DATA PROTECTION POLICY OF UPASS LTD FOR THE DATA COLLECTED VIA THE URBO PLATFORM
1. DEFINITIONS
1.1. GDPR or “The Regulation” means Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
1.2. “Employee” means a person that has a labor contract with the Data Controller
1.3. “Data” or “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4. “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
1.5. “Data subject” or “personal data subject” means any person, whose data are processed by the Controller.
1.6. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.8. “Controller” or “UPASS” means UPASS Ltd, registered with UIC 203501292, address: 3 Dobromir Hriz Street, Sofia, Bulgaria
1.9. “URBO” means a technology platform, developed by UPASS to provide services to end users, accessible via Internet and/or mobile applications for the iOS and Android operating systems.
1.10. “Client” means a person who uses or has used the services, provided by the Controller via the URBO platform.
1.11. “Policy” means this Data Protection Policy.
1.12. “The Services” mean services provided by UPASS or third party providers via the URBO platform which may include:
• arranging and scheduling transportation;
• paying for parking in paid parking zones;
• car and/or bike sharing services;
• news and current information about a town or resort;
• location and directions to important tourist attractions, administrative offices, business centers, etc.;
• offering tickets, passes or other means of access to events and/or attractions;
• other services for end users
2. GENERAL TERMS
2.1. This policy regulates the processing of data by the company UPASS Ltd, registered in the Trade Register of the Registry Agency of the Republic of Bulgaria with identification number 203501292 (“UPASS”).
2.2. As a personal data controller, UPASS follows the principles described below:
2.2.1. personal data are processed only when there are legal grounds for the processing;
2.2.2. personal data are processed only for specific and clearly defined purposes;
2.2.3. only the minimum amount of data required for the purposes described in the previous paragraph is processed;
2.2.4. UPASS undertakes reasonable measures to keep personal data correct and current, as well as to delete Data without undue delay after the legal grounds for the processing have expired, unless UPASS is obliged to keep the data for archival purposes.
2.2.5. personal data are processed in a manner that guarantees an appropriate level of security, including protection against unauthorized and unlawful processing and against accidental loss, deletion or damaging of data, by applying appropriate technological and organizational measures.
2.3. The Controller is responsible and must be able to prove the keeping of the principles, described above.
2.4. The Controller processes personal data for the purposes of identifying and communicating with the Clients, entering into, managing and performance of contracts for the provision of the services that UPASS provides, undertaking own activities (direct marketing), performing the legal obligations of the Controller and prevention, detection, investigation or prosecution of any sort of breach or violation of applicable rules, accomplished through unlawful use of our services, that may cause harm to UPASS, its partners, clients or any other person.
2.5. This policy contains the main principles and procedures for collecting, processing and storing the personal data of the users of the URBO platform, developed, maintained and provided by the Administrator via internet or mobile applications. Before using the platform, you must carefully read this policy. When creating their user profile in the platform, data subjects are able to give consent for the processing of their personal data by the Controller. Giving this consent binds the data subject with the terms of this policy.
2.6. The data subject may not use URBO if he has not familiarized himself with the Policy and/or does not accept it. For that reason, before using the platform, the Controller requires the Clients to agree with the terms of the Policy. In case a user does not agree with the terms of the Policy or a certain part thereof, he will not have the right to use URBO and/or the services, provided via the platform.
2.7. In order to give their consent for the processing of data and to accept the terms of this Policy, the Clients must be at least 18 years old or must be considered adults according to the laws of their country. The Controller may require data for the identification of the Clients in order to ensure they are adult persons at the time of giving the consent.
2.8. The URBO platform provides services, which require the sharing of data with third parties (i.e. registration via Facebook or Google profiles). The Controller notifies the Clients in advance about the cases when their data may be shared with third parties and indicates who these parties are. The Clients may check the applicable data protection terms and policies of these parties at any time.
