PRIVACY POLICY (NOTICE)

PURSUANT TO REGULATION (EU) 2016/679 OF THE 
EUROPEAN PARLIAMENT AND OF THE COUNCIL

    INTRODUCTION:
    The present policy has been adopted by Lyubka Vasileva – Karapanova, attorney at law, member of the Sofia Bar Association with personal registration number 1000735710, BULSTAT № 180212952 (further referred to as the "Lawyer", the "Controller" or the law firm);
    The policy governs the principles and rules in conformity to which the Lawyer will process personal data in the capacity of a personal data Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "Regulation").
    In executing the requirements of Article 13 of the Regulation, the present policy serves to furnish you with information on how the Controller may collect and process your personal data, including in connection with your use of the information services and resources offered on the website http://lvlawmediation.com (the “Website”) and in the corporate profiles of the law firm on the various social networks. We kindly ask you to read this policy carefully so as to get a clear understanding of how your personal data is actually processed in this context and the rights you are entitled to in relation to that processing.    
The present policy does not apply to the processing of personal data by various third parties to whose websites/platforms/applications, etc., you might have been redirected by the Website. Such third parties must have their own privacy policies made accessible on their websites/platforms/applications, etc., and we highly recommend that you familiarize yourself with their policies before using the respective services or resources.

    1. Information and contact details of the personal data Controller 
    Lyubka Georgieva Vasileva – Karapanova, attorney, member of the Sofia Bar Associations, membership registration number 1000735710, BULSTAT 180212952, further referred to as the "Controller" /or the Office/.
    Contact details: Sofia, “Lachezar Stanchev” str. 5, SBT, Bldg. A, 19th floor; office@lvlawmediatiom.com
    The Controller is entitled to process your personal data in conformity with the provisions of the currently applicable legislation and the rules and principles set out in the present policy.
    2. Information on the individuals whose personal data is being processed 
    Depending on the specific case and the nature of the relationship itself, the Controller may process the personal data of the following individuals:
    2.1. In connection with the provision of legal and mediation services, the Controller may process the personal data of:
    • Clients – natural persons or representatives of clients – legal entities;
    • Natural persons related to the client, such as members of its management bodies, beneficial owners, employees, consultants, client contractors, etc.;
    • Other individuals whose personal data has to be processed in connection with the performance of the respective service for the client /e.g., details of the opposing party in a legal dispute, legal procedure, or contract, of a witness, etc./;
    2.2. In connection with the activity of the law firm the Controller may also process the personal data of the following individuals:
    • Natural persons with whom the Controller has entered into negotiations or a contractual relationship, such as suppliers of goods or services, landlords, etc., their representatives or employees;
    • Job applicants, trainees or office employees;
    • Partners and/or their representatives or employees;
    • Officials from various institutions/organizations who contact the Controller in connection with or on the occasion of the activities of the law office, or with whom it is necessary that such a communication be established. 
    2.3. In connection with the management and maintenance of the Website, with the provision of the information resources available in it and in the profiles of the law office in the different social networks, as well as in order to respond to and maintain communication with anyone who has contacted him, the Controller may process information regarding the following categories of individuals (data subjects/you)
    • Website visitors and the users of the resources available therein;
    • Individuals making inquiries, requests, business proposals, signals, complaints, or establishing other correspondence with the Controller via the Website or any other communication channels /incl., phone, email, mail, social media profiles, etc./;
    • Third parties, information about whom is provided by visitors to the Website and/or is contained in inquiries, requests, business proposals, signals, complaints, or other correspondence addressed to the Controller, regardless of the communication channel actually used;
    • Individuals who have subscribed as receivers of certain communications sent by the Controller (marketing messages, newsletters, etc.);
    • Individuals interacting via profiles/pages of the Controller in various social networks.
  

