PRIVACY POLICY
PRIVACY NOTICE
EXCHANGE PROGRAMS
1. ABOUT THIS DOCUMENT
This Privacy Notice aims to acquaint you with the guidelines we follow when we collect and process your Personal Data in cases in which you express interest to enroll in a cultural exchange program with the USA, like Summer Work & Travel, Internship or Camp Exchange, when you are an applicant or a participant in any of the programs mentioned above or when you express interest to or have signed an agreement with us for filing and submitting your US Tax Re-turn, or simply when you visit our exchange-programs website – www.gotousa.bg.
Here you can find information about the Personal Data we collect; how and why we use it; to whom we pass it on; what your rights are being a data subject; as well as how to contact us or with Data protection supervisory authority.
2. WHO IS THE INTENDED AUDIENCE OF THIS DOCUMENT?
This Notice is intended for all natural persons who have interest in purchasing (“Interested parties”) and/or have used or will use (“Clients”) one or more services we offer:
- Cultural Exchange Program in the USA: Summer Work and Travel USA, Internship USA, Professional Career Training USA or Camp Exchange USA;
- Linked services to the Cultural Exchange Program – travel arrangements, US visa application, etc.;
- US Tax Return service – for filing and submitting the US tax forms.
The notice is also intended for visitors of our website www.gotousa.bg, regardless if they order services there or not, as well as for individuals whose information we have received from you being our Client with regard to the services listed above.
3. WHO ARE WE?
We are Usit Colours Bulgaria, registered in the Commercial Register under UIC 130881129. We collect and process your personal data as a data controller in accordance with the General Data Protection Regulation – (EU) 2016/679. We own and manage the website www.gotousa.bg, dedicated to cultural exchange programs.
You can contact us on 0700 15 115, mail us at Sofia, 35 Vasil Levski Blvd, Sofia, 1000, Bulgaria, or send an e-mail to us at office@usitcolours.bg
Furthermore, you can address all questions related to the processing of your personal data to our Data Protection Officer on 0876 11 56 11, mail them at: Sofia, 35 Vasil Levski Blvd, Sofia, 1000, Bulgaria, or send an e-mail at dpo@usitcolours.bg.
4. WHAT PERSONAL DATA DO WE COLLECT AND WHY DO WE NEED IT?
Depending on the service as per Article 2 of this document which you use or are interested in, we collect and process different categories of personal data, which we need in order to provide the service to you and, respectively, to provide more information about the service. In relation to the requirements that must be covered so we can provide some of our services described in Article 2., we also process personal data of third-parties which you disclose to us being our Client. Additionally, we gather personal information from the visitors of our websites. In all of these cases, it is possible that we also process the collected personal data for the purposes of providing better service to our current and prospective clients, as well as for the protection of our rights and legitimate interests.
4.1. Personal data we process when you participate in cultural exchange programs.
We collect and process various categories of personal depending if you only show interest or have become an applicant and/or participant (and our Client) in a cultural exchange program.
Interested Parties
If you have expressed interest in a cultural exchange program, we collect and process your name, phone number and email address. It is possible that we also collect information about your preferable US destinations. We need this data in order to send you information about the program, like terms and conditions for participation, price terms and promotions, job offers, etc. The legal grounds for processing this data is your consent, which you can withdraw at any time.
Clients
At the time of entering into an agreement for preparation of application and participation in a cultural exchange pro-gram in the USA with Usit Colours, we collect the following personal information:
- Entering into an agreement with us: at this stage we collect names, mobile phone number, email, date of birth, National ID, nationality, address, form of study, university, major and year of study, English level proficiency, work experience information, information about previous participation in a cultural exchange program in the USA or other visits in the country. This data is necessary so we can duly conclude our agreement with you; for carrying out any communication regarding your participation in the program and its accompanying services; for evaluation if you comply with the program requirements so as to propose your application to a sponsor (an organization, authorized by the US Department of State for implementing cultural exchange programs), as well as for the accurate issuance of initial accounting documents.