2.9. Before requiring the consent for data processing, the Controller provides the following information to the Data subjects:
2.9.1. the identity and the contact details of the Controller and, where applicable, of the controller's representative;
2.9.2. the contact details of the data protection officer, where applicable;
2.9.3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
2.9.4. the types and categories of personal data, for which the consent is asked;
2.9.5. the recipients or categories of recipients of the personal data, if any;
2.9.6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2.10. The data are kept for periods, specified for each type of data in this Policy. The data are stored in accordance with the procedures, specified herein.
2.11. Irrespective of the terms of this Policy, the Controller has the right to transfer data to public authorities when the data are requested by such authorities when exercising their lawful rights (i.e. bodies of the Ministry of Interior Affairs, investigative authorities, prosecutors’ office or court for the purpose of civil, administrative or criminal proceedings as evidence or in any other cases, specified by law).
3. TYPES OF PROCESSED PERSONAL DATA
3.1. UPASS provides to Clients the technology platform URBO that enables users of URBO's mobile applications or websites to use the Services, provided by URBO or third party providers of such services. Unless otherwise explicitly stated in an agreement between you and UPASS, the Services are provided exclusively for personal non-commercial use.
3.2. In order to provide the services, the Controller processes or may process the following Data of Clients:
• Name;
• Surname;
• Date of birth;
• E-mail address;
• Phone number;
• Data regarding the payment cards used;
• Registration number of the Client’s vehicle;
• Location of the Client or the Client’s vehicle;
• Duration of the Client’s stay or the Client’s vehicle’s stay at a certain location;
• The Client’s public profiles in social networks.
3.3. For the purpose of direct marketing the Controller processes or may process the following Data of the Clients:
• Name;
• Surname;
• E-mail address;
• Phone number;
• Address.
3.4. In order to receive information about the services, offered by the Controller, the Client must give his/her consent for the processing of his/her data for the purpose of direct marketing. This consent can be given at the moment of registration or at any time after that, when the Client enters his/her user profile and chooses the function to receive marketing messages.
3.5. The data described in Articles 3.2. and 3.3. are received directly from the Client. In the event the Client is a legal entity, they may provide the Controller with data, relating to other persons (employees of the Client). In such cases, the Client has to inform their employees about the data provided to UPASS and provide UPASS with contact information of the physical persons – Data subjects, so that UPASS can give them the information, required under GDPR.
3.6. The legal grounds for the processing of data are:
- Article 6, paragraph 1 a) of GDPR (consent of the Client to the processing of his/her personal data for one or more specific purposes)
- Article 6, paragraph 1 b) of GDPR (processing, necessary for the performance of a contract)
- Article 6, paragraph 1 f) of GDPR (processing, necessary for the purposes of the legitimate interests pursued by the controller or by a third party)
3.7. The Controller processes the Personal data of the Clients for the following purposes:
3.7.1. identifying the Clients;
3.7.2. entering into, managing and performance of contracts for the provision of the services that UPASS provides;
3.7.3. communicating with and notifying the Clients in connection with using the services;
3.7.4. ensuring the normal functioning and use of URBO by each Client;
3.7.5. managing and supporting the Services, including detecting and solving technical or functional problems, developing and improving the Services.
3.7.6. receiving and processing signals, complaints or requests by Clients;
3.7.7. direct marketing (notifying the customers for changes in the services, new services, etc.);
3.7.8. solving disputes between Clients or between a Client and the Controller;
3.7.9. prevention, detection, investigation or prosecution of any sort of breach or violation of applicable rules, accomplished through unlawful use of our services, that may cause harm to UPASS, its partners, customers or any other person.
3.7.10. fulfilling legal obligations of the Controller.
3.8. The processing of all or some of the abovementioned Data may be necessary for the purposes, described in Article 3.7.