 3. Types of personal data that are or may be processed (as the case may be):
    3.1. In the cases mentioned in item 2.1. and 2.2. above and depending on the case at hand, the Controller may process the entire or a part of the following personal data:
    • Personal identification data such as: name, personal identification number/personal ID number of a foreigner, data from an identity document, incl., nationality, citizenship, address;
    • Occupation, place of work, official post;
    • Contact details such as: address, email, phone, Viber, WhatsUp, Web, etc.;
    • Data provided when effecting payment obligations, such as: name and surname, address, personal identification number, professional occupation, institution/organization represented by the person making the payment or the person on whose behalf the payment is made, method of payment details, the bank account from which it is made, etc., depending on the information provided by the payment system used;
    • Details on the bank account and the origin of the funds;
    • Other data necessary for the identification of a client, his/her related persons, and/or beneficial owner (if and when necessary); for the conclusion of a contract and/or the establishment of communications/business relationship; or for the performance of a given job assigned by the client and/or a legal or contractual obligation of the Controller.
    In each specific case, the data thus collected and processed shall be limited to the volume and specifics that are strictly necessary for the purpose for which it is collected. (For instance, we will not ask you to provide any bank account details unless we have to make a payment to your account or, in the capacity of your representative, to require  a third-party payment to that account.)
3.2. When a request to the Controller is made or when the Website and the resources available therein or through it are used, the Controller, depending on the case at hand, may process some of the following kinds of data: 
•     Data provided in the contact details or feedback form, subscription, or other means of correspondence with the Controller, whether through the Website, or through some other communication channels. Such data may consist of: name and surname; telephone; e-mail address; postal address, city; profession; institution/organization represented by the person carrying out the communication or a person for whom the data provides information or the person in charge of the employee; information on where the subject has obtained information  on the Controller and the services provided thereby; non-structured information regarding the user's inquiry/request; information on third parties contained in the messages/inquiries/requests made by the users of the Website; data related to the receipt of the initial and any subsequent correspondence with the Controller such as time log (date/time) and source (IP address) of the respective correspondence, the channel through which correspondence was transmitted, etc., as well as any additional information collected or created in connection with the processing, the status and the final result from the correspondence exchange.
•    Information that is automatically collected when using the Website and is technologically necessary for its functionality without the ability to directly identify its visitors. Such information includes, or may include, the date and time of accessing the Website, the IP address from which the connection was made, the server and system logs (to detect technical problems and/or identify malicious actions) and, where applicable, logs for making legal statements (such as the user`s confirmation of becoming familiar with the privacy policy, the cookie policy, newsletter subscriptions, etc.).
•     Information which may be obtained when interacting with the business profiles or pages of the Controller in various social media (e.g., when liking, sharing, or in other form interacting with the published content). Depending on your privacy settings in the respective social network, such information may include: name and username, profile information on the respective social network (e.g., photo, gender, age or age range, language, country, friend`s list, list of pages liked/followed, etc., sub.); any/all other information you may have given access to and which the social network is entitled to provide. The social medias/networks in question are not subordinated to the Controller and their processing of personal data cannot be controlled by him.
    The persons/entities maintaining the respective social networks have adopted their own rules and procedures for protecting your personal data, including the collection of information via a number of tools (such as cookies), which is why we highly recommend that you pay particular attention to their specific rules and data protection policies.
    • “Cookies” and similar technologies 
    In the process of managing and maintaining the Website, we may use cookies and other similar technologies (e.g., beacons, web bugs, pixel tags, clear GIF technologies) in order to ensure its reliable and efficient functioning. More about the different types of cookies we use on the Website and your options for controlling them may be found in the “Cookie Policy” published on the Website. The “Cookie Policy” is an integral part of the present document unless explicitly stated otherwise. 

    4. Personal data processing: purpose and legal grounds 
    Depending on the legal basis for the personal data processing, the     purposes for this activity may be:
4.1. Purposes necessary for compliance with the legal obligations of the Controller. Such purposes could be:
    • Where applicable, the performance of activities to comply with legal obligations related to the provision of information to competent state and judicial authorities, assistance during inspections performed by such authorities, etc.;
    • Execution of the Controller`s obligations as per the “Measures against money laundering” act (e.g., customer identification, identification of the beneficial owner of a client, clarification of the source of the client`s property, etc.), or other legal obligations imposed on the Controller in conformity with the currently acting legislation;
    • Handling inquiries, requests, incl. for the exercise of rights, etc., addressed to the Controller and the preparation of the respective answers;
    • Where applicable, documenting the electronic statements addressed to the Controller which relate to the fulfillment of its legal obligations, such as confirmation of the awareness of the personal data protection policies, the “cookie” policies, etc.
    For the purposes listed above and in other similar cases, the basis for the processing of personal data is the provision of Art. 6, par. 1, item "c" of the Regulation, namely "processing is necessary for compliance with a legal obligation to which the controller is subject," and for such purposes all or a part of your personal data may be subjected to processing.
 
