Privacy Policy of “Smart Innovative Technologies” Ltd.
For “Smart Innovative Technologies” Ltd. (hereinafter referred to as “the Company”, “Smart IT”, “we”, “us”, or “our”), the protection of your personal data is of paramount importance.
We therefore wish to inform you on what legal grounds, for what purposes, within what timeframes, and by what means your personal data is processed when you visit our website https://smartit.bg/ or apply for employment with us. We strictly adhere to all applicable data protection laws in every operation involving the processing of personal data. The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) guarantees your rights and imposes detailed obligations on us as a data controller, which are explained in this Privacy Policy (“the Policy”).
I. Introduction
In this Privacy Policy, “Smart IT”, “we”, “us”, and “our” refer to “Smart Innovative Technologies” Ltd., while “you”, “your”, and “user” refer to visitors of our website https://smartit.bg/.
This Privacy Policy explains and governs:
- how and when we collect your personal data and what information we collect;
- how and why we use your personal data; and
- your rights to control your personal data.
Please read this Privacy Policy carefully. By accessing and using our website and services, you confirm that you have had the opportunity to read this Policy, that you understand it, and that you agree to be bound by it. If you do not agree, you must immediately discontinue using our website and any services through which we may process personal data.
We may amend this Policy from time to time in order to comply with applicable laws and regulations or to respond to changing business requirements. We encourage you to review this page periodically for the latest information about our privacy practices and any updates to this Policy. Whenever we make changes, we will promptly inform you of any significant effects of such changes and provide a summary of the modifications on our website https://smartit.bg/.
II. General Information
1. Definitions
For the purposes of this Policy, the following terms shall have the meanings set out below:
- “Personal Data” – any information relating to an identified or identifiable natural person which, alone or in combination with other information, can lead to the identification of that person.
- “Data Subject” – a living natural person who is identified or identifiable by means of the personal data being processed.
- “Processing of Personal Data” – any operation or set of operations performed on personal data, including but not limited to collection, storage, analysis, modification, or destruction.
- “Data Controller” – with respect to the personal data it administers, “Smart IT” acts as the controller. We determine the purposes and legal basis for processing your data and, in general, the means by which such processing is carried out (e.g., technical infrastructure and applications). The obligations relating to the security and protection of your personal data rest with us.
- “Data Processor” – a third party that processes your personal data on our behalf, in accordance with our explicit instructions defining the purpose and means of processing, and after verifying that the processor meets GDPR requirements. “Smart IT” may also act as a data processor when engaged by other companies to manage their systems.
- “Personal Data Breach” – a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
- “Digital Assets” – the website https://smartit.bg/, all landing pages maintained by the Company, and any web, native, or mobile applications available to clients.
- “Group of Companies within Management Financial Group” (“MFG Companies”) – the corporate group of companies and other corporate entities owned and/or controlled by “Management Financial Group” AD, a joint-stock company incorporated and existing under the laws of the Republic of Bulgaria, UIC 207343548. For the purposes of this Policy, the MFG Companies are those registered and operating within the territory of the Republic of Bulgaria. An up-to-date list of the companies within the MFG structure can be found here: https://mfg.bg/our-companies/.
2. Who We Are
“Smart Innovative Technologies” Ltd. is a technology unit engaged in the development and maintenance of innovative technologies and information systems within the group of subsidiaries of “Management Financial Group” AD, as well as for other companies that have contracted “Smart Innovative Technologies” Ltd. to maintain their systems.
3. Contact Information
“Smart Innovative Technologies” Ltd.
Registered office and management address:
BULGARIA, Sofia 1324, Lyulin District, Lyulin 7 Residential Complex, Jawaharlal Nehru Blvd., No. 28, ATC Silver Center Building, 2nd Floor, Office 72–74
Phone: 0700 20 140
You may contact us by visiting the address above or through our website https://smartit.bg/.