4. SHARING PERSONAL DATA WITH THIRD PARTIES (RECIPIENTS)
4.1. In order to ensure the payment functionality for the Services, the Controller collects data for the payment cards, used by the Clients. These Data are input directly in the database of First Investment Bank, registered in the Trade Register of the Republic of Bulgaria with identification number 831094393. More details on the bank’s General Terms and Privacy Policy including data protection can be found at FIB’s website (www.fibank.bg).
4.2. For storing the processed Data, the Controller uses servers, situated in the Federal Republic of Germany, owned by Amazon Web Services, Inc. (“Amazon”), registered in the United States of America with tax No NTT0415USASR008. The data are stored encrypted, so that they can’t be read by Amazon. More information about the Privacy Policy and the protection of data by Amazon Web Services can be found at https://amazonsellermastery.teachable.com/p/privacy
4.3. The Controller may share the Clients’ e-mail addresses with Facebook, Twitter, Instagram, Viber and Google for the purpose of direct marketing and organizing games and campaigns via the social networks and platforms, created and supported by these entities. These data can only be used for the purpose of campaigns, organized by UPASS and cannot be used by any other person or for other purposes.
4.4. Data sharing is suspended at the moment of withdrawal of the Client’s consent. Within 3 days of the withdrawal, UPASS notifies the Recipients of the withdrawal and of the necessity to delete the Data shared by UPASS, unless the same Data are processed by the Recipient on other legal grounds. Sharing data with Amazon Web Services for the purpose of their storage is required for URBO’s functioning. Therefore, withdrawal of the consent for that sharing is only possible when the Client stops using the App (deletes his/her user profile).
4.5. The Controller enters into contracts with the Recipients, which guarantee providing the level of data protection required by GDPR.
4.6. A full list of the Recipients, the types of Data and the purposes, for which Data may be shared, can be found at the following address: www.urboapp.com. The Collector keeps the list up to date and notifies the Clients and asks for their consent before sharing the Data with a new Recipient, which has not been in the list at the time when the initial consent for data processing was given by the Client.
5. PROCESSING DATA ON BEHALF OF THIRD PARTIES
5.1. UPASS may process data on behalf of third parties – Service providers. In such cases, UPASS acts as a data processor within the meaning of Article 4 paragraph 8 of GDPR.
5.2. When collecting data on behalf of third parties, UPASS notifies the Data subjects of the types of collected data, identification of the data controllers and ways to contact them and the purpose of collecting the data.
5.3. In the events, described in this paragraph the third parties – Service providers are responsible for keeping their obligations as data controllers and for applying the required level of data protection.
5.4. The data described in this paragraph may include such data that UPASS does not collect and process as a data controller, i.e. data regarding users’ health or other specific categories of data. Such data are only processed after the User’s explicit consent.
6. TERMS FOR KEEPING THE DATA
6.1. The Collector keeps the Clients’ Data for as long as they have a user profile, registered in URBO’s system.
6.2. The Data are rectified or deleted in the moment the Client does the respective action within the profile settings in URBO’s app or website. Rectifying or deleting the Data and their backup copies may require technical time, in accordance with the policy of the servers’ owner, but can be no longer than 30 days from the Client’s request, made by performing the specific action within URBO’s user profile settings.
6.3. In case that at the time the Client deletes his/her profile, they have an unresolved argument with UPASS about payments or compensations for damages, the data are kept for a term of three months after resolving the matter with a written agreement or a final court judgement.
6.4. In case there is an ongoing investigation for fraud or breach of applicable laws against a Client by competent authorities and UPASS has been notified about the investigation by these authorities, UPASS keeps the Client’s data for a term of three months after the investigation is complete.
6.5. Upon the expiration of the described terms, the Personal data are deleted by the Controller in a way that doesn’t allow for them to be recovered or reproduced.
6.6. The Data, processed by URBO on behalf of third parties are processed under the terms and conditions, set by such third parties.