    4.2. Purposes related to the steps taken by potential counterparties or clients, incl., user(s) of the Website prior to the conclusion of a contract between them and the Controller or in connection with the performance of a contract already concluded between a counterparty/client/user(s) and the Controller, e.g.:
    • Initial consideration of requests for legal services, assistance, or mediation and establishing contacts with the user or the contact person specified in the request in connection with the possibility of providing the requested services as well as in relation to the manner of continuing the communication related to the request  In the event that such a request is made on behalf of a legal entity, the processing of any personal data  included in or relating to the request constitutes our legitimate interest, namely to provide our services, and in  those cases we process that data on the basis of legitimate interest.. The above said applies to the processing of the personal data of an individual other than the natural person submitting the request/inquiry (e.g., a party to a dispute when a request for mediation is submitted by the other party);
    • Considering offers made by counterparties and establishing contacts with the proposing party;
    • Providing or receiving the necessary pre-contractual information;
    • Concluding a contract.
    • Provision of services under an already concluded contract between the client/other contracting party and the Controller.
    In these, and in other similar cases, the legal basis for data processing is art. 6, para. 1, letter "b" of the Regulation, namely “the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract” . For the realization of the purposes listed above we may process some, or all of the personal data referred to in the present Policy.
4.3. Purposes related to the legitimate interests of the Controller or of any third parties, including:
4.3.1. Purposes connected with the legitimate interest in providing the service for which a request/inquiry has been made. For example:
In case of a request for mediation by one of the parties to a dispute, we need to contact the other party to the dispute in order to inform it of the received request for mediation, obtain that party`s consent to participate in the mediation process, and organize the procedure;
•    Establishing contacts with the individuals indicated in the inquiry: representatives, employees, consultants of the applicant, or other individuals for whom information is provided for the purpose of analyzing the case, etc.
4.3.2. Purposes connected with the legitimate interest to maintain and improve the quality of the information services and the resources provided on the Website, namely:

    • Administration, management, performance analysis and quality control of the information services and resources available on the Website;
    • Ensuring the normal functioning and use of the Website and the services and resources available on it;
    • Performing maintenance and administration activities on the Website, including, but not limited to, preventing cyberattacks and other malicious actions.
4.3.3. Purposes connected with the legitimate interest of the Controller to communicate with the users of the Website services/clients/potential clients or partners, namely: 
    • Providing the possibility to maintain correspondence/communication (including the possibility of online enquiries for legal services and assistance) through various channels;
    • Providing the possibility to interact and communicate with the Controller through its business profiles/pages in the various social networks;
    • Timely processing and responding to the initially received correspondence as well as all to the subsequent one;
    • Ensuring internal accountability and organizing the work of the Controller.
4.3.4. Purposes related to the legitimate interest of the Controller and/or third parties to exercise and protect certain legal rights and interests such as:
    • Exercising and protecting the legal rights and interests of the Controller, including via administrative or judicial procedures (e.g., by filing complaints, signals, etc., to the competent state and judicial authorities or protection against such actions);
    • Providing assistance in the exercising and protecting the legal rights and interests of third parties (e.g., employees, associates or contractors of the Controller, Website visitors, processors of personal data, etc.), including in court procedures;
    • Performing administrative and service activities related to the correspondence containing complaints, signals, etc.
    For the purposes listed above , and in other similar cases, the legal basis for the personal data processing is Art. 6 par. 1, item "f” of the Regulation, namely that the personal data processing activity is necessary for the protection of the legitimate interests of the Controller or of any third party.
4.4. Purposes for which you have given your consent.
When processing your personal data on the basis of your consent, the purposes for  that processing are explicitly stated in the respective form by which you grant your consent to the processing (e.g., for the purpose of responding to your inquiry submitted in the blank form placed on the Website or when subscribing to a newsletter, etc.). We will only process the personal data which you have provided to us in the respective consent form and only for the purposes specified therein.

