Personal Data Protection Policy of "DANUBE COMMUNICATION" Ltd.
"DANUBE COMMUNICATION" Ltd. processes your personal data with maximum security in relation to the contractual relationships between you and the company, and in accordance with the regulatory obligations arising from its activities.
"DANUBE COMMUNICATION" Ltd. collects and processes personal data only in compliance with local and European legislation. The processing is related to a specific purpose and cannot be carried out without limitation.
Regarding the purposes and grounds for processing personal data, "DANUBE COMMUNICATION" Ltd. acts as a data controller. In this capacity, "DANUBE COMMUNICATION" Ltd. is committed to implementing technical and organizational measures to ensure the protection of personal information.
This "Personal Data Protection Policy" provides information on the purposes, legal grounds, and methods of processing personal data, the categories of personal data processed, the categories of recipients to whom they may be disclosed, as well as your rights regarding the processing of your personal data.
Please carefully review the content of this policy, as it is a mandatory condition for your registration on our platform and for the provision of our services.
Policy Updates and Changes
To apply the most up-to-date protection measures and comply with current legislation, we will regularly update this Personal Data Protection Policy. We encourage you to regularly review the current version of this policy to stay informed about how we ensure the protection of the personal data we process.
This Personal Data Protection Policy was adopted on 30.03.2025.
I. Information about the Personal Data Controller
"DANUBE COMMUNICATION" Ltd., UIC 208055812, with its registered office and management address in the Republic of Bulgaria, city of Sofia, "Ekzarch Yosif" Str. No. 93, website: https://alain-soral.com/, e-mail: [email protected]
I.I Information about the Data Protection Officer
……………………………… e-mail: https://alain-soral.com/, tel.: ………
II. Information about the Competent Supervisory Authority
- Name: Commission for Personal Data Protection
- Registered office and management address: Sofia 1592, "Prof. Tsvetan Lazarov" Blvd. No. 2
- Correspondence address: Sofia 1592, "Prof. Tsvetan Lazarov" Blvd. No. 2
- Telephone: +35929153518
- Email: [email protected], [email protected]
- Website: www.cpdp.bg
III. Purpose and Scope of the Personal Data Protection Policy
This policy follows the territorial and material scope of Regulation (EU) 2016/679 and adopts its main objectives. It is applied by all our employees.
"DANUBE COMMUNICATION" Ltd. needs to collect and process personal data to carry out its activities lawfully, appropriately, and effectively. This applies to the personal data of employees, customers, and visitors to the website/platform.
IV. Categories of Personal Data, Purposes, and Legal Grounds for Processing
"DANUBE COMMUNICATION" Ltd. processes different categories of personal data for different subjects based on specific grounds according to the pursued purposes. In compliance with Articles 13 and 14 of Regulation (EU) 2016/679 and the principles of legality, fairness, transparency, and awareness, as well as for the convenience of data subjects, this section provides detailed information on the necessary aspects of data processing.
1. Categories of Personal Data Provided by the Data Subject – Natural Person:
Data Related to Physical Identity
- Name and surname;
- Personal Identification Number/Date of Birth – for invoices;
- Contact details: email and phone number;
- Address: permanent or current;
- IP address.
Data Related to Economic Identity
- Payments are processed through the Revolut platform, and we do not process our clients' banking data. We receive information from Revolut regarding successful or unsuccessful payments.
3. Purposes and Legal Grounds for Processing
The personal data obtained from the data subject – natural person – will be used for the provision of our services, in compliance with contractual obligations, legal requirements applicable to the administrator, and the protection of legitimate interests, including:
- Creating a profile on the Controller's Platform;
- Subscription payments;
- Payments for VOD (Video on Demand);
- Establishing and maintaining registers for accountability;
- Financial and accounting reporting;
- Issuing invoices;
- Responding to data subject requests regarding their rights under Regulation (EU) 2016/679;
- Marketing purposes;
- Performing other functions as required by law or contractual obligations.
The processing of the specified categories of personal data provided by you is carried out on the basis of:
- Article 6, paragraph 1, letter "c" of Regulation (EU) 2016/679 – legal obligations applicable to the controller, as stipulated in statutory and regulatory acts governing our activities, such as the Consumer Protection Act, the Corporate Income Tax Act, the Value Added Tax Act, the Accounting Act, and others.
- Article 6, paragraph 1, letter "b" of Regulation (EU) 2016/679 – performance of a contract to which you (the data subject) are a party, as well as taking steps at the request of the data subject before entering into a contract. An example of such steps includes creating an account in our system.
