"Eldrive Charging" EAD
PRIVACY POLICY

1. MAIN DEFINITIONS

1.1. "Responsible person" means the employee of the Data Controller who, due to the nature of his work, is entitled to perform the specific functions related to processing.

1.2. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)

1.3. "Employee" means a person who has entered into an employment contract or a similar contract with the Data Controller.

1.4. "Data / personal data" means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

1.5. "DPA" means a data processing agreement to be signed with each Data Processor in accordance with the conditions set out in Section 3 below;

1.6. "Recipient" means an individual or a legal entity, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not.

1.7. "Data subject" means a customer or employee of the Data Controller or any other person whose personal data is processed by the Data Controller.

1.8. "Processing" means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making the data accessible, arranging or combining, restricting, deleting or destroying it;

1.9. "Data processor" means an individual or a legal entity, public authority, agency or any other body which processes personal data on behalf of the Controller;

1.10. "Controller" means "Eldrive Charging" EAD, registered in the Commercial Register at the Registry Agency with UIC 205175105 and address: 11-13 "Yunak" street, fl. 4, Krasno selo, 1612, Sofia.

1.11. "Customer" means a person who uses or has used the services provided by the Controller. 

1.12. "Policy" means this Privacy Policy.

1.13. „Mobile Application Owner" means Ampeco LTD, registered in the Commercial Register at the Registry Agency with UIC 205394857, with place of business the Republic of Bulgaria and address: Dragan Tsankov Blvd. No. 36 , entrance A, floor 5, Sofia 1113.

Bulgaria (“Ampeco”)

1.14. "Site holder" means Eldrive Charging EAD, registered in the Commercial Register at the Registry Agency with UIC 205175105 and address: 11-13 "Yunak" street, fl. 4, Krasno selo, 1612, Sofia.

1.15. For the purposes of this Policy, the other terms shall have the meaning set out for such terms in the GDPR, the Bulgarian Personal Data Protection Act (hereinafter "PDPA") and the Bulgarian Electronic Document and Electronic Signature Act (hereinafter "EDESA").

2. GENERAL PROVISIONS

2.1. The controller collects certain personal data for the purposes of administration, conducting its own activities and exercising its legal obligations.

2.2. This policy contains the basic principles and procedures for the collection, processing and storage of personal data of users of the website https://www.eldrive.eu/, administered by the Controller (hereinafter referred to as the "website") and the ELDRIVE mobile application (hereinafter referred to as the "mobile application"). Before you start using the Website and / or the mobile application, you must carefully read and familiarize yourself with this policy. By using the services provided by the Controller, you confirm that you agree to abide by this Policy.

2.3. The Data Subject is not entitled to use the Website and / or the Mobile Application if he has not read and accepted the Policy. In cases where the Data Subject does not agree with the Policy or the relevant part thereof, he shall not use the Website and / or the Mobile Application. Otherwise, it is considered that the Client has read and unconditionally accepted the Policy and has explicitly agreed to it upon registration.

2.4. The controller must respect the privacy of personal data. This policy explains the acceptable practice regarding privacy applicable in our company. It explains how we collect and use your Personal Data and the rights you may exercise.

2.5. The use of third-party services, such as the services of the social network Facebook, may be subject to the general terms and conditions of third parties. For example, all Facebook users and visitors are subject to the Privacy Policy. Therefore, for the purpose of using the services of third parties, it is recommended that you familiarize yourself with their applicable terms and conditions.

2.6. The data controller has to ensure that it complies with the following basic data protection principles:

2.6.1. Personal data is processed lawfully, in good faith and in a transparent manner with respect to the Data Subject (lawfulness, good faith and transparency);

2.6.2. Personal data is collected for specific, explicit and lawful purposes and is not processed in a way that is incompatible with those purposes; the subsequent processing of personal data for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes (purpose limitation);

2.6.3. Personal data must be appropriate, related to and limited to those data that are necessary for the purposes for which they are processed (data minimization);

2.6.4. Personal data must be accurate and, if necessary, updated; all reasonable measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or corrected immediately (accuracy);

2.6.5. Personal data kept in a form that allows the identification of data subjects shall be stored no longer than necessary for the purposes for which the personal data are processed; Personal data may be stored for longer periods insofar as they will be processed solely for the purpose of archiving for public interest, scientific or historical research or statistical purposes in accordance with Article 89 (1) GDPR, provided that the appropriate technical and organizational measures required by the Regulation to protect the rights and freedoms of the Data Subject (restriction of storage) have been introduced;

2.6.6. Personal data shall be processed in a way that ensures adequate protection of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality).

