about the Users in various ways. When activating the Service and managing its settings, we receive information directly from the Users, but in most cases the data is generated automatically by the systems and platforms through which the Service is provided, in the process of using it.

Read more:

We collect data directly from our users:

-             In the process of activating the Service;

-             When Users manage the settings for using the Service;

-             When communicating with users regarding the Service, e.g. in inquiries, complaints and/or grievances.

The data which is automatically generated:

-             When the Users use the Service. As its main purpose is to provide protection against threats on the Internet, the provision of the Service is a warning to the user, in case of a threat, in order for it to function, it is necessary to monitor the user's Internet traffic, in which process certain data are automatically generated - the so-called Internet browsing data.

5.           HOW AND WHY DO WE PROCEDD PERSONAL DATA

Yettel uses personal data mainly to provide the Service to Users. Due to the nature of the Service and especially the need for monitoring and analysis of Internet traffic, the way of using the Device, including its location, in order to provide the Service to our Users we need their informed consent. This consent can be withdrawn at any time completely free of charge, but upon withdrawal we will not be able to continue to provide the Service, as otherwise we will not comply with the User's desire to stop processing his/her data.

In addition, Yettel processes data for purposes defined as "legitimate interest". In such cases, it is mainly a matter of data processing, which is carried out in order to provide quality and timely service to users, including to resolve disputes with them.

There are also cases in which we are obliged to process personal data of users in order to fulfill obligations arising from a regulatory act (such obligations may consist in providing assistance to competent authorities, including by providing personal data for certain Users).

It is important to point out that Yettel does not carry out automated decision-making activities based on consumer profiling, which has legal consequences for consumers or similarly affects them significantly.

Read more:

5.1         Processing for the purposes of contract performance

Most data processing operations are intended to provide users with the ability to activate the Service, manage its settings, and use it. We also process data for compatible purposes, such as invoicing Users for the Service and administering their payments in connection with it.

5.2        Processing based on consent

In order to provide the Service, it is necessary to monitor the Internet traffic of the Users (Internet browsing data), as well as their Devices (Device Data and Location Data). As this data is particularly sensitive to Users, we do not process it without their prior informed and explicit consent.Moreover, Users may at any time withdraw their consent completely free of charge (eg through Yettel mobile application), but due to the nature of the Service, such withdrawal will terminate its provision, ie. we will deactivate it automatically to prevent unwanted processing of data by the User.

5.3        Legitimate interest

We process data to perform and improve customer service.

It is important for us to provide fast, convenient and effective assistance to consumers in case they need it. Ensuring the quality of customer service is extremely important for improving the processes in Yettel and meeting customer expectations and needs.

We process data to maintain information and network security.

At Yettel, we are committed to ensure the confidentiality, integrity and accessibility of our products and services, as well as consumer information. For this reason, we take measures aimed at preventing or detecting attempted attacks and/or unregulated access to the information and communication systems through which data is processed in accordance with this Policy. We also store records (logs) to which there is very limited access, and which are used only when it is necessary to investigate potential security incidents.

We process personal data when necessary for the settlement of legal disputes.

Sometimes, in order to exercise its rights or legitimate interests, it may be necessary for Yettel to process personal data of certain Users in order to make an out-of-court claim or to sue third parties to whom Yettel has disclosed personal data of the respective users in accordance with this Policy.

Accordingly, it is possible for the above-mentioned people, as well as the Users themselves, to file an out-of-court claim or file a lawsuit against Yettel. In such cases, Yettel may need to process personal data of certain Users in order to be able to organize and conduct protection in the relevant claim or case (thus Yettel aims to protect itself from unlawful encroachments on its property and/or reputation).

The type and volume of personal data processed depend on the nature of the out-of-court claims or lawsuits.

Examples:

-             The User claims that he has not activated the Service or that he has been incorrectly invoiced for it. This requires Yettel to conduct an internal investigation into the case to establish the validity of the Consumer's Claim, as well as to provide the necessary evidence;

-             A competent authority, to which Yettel has refused to provide data about a User, sanctioned Yettel and Yettel challenged in court the imposed sanction, which requires processing of personal data about the respective user and providing evidence before the respective court.

5.4        Fulfillment of obligations arising from a normative act

In certain cases, the applicable national and European legislation requires Yettel to process personal data about consumers for certain purposes, in a certain way and/or for a certain period of time. The following are the main cases in which Yettel processes personal data in order to fulfill its regulatory obligations.

We process personal data when, under applicable law, we are required to provide information to competent authorities.

In the presence of conditions established by law and in compliance with the prescribed procedure, the personal data processed by Yettel should be provided to the competent authorities.

For example, according to the Code of Criminal Procedure (CCP), at the request of a court, prosecutor or investigative body, Yettel is obliged to provide papers or data that are relevant to the case. The requested documents or data may contain personal data about the users who use or have used the Service.

We process personal data of users when, according to the applicable legislation, we are obliged to provide assistance to competent state and/or municipal authorities in carrying out inspections by them.