    5. Sharing your personal data
    The Controller respects your personal data and shall protect  its  confidentiality. Subject to the related legal requirements your personal data may be disclosed to the following categories of recipients:
    • Competent state, municipal and judicial authorities when necessary for the performance of the services provided to the client by the Controller /e.g., filing of a legal claim(s)/, and/or for the fulfillment of a legal obligation, or for the protection of rights or the legitimate interests of the Controller or any third parties. 
    • Financial institutions, when necessary to carry out transactions, as well as insurance companies;
    • Partners – for example, other lawyers or mediators with whom we jointly provide services to our clients – in connection with the provision of these services; employees/associates of the Controller – in connection with a response to a request or providing a service to a client; 
    • Subcontractors – processors of personal data on behalf of the Controller to whom the latter has assigned the performance of certain activities (such as the technical maintenance of the Website, colocation services for the server and the network equipment, etc.). The data provided to the subcontractors shall not exceed the volume which is strictly necessary for the performance of the assigned work and the subcontractors shall be obligated - by virtue of a contract concluded with the Controller - to process the data in strict compliance with our instructions and only for the purposes provided for in the relevant contract. 
    • Business partners and service providers – other personal data controllers (e.g., companies providing telecommunications, accounting and courier services, etc.), as well as individuals who`s assistance is necessary for the purpose of executing and protecting the legitimate interests of the Controller or of any third parties (users of the Website, employees of the Controller and its subcontractors or service providers, etc.) as private and state bailiffs, notaries, etc.). In dealing with such individuals, we require strict compliance with the applicable laws and the rules for the protection of personal data. 
    • In all other cases as per the currently acting legislation.
 

   6. Transfer of personal data outside of the European Union (EU) / European economic area
    We have no intention to transfer any personal data outside of the European Union (EU) / European economic area. It is possible, however, that in the process of transmitting data to third parties, including our business partners and service providers, your personal data may be transferred to countries outside the EU/EEA which do not provide the same level of protection as the protection granted by the laws in Europe. Such transfer is also possible if and when necessary for the provision of a service requested by the customer or for the fulfillment of legal obligations. In all such cases, the transfer will take place in conformity with the applicable legislation and on the basis of a decision taken by the European Commission (EC) on the adequate level of data protection in the third country or, in the absence of such a decision, on the basis of the standard contractual clauses pursuant to the enforced EC decisions.

  7. Personal data storage term
    7.1. The Controller can store your personal data only for a period of time limited by the necessity to achieve the purpose of the data processing. 
    7.2. Upon the expiration of the above mentioned time period, the Controller may continue to keep the personal data in its possession: 
    • In order to fulfill a legal obligation for information storage /e.g., under the Bar Act, the Accountancy Act, the Measures against money laundering act, etc./;
    • For the protection of its legitimate interests: until the expiry of limitation periods and the preclusion of the possibilities for filing legal claims or initiating legal disputes against the Controller and/or its employees or partners.
    7.3. All personal data related to and/or contained in paper documents/other carriers for which statutory storage periods are set in place shall be stored for time periods provided for in the currently acting legislation unless the present policy provides for longer periods (for example, in connection with the protection against legal claims as per the provisions of Art. 7.2, item 2 above/. 
    7.4. When no statutory storage periods are set, the personal data, including data contained in correspondence exchanged with the Controller (including but not limited to inquiries, requests, complaints and signals  - including free text correspondence - and any other communication with us) as well as information regarding the processing, status and final results from the correspondence shall be stored for a period of no longer than 5 (five) years after the end of the relevant correspondence and the expiry of the related legal relations.
    7.5. The server and system logs are stored as per the standard duration of no more than 1 /one/ year. The logs for the statements made on the Website - such as confirmations of the awareness of the present policy when using a contacts format – shall be stored for a period of up to 5 (five) years after ending the communication with us. The various cookies we use and other similar technologies shall be stored for the period specified in our “Cookie” policy published on the Website.
    7.6. The personal data provided and processed on the basis of the data subject`s consent shall be processed for the purposes and for the period for which the consent is given. If the consent is not restricted in time, the processing shall be continued until the withdrawal of the consent, or until the final achievement of the purposes of the processing. Your consent can be withdrawn at any point in time. 
    7.7. In the event that as per a requirement of the law, or any other legal act, certain information and/or paper documents or other data carriers have to be stored for a period longer than the time frames quoted in items 7.3 - 7.6 above, the longer period shall apply.
    7.8. In the event of a legal dispute or a proceeding requiring data storage and/or in the event of a relevant request from a competent state authority, data may be stored for periods longer than the above set deadlines, until the final settlement of the dispute or proceedings by any/all instances and for a period of up to 5 (five) years after their final completion.
    7.9. In the event that according to the currently acting legislation the above specified deadlines are subjected to changes the above quoted storage periods shall be changed accordingly.