2.6.7. The controller is responsible and should be able to demonstrate compliance with the principles set out above (accountability).

2.7. The data is processed by sending a proper privacy notice to the Data Subjects. Users of the mobile application must explicitly agree to the notification and the data protection policy of the Controller before registering and installing the application.

2.8. The data shall be kept for the periods specified for each type of personal data provided for in this policy. Storage shall be carried out in accordance with the procedures set out in Section A hereof.

2.9. The rights of the Data Processor with regards to the data will be revoked in case of termination of the contract concluded with the Controller.

2.10. The data shall be transmitted to the Controllers and the recipients, where the legal regulations provide for the right and / or the obligation to do so on the relevant grounds.

2.11. The controller will have the right to provide personal data to the bodies of investigation, prosecution or court for the purposes of administrative, civil, criminal proceedings as evidence or in other cases provisioned by law.

3. PROCESSING PERSONAL DATA FOR PROVIDING AN ELECTRIC VEHICLE CHARGING SERVICE

3.1. The Data Controller offers his clients the service of charging electric vehicles in his network, to which end the following groups of Customer Personal data (personally by the Data Controller, or the Mobile Application Owner or via their subcontractors, who are mandated to comply with GDPR regulation in their operations):

3.1.1. Personal data such as:

  • Name, Surname

3.1.2. Contact Personal data such as:

  • Home address
  • Office address / Workplace (in case of the registration been created on behalf of the user’s employer)
  • Address for delivering a service / a product
  • Mobile or other telephone number
  • Email address / Fax number

3.1.3. Transactional details such as:

  • Purchase history or service use history
  • Client ID
  • Information on service transactions and payment history
  • Bank account number
  • Credit / Debit card number
  • Details concerning the communication between service provider and client

3.1.4. Security data such as:

  • Usernames and passwords
  • Information on the monitoring of the facilities and the system 
  • Information about security beaches

3.1.5. IT management data such as:

  • IP address, operating system data, location, etc. non-identifying data for the mobile device, which is obtained during the installation of the mobile application
  • Details of equipment data related to the services provided, including technical identifiers, location, communication data and metadata
  • Technical events related to the services provided, including system and application logs

Note: For the purposes of providing the service, the customer must provide information about his payment card by directly registering on the site of the payment transactions administrators.

3.2. The data specified in paragraphs 3.1.1 - 3.1.5 are provided directly from the Client, but part of the data stored in the system may also be obtained from the Client's employer, if the latter uses the services of the Controller as a customer or employee of the relevant company.

3.3. For the purposes of registration and entry of the Clients, conclusion, administration and execution of a contract, compliance with the legal requirements for accounting, protection and control over the assets owned by the company, the Controller additionally ensures the availability of the following Data:

3.3.1. time of the electric vehicle charging session start and end; 

3.3.3. Charged fee;

3.3.4. Data on the liability;

3.3.5. Data on liabilities (level of liability, amount of liability, date of occurrence of the liability, deadline, date of payment).

3.4. The data of the former Clients are provided only to the law enforcement bodies according to the procedure established in the law.

3.5. The legal grounds for the processing of personal data are Article 6 (1) (b) and Article 6 (1) (c) GDPR.

3.6. Upon the data subject's consent, data on the location of the mobile device may also be obtained while the mobile application is being used, in order to notify the client of the available charging stations in the immediate vicinity while the application is being used. The data subject reserves the right to withdraw the consent given at any time by changing the settings of his mobile device.

3.7. Based on the legitimate interest for protection and control of the assets owned by the Controller and business development (Art. 6, para. 1, lit. f) GDPR), the data may also be processed for the purpose of:

  • establishment, exercise and protection of legal claims;
  • statistical analysis and marketing research of the services used by our clients after anonymization and removal of the personal data identifying the Clients.

3.7. In order to ensure a smooth and high-quality settlement of the payment for the services provided, the owner of the mobile application must conclude a subcontract with the payment service providers who mediate the execution of payment transactions.

3.8. In order to ensure the functioning of the electric vehicle charging system at an appropriate quality level, the owner of the mobile application must enter into a subcontract with a Data Processor, who will administer the electric vehicle charging platform, perform system programming and support.

