PRIVACY AND DATA PROTECTION DECLARATION

This Privacy and Data Protection Declaration of EPAY AD (Privacy Declaration) is based on the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Regulation (EU) 2016/679). All amendments of the Privacy Declaration shall be applied after its updated content is published and made available on our website: www.epay.bg.

Data about the controller

EPAY AD with company code 131409398, seat and registered office at 16, Ivan Vazov St, Sofia, is data controller processing your personal data in compliance with the law, in good faith and in a transparent maner. You may contact us at the registered office: 16, Ivan Vazov St, Sofia phone: +359/ 2 9210880 The Data Protection Officer of EPAY AD is Ivan Bunevski, address: 16, Ivan Vazov St, Sofia, e-mail: dpo@epay.bg.

Processed data

EPAY AD processes personal data independently or together with other controllers such as banks, Easypay AD and other providers of payment services and system operators specified by the Payment Services and Payment Systems Act (PSPSA). The data related to payments made through the systems operated by EPAY AD, as well as the client identification data, are processed jointly with Easypay AD as provider of payment services pursuant to PSPSA. Depending on the specific objectives and grounds EPAY AD processes the data indicated below separately or combined:

1. The data provided by you and necessary for identification and fulfillment of contractual obligations of EPAY AD and the client:

• Names, personal identification number, date of birth for foreignes, nationality, address, phone number, e-mail address, client’s account picture;
• Names, personal identification number, address and other data of your representative, specified in the document whereby you authorized him/her to represent you before EPAY AD;
• Identity document number, date of issue, date of expiry and issuing authority;
• Data collected upon payment – number of credit or debit card, bank account and other payment information collected upon processing the payments made by clients through the systems operated by EPAY AD – via the Internet through the ePay.bg system, other online platforms for automatic payment with payment cards or payment accounts, ATM, SMS, mobile applications and other electronic commercial channels of EPAY;
• To make transfer via Mobile number through еPayMobile, we ask you to allow access of ePayMobile to the phone contact list of your device in order to make the payment to the relevant mobile number. ePayMobile doesn’t use or store customers' phone contact list information, but uses only the recipient's mobile number in order to process the money transfer.
• Data from you account for access to our online platform – user name; data from your qualified electronic signature registered in our system; identification of your account; customer numbers and other information provided by you in connection with the payment services to registered providers;
• Video, photo and/or voice recording, provided by you as part of your customer identification or by other occasion;
• Data provided upon participation in games, lotteries and/or other seasonal or promotional campaigns organized by EPAY AD and intended for an unlimited circle of persons, including through social networks.

2. Data provided upon using the services of EPAY AD, accessible through an online platform or a mobile application:

• Data about the applications and browsers used by you, about the type of device used for access to the systems of EPAY AD. This information includes device identificator, number of application version, operational system version, information about the mobile network, including operator name and phone number, IP address; activity in the system and date, time and forwarding URL address of your request to the systems of EPAY AD.

3. Data which are not received by the individual they refer to, but are provided by third persons in connection with a specific service or product:

• Data about names, address, client number, invoice number and other data regarding payment obligations of the users/client and other numbers registered for payment through the systems operated by EPAY AD.
• Data about debit or credit cards or other payment information repated to payments through the systems operated by EPAY AD, including payments from ATM to providers and clients registered in еPay.bg.

4. Other data related to the service provision process of EPAY AD:

• Video recordings or photos made in compliance with the preliminary announced conditions for participation in games, lotteries and/or other promotional campaigns organized by EPAY AD and intended for an unlimited circle of persons, including through social networks;
• Recordings of calls made from and to the contact center of EPAY AD, e-mail, letters, complaints, applications and other feedback we receive from you.

In case of refusal to voluntarily provide the reqested personal data, EPAY AD shall not be able to provide the services selected by you.