- Article 6, paragraph 1, letter "f" of Regulation (EU) 2016/679 – protection of legitimate interests.
- The processing of certain personal data related to your physical identity, namely names and email address, for the purposes of direct marketing will only be carried out based on your freely given, specific, informed, and unambiguous consent, in accordance with Article 6, paragraph 1, letter "a" of Regulation (EU) 2016/679.
4. The Controller does not apply "automated individual decision-making, including profiling."
5. "DANUBE COMMUNICATION" Ltd. does not collect or process personal data solely for the purpose of identifying the subject when it pertains to:
- Racial or ethnic origin;
- Political, religious, or philosophical beliefs, or trade union membership;
- Genetic data, data concerning sexual life or sexual orientation.
6. The Controller does not collect or process personal data of minors.
7. This policy does not apply to the processing of personal data of a data subject (natural person) within the scope of their purely personal activity or household-related matters.
V. Categories of Recipients of Personal Data
"DANUBE COMMUNICATION" Ltd. may provide your personal data to third parties, primarily to protect your interests and security in relation to the fulfillment of legal and contractual obligations or specific tasks. Personal data is not provided to third parties without ensuring that all technical and organizational measures for data protection have been taken, with strict control over the enforcement of these measures. Where applicable, we ensure that your data is processed only according to the instructions provided on behalf of the controller – "DANUBE COMMUNICATION" Ltd.
1. Recipients of Data, Outside the Controller:
Entities Requiring Information on a Legal Basis
- State and municipal authorities, agencies, institutions, and other competent regulatory bodies, in accordance with their powers (ministries, directorates, agencies, commissions, etc.);
- Judicial authorities (courts, prosecution offices, etc.);
- Regulatory bodies (Commission for Personal Data Protection, Commission for Protection of Competition, Consumer Protection Commission, etc.);
- Auditors and accreditation bodies;
- Experts and judicial officers.
Entities Requiring Information on a Contractual Basis
- Service providers (consultants, experts, accountants, appraisers, auditors, lawyers). Such data disclosure occurs only when there is a legitimate reason and based on a written agreement ensuring that recipients provide an adequate level of protection;
- Companies providing cloud services – AWS;
- Marketing agencies, only upon your explicit consent;
- Entities contracted to maintain equipment, software, and hardware used for processing personal data and essential for the company's operations;
- Courier companies.
2. Recipients of Data Within the Controller
- Internal sharing among employees, with full compliance with the implemented technical and organizational security measures.
VI. Technical and Organizational Data Protection Measures
To ensure adequate protection of the data of its employees, clients, and partners, "DANUBE COMMUNICATION" Ltd. applies all necessary organizational and technical measures provided for in the Personal Data Protection Act and Regulation (EU) 2016/679, both in terms of data protection by design and data protection by default.
Data protection by design is implemented through appropriate technical and organizational measures introduced by "DANUBE COMMUNICATION" Ltd. before the start of personal data processing (during the stage of determining the purposes and means of processing) and ensuring their application throughout the entire data lifecycle.
Personal data protection is ensured through mechanisms that, by default, guarantee compliance with the following requirements:
- Only the minimum amount of personal data necessary to achieve a specific purpose is processed, and only essential processing operations are performed;
- Licensed software and electronic security certificates are used for system and internet platform/website protection;
- Encrypted email services with paid, private domains are used. Documents containing personal data and classified information are not sent to public domain email addresses;
- Only employees who need access to perform their official duties can access personal data;
- Personal data is not shared with other employees unless necessary for fulfilling their job responsibilities;
- Employees must handle data with care and responsibility during their work and while accessing the platform, ensuring that their devices are never left unattended;
- The company's office does not store documents related to personal data processing. All information is entirely digital and stored in cloud systems, following cloud service providers' policies. However, due to legal obligations, certain documents containing personal data must be stored on paper, which is done in a designated, locked cabinet;
- Cloud service access is secured through an HTTPS connection, and every employee is informed about IT and information security policies. Employees are notified of any updates relevant to their role;
- For internal operations and customer data processing, we use cloud platforms that provide remote access with user-level permissions and strict data security policies;
- Data access is granted to specific employees through a personal work account for completing a specific task;
- If an employee leaves the company, they immediately lose access to all related data;
- A password policy and user rights management system are in place;
- Employees undergo training on the correct implementation of Regulation (EU) 2016/679 and the application of introduced technical and organizational measures and procedures;
- Data is stored for the minimum period necessary to achieve processing objectives and is deleted afterward in compliance with relevant rules and procedures;
- Data that is no longer legally required is irreversibly destroyed, with a deletion protocol;
- Data access, transfer, or sharing is only allowed when a valid legal basis exists (e.g., contract, data subject's consent, or legal obligations);
- Downloading, sharing, or storing any confidential data accessed by employees for work purposes is strictly prohibited on personal devices (e.g., laptops, tablets, mobile phones, cameras, or smartphones), nor can it be recorded in any way (e.g., photos, videos, screenshots, or other images);
- Highest levels of information and hardware security are applied in accordance with Regulation (EU) 2019/881;
- 24/7 system maintenance is conducted to minimize security breaches, data leaks, and identity fraud;
- A full internal audit and system check is conducted every 12 months;
- If there is evidence of a security breach, the service may be temporarily or permanently suspended to prevent unauthorized actions by third parties;
- The controller ensures that data processors and any individuals acting under the controller's guidance process personal data only as instructed and for the specified purpose;
- In case of a personal data security breach, the controller will promptly notify the competent supervisory authority (Commission for Personal Data Protection – CPDP) and, if necessary, the affected data subject.
