effective from 25.05.2018
“Single Step” Ltd, UIC: 205022440, with registered office and address of management Sofia, 12 Bratya Miladinovi Str. The Company (hereinafter referred to as “the Company”) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council, which entered into force on 25 May 2018, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.
1. Basis for collecting, processing and storing your personal data:
The Company collects and processes your personal data in connection with the use of the websites https://www.thestep.bg/ and https://singlestep-shop.bg/, as well as the conclusion of contracts with the Company on the basis of Art. 6 para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:
– explicit consent obtained from you as a user of the website;
– performance of the association’s obligations under a contract with you;
– compliance with a legal obligation applicable to the Company;
– for the purposes of the legitimate interests of the Company or of a third party;
2. Collection of personal data and purposes
2.1 Single Step Ltd collects personal data of:
– natural persons or representatives of legal entities – providers of specific services, relations with which are regulated by contract;
– natural persons – employees, customers and/or official representatives or contact persons of legal entities;
– donors, volunteers and partners of the Company;
– consumers of goods and services provided by the Company.
For the purposes of:
– concluding an employment contract with the employee, pursuant to Art. 62, par. 7 of the Labour Code and Ordinance No. 4 on the documents required for the conclusion of an employment contract;
– entering into a civil or other contract for the provision of various services, including health and social services to third parties and individuals on behalf of Single Step Ltd;
– creating a user profile on the Company’s websites, registering on our websites, buying a product, entering into a contract – your name; email address; delivery and billing address for the goods and services you have ordered, postcode, payment methods, telephone number, information regarding date, amount and frequency of orders;
– the formation, operation and termination of the Company’s legal relationship;
– receipt and making of donations, receipt of volunteer labor or partnership to raise public awareness, and any voluntary cooperation for which both parties have formal or informal correspondence and acknowledgement;
– protection of the rights of the individual, mediation for the protection of the rights of the individual.
2.2. Personal data collected and processed by the Company shall be kept for as short a period as possible after the grounds for processing have ceased to exist. Once the basis for processing the data has ceased to exist, the data shall be destroyed in accordance with the procedure laid down in the Company’s internal rules on the processing of personal data.
2.3. The personal data processed by the Company may be disclosed to the following categories of recipients:
– the natural persons to whom the data relate;
– persons for whom the right of access is provided for in a legal act, such as public authorities, institutions, etc.
– donors of the Company – only statistical data from the processing of personal data (statistics by gender, age, place of residence) shall be provided to these persons if at least one of the following prerequisites is met:
– explicit consent of the data subject;
– a statutory obligation of the data controller;
– the protection of a vital interest;
– where necessary for the purposes of a criminal prosecution.
3. Purposes and principles for the collection, processing and storage of your personal data on the https://www.thestep.bg/ and https://singlestep-shop.bg/ websites
3.1. We collect and process the personal data you provide to us in connection with your use of the website for the following purposes:
– creating an account (if applicable) and providing full functionality when using https://www.thestep.bg/ and https://singlestep-shop.bg/
– submitting alerts/complaints/inquiries from you via a form on the Company’s website;
– statistical purposes;
– marketing purposes;
– participation in online survey and other marketing activities;
– information security protection;
– sending of newsletters if you so request;
– involvement in Company campaigns;
– order products and services offered by the Company;
– delivery of products offered by the Company;
– issuing an invoice and processing it;
– posting and invoicing purchases from the e-shop based on our legal obligation to do so;
– activities related to the management of your account on our websites;
3.2. We comply with the following principles when processing your personal data:
– lawfulness, fairness and transparency;
– limitation of the purposes of processing;
– relevance to the purposes of the processing and minimisation of the data collected;
– accuracy and timeliness of data;
– limitation of storage to achieve the purposes;
– integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.
3.3. In processing and storing personal data, the Association may process and store personal data in order to protect its following legitimate interests: the performance of its obligations to the National Revenue Agency, the Ministry of the Interior and other state and municipal authorities.
3.4. Through its websites https://www.thestep.bg/ and https://singlestep-shop.bg/, the Company does not collect or process personal data that relates to the following: revealing political, religious or philosophical beliefs, or trade union membership; genetic and biometric data.
3.5. The Company does not carry out automated decision-making with data.
3.6. The Company’s websites use so-called “cookies” for the purposes of providing full website functionality, improving user experience, statistical purposes, ease of access, etc., which you agree to by using our website. You can control and/or delete cookies at any time through the settings of the browser you are using. “Cookies do not constitute personal data and are not used to identify visitors and users of the website.
4. Duration of storage of your personal data
4.1. The Company shall keep the personal data that it is required to keep under applicable law for the relevant period provided for, which may exceed the duration of your account on the Website.
4.2. The Company retains the personal data of the legal representatives of its business partners for the duration of the performance of the contract, in order to comply with the legitimate interests and legal obligations of the Company, which period may exceed the duration of the concluded contract.
5. Transfer of your personal data for processing
5.1. The Company may, at its discretion, transfer some or all of your personal data to processors for the performance of the processing purposes to which you have consented, subject to the requirements of Regulation (EU) 2016/679 (GDPR).
5.2. The Company shall notify you in case it intends to transfer some or all of your personal data to third countries or international organisations.
6. Social networks
Your access to social networks such as Facebook, Google+, YouTube, Twitter and other such sites requires separate registration and acceptance of the terms and conditions of these sites. The Company is not responsible for the protection of your personal data upon acceptance of these terms and conditions.
7. Withdrawal of consent
7.1. Withdrawal of consent to the processing of your personal data – if you do not wish the personal data you have provided to be processed for marketing purposes and to receive the newsletter, you may withdraw your consent to processing at any time by completing a withdrawal of consent form or by making a free text request and emailing it to us.