- Submitting application to the Sponsor of the program: in addition to the provided information at the stage described above, at this stage we also collect and process passport information, additional information related to your student status, information from your job contract with a US employer, emergency contacts’ information, information about your health condition, etc. All this data is collected on the basis of a requirement of the US Department of State and of the sponsoring organization and are necessary for an evaluation by the Sponsor of your application for participation in the program, for the issuance of DS 2019 form (certifying participation in the program, and serving as a basis for issuance of a special type of visa for the United States), medical insurance for the USA, etc. When you provide us with third-party data – for example emergency contact information – it is your responsibility to obtain consent from the third parties for sharing this information with us; in such case we consider that you have obtained in advance the third parties’ valid consent that their personal data be shared with USIT COLOURS and that it be further transferred to the Sponsor of the Program.
- At approval of your application by the Sponsor and regarding your participation in the program we process information like: your DS 2019 number; the number, date of issuance and expiry date of your US visa, the number of your insurance policy.
Our legal grounds for collecting and processing all of the categories of personal data listed above is its indispensability for complying with our obligations in accordance with our agreement with you for preparation of your application for a cultural exchange program in the USA. To the extent your application before the Sponsor for a cultural exchange pro-gram requires any transmission of sensitive personal data, we shall process such data only after having obtained your explicit consent. If we do not receive the above-mentioned information and your consent, we will not be able to per-form the service under our contract with you.
4.2. Cultural Exchange Programs‘ Accompanying Services
When you are a participant in a cultural exchange program in the USA, we collect and process your personal data with respect to program’s accompanying services:
Documents for visa application
When you are a participant in a cultural exchange program in the USA, part of our obligations under the contract for preparation of your application and participation in the program is to assist you in preparation and submitting of documents for US visa application. A requirement of the Consular section to the US Embassy in Bulgaria states that the participants in cultural-exchange programs submit their visa applications through the company which prepares and coordinates their program participation.
In order to provide the visa service to you, in addition to the information described in Section 4.1, we also collect personal data which we need for completing a visa application form, namely information about: marital status, secondary-education (high school information), military service (for male applicants only), as well as a lot of other personal data, including sensitive personal data like ethnicity, philosophical beliefs, membership in union organizations; or data which without being defined as sensitive might reveal such. In order to process those sensitive personal data categories, we request your explicit consent. You have the right to withdraw this consent at any time. This will not affect the lawfulness of the processing so far, but will prevent us from providing you the visa service.
The visa application form asks for personal data of parents, siblings, children and marital status. It is the Client’s responsibility to collect consent from them for sharing this information with us and with the US Embassy; in such case we consider that you have gathered in advance these categories of individuals’ valid consent that their personal data be shared with USIT COLOURS and that it be further transmitted by us to the US Embassy.
In any event, we collect and process the respective categories of personal data as indispensable requisites of the US visa application form. It is mandatory that we have this data provided by you in order to provide you the visa service. If we do not receive this data, we cannot provide the service. The legal grounds for processing of the data provided is that it is necessary for our performance of the agreement with you for application and participation in a cultural ex-change program in the USA, in its US visa service provisions.
Airline Ticket booking and issuance
In relation to the service of airlines ticket booking and issuance we collect the following data:
- Ticket booking stage: at this stage we collect the client’s names, mobile phone number and email address. This data, required by the airlines and the booking systems we use, respectively, is necessary so we can make a booking and secure the offered ticket price for a definite period.
- Purchase and issuance of the airline ticket stage: In addition to the data collected at the time of booking, at this stage we also process: ISIC card number and DS 2019 number – both necessary for verifying the right of the client to be granted special tariff conditions for students and participants in the Program. In accordance with the requirements of the airlines for travel to the USA, we collect and process information about: citizenship, date of birth, number and validity of international passport, visa number, visa issue and expiration date, accommodation address at the ticket’s final destination in the US; to issue the initial accounting document, we also process a physical ad-dress and National ID of the Client. Furthermore, if the client possesses a Frequency Flyer Card (loyalty program card) for an airline in the ticket, we process its number for the purposes of points accumulation and benefits for the Client.
Flights preferences. When you purchase airline tickets from us, it is possible that we assist you in expressing your meal preferences during the flight (if the airline offers such choice), as well as in requesting а „meet and assist” service when you will be aided in reaching to and from the aircraft. There is a chance that the meal you choose to dis-close your religious beliefs, and the need for assistance – information about your health condition. As these are special (sensitive) categories of personal data, we process such requests for assistance, only after you give us your explicit consent for processing your preferences information through requesting them. You have the right to with-draw this consent at any time. This will not affect the lawfulness of the processing so far, but will prevent us from assisting you with your flight preferences.