3.9. The controller confirms that in order to ensure data protection, all technical and organizational measures for data protection have been duly implemented.

3.10. The owner of the mobile application also subcontracts to Amazon Web Services Limited, as a Data Processor, server rental and installation services.

3.11. The Controller enters into data processing agreements with the owner of the mobile application in connection with the processing of personal data on behalf of the Controller. Processors process personal data only on behalf of the Controller for the purposes set out in these data protection agreements. In particular, each Processor should:

- process Personal Data only in accordance with the documented instructions of the Controller, including regarding the transfer of personal data to a third country or international organization, unless it is required to deviate from such instructions in order to comply with the legal requirements binding the Processor. In such a case, the Processor shall, without undue delay, inform the Controller of the relevant requirement before the processing of personal data;

- ensure that persons authorized to process personal data, have committed themselves to confidentiality and compliance with the applicable data protection regulation within the EU or are bound by a proper legal obligation of confidentiality;

- assist the Controller at his explicit written request, in order to ensure the fulfillment of his legal obligations, such as those related to the data security of the Controller, the data protection impact assessment and prior consultation set out in the General Data Protection Regulation, and, in particular, to implement appropriate technical and organizational measures to protect Personal Data falling within the scope of the Data Processing Agreements from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data. For the avoidance of any doubt, the parties hereby expressly agree that the Processor will be obliged to fulfill all its obligations as a Data Processor, in full compliance with the General Data Protection Regulation, at his own expense;

- assist the Controller by applying appropriate technical and organizational measures to fulfill the obligation of the Controller as a Data Controller, namely: to meet the requirements for exercising the rights of Data Subjects under the General Data Protection Regulation. The processor must immediately notify the Controller of any request made by a Data Subject and not respond to the relevant request before receiving the instructions of the Controller;

- provide the Controller with all the information necessary to demonstrate compliance with the Processor's obligations set out in these data processing agreements and the General Data Protection Regulation and to authorize and assist in audits, including checks carried out by the Controller or another auditor authorized by the Controller;

- maintain accurate records of all processing activities under the data processing agreement in accordance with the requirements set out in GDPR and provide the Controller with the relevant records within ten (10) working days of receiving the request of the Controller;

- ensure that no personal data is transferred, released, assigned, disclosed or otherwise provided to a third party without the prior express written consent of the Controller.

- ensure that data protection obligations similar to those set out in this document are imposed on other Data Processors who are engaged by the Processor under a contract. The Processor is responsible to the Controller for the performance of these obligations by the other Processors;

- immediately inform the Controller if an instruction of the latter violates the General Data Protection Regulation or if the personal data is or will be processed in violation of the General Data Protection Regulation or the Agreement and immediately inform the Data Controller about the complaints or audits by the supervisory data protection authorities related to data processing;

- inform the Controller without undue delay (but within 48 hours), after learning of a data breach, which means a breach of security leading to accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to Personal Data that is transmitted, stored or otherwise processed. The notification must describe the nature of the breach, the number of subjects concerned, the likely consequences of the breach, the measure taken or proposed, and other details related to the breach listed in Article 33 (3) GDPR; and 

- upon termination of the processing agreement or at the written request of the Controller, to destroy or return all Personal Data, unless otherwise provided in the GDPR or in the national legislation within the EU to which the Processor is subject.

3.12. To ensure the quality of the services provided, to promptly respond to the Clients' questions, the employees of the Data Controller acting as customer service specialists are responsible for the Clients' calls and provide consultations by phone 24/7. The data manager records the records of conversations between the data manager and the client, which are kept for 180 (one hundred and eighty) days

4. DATA PROCESSING FOR DIRECT MARKETING PURPOSES

4.1. The controller carries out direct marketing in relation to the Clients.

4.2. In order to receive proposals for the services provided by the Controller, the Client must give his consent to the processing of Data for the purposes of direct marketing at the time of registration or log in to his personal profile and select the function for receiving a newsletter.

4.3. The Controller processes the following personal data of the Clients for the purposes of direct marketing:

4.3.1. Name;

4.3.2. Surname;

4.3.3. E-mail address; 

4.3.4. Phone number; 

4.3.5. Address.

4.4. The Controller also performs direct marketing (sending newsletters and proposals by e-mail) to persons who have entered their e-mail address on the Controller's website eldrive.eu and/ or in the Mobile Application and requested to receive such messages. In this case, the Controller processes the e-mail address of the relevant person.