4. Data Protection Officer
Our appointed Data Protection Officer (DPO) can be reached at: dpo@smartit.
5. Type, Purpose, and Legal Basis of Personal Data Processing
| Personal Data | Purpose of Processing | Legal Basis |
|
Names, unique identifiers, date of birth, address, and other data from identification documents |
|
Legal obligation |
| Video surveillance | Protection of company property and infrastructure; protection of employees’ rights | Legitimate interest |
| Telephone |
|
Contract performance |
| Address |
|
Legal obligation |
| Email / SMS |
|
Consent / Contract performance |
| Handwritten signature or fingerprint (for illiterate or physically disabled persons unable to sign) | Signing of employment contracts | Legal obligation |
| Full name, phone number, email address, and other personal data provided voluntarily through chat, contact form, email, or in writing at the Company’s address | Processing and responding to rights requests, inquiries, complaints, or grievances |
Legitimate interest |
| Images of clients, employees, and office visitors | Protection of information systems; safeguarding employee health; ensuring employee rights | Legitimate interest |
Your personal data will be processed by “Smart Innovative Technologies” Ltd. solely in accordance with the applicable data protection legislation. By corresponding with us through any communication channel, you confirm that the data you have provided is accurate, correct, and up to date.
Please note that any consent given for the processing of your personal data may be withdrawn at any time by submitting a written request to
6. For how long will my personal data be stored?
Personal data is stored for the periods necessary to achieve the purposes for which it was collected. After the purposes for which the personal data was collected have been fulfilled, we will immediately destroy it. In cases where, after achieving our objectives, we decide to retain the processed personal data for statistical purposes, this will be done in the form of storing anonymized data, which cannot identify you in any way.
“Smart Innovative Technologies” Ltd. takes all necessary technical and organizational measures to destroy personal data that is no longer needed, except in cases where there is a legal basis for its longer retention. If you make a request to restrict the processing of your data according to your rights (described below), or if the processing is necessary for a purpose compatible with the original purpose for which it was collected, you will be promptly informed.
“Smart Innovative Technologies” Ltd. stores collected personal data for the following periods:
a) When the data is processed on the basis of an application for a position in the company – for a maximum period of six months after the end of the recruitment procedure for the respective position.
b) When the data is processed on the basis of a concluded contract for software maintenance or development – for the duration of the contract, unless otherwise agreed.
c) When the data is processed on the basis of received consent – until the explicit withdrawal of the consent.
d) When the data is processed for the protection or exercise of rights and interests of the Company, which have a legitimate precedence over the interests of individuals – until the right expires and/or the interest ceases to exist.
e) Video surveillance recordings are kept for up to 90 days from the date of recording.
After the expiration of the indicated periods, if there is no other legal basis for processing the data, it will be deleted. For the purpose of obtaining and analyzing information, as well as meeting specific regulatory requirements, the Company may delete only part of the data. In such cases, it continues to store only that portion of the data which does not allow the subsequent identification of individuals.
7. Will my personal data be accessible to third parties?
Smart Innovative Technologies” Ltd. will not disclose personal data to third parties[1], except when it is shared with affiliated entities for the purpose of preventing fraud and/or fulfilling legal obligations.
7.1. In view of the above, we must inform you that “Smart Innovative Technologies” Ltd. has entered into joint controller agreements with the companies of the MFG group, including “Easy Asset Management” AD, “Fintrade Finance” AD and “Viva Credit” AD but not only. These agreements have the following key characteristics:
- The joint controllers exchange personal data regarding the existence and number of loans with affiliated entities, delays in payment of such loans, their transition into enforcement proceedings, or complete non-fulfilment of payment obligations.
- The exchange of personal data mentioned above takes place automatically, during the processing of personal data collected from the loan applicant and/or third parties during the assessment of their creditworthiness, through specialized software.