Objectives and legal grounds for processing data:

EPAY AD processes your data for the following purposes:

1. To perform contractual obligations and services, as well as to manage our relations with clients in terms of services provided by EPAY AD:

• Client identification upon registration for service use as per the General Terms /contracting an agreement/, amendment and termination of a service agreement; responding to requests for provision of information and explanations about the services used, making payments through the systems operated by EPAY AD, using information services such as card balance statements, registration of debit or credit card via the internet and the mobile application of еPay.bg, sending payment-related information (including one-time password, confirmation code, access code) by SMS to a mobile phone number or an e-mail provided by the client
• Clients may be identified through different channels – at the central office of EPAY AD, in certain offices of EASYPAY AD, by EPAY AD customer service telephone or e-mail, by providing information about personal data related to the client’s account in еPay.bg, (client identification number in еPay.bg, personal identification number, date of birth, e-mail and/or other identifying information);
• Updating your personal data provided upon registration/contracting an agreement for using the services of EPAY AD.
• Verification of the type of registered and used services at your request/complaint/objection or with a view to protecting the clients of EPAY AD against fraud and abuse by third parties. Provision of information about the services used;
• Considering reports, objections, complaints received, carrying out controls, feedback provision; Technical assistance for creating account/s and recovery of forgotten passwords and other data for access to еPay.bg. Blocking/unbloking the access to a client’s account, deletion of еPay.bg registration. Recovery of access to applications, etc;
• Settling disputes before the competent authorities (court, arbitration, conciliation commission, administrative bodies, etc.) regarding the activity of EPAY AD.
• Management of anti-fraud activities. EPAY AD processes personal data when carrying out activities related to fraud prevention, detection, investigation and management.

2. In fulfillment of legal obligations EPAY AD processes your data for the following purposes:

• To meet the legal obligations related to the provision of payment services by Easypay AD to clients using payment services systems of EPAY AD (Payment Services and Payment Systems Act, Measures Against Money Laundering Act, Measures against the Financing of Terrorism Act, the other applicable laws and regulations regarding the activity of Easypay AD);
• Provision of information about clients and the service used by them upon request/ demand/control on the part of the competent authorities;
• Issuing invoices, if applicable for specific services.

3. EPAY AD processes the respective data provided with the consent of the client for the following purposes:

• To receive notices regarding the services used to the e-mail address specified by you – information about products and services of EPAY AD or third parties; Through your client’s account or еPay.bg registration for the specific service you could give, or withdraw respectively, your consent to receive certain information via e-mail.
• To include your name, photos, video and other forms of presence in advertising and media publications of EPAY AD as a result of your participation in lotteries and games, or such of our partners and/or the social networks.

4. EPAY AD processes your data for the following legitimate interests:

• Preparing and keeping statistical information and aggregate data - EPAY AD performs the above analysis to develop and improve the services provided and the customer service;
• When providing data to third parties: when performing legal or contractual obligations of EPAY AD or on other valid legal grounds.

Categories of third persons - recipients of personal data:

In compliance with the requirements of Regulation EU 2016/679 EPAY AD has the right to disclose personal data they process to the following categories of recipients:

• Natural persons to whom the data refer;
• Natural persons, legal entities, recipients of payments ordered by you through the systems operated by EPAY AD, including applications for online payments which are approved by you;
• Third parties, natural persons, legal entities, public bodies and institutions, when performing legal or contractual obligations of EPAY AD or on other valid legal grounds, for instance, detecting, preventing or performing other activities regarding fraud, technical or security-related problems.
• Banks, providers of payment services and/or system operators as per PSPSA regarding the payments made by you.
• Persons assigned by EPAY AD to support equipment and software used for processing your personal data;
• Security companies licensed to carry out private security activity which are processing video recordings from offices of EPAY AD in the process of controlling the access to these sites;
• Persons providing services related to the organization, safekeeping, indexing and deletion of hard or soft copy archives; Subcontractors of EPAY AD processing personal data. Personal data processors perform their tasks in compliance with a contract/another legal document and according to the instructions of EPAY AD. Subcontractors of EPAY AD provide sufficient warranties for the application of adequate technical and organizational measures ensuring that Regulation 2016/679 is met.

The term of retention of your personal data depends on the purposes of the processing for which they were collected:

• The personal data processed in order to provide the services accessible through the sytems of EPAY AD are kept for a period of up to one year as of the date of termination of the contract/registration in ePay.bg or other online platforms and applications supported by EPAY AD. The personal data related to payments made through the systems supported by EPAY AD are retained in compliance with the statutory time limits as per the legislation in force;
• The personal data processed in order to issue accounting/financial documents are kept for at least 5 years after expiry of the repayment term regarding the public receivables, unless the legislation in force provides for a longer term;
• EPAY AD may retain some of your personal data for a longer period until expiry of the respective repayment term for protection from possible clients’ claims regarding the performance of services/termination of a registration/contract for provision of services, etc., as well as for a longer period in case of a legal dispute until its final settlement by a court decision entered into force;
• Personal data for which there is no explicit statutory obligation for retention shall be deleted after the objectives for which they were collected and processed are achieved;
• Telephone call recordings – up to two years after the conversation was held;
• Picture (video recordings) of visits to the central office of EPAY AD – up to one year as of the date of the recording.