The legal grounds for processing of the data provided is that it is necessary for our performance of the agreement with you for application and participation in a cultural exchange program in the USA, in its airline tickets arrangement provisions.
It is mandatory that we have this data provided by you in order to issue you the airline ticket. If we do not receive this data, we cannot issue the desired airline ticket or apply special tariff conditions; furthermore, we cannot meet our obligations to guarantee that the program participants travel to the USA with return tickets for travel dates corresponding to the program dates. All this could result in obstruction of your participation in the program.
4.3. Data we process when filing US Tax Return
When you express interest or have signed an agreement with us for filing and submitting your US tax Return, we process your personal data, as follows:
Interested Parties
We collect and process the following personal data from the people that have interest in receiving information about the taxes they owe to the US Tax Authorities or the taxes the US Tax Authorities owe to them: name, mobile phone number and email, US state where the participant worked, income and taxes withheld in the USA for the respective tax year.
The legal ground for processing of this data is the consent of the interested party, which could be withheld at any time..
Clients of the service
For the purposes of entering into an agreement for submitting a US tax return form and consulting in filing it, we collect and process the following personal data of the Client: name, phone number and email, National ID number, address, ID card number – all necessary to enter into an agreement with the Client and issuance of the initial accounting documents.
With regard to providing the tax return service itself, we also collect and process: number and validity of the client’s international passport, US visa type, US sponsoring organization for the program, US social security number, US employ-er/s, income and taxes paid to the USA for the respective tax year and US bank account information – in case the client has requested that the refund be made to his/her personal bank account. We also collect and process the copies of the following documents: social security card, visa, DS 2019, paychecks and/or W2 form – a US Tax form, prepared by the employers, stating the total income and taxes withheld.
The legal grounds for processing of the listed categories of data is that it is necessary for our performance of the agreement for providing Tax Return service to the Client. If we do not receive the above-mentioned data and your explicit consent that we send your personal data to the USA, we will not be able to perform our contractual obligations to you.
4.4. Data we process when you visit our website.
When you visit our website www.gotousa.bg, regardless if you decide to purchase any of the services we provide, it is possible that we collect usage data – about your use for our websites – by means of the so called “cookies”. The “cookies” are small text files which are downloaded in your computer or mobile device at your first visit of a website.
Some of the “cookies” used are unconditionally necessary for the functioning of our website (without them it will not function at all); others are necessary to help us improve the functioning of our website (the collect only anonymized information of user behavior in our website – for example if some sections are more visited than others). The categories of “cookies” described above do not collect personal data.
Other “cookies” are used for improving the user experience in our website (they record your preferences, for e.g. selected language version, location, font size). They do not track your visits of other websites.
The last “cookies” category, the so called “advertising cookies”, collect information about your web-surfing habits, including about the websites you visit, so that we can offer you products we assume to be of interest to you (for e.g. by serving you ad banners or other ads in Facebook or other websites you visit). We use the last two “cookies” categories on the basis of our legitimate interest to determine our clients’ preferences so we can offer them products which cor-respond the most to their needs and wants.
On your first visit of our websites you are given the option to allow all “cookies” by consenting explicitly or to actively choose which ones of them you agree to be used. Besides the “cookies” which are unconditionally necessary for the functioning of the website, all other “cookies” categories could be disallowed from the “cookies” settings menu.
You can find more information about “cookies” usage and their functioning from our Cookies policy page.
4.5. Data we process in order to offer our clients better service and for protection of our rights and interests
- Phone Calls
Our consultants accept phone calls in order to respond to any requests of Interested parties or Clients of a service.