4.5. The data subject may withdraw their consent at any time and refuse to receive newsletters by clicking on the link in the emails we send, changing the notification settings in their account, or sending a specific message requesting such change.

4.6. The data processed for the purposes of direct marketing is not transmitted by the Controller to the recipients.

4.7. The legal basis for data processing is Article 6 (1) (a) GDPR.

4.8. When processing data for the purposes of direct marketing, the Controller uses a platform through which newsletters are sent to Data Subjects, as well as Amazon Web Services Limited as a data processor, providing service rental and installation.

5. DATA SHARING

5.1. The controller shall keep confidential and shall not disclose personal data to third parties, except with the consent of the data subjects and in the cases permitted by law. In certain cases, the controller has a legal obligation to disclose data to third parties (e.g. NRA or other control bodies) or an obligation related to the performance of the contract with the subject.

5.2. Upon guaranteed protection and control measures, disclosure is possible to other companies part of the corporate group or to service providers in order to ensure smooth operation of the electric vehicle charging system and high service quality, as well as with the purpose of complying with the current legislation of the country when providing the services, including, but not limited to, the fulfillment of obligations regarding the accounting reporting of the Controller and compliance with the requirements introduced by the provisions of the current tax legislation (e.g. server providers, electric vehicle charging platform, sending newsletters, analyzing statistics, legal services, etc.). In this case, the service providers used by the Controller are obliged to strictly observe their contractual obligations and the current legislation for personal data protection, including by taking the necessary measures to protect the confidentiality of the received personal data.

5.3. In case of a justified need, the Controller may also disclose personal data in order to prevent fraud, to apply the general conditions for use of the mobile application, to guarantee the company's property, its rights and legitimate interests, and to protect the security, rights and interests of other customers or third parties.

6. DATA TRANSFER OUTSIDE THE EU

6.1. The transfer of personal data to a third country or international organization outside the European Union and the European Economic Area is prohibited, unless one of the following conditions is met:

6.1.1. The company is based in the United States and is certified by the US-EU Privacy Shield (https://www.privacyshield.gov)

6.1.2. There is a decision of the European Commission on the adequate level of personal data protection provided by the third country in which the data are received;

6.1.3. The data subject has given an explicit consent after being informed of the possible risks associated with the transfer due to the lack of a decision on the adequate level of protection and appropriate safeguards;

6.1.4. The transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures taken at the request of the data subject;

6.1.5. The transfer is required for the conclusion or execution of a contract concluded in the interest of the data subject between the Company / Group and another individual or legal entity;

6.1.6. The transfer is necessary for the establishment, exercise or defense of legal claims; 

6.1.7. The transfer is made by a public register.

6.2. Currently, data transfer outside the European Union (EU) is required only with regards to our trusted partners for newsletter and hosting services based in the United States. They are certified under the EU-US Data Protection Shield and provide an adequate level of personal data protection, which is equivalent to the General Data Protection Regulation.

7. DATA RETENTION PERIODS

7.1. The controller applies different periods of storage of personal data depending on the categories of processed personal data and the purposes of processing.

7.2. The controller applies the following periods of personal data storage:

#
Personal data categories
Retention period
1
Data related to legal claims and accounting
5 years from the date of termination of the contract or from the date of repayment of the debt, whichever is later.
2
Personal data of the clients, processed for the purposes of providing the services for electric vehicle charging
3 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation.

Data of customers whose accounts are not active will be stored for 3 years from the date of the last login
3
Data used for direct marketing purposes
3 years from the date of last login.
4
Details of the charging process
2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation.

Data of customers whose accounts are not active will be stored for 2 years from the date of the last login.

7.3. Exceptions to the above retention periods may be made insofar as the relevant deviations do not infringe the rights of the Data Subjects, comply with the legal requirements and are duly documented.

7.4. The documents and data of Clients, in respect of which the Controller has initiated administrative or court proceedings, are stored and destroyed according to the instructions of the legal department for a period of 5 years after the proceedings have ended with an effective court decision or final payment of the debt.

7.5. After the expiration of the established terms, the data are anonymized or destroyed in a secure way by deleting them from the information systems and by shredding, if there are any paper copies.