"DANUBE COMMUNICATION" Ltd. reserves the right to implement additional security measures for employees when necessary. To ensure maximum security in data processing, transmission, and storage, additional protection mechanisms may be applied.
VII. Transfer of Data to Third Countries
No personal data is transferred to third countries, and no processing occurs outside the European Union. If such a transfer is required in the future, it will be done to enhance cybersecurity, with properly signed contracts and only after verifying the implementation of appropriate technical and organizational measures, as per Regulation (EU) 2016/679. The transfer will be carried out only if a low level of risk is demonstrated, in compliance with Regulation (EU) 2019/881.
VIII. Data Retention Period
"DANUBE COMMUNICATION" Ltd. generally ceases full processing of personal data for the specified purposes after the termination of contractual relationships or upon request by the data subject. However, data is not deleted before the expiration of the legally mandated retention periods, in accordance with the storage limitation principle.
Your personal data will not be deleted or anonymized if they are required for ongoing legal or administrative proceedings, or for the resolution of a complaint. Data is retained no longer than necessary. Below are the retention periods for certain categories of particularly significant data.
1. Statutory Data Retention Periods:
- Information required for account creation – up to 5 years;
- Data processed based on the data subject's consent – until consent is withdrawn;
- Under the Accounting Act – retention and processing of accounting data for 10 years, starting from the year following the last payment.
2. Retention Periods Determined by the Controller:
- The system may integrate the ability to process data and logs collected from failed identification attempts and/or terminated registration processes – retained for up to 2 years from the occurrence.
IX. Data Subject Rights – For Individuals
1. Right to Information and Access.
You have the right to request:
- Information about whether data concerning you is being processed, the purposes of such processing, the categories of data, and the recipients or categories of recipients to whom the data is disclosed;
- A communication in an intelligible form containing your personal data being processed, as well as any available information about their source;
- Information on the logic behind any automated processing of personal data related to you, at least in cases of automated decisions.
2. Right to Rectification.
In cases where we process incomplete or incorrect data, you have the right, at any time, to request:
- Deletion, correction, or blocking of your personal data whose processing does not comply with legal requirements;
- Notification of third parties to whom your personal data has been disclosed of any deletions, corrections, or blocking, except where this is impossible or requires excessive effort.
3. Right to Erasure.
The right to erasure, or "the right to be forgotten," provides the ability, when you no longer wish your data to be processed and there are no legal bases for their storage, to request their deletion based on one of the following grounds:
- Personal data is no longer necessary for the purposes for which they were collected or otherwise processed;
- You withdraw your consent on which the data processing is based;
- You object to the processing and there is no overriding legal basis for the continuation of processing;
- Personal data have been processed unlawfully;
- Personal data must be erased to comply with a legal obligation.
"The right to be forgotten" is not an absolute right. There are situations in which the controller may refuse to erase the data, namely when the processing of specific data is necessary for any of the following purposes:
- Exercising the right to freedom of expression and information.
- Archiving for purposes in the public interest, scientific research, historical research, or statistical purposes.
- Establishing, exercising, or defending legal claims.
4. Right to object.
At any time, you have the right to object to the processing of your personal data where there is a legal basis for doing so. When the objection is justified, the personal data of the respective individual cannot be processed further.
5. Right to restrict processing.
You can request the restriction of the processing of personal data if:
- You dispute the accuracy of the data for the period during which its accuracy is being verified; or
- Processing the data is without legal basis, but instead of deletion, you want their restricted processing; or
- We no longer need this data (for a specific purpose), but you need it to establish, exercise, or defend legal claims; or
- You have objected to the data processing while waiting for the administrator to verify the legality of the grounds.