Yettel's commercial activity is subject to control by various state and municipal authorities - e.g. Communications Regulation Commission (CRC), Consumer Protection Commission (CPC), Personal Data Protection Commission and others. In the course of carrying out this control, these authorities have the power to carry out inspections, as well as to require Yettel to provide documents and information in its possession. Such required documents and information may contain personal data of users.

For example, in case of a received signal or complaint from a user, CRC, CPC and CPDP have the power to request from Yettel to provide relevant documents and information that may contain data about a given user.

We process personal data in order to fulfill obligations arising from accounting and tax legislation.

The tax and accounting legislation in the Republic of Bulgaria requires Yettel to compile certain accounting and commercial information, including to store this information for a certain period of time, as well as any other information and documents relevant for taxation. Upon fulfillment of this obligation, the relevant information and documents, which also contain personal data of the users, shall be stored by Yettel for terms, provided in the respective laws. These deadlines are long (for example, tax and social security documents should be kept for eleven years).

6.           CATEGORIES OF PEOPLE TO WHOM WE DISCLOSE PERSONAL DATA

6.1         Those who processing personal data

Personal data processors are people who process personal data on behalf of Yettel on the basis of a written agreement. They are not allowed to process the personal data provided to them for purposes other than the performance of the work assigned to them by Yettel. Processors are required to follow all Yettel instructions.

Read more:

Yettel shall take the necessary measures to ensure that the processors involved strictly comply with Yettel's data protection legislation and instructions, and that they have taken appropriate technical and organizational measures to protect personal data.

Examples of processors of personal data are the providers of services for implementation and/or maintenance of information systems, which sometimes need to access personal data that are processed in the respective systems through which the Service is provided.

6.2        Competent authorities

The provision of data to competent authorities is described above.

6.3        Third parties realted to a transformation (eg merger or acquisition) or transfer of an enterprise

In case of transformation of Yettel, as well as in case of transfer of assets in accordance with the applicable legislation, it is possible that the personal data of the users will be provided to a third party - successor.

7.            HOW LONG DO WE STORE PERSONAL DATA

Yettel shall retain the personal data of the users for as long as necessary in order to achieve the objectives set out in this Policy or to comply with the requirements of the legislation.

As a rule, Yettel will not store Internet browsing data, Device data, Location data and/or Settings data after deactivation of the Service.

In case of active service Yettel will not store Data for internet browsing for a period longer than 6 (six) months, as of the moment of their generation.

The above deadlines will not apply (respectively the data may be stored for a longer period) if there is a valid reason for this (eg pending dispute, inspections by competent authorities, etc.).).

Read more:

After the expiration of the terms for processing personal data, they are anonymized or deleted/destroyed, unless:

-             are necessary for pending court, arbitration, administrative or enforcement proceedings, or in case of a complaint from the respective consumer, which should be considered by Yettel; or

-             the user concerned has exercised his/her right to request a restriction on the processing of personal data concerning him/her.

Yettel makes every effort to ensure that the personal data processed by users are updated (and corrected if necessary) and that data that are not necessary to achieve the objectives described above are not stored.

8.           HOW DO WE PROTECT PERSONAL DATA

Building and maintaining trust between us and consumers is a key strategic priority for Yettel. Therefore, the protection of our systems and personal data is of paramount importance to both our users and Yettel. Our main goal is to make consumers feel "safe" when using Yettel products and services. In accordance with the requirements of current legislation and good practices, Yettel takes the necessary technical and organizational measures to keep users' personal data safe.

Read more:

To ensure the protection of users' personal data, Yettel uses modern technologies combined with uncompromising management of security controls. Our framework is based on some of the most popular security standards (ISO27001: 2013, etc.).

In order to ensure maximum data protection, Yettel has adopted a number of policies that regulate data processing. Various mechanisms are applied (encryption, anonymization, pseudonymization, etc.) both for "data in transit" and for "data at rest".

Yettel has an appointed data protection officer and specialized departments that take care of information security and fraud protection. They support the processes for protection and security of personal data, as well as monitor their compliance.

9.           RIGHTS OF DATA SUBJECTS

9.1         General information on the rights of individuals

Yettel shall take action at the request of an individual to exercise a right under this section only if it is able to identify the person concerned..

Read more:

Only a person who can be identified by Yettel has the opportunity to exercise their rights under this section.

If the purposes for which Yettel processes personal data do not require or no longer require the identification of a natural person, Yettel has no obligation to maintain, obtain or process additional information in order to identify the person for the sole purpose of taking action on request of this person.

Yettel notifies individuals of the actions taken within one month of receiving a request under this section, and in certain cases this period may be extended by up to two months.

Read more:

Yettel shall provide individuals with information on the action taken in relation to their requests for the exercise of rights under this section without undue delay and in any event within one month of receipt of the request. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. Yettel shall inform the person concerned of any such extension within one month of receipt of the request, stating the reasons for the delay.

In case of refusal to comply with a request, Yettel notifies the relevant individuals of their rights.