If you are our prospective client or call us for the first time, we will record your name, phone number and the questions you ask, so that when you call again, we can remind ourselves of what we have talked in our previous communication. We process this data on the basis of our legitimate interest to keep track of the evolution of our potential clients’ interest in our services and to improve our offers to them on the basis of the feedback we receive from them. - Client Profile
If you are a Client of a service, we will keep the information about you even after we provide the particular service – your name, email address, phone number, history of your purchases. We use this data in order to identify you as an existing client of our company, to keep track of your purchasing records and to check your satisfaction level from the services used, as well as to extend you commercial offers that we assume might be of interest to you. We do this processing on the basis of our legitimate interest to offer and market our products to a pool of clients who already recognize us as a trusted partner.
If you have expressed interest in a service offered by us, it is possible that we continue processing your personal data for a certain period after you have expressed interest, so we can keep track the evolution of your interest to this particular service and/or to offer you accompanying services which might be of interest to you. We do this processing on the basis of our legitimate interest to offer and market our products to people who have already showed interest to the services we offer. - Protection against legal claims
It is possible that we continue storing all personal data of our Clients after we have provided the service to them, in view of our protection against any claims raised by the Client or any third parties (e.g. sponsoring organizations) against us with regard to the service; and for the sake of our own claims against the Client or against third parties with regard to the service.
4.6. Third-party Data which we process in relation to the services in Sections 4.1. and 4.2.
To provide the services described in sections 4.1. and 4.2. it is necessary that third party data (parents’, siblings’, etc.) is disclosed by our Client and further processed. The data we process includes three names and date of birth, and in some cases – contact information like phone number, email address, etc. Although we have legitimate interest in processing this data in order to provide the particular service to our Client, when the Client gives us third-party data, it is their responsibility to obtain a consent from the third parties that their personal data be shared with USIT COLOURS and that it be further transferred to US organizations. When such data is provided to us by a Client, we assume that the Client has gathered in advance the third parties’ valid consent, has informed them that he/she shall disclose their personal data to us and that it will be further transferred to organizations in the USA, and has acquainted them with the present privacy policy of Usit Colours, located on https://gotousa.bg/en/privacy-policy.
Any third-party personal data which we process with regard to providing the service is disclosed to us by our Client. We do not use public sources for collecting this data. If we do not obtain this data, we will be prevented from providing the service to our Client. The third parties, whose data we have received by our Client, have all rights available to the data subject as per Article 10 of the current document.
We use your personal data only for the purposes specified in the current notice.
When the financial documents we issue in accordance with the law contain Client’s personal data, we process this data for the purposes of accounting and reporting, on the basis of the applicable accounting and/or tax laws provisions.
Although certain characteristics of the data you disclose to us could serve as an indication for additional personal in-formation (e.g. your name could indicate for your religious beliefs; your e-mail address could be an indication for association with a particular organization), we do not monitor for such specifics and do not perform any additional analysis or other processing of email addresses and other personal data we possess about you with the aim of profiling, extracting of additional information about you, categorizing you, or with the aim of automatic decision making, which might have any legal consequences for you or to affect you in any other way.
6. WHOM DO WE TRANSMIT YOUR PERSONAL DATA TO?
Within our organization, the following categories of individuals have access to personal data that is collected in the con-text of the arrangement of participation in cultural exchange programs, visa services and Tax Return services, as well as any linked services:
- Employees directly engaged in the process of organization of your participation in the cultural exchange programs, visa service or tax return service, have access to all categories of data collected from the Client for the purposes of providing the particular service;
- Employees who issue airline tickets have access only to the information necessary for this specific service;
- Employees in the accounting department have access to the Client’s personal data, as well as to the personal data of Clients which is visible in the accounting documents of the respective service (if such is visible);
- System administrators who maintain the software systems which we use have access to all categories of personal data collected from the Clients for the purposes of booking or providing of the respective service.
We transmit personal data to the following categories of recipients outside our organization:
- The US sponsoring organization, which independently, or together with Usit Colours, processes the Client’s personal data. To the US sponsoring organization, we transmit personal data we have collected from the Client for the purposes of his/her participation in the cultural exchange program;
- The consular section of the US Embassy – personal data we have collected from the Client for the purposes of providing the visa service.
- US Tax Authorities – personal data we have collected from the Client for the purposes of providing the US Tax Re-turn service.
- Service providers like airlines or insurance companies in the USA (when the sponsoring organization requires us to issue insurance) – personal data necessary for providing the respective service.