7. DATA SUBJECTS’ RIGHTS
7.1. The data subject has the following rights, according to GDPR:
7.1.1. Right to be informed – to receive information as to whether or not personal data concerning him or her are being processed by the Controller, and, where that is the case, the term for keeping the data and the Recipients they are shared with;
7.1.2. Right to access – to receive a copy of the Data concerning him/her, processed by the Controller;
7.1.3. Right to erasure, when one of the requirements of Article 17, para 1 of GDPR is met;
7.1.4. Right to rectification – to request from the Controller to rectify without undue delay any data, concerning him/her;
7.1.5. Right to request the restriction of processing the Data by the Controller in any of the cases, described in Article 18, para 1 of GDPR;
7.1.6. Right to portability - to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller;
7.1.7. Right to object to the processing of Data concerning him/her which is based on point (e) or (f) of Article 6, paragraph 1, including profiling based on those provisions;
7.1.8. The right not to be subject to a decision based solely on automated processing, including profiling.
7.2. When Clients exercise the rights, described in 6.1., the Controller fulfills his obligations according to GDPR in the following terms after receiving a request from a Data subject:
Request from the data subject: Term
• Right to information: 14 days
• Right to access: 14 days
• Right to rectification: In the user profile - immediately; on the servers, used by UPASS – the technical period, required for the rectification, but no longer than 30 days
• Right to erasure: In the user profile - immediately; on the servers, used by UPASS – the technical period, required for the erasure, but no longer than 30 days
• Right to restriction of processing: 3 days
• Right to data portability: 14 days
• Right to object: 14 days
7.3. Exercising the rights of Data subjects, described above, is free of charge.
7.4. When the requests from a Data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller has the right to refuse to act on the request of the Data subject or to charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested.
7.5. Requests for exercising the rights of Data subjects under GDPR are sent to the data protection officer and where no such person is appointed – to the person mentioned in Article 10.1.
7.6. In order to ensure the grounds of a request and to protect the data of third parties, the Controller may request the names, personal ID number and/or ID card number of the Data subject when he/she exercises one of their rights according to GDPR, for the purpose of identifying the Data subject. These data are kept by the Controller for one year after the filing of a request for exercising a right under GDPR and may be used only for the purpose of identifying the Data subject in the event of a signal for any breach or fraud, committed by him/her in connection with the request.
7.7. The Controller notifies each Recipient, with whom Data have been shared, of every rectification, erasure or restriction of processing, unless this is impossible or involves disproportionate effort. The Controller informs the Data subject about those Recipients if the Data subject requests it.
8. DATA PROTECTION OFFICER
8.1. In the event a data protection officer is appointed, the Controller notifies the Data subjects and informs them about the contact data of the data protection officer.
8.2. The data protection officer has the rights and obligations, described in GDPR and this Policy, as well as in his/her job description, in case the officer is an employee of the Controller or in the service contract, in case the officer performs his/her activities under a service contract.
9. DATA SECURITY BREACH
9.1. In case the Controller’s employees, who have access to Data, notice any security breach (action or inaction by any person that may lead to or has led to a risk for the security of Personal data), they immediately inform the Controller and the specified contact persons, as well as the data protection officer, where there is one.
9.2. The Controller makes the decisions regarding the necessary measures for coping with the data security breach and its consequences, as well as notifying the concerned subjects, where applicable, by taking into account the possible risks of data security breach, the impact of the breach and the possible implications and damages, resulting from it.
9.3. Where applicable, the Controller notifies the Commission for Personal Data Protection immediately, but no later than 72 hours from becoming aware of the breach. The notification includes:
9.3.1. a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
9.3.2. contact details of the data protection officer or other contact point where more information can be obtained;
9.3.3. a description of the likely consequences of the personal data breach;
9.3.4. a description of the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.4. In the events described in the previous article, the Controller notifies the affected Data subjects about the breach without undue delay but no later than one week after becoming aware of the breach.
9.5. Where the affected Data subjects cannot be determined, the Controller notifies those Data subjects, which are most likely to be affected by the breach.