Read more:

If Yettel does not take action on the request of a person, Yettel shall notify him without delay and at the latest within one month of receiving the request of the reasons for not taking action, as well as of the possibility to file a complaint to the Commission for Protection of Natural Resources. personal data and seeking protection in court.

In certain cases, Yettel may request additional information to confirm the identity of individuals.

Read more:

In the event that Yettel has legitimate concerns regarding the identity of the individual making a request under this section, Yettel may request the provision of additional information necessary to verify the identity of the person.

The actions taken by Yettel in and on the occasion of requests for the exercise of rights under this section are completely free of charge for individuals, unless their requests are manifestly unfounded or excessive.

Read more:

The actions taken by Yettel during and on the occasion of exercising consumer rights are completely free of charge. Where a person's request is manifestly unfounded or excessive (for example because of its recurrence), Yettel shall have the right, at its discretion: (a) to refuse to comply with the request; or (b) require the payment of a reasonable fee determined on the basis of the administrative costs necessary to provide the requested information or to take the requested action.

9.2        Users have the right to access personal data related to them

Users have the right to receive information form Yettel whether personal data related to them are processed. If so, users have the right to access the relevant data.

9.3        Users have the right to request the correction of personal data concerning them when they are inaccurate or out of date

9.4        In certain cases, users have the right to request the deletion of personal data concerning them.

Read more:

Users have the right to request Yettel to delete the personal data related to them, in the following cases:

-             personal data are no longer needed for the purposes for which they were collected or processed;

-             the user has withdrawn his consent on which the processing of personal data is based and there is no other legal basis for the processing of the same;

-             the user has objected to the processing of personal data based on a legitimate interest of Yettel, unless there are other legitimate grounds for the processing that take precedence over the interests, rights and freedoms of the user, or the processing is necessary to establish, exercise or the protection of legal claims;

-             the user has objected to the processing of personal data for the purposes of direct marketing and there are no other legal grounds for the processing of this data;

-             the personal data relating to the user concerned have been processed illegally;

-             personal data must be deleted by Yettel in order to comply with a legal obligation arising from the law of the Republic of Bulgaria or the law of the European Union.

9.5        In certain cases, users have the right to request a restriction on the processing of personal data concerning them.

Read more:

Users have the right to ask Yettel to restrict the processing of personal data relating to them, in the following cases:

-             the accuracy of the personal data is disputed by the user, for a period that allows Yettel to verify the accuracy of the personal data;

-             the processing is illegal, but the user does not want the personal data to be deleted, but instead requires restricting their use;

-             Yettel no longer needs the personal data for the purposes of processing, but the user requires them for the establishment, exercise or protection of legal claims;

-             the user has objected to the processing of personal data based on Yettel's legitimate interest, pending verification that Yettel's legal grounds take precedence over Yettel's interests.

9.6        In certain cases, users have the right of the portability of personal data concerning them

Read more:

Users have the right to receive from Yettel the personal data provided by them in a structured, widely used and machine-readable form, as well as to transfer this data to another administrator without hindrance from Yettel, insofar as:

-             Yettel processes this data for the purposes of concluding or executing a contract with the consumer, or on the basis of a consent given by the latter; and

-             the processing of the relevant data is performed in an automated manner.

Users have the right to ask Yettel to transfer their personal data directly to another administrator when this is technically feasible.

9.7        In certain cases, users have the right to object to the processing of personal data concerning them

Read more:

Users have the right, at any time and on grounds related to their specific situation, to object to the processing of personal data concerning them when Yettel processes their data in order to protect their legitimate interests.

9.8        Users have the right to complain to a data protection supervisory authority

Read more:

Users have the right to file complaints or signals to the Commission for Personal Data Protection (CPDP) in case they believe Yettel violates the legislation on personal data protection. Instructions for filing complaints are published on the website of the CPDP: https://www.cpdp.bg

Consumers may also lodge complaints with other supervisory authorities in the territory of the European Union, as provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

10.         CONTACT INFORMATION

Yettel Bulgaria Ltd, UIC 130460283, with registered office and address of management in the city of Sofia, postal code 1766, Mladost 4, Business Park Sofia, building 6.,is the controller of personal data processed in this Privacy Policy.

For questions and inquiries regarding the processing of personal data, you can contact our Customer Service Center. The contact information for the Customer Service Center is published on the following page: https://www.yettel.bg/bg/private/online-request

Yettel Customer Service Call Center can help you contact our data protection officer.

11.           POLICY UPDATE

This Policy is valid as of [*].

This Policy may be amended or supplemented due to a change in the applicable legislation, at the initiative of Yettel, consumers or a competent authority (eg the Commission for Personal Data Protection).

Yettel shall endeavor to inform the users about the changes or additions to this Policy not less than 7 (seven) days before their entry into force, by sending a message to the Users, in case it has contact information with them.

It is recommended that users periodically check the latest version of this Policy, which is published at www.yettel.bg/privacy.