Security measures of EPAY AD for personal data protection

The protection of clients’ information and data is main priority of EPAY AD. The company applies and is constantly updating the technical and organizational measures ensuring the protection of clients’data.

• Each year the company undergoes certification procedures as per the PCI DSS (Payment Card Industry Data Security Standard) standard for retention, processing and transfer of payment data of cardholers;
• Additional functions for protection of clients’ accounts are also available on еPay.bg (the information is available in the safety instructions published on the website еPay.bg);
• All procedures and rules for data collection, retention and processing are reviewed on a regular basis, including the physical security measures of the systems.

What are your rights regarding personal data processing by EPAY AD:

As a client and in terms of your personal data you have the following rights:

1. To receive information about your personal data processed by EPAY AD.

• When you log in your account on еPay.bg, you can always review and update your information, for example: in the Settings menu you may edit data such as e-mail, phone number for receiving one-time passwords and confirmation codes for services/payments, contact phone, give or withdraw your consent for receiving notices via e-mail; in the Information menu you may review the information related to your visits to еPay.bg and the payments made; in the Cards and Microaccoutns menu you may review and edit the information about the debit and credit cards registered in your account; in the Bill Payments menu you may review, edit/delete data about client’s numbers and other bills added to your client’s account. Some of the personal data provided by you, such as personal identification number/date of birth, ID number and date of issue (if ID information is required), are not available for review through your client’s account. This information may be requested by filing a written request to EPAY AD at the central office of EPAY AD or in certain offices of EASYPAY AD after identifying yourself by presenting an ID;

2. To require that your data be corrected when incorrect or incomplete for processing purposes: for data that you are not able to correct yourself through your client’s account in ePay.bg or another online platform/mobile application operated by EPAY AD you have to file a request with EPAY AD according to the established procedures.

3. To require that your personal data be deleted only in any of the following cases:

• They are not necessary any more for the purposes for which they were collected or processed;
• After withdrawing the express consent when personal data are processed only based on the express consent of the subject;
• There is no legal or contractual grounds for data processing;
• The data processing is declared illegal;
• The national or European legislation require it.

4. To require that the processing of your personal data be restricted in any of the following cases:

• Illegal processing, but you only want to restrict the processing of your data instead of having them deleted;
• In compliance with the rights of the data subjects as per Regulation EU 2016/679.

5. To request transfer of your personal data that you provided to EPAY AD as per the rights of the data subjects pursuant to Regulation EU 2016/679 according to the rules and procedures of EPAY AD. Your right to transfer applies to personal data under the following conditions:

• а) the data processing is based on your express consent or a contractual obligation and
• b) the processing is automatic.

6. To object at any time and for your personal reasons to EPAY AD processing personal data specified as processed on the grounds of a legitimate interest of EPAY AD. When the objection mage is against the processing of your personal data for the remaining purposes, EPAY AD shall respond within a reasonable term, not longer than one month, whether they consider your objection justified and whether they will stop processing the respective personal data for these purposes.

7. To withdraw your consent for the processing of your personal data when this processing is only based on your consent.

8. To file a complaint with the Commission for Personal Data Protection if you consider that your rights regarding the processing of your personal data are violated.

Filing a request

EPAY AD provides the following possibilities for filing requests as per Regulation EU 2016/679:

• For information which is not accessible or cannot be edited through the client’s account on the respective online platform or mobile application – a standard form is to be filed at the central office of EPAY AD or at certain offices of Easypay AD;
• By means of a standard e-form through your account in еPay.bg.

In order for you to be duly identified and for EPAY AD to provide you with a specific response, you need to provide certain obligatory details in the standard request/application such as your ID data, phone number, if you want to provide contact information, optionally the number of your client’s account in еPay.bg or a mobile application of EPAY AD, as well as in what capacity you would like to file a request for the exercise of your rights as per Regulation EU 2016/679 – for instance, client/former client, legal representative, actual owner, etc. If the information provided is incorrect and/or incomplete, we may not be able to meet your request or part thereof.