9.6. In the events described in the previous article, as well as when notifying the affected Data subjects would require disproportionate effort, the Controller makes a public announcement or undertakes another similar measure to effectively inform the Data subjects.
10. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES FOR PERSONAL DATA SECURITY
10.1. The technical and organizational data security measures, taken by the Controller, guarantee a level of data security, according to the nature of data, processed by the Controller and the risks of the processing and include, but are not limited, to those described in this section.
10.2. Data security measures include at least:
10.2.1. Administrative measures (establishing a procedure for the security of documents, computer data and archives, organizing the work in different areas of activity, training the employees etc.);
10.2.2. Technical and software protection (administration of servers, information systems and databases, workplace support, operating systems defense, observation (control) of user access, computer virus protection, encrypting the memory of devices that hold personal data, etc.);
10.2.3. Contractual measures (entering into contracts or agreements with all Recipients and persons, who may get access to personal data in connection with providing services to the Controller, which guarantee that these persons apply a level of data protection in accordance with GDPR).
10.3. The Controller implements a data recovery procedure in the event of incidental loss of data. The Controller creates backup copies of the data, present in his system. Data are recovered according to the internal procedure, using Amazon Web Services software from backup libraries.
10.4. The data security measures the Controller takes include:
10.4.1. Using VPN technology for remote access to the internal network of the Controller;
10.4.2. Using a digital certificate to identify the users who gain access to the Controller’s database;
10.4.3. Registering the access to the Personal data, processed by the Controller, including access identifier, date, time, duration, result of access attempt (successful, unsuccessful). The records are kept by the Controller for at least 1 year after each access to data;
10.4.4. Restricting the access to premises where devices, used for storing and processing Data are kept, only to persons, appointed by the Controller to perform processing activities;
10.4.5. Using security protocols and/or passwords when transferring data via external networks;
10.4.6. Controlling the security of data stored on external drives or e-mail, erasing them after processing and transferring them to the database of the Controller;
10.4.7. Recording all actions, connected with restoring Data (who, when and by what means has performed the actions).
10.5. Personal data, collected in electronic form, are not printed and stored in paper form, unless that is specifically requested by the Data subject or by a public authority within its competence or is required in order to fulfil a legal obligation of the Controller under GDPR or the national legislation.
11. CONTACT DATA
11.1. For more information regarding personal data, processed by the Controller, regarding GDPR or this Policy, as well as for exercising the rights of Data subjects under GDPR, the Controller assigns the following contact point:
Andrey Rumenov Lilov
e-mail: office@urboapp.com
phone: 0700 70 270
12. FINAL PROVISIONS
12.1. This Policy may be amended by the Controller in the event of change in the scope of Data processed, the purposes and/or means of processing, changes in applicable data protection legislation, or other reasons.
12.2. The Policy and any amendments thereof are active from the date of their approval and publication on the Internet in such a way that makes them available to the users of URBO.
12.3. The Controller notifies the Data subjects about each change in the Policy. Insofar as such changes are unilateral acts of the Controller, an explicit consent with the changes may not be required. When the amendment is connected with a change in the scope of Data processed, the purposes and/or means of processing, the Controller asks for the consent of Data subjects before applying the change. In case the processing is required in order for the Controller to offer services via the URBO platform, the consent of Data subjects may be required in order to access the Platform.
12.4. If they believe there is a breach of applicable data protection laws, Data subjects may file a complaint to the Commission for Personal Data Protection. More information can be found at https://www.cpdp.bg/
12.5. The Controller is not responsible for the accuracy of Data, submitted by the Clients, does not perform any checks in this respect and cannot guarantee the true identity of the physical persons, who have submitted Data. In case of uncertainty, suspected or revealed breach or fraud, Data subjects may inform the Controller without prejudice to their right to file a complaint or signal the competent authorities.
12.6. Clients are responsible for any violations they have committed of other persons’ rights, with respect to the protection of their data or any other right.