8. DATA SUBJECT RIGHTS

8.1. The data subject has the right to exercise the following rights according to the procedure established in the GDPR and PDPA:

8.1.1. Right to be informed: before processing the data, the Controller is obliged to provide the data subject with information in the form of a privacy notice about the personal data it collects, the grounds and the purposes for which it uses them, the persons with whom it shares them, the Controller's intention to transfer data to third countries outside the EU, the retention period and security measures, the consequences of non-disclosure of data, the existence of automated decision-making, the data subject's rights, including the right to lodge a complaint with a supervisory authority. Before registering as a user and installing the mobile application, the data subject must read and agree to the privacy statement in order to use the mobile application;

8.1.2. Right of access: this right enables the data subject to receive a copy of the personal data that the Controller keeps for him, as well as information related to the processing. Access to the history of the services used by the subject and to the data provided during the registration process can be obtained through the customer account of the mobile application, and you can also submit a special request for access;

8.1.3. Right to be forgotten: this right enables the data subject to request that his personal data be deleted when there is no valid reason for the controller to continue processing them, e.g. if the purpose for which the data were collected has been achieved, or if the data subject has withdrawn his consent. If the legal requirements are met, the Controller should delete the personal data within 1 month, unless he has a legal obligation to continue their processing or data retention is necessary for the establishment, exercise or protection of legal claims;

8.1.4. Right of rectification: this right enables the data subject to request that any incomplete or inaccurate data about him be corrected. The data subject is obliged to enter in a timely manner any change in his personal data in his account or to notify us thereof;

8.1.5. Right to restrict data processing: this right enables the data subject to request the Controller to temporarily suspend the processing of personal data if, for example, he wishes to establish the accuracy of the data or the reasons for their processing;

8.1.6. Right of data portability: this right is limited to cases where the data are processed automatically and provided by the data subject on the basis of his consent or for the purpose of performing a contract, allowing the Client to require the Controller to provide the personal data of the data subject or a third-party, that are stored in an electronic form;

8.1.7. Right to object: in cases where the Controller relies on its legitimate interests as a basis for processing, the data subject may object to such processing on grounds related to his specific situation. He also has the right to object when the processing is for direct marketing purposes or the data is processed for statistical purposes;

8.1.8. Rights related to automatic decision-making and profiling: the data subject has the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for the data subject or similarly affects him significantly;

8.1.9. Withdrawal of consent: the data subject has the right to withdraw his consent at any time if he has given his consent, without prejudice to the processing so far. When consent is given for direct marketing purposes, the data subject may refuse to receive newsletters at any time by clicking on the "unsubscribe" link in the emails we send or change the settings of his mobile application. If the subject has provided access to his location via a mobile device in order to find electric vehicles nearby, he can change the settings so selected.

8.1.10 Right to appeal: If the data subject considers that any of his rights have been violated, he has the right to file a complaint to the supervisory body - the Personal Data Protection Commission - https://www.cpdp.bg/.

8.2. Requests may be submitted by the data subject or by a person authorized by him, and the Controller shall take steps to verify the identity of the data subject in order to protect the data. The controller is obliged to process the requests of the data subjects, specified in items 8.1.2 - 8.1.9 of this policy, within the terms determined in the GDPR.

8.3. The above deadlines specified in the GDPR are as follows:

#
Request of the data subject
Period
1
Right to be informed
When data are collected (if data are provided by the Data Subject) or within one month (if data are not provided by the Data Subject)
2
Right of access
One month
3
Right to update
One month
4
Right to be forgotten
Without undue delay
4
Right to limit processing
Without undue delay
4
Right to data portability
One month
4
Right to object
After receiving an objection
4
Rights related to automated decision making and profiling.
Not specified

8.4. The controller shall have the right to deny the Data Subject the exercise of his rights by stating the relevant grounds or to impose a reasonable fee under the conditions provided for in Article 12 (5) (b) GDPR.

9. DATA PROTECTION OFFICER

9.1. According to the GDPR, in cases where the main activities of the Controller consist of processing operations that require regular and systematic monitoring of data subjects on a large scale or where the main activities of the Controller or the Processor consist of large-scale processing of special categories of personal data, the presence of a Data Protection Officer is mandatory.

9.2. The rights and obligations of the Data Protection Officer are described in detail in the GDPR, the Annexes to the Policy, the job descriptions if the position is held by an employee of the Controller, or in the service contract if the Data Protection Officer position is held by an external service provider.

9.3. In view of the above criteria and the activities performed by the Controller, the Controller is not obliged to appoint a Data Protection Officer.