    8. YOUR RIGHTS AS A DATA SUBJECT
    Being a data subject within the meaning of the Regulation, you are entitled     to the following rights:
    8.1. The right to information (Art. 13 and Art. 14 GDPR – General Data Protection Regulation) - You have the right to receive information regarding the processing of your personal data by the Controller. The present policy aims to provide this information by informing you in detail about the processing of your personal data.
    8.2. Right of access (Art. 15 of the GDPR) - You have the right to obtain confirmation from the Controller whether your personal data is subjected to processing by the Controller and if so, the right to access that data and to the information regarding the manner of its processing and the rights you are entitled to.
    8.3. Right to rectification (Art. 16 of the GDPR) - You have the right to request a correction or completion of your personal data if it is found to be incomplete or inaccurate.
    8.4. Right to erasure (Art. 17 of the GDPR) - If the grounds / conditions provided for in the Regulation are met, you have the right to request the deletion of your personal data.
    8.5. Right to restricting the processing of your personal data (Art. 18 of the GDPR) - The applicable legislation provides for a possibility to restrict the processing of your personal data, if the grounds provided for this in the Regulation are available.
    8.6. Right to notify third parties (Art. 19 of the GDPR) - If applicable, you have the right to instruct the Controller to notify the third parties to whom your personal data has been disclosed of any corrections, deletion or restrictions on its processing unless this proves impossible or requires disproportionate effort on the part of the Controller.
    8.7. Right to data portability (Art. 20 of the GDPR) – You have the right to receive the personal data concerning yourself which you have provided to us in a structured, commonly used and machine-readable format and to provide such data to another Controller without any hindrances on our part. The right to data portability shall apply where both of the following conditions are met: the processing is based on consent or on a contractual obligation and; it is performed by automated means. When technically feasible, you shall have the right to personal data transmission directly from one Controller to another.
    8.8. Right to objections (Art. 20 of the GDPR) - You will have the right /at any point in time and on grounds related to the specific situation/ to object to the processing of your personal data on the basis of a legitimate interest. In the event of such an objection, we will consider your request and, if justified, we will comply with it. If we consider that there are legitimately compelling grounds for personal data processing or that it is necessary for the establishment, exercising or defending certain legal claims, we will inform you thereof in due time.
    8.9. The right not to be the object of a decision based solely on automated processing, including profiling (Art. 22 Art. 20 of the GDPR).
    8.10. Right to withdraw your consent to data processing (Art. 7, par. 3 of the GDPR) - You shall have the right- at any point in time - to withdraw your consent to the processing of your personal data when the processing is based on consent. Such withdrawal does not affect the legitimacy of the process until the withdrawal of your consent. Please note that in the event of the existence of a different basis for processing your personal data /e.g., a legal obligation, a legitimate interest, etc./, we shall have the right to continue processing your data even after you have withdrawn your consent.
    You can exercise the above quoted rights by sending a request to the Controller at the following email address: office@lvlawmediatiom.com or at the address specified in item 1 above.
    
RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY 
    (Art. 77 of the GDPR) 
    You shall have the right to lodge a complaint with a supervisory authority if, and when, you believe that the processing of your personal data violates the currently acting personal data protection legislation. The Bulgarian supervisory authority is the Commission for Personal Data Protection with office address in the city of Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" № 2.