7.2. Once we have received your request, we will send you a letter to the email address you have provided with detailed instructions for verifying you as the recipient of newsletters and the subject of the personal data for which consent withdrawal has been requested.
7.3. Withdrawal of consent does not affect the lawfulness of the processing of personal data that the Company has carried out up to that point.
8. Right of access
8.1. You have the right to request and obtain confirmation from the Company as to whether personal data relating to you is being processed by sending a free text request by email or completing a form to this effect.
8.2. You have the right to obtain access to the data relating to you as well as to information relating to the collection, processing and storage of your personal data.
8.3. Once we have received your request, we will send you a letter to the email address you have provided with detailed instructions for verifying you as the subject of the personal data accessed.
8.4. Once the verification has been carried out in accordance with par. 3, the Company shall provide you, upon request, with a copy of the personal data processed relating to you in electronic or other appropriate form.
8.5. The provision of access to the data is free of charge, but the Company reserves the right to charge an administrative fee in the event of repetitive or excessive requests.
9. Right of rectification or completion
You may rectify or complete inaccurate or incomplete personal data relating to you by making a request to the Company by email using the form or by a free text request sent by email to
10. Right to erasure
10.1. You have the right to ask the Company to erase some or all of the personal data relating to you and the Company has the obligation to erase it without undue delay where any of the following grounds apply:
– the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
– you withdraw your consent on which the processing is based and there is no other legal basis for the processing;
– you object to the processing of the personal data relating to you, including for direct marketing purposes, and there are no lawful grounds for the processing which override;
– the personal data have been unlawfully processed;
– the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which the Company is subject;
– the personal data has been collected in connection with the provision of information society services.
10.2. The Company is not obliged to erase the personal data if it stores and processes it:
-to exercise the right to freedom of expression and the right to information;
– to comply with a legal obligation requiring processing under EU or Member State law applicable to the Company or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
– for reasons of public interest in the field of public health;
– for archiving purposes in the public interest, scientific or historical research or statistical purposes;
– for the establishment, exercise or defence of legal claims.
10.3. In order to exercise your right to be erased, you need to send by email a request for erasure of your personal data processed by the Company, either by filling in a form or by a free text request, after which the Company will send to the email address you used to register a letter with detailed instructions on how to verify you as the user and subject of the personal data for which erasure is requested.
10.4. Once we have verified the identity of the person who made the request and the data subject in accordance with the instructions sent to you, we will delete any data we process about you in accordance with par. 3.
11. Right to restriction
11.1. You have the right to request the Company to restrict the processing of data relating to you by sending us a request in free text by email where:
– you challenge the accuracy of the personal data, for a period that allows the Company to verify the accuracy of the personal data;
– the processing is unlawful, but you do not wish the personal data to be erased, only for its use to be restricted;
– The Company no longer needs the personal data for the purposes of the processing but you require it for the establishment, exercise or defence of legal claims;
– You have objected to the processing pending verification that the Company’s legitimate grounds override your interests.
11.2. Once we receive your request, we will send you a letter to the email address you have provided with detailed instructions for verifying you as the user and subject of the personal data for which the restriction of processing has been requested.
12. Right to portability
12.1. If you have consented to the processing of your personal data or the processing is necessary for the performance of the contract with the Company, or if your data is processed in an automated manner, you may:
– ask the Company to provide you with your personal data in a readable format and transfer it to another controller;
– ask the Company to transfer your personal data directly to a controller designated by you, where this is technically feasible.
12.2. You may exercise the right to portability by emailing us a completed form or a free text request, whereupon the Company will send a letter to the email address you have provided with detailed instructions for your verification as the user and subject of the personal data for which portability is requested.
12.3. Once the verification has been completed in accordance with paragraph 2, the Company will send the data it processes about you to the email you have provided.
13. Right to receive information
You may request the Company to inform you of any recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested has been disclosed. The Company may refuse to provide this information if it would be impossible or would require a disproportionate effort.
14. Right to object
You may object at any time to the Company processing personal data relating to you, including if it is processed for profiling or direct marketing purposes.
15. Your rights in the event of a personal data breach
15.1. If the Company becomes aware of a breach of the security of your personal data that may pose a high risk to your rights and freedoms, it shall notify you without undue delay of the breach and of the measures that have been taken or are to be taken.
15.2. The Company is not obliged to notify you if:
– the Company has taken appropriate technical and organisational protection measures in respect of the data affected by the security breach;
– the Company has subsequently taken measures to ensure that the breach will not result in a high risk to your rights;
– notification would require a disproportionate effort.
16. Persons to whom your personal data is provided
16.1. For the purposes of processing your personal data, responding to complaints/alerts and inquiries and services received, including through our websites https://www.thestep.bg/ and https://singlestep-shop.bg/ and in view of your interests, the Company may provide the data to the following data processors: state and municipal authorities, justice authorities, bodies responsible for the protection of the rights of the individual.
16.2. The data processors shall comply with all legality and security requirements when processing and storing your personal data.
16.3. The Company does not transfer your data to third countries.
16.4. In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission as follows:
Personal Data Protection Commission
Headquarters and registered office: Sofia 1592, 2 Prof. Tsvetan Lazarov Boulevard
Address for correspondence: Sofia 1952, 2 Prof. Tsvetan Lazarov Boulevard
Phone: 02 915 3 518
16.5 You may exercise all your rights regarding the protection of your personal data in any form that contains a statement to that effect and identifies you as the data holder or use a form for that purpose.