6. Right to data portability.
You can request us to provide the personal data you have entrusted to us in an organized, structured, commonly used, and machine-readable format to another controller if:
- We process the data based on the contract and the consent declaration, which can be withdrawn, or based on contractual obligations, and
- The processing is carried out automatically.
7. Right to withdraw consent.
You have the right, at any time, to withdraw your consent for the processing of personal data if the processing is based on your consent. Such withdrawal does not affect the lawfulness of the processing based on the consent before its withdrawal.
8. Right to file a complaint.
If you believe that we are violating applicable regulations, please contact us to clarify the issue. Of course, you have the right to file a complaint with the Commission for Personal Data Protection or with the respective court following the Administrative Procedure Code. As of May 25, 2018, you can also file a complaint with the regulatory authority within the EU.
9. Right to obtain compensation.
According to Article 39, paragraph 2 of the Bulgarian Personal Data Protection Act and Article 82, paragraph 1 of Regulation (EU) 2016/679, anyone who has suffered damages as a result of a breach of the provisions of Regulation (EU) 2016/679 has the right to obtain compensation through a lawsuit before the competent judicial authority.
X. Exercising Your Rights
Requests to exercise your rights should be submitted to one of the following email addresses – [email protected]. They should be signed with a Qualified Electronic Signature (QES) or by another method that indisputably verifies the will of the person submitting the request. We respond to your request within one month of its submission. When an objectively necessary longer period is required, for instance, to collect all requested data or when it significantly hampers our operation, this period can be extended by up to 30 days. In our decision, we grant or refuse access and/or the requested information, always providing a reasoned response.
The minimum information contained in the request (according to Art. 37v of the Bulgarian Personal Data Protection Act) should be as follows: name, address, Personal Identification Number (EGN)/Foreigner's Personal Number (FPN)/passport number, a description of the request, signature, and date of submission, mailing address/email (depending on the preferred form of receiving information), power of attorney.
Concerning the aforementioned rights: to information, to correction, the "right to be forgotten," to object, to restriction of processing, to not be subject to a decision based solely on automated processing, to withdraw consent, to file a complaint, and in view of the actions of the administrator in connection with these rights, a specific register is created to record all actions carried out.
The initial provision of a response to a submitted request is free of charge. In cases of excessiveness (repetition: more than 2 (two) requests of the same substance within a period of 12 (twelve) months) or apparent lack of merit in the requests from the same subject, the Controller may request a reasonable fee for executing the request or refuse to take action on the request.
XI. Principles of Personal Data Processing, in accordance with Regulation (EU) 2016/679
- "Lawfulness, fairness, and transparency" - Your data is processed in compliance with applicable legislation, fairly, and in a transparent manner towards the data subject.
- "Limitation of purpose" - Your data is collected for specific, explicitly stated, and legitimate purposes and is not processed further in a manner incompatible with these purposes.
- "Data minimization" - The types of data we collect are suitable, related, and limited to the necessary minimum in connection with the purposes for which the personal data is processed.
- "Accuracy" - Your data is kept accurate and, if necessary, up to date, and all reasonable measures are taken to ensure the timely deletion or correction of inaccurate personal data, considering the purposes for which they are processed.
- "Limitation of storage" - Your data is stored in a form that allows the identification of the data subject for a period no longer than necessary for the purposes for which the personal data is processed.
- "Integrity and confidentiality" - Your data is processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using suitable technical or organizational measures.
XII. Definitions
- "Personal data" - any information related to an identified or identifiable natural person.
- "Data subject" - an individual who can be identified directly or indirectly, especially through an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- "Processing" - any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Restriction of processing" - marking stored personal data with the aim of limiting their processing in the future.
- "Pseudonymization" - processing personal data in a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- "Controller" - a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- "Processor" - a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
- "Log file" - a file containing system information about the operation of the Platform and information about user actions.
- "Consent of the data subject" - any freely given, specific, informed, and unambiguous indication of the data subject's wishes, which, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.
- "Profiling" - any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
- "Automated decision-making" - the ability to make decisions using technological means without human intervention.
- "Personal data breach" - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that is transmitted, stored, or otherwise processed.
- "Recipient" - a natural or legal person, public authority, agency, or another body to whom personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not considered recipients. The processing of such data by those public authorities complies with applicable data protection rules in line with the purposes of the processing.
- "Third country" - any state that is not a member of the European Union or a party to the Agreement on the European Economic Area.