7.2. Access to your personal data may also be granted to the following categories of persons, who, on the basis of contracts with the Company, may act as data processors:
- Persons maintaining the Company’s information systems located in the Republic of Bulgaria, as well as, if necessary, customer service centers in the Republic of Bulgaria;
- Persons entrusted with the preparation, printing, packaging, and delivery (including by SMS or electronically) of written correspondence sent by the Company to its clients;
- Persons contracted by the Company to assist with servicing and collecting receivables from clients;
- Persons to whom the Company offers to sell its receivables from clients;
- Persons who, under a contract with the Company, act as intermediaries in the provision of financial products offered by the Company.
7.3. Purposes of processing and additional security measures
Your data may also be shared for the following purposes:
- Prevention and detection of fraud
- Identifying and preventing financial fraud, abuse, and security breaches, including blocking credit cards;
- Risk assessment and security checks;
- Checks in certain databases and information systems.
- Creating and maintaining a secure environment
- Establishing identity and validating the information provided by you;
- Conducting checks in official registers and databases, when permitted by law or carried out with your consent (where required).
- Fulfilment of legal obligations
- Compliance with regulatory requirements, including those under the Anti-Money Laundering Act (AMLA) and the Payment Services and Payment Systems Act (PSPSA).
7.4. “Smart Innovative Technologies” Ltd. does not transfer personal data to any third country or international organization outside the European Union.
7.5. When visiting this website, “Smart Innovative Technologies” Ltd. processes your personal data through cookies. Please review our Cookie Policy here.
8. How do we protect your personal data?
To ensure adequate protection of the data of the Company and its clients, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and the General Data Protection Regulation (GDPR).
The Company has established structures to prevent abuse and security breaches and has appointed a Data Protection Officer who supports the processes of safeguarding and securing your data.
For maximum security during the processing, transmission, and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
9. Are my personal data subject to automated decision-making, including profiling?
“Smart Innovative Technologies” Ltd. does not process personal data through automated decision-making, including profiling, that results in legal consequences for data subjects or significantly affects them. All decisions related to the provided services are made with human involvement, ensuring the protection of the rights and interests of data subjects. In cases where the decision communicated to you is unsatisfactory, you have the right to request its review by a qualified credit expert within the Company.
III. Your Rights
As a data subject whose personal data is processed by “Smart Innovative Technologies” Ltd., you have the rights described in detail below.
Please note that the provision of personal data is voluntary — it is necessary for the conclusion of a contract with the Company. If the data is not provided, the Company will not be able to offer a product or service.
“Smart Innovative Technologies” Ltd. fulfils your requests without delay, within up to 30 calendar days from their submission. In its response, the Company will either grant or refuse access and/or the requested information, always providing a justification. For this purpose, a link to this Policy is placed in a clearly visible location on the Company’s website.
In order for your request to exercise your rights to be considered, you must complete this form and submit it to us in a manner convenient for you:
- In person or through an explicitly authorized representative (with power of attorney) at the Company’s address: BULGARIA, Sofia 1324, Lyulin District, Lyulin 7 Residential Complex, Jawaharlal Nehru Blvd., No. 28, ATC Silver Center Building, 2nd Floor, Office 72–74. In the power of attorney submitted for a request, it must explicitly state the authorization: “To represent me before ‘Smart Innovative Technologies’ Ltd., UIC 203068866, with the right to submit on my behalf a request to exercise the rights for the protection of personal data.”
- As an electronic document, signed with electronic signature, sent to:
Този имейл адрес е защитен от спам ботове. Трябва да имате пусната JavaScript поддръжка, за да го видите. - By mail or courier service to: BULGARIA, Sofia 1324, Lyulin District, Lyulin 7 Residential Complex, Jawaharlal Nehru Blvd., No. 28, ATC Silver Center Building, 2nd Floor, Office 72–74.
- By calling telephone number 0700 20 140 – in this case, after the call, the form for exercising your rights must be submitted for the attention of “Smart Innovative Technologies” Ltd. using one of the methods indicated above.