- Consolidated booking systems through which bookings are made or airline tickets are purchased – personal data, collected from the Client for the purposes of booking and/or providing the respective service, and are required by the booking system.
- Organizations which we have appointed for various tasks in data processing (e.g. organizations whose software we use to manage client information, to store and send email newsletters and so on). These are organizations who undoubtedly act only in accordance with Usit Colours’ demand and do not use our clients’ personal data for private purposes, neither do they disclose it to third parties.
- Advertising networks, whose “advertising cookies” you have allowed when visiting our website (e.g. Facebook, Google, etc.). The personal data, which could possibly be shared with such organizations, is solely data categories which the respective “cookies” collect. For more information, check our Cookie Policy and the “cookies” settings menu in our websites.
All our employees who work with personal data, including the organizations who process personal data on our behalf, are bound by strict privacy regulations. They can disclose personal data to third parties only if we have given them our permission, and, respectively, if this is necessary for us in order to provide the service purchased to the Client.
7. FOR WHAT TIME PERIOD DO WE STORE THE PERSONAL DATA COLLECTED?
We store the personal data we collect and process for different time periods, depending on the types of services, the purposes for which we collect the data, the data types and the means of processing, as follows:
- Data collected from parties interested in cultural exchange programs: up to 2 years or until withdrawal of consent (if request for such is submitted before the 2-year period);
personal data of cultural exchange program Clients, including third-party data provided by the Client in relation to his/her participation in the program – up to 5 years after completion of the Client’s participation in the program; - Airline tickets – for the purposes of our performance of our obligations for airline ticket issuance, this data is stored for a period no longer than 5 years after the trip end;
- Data collected for the purposes of visa services, including third-party data provided by the Client in relation to the visa service – up to 2 months after the visa application;
- Data collected from parties interested in the US Tax Return service – up to 6 months or until a withdrawal of consent (if request for such is submitted before the 6-month period);
personal data of US Tax Return service Clients – up to 5 years after submitting their Tax Return;
“cookies” data – all personal data which we collect through the use of “cookies” is stored up to the moment you change your “cookies” preferences and stop (forbid) the use of the respective “cookies” category. - Data in client profiles – personal data of Clients which we process by storing it in our clients data base, including for direct marketing purposes, are stored for a period of 5 years after the date of last purchase by this Client.
- Data that is part of accounting documents – all accounting documents, including those containing personal data, are stored for the minimum time period for storage of the particular accounting documents, required by the applicable accounting and tax legislation.
- Data that is part of documents which could be subject to audit by an authorized competent supervisory authority (e.g. The National Revenue Agency – „НАП“ in Bulgarian, or The Commission for Consumers Protection – „КЗП“ in Bulgarian) and/or were used as evidence in civil, administrative or criminal dispute will be stored until such date that our possible claims or obligations related to the document in question have reached their statue of limitations and/or until the closing of an administrative and/or legal proceedings with final administrative and/or judicial state-ment.
After the storage period expires, all data and documents containing them shall be deleted in a secure way.
8. DO WE TRANSFER YOUR DATA OUTSIDE THE EU?
Due to the nature of the services we deliver as per Article 2, the personal data which our Clients provide, are by defini-tion intended to reach recipients in the USA. The data of the interested parties is not transferred outside the EU.
When transferring your data to the USA, we enter into an agreement with the entity receiving your data, according to the applicable legal EU requirements or we do it on the basis of previously obtained consent from you for transmitting this data.
When submitting documents for US visa issuance, we transmit your personal data to the US embassy on the basis of your explicit written consent on this.
When submitting documents for US Tax Return, we transfer your personal data to tax authorities in the USA on the ba-sis of your explicit written consent on this.
9. HOW DO WE PROTECT YOUR PERSONAL DATA?
We put great efforts in protecting our clients, as well as our newsletter recipients, from unauthorized access or unauthorized alteration, disclosure or destruction of their personal data. With this aim we implement a number of technical and organizational measures, like:
- We use secure websites, where we collect your personal data;
- We examine and carry out regular checks on our practices for collection, storage, or otherwise processing of personal data, including on the physical security measures – aimed at prevention of unauthorized system access for the systems we use;
- Within our organization, we limit access to your personal data only to people whose job functions require access to it in order to perform the tasks for which the data has been gathered and shall be processed in the first place.