10. PROCEDURE FOR MANAGING DATA BREACHES AND DEALING WITH SUCH BREACHES

10.1. If the employees of the Controller, who have the right to access the data, notice or are informed about data breaches (omission or actions by the persons, which may lead or have led to a risk for data security), they are required to notify the responsible person and their line manager.

10.2. Taking into account the risk factors for data security breaches, the degree of impact of the breach, the damage and the consequences, following the relevant internal procedures, the Controller shall decide on the necessary measures to eliminate the data breach and its consequences and to notify the persons concerned.

11. TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA

11.1. The organizational and technical data security measures implemented by the Controller shall ensure a level of security appropriate to the nature of the data processed by the Controller and to the risk arising from data processing, including, but not limited to, the measures set out in this section.

11.2. Personal data security measures include the following:

11.2.1. Administrative (establishment of a procedure for security of documents and computer data and their archives and organization of work in various fields of activity, mandatory training on personal data protection of the staff currently employed and upon leaving work/ dismissal, declarations for confidentiality and prohibition of disclosure of personal data, procedure for granting access to information systems, etc.);

11.2.2. Technical and software protection (administration of servers, information systems and databases, workplace maintenance, protection of operating systems, monitoring (control) of user access, protection against computer viruses, etc.);

11.2.3. Administration of information systems and databases, workplace maintenance, protection of operating systems, protection against computer viruses, etc.;

11.2.4. Protections for communication and computer networks (technical and software measures for encryption and transmission of data for general use, applications, personal data, filtering of unwanted data packets, etc.).

11.2.5. Two-factor authentication (2FA), which acts as an additional security measure, is designed to ensure that the Client is the only person who can access their account, even if others know  the Client's password.

11.3. The above measures for personal data protection provide: 1) equipment of the repository for copies of operating systems and databases, control of the storage of the copying equipment; 2) technology for continuous work with data (processing); 3) strategy for restoring the functioning of the systems in emergency cases (uncertainty management); 4) system for unique user identification and password; 5) physical (logical) separation of the application testing environment from the operational processes mode; 6) registered use of data and data privacy.

11.4. The controller has to establish a procedure for Personal Data recovery in case of accidental loss of Data. The controller backs up the data available in the system. The data is retrieved according to an internal procedure using Amazon Web Services software from backup libraries. In all cases, the data archives shall be stored without prejudice to the data retention period specified in the Policy.

11.5. The controller also applies other measures to ensure personal data security:

11.5.1. VPN technology is used to remotely connect to the Controller's internal network, and for user identification using a digital certificate;

11.5.2. The access to personal data through organizational and technical data security measures, which register and control the registration and acquisition of rights attempts, are subject to proper control;

11.5.3. The following records are kept upon entering the database by the persons who have been granted the right to process personal data: identifier upon login, date, time, duration, result of the login (successful, unsuccessful). The above records shall be kept for at least 1 (one) year;

11.5.4. It is necessary to ensure the security of the premises where Personal Data is stored (access to the respective premises only by authorized persons, etc.);

11.5.5. Requests to search for personal data provided must be aimed at identifying the person;

11.5.6. Efforts need to be made to ensure the use of security protocols and / or passwords when providing personal data via external data networks;

11.5.7. It is necessary to ensure control over the security of personal data on external data carriers and e-mail and their deletion after the use of the personal data by transferring them to databases;

11.5.8 The urgent actions for recovery of personal data (when and who performed the actions for data recovery with automatic and non-automatic means) shall be recorded;

11.5.9. It is necessary to ensure that the testing of information systems is not carried out with re personal data, except in cases where organizational and technical measures are used to protect personal data, ensuring real security of such data;

11.5.10 Personal data on laptops, if the latter are not used in the data network of the Control] should be protected by appropriate measures according to the risk of processing.

11.6. The controller shall apply appropriate technical and organizational measures to ensure standardized processing of personal data, which is necessary for the specific purpose of data processing. The above obligation applies to the respective volume of Personal Data collected, the scope of their processing, the period of storage of Personal Data and the accessibility of personal data.

12. CONTACT DETAILS

12.1. You can contact us if you have any questions related to this policy and / or data protection in general using the following contact details:

E-mail: privacy@eldrive.eu

Tel. +359 2 4897 047

13. FINAL PROVISIONS

13.1. The policy is reviewed annually at the initiative of the controller and / or in case of changes ii the regulations governing personal data processing.

13.2. The policy and the amendments thereto shall enter into force on the date of their adoption.