The exercise of your rights is free of charge and covers all structured and unstructured data, as well as all databases maintained by the Company.
Exceptions to the response time and free principle may apply if the same client submits more than three requests per year, requiring a significant administrative effort by the Company. In this case, a reasonable administrative fee may be imposed.
When the data subject submits a request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject has requested otherwise.
When the Company has reasonable concerns regarding the identity of the individual submitting a request to exercise their rights under this section or their proxies, the Company may request additional information necessary to confirm their identity or legitimate authority.
Please also note that withdrawing your consent does not affect the lawfulness of data processing carried out before the withdrawal. Even after consent is withdrawn, the Company may process your personal data if another legal basis for processing exists, as listed in Section 4.
You have the following rights:
a. Right to Information
As a data subject, you have the right to obtain information regarding the essential characteristics of the processing of your personal data, including, but not limited to, its purpose, duration, and legal basis, as well as the recipients and categories of recipients of personal data, and other relevant details.
In addition to the information provided above, you should be aware that you may be subject to automated decision-making, including profiling. This means that the data you provide may be used to create an appropriate “profile” about you, with the purposes of preventing fraud, diversifying the products offered by the Company, and selecting marketing, advertising, and promotional materials tailored to you.
In accordance with applicable data protection legislation, you are granted the rights set forth below. We are obliged to respond to any of your requests within one (1) month of receipt, free of charge. In the event of any difficulties in timely fulfilling such requests, the response period may be extended by an additional two (2) months, for which you will be notified within one (1) month of receipt of the request.
b. Right of Access
You may request information regarding which of your personal data we process, as well as whether we process any such data at all. You may request access to these data. We will provide you with an extract of the personal data that are being processed at the time of your request. For certain extracts, we may impose a reasonable fee based on administrative costs. When submitting a request by electronic means, we will, where possible, provide the information in a commonly used electronic format, unless you have requested otherwise.
c. Right to Rectification
If we are processing incomplete or inaccurate personal data about you, you may request their correction or completion at any time.
d. Right to Erasure
You may request the deletion of your personal data in the following cases:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- You withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
- You consider that the personal data have been processed unlawfully.
Please note that there may be other reasons preventing the immediate deletion of your personal data, such as legally mandated retention obligations, ongoing proceedings, the establishment, exercise, or defence of legal claims, and similar circumstances.
e. Right to Restriction of Processing
You have the right to request the restriction of processing if:
- You contest the accuracy of the personal data, for a period allowing us to verify the accuracy of the data;
- The processing is unlawful, but you do not wish the personal data to be erased, and instead require the restriction of their use;
- We no longer need the personal data for the purposes of processing, but you require them for the establishment, exercise, or defence of legal claims;
- You have objected to the processing of the data pending verification of whether the legitimate grounds of “Smart Innovative Technologies” Ltd. for processing override your interests
If a restriction of processing is requested, we will inform you before lifting the restriction.
f. Right to Data Portability
You may request that we provide you with the personal data we process about you in a format that is structured, commonly used, and machine-readable, and that can be transferred to another financial institution, for example. This applies only when:
- The processing of the specific data is based on your consent or in connection with the conclusion and performance of a monetary loan agreement; and
- The processing is carried out by automated means.
g. Right to Object
You have the right, at any time and on grounds relating to your particular situation, to object to the processing of your personal data that is based on a legitimate interest — the grounds are set out in the table above, including profiling based on such legitimate interest.
Where you have given your consent for the processing of data for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for such purposes, without having to provide any reasons.
h. Right to Lodge a Complaint
If you believe that we have violated applicable data protection legislation in the processing of your personal data and, as a result, have affected your rights, please contact us. You also have the right to lodge a complaint with the Commission for Personal Data Protection, which is the supervisory authority for data protection, at the following address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. [number], tel. 02/91-53-518, e-mail:
[1] “Third Party” means any natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data (Art. 4(10) GDPR).