- We use contractual data protection clauses in all our agreements with our employees and also with third parties that we appoint for processing of your personal data;
- We delegate processing of personal data only to organizations that keep highest standards of information and data security, demonstrated by the respective certifications and by providing the possibility for regular compliance audits.
10. YOUR RIGHTS AS A DATA SUBJECT
As a data subject you have a number of rights before Usit Colours – the data controller. Your rights and how you can exercise them is described in this article.
You can exercise your rights by filing a written request to Usit Colours, signed by you or your authorized representative.
You can mail your request to our Data Protection Officer at the mailing address or e-mail stated in Art. 3. In case the request is filed electronically it should be signed with a qualified electronic signature. We shall respond to your re-quest as promptly as it is possible for us, and definitely no later than one month. Please be advised that we shall not respond to a request by you, if we cannot verify that the request was undoubtedly filed by yourself (e.g. it might be impossible to verify a request filed by mail). In such cases we might require that you personally present your request in one of our offices (in order to identify you properly).
In the event we provide data to other personal data administrators in accordance with Art. 6 of this document, you can exercise your rights as a data subject, listed below, before these other administrators by addressing them directly.
10.1. Right of access to your personal data
You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning yourself or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from you, any available information as to its source;
- the existence of automated decision-making, including profiling, as well as additional information in cases required by law.
We shall provide a free copy of your personal data undergoing processing and the information listed above. For any further copies you request we may charge a reasonable fee based on administrative costs.
10.2. Right to rectification.
If you believe the personal data we process is inaccurate, you have the right to obtain from us without undue delay the rectification of personal data concerning yourself. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
10.3. Right to withdraw a consent
In case we process your data based on your consent, you have the right to withdraw your consent at any time. After your withdrawal we shall cease all processing of your personal data based on consent, but the withdrawal of your con-sent shall not affect the lawfulness of processing based on consent before its withdrawal. Nevertheless we might continue processing same personal data as long as there is another basis for the processing (different than consent) and/or one of the exceptions under art. 10.5 are present (e.g. your personal data is necessary to provide the service you have requested from us).
10.4. Right to object
You have the right to object at any time to processing of your personal data which is based on public interest or our legitimate interests, in case you believe such processing in your particular case is incompatible to the protection of your interests and fundamental rights and freedoms. We shall no longer process the personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes (e.g. processing personal data for the purpose of sending electronic newsletters), you have the right to object at any time to processing of your personal data for such marketing, and we shall immediately cease that processing. Except the objection above, you could request the termination of processing for the purposes of electronic newsletters by unsubscribing from all newsletters using the unsubscribe link available in every newsletter we send you.
10.5. Right to erasure
General rule. You have the right to obtain from us the erasure of your personal data without undue delay and we have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you have withdrawn the consent on which the processing is based, and where there is no other legal ground for the processing;
- you have objected to the processing pursuant to Article 10(4) and there are no overriding legitimate grounds for the processing;
- the personal data has been unlawfully processed;
- the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
Exceptions to the rule. Your right to obtain erasure shall not apply and we are not obliged to erase the data, to the ex-tent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Usit Colours;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the General Data Protection Regulation;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the General Data Protection Regulation as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defence of legal claims.
10.6. Right to restriction of processing
You have the right to obtain from us restriction of processing, with the exception of storage, where one of the following applies:
- the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- we no longer need the personal data for the purposes of the processing, but we are required by you for the establishment, exercise or defence of legal claims;
- you have objected to processing pursuant to Article 10(4) pending the verification whether our legitimate grounds override yours.
Where processing has been restricted as described above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
10.7. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where:
- the processing is based on consent or on a contract between you and Usit Colours; and
- the processing is carried out by automated means.
In exercising your right to data portability you have the right to have the personal data transmitted directly from Usit Colours to another controller, where technically feasible.
10.8. Right to lodge a complaint with a supervisory authority
If you consider that the processing of personal data relating to you infringes applicable legislation, including, but not limited to General Data Protection Regulation and Personal Data Protection Law, you have the right to lodge a com-plaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
The competent supervisory authority in the Republic of Bulgaria is Commission for Personal Data Protection.