PRIVACY SUBRA PREMIUM CLUB

PRIVACY NOTICE

(CLUB CARD SUBRA)

(information provided pursuant to Article 13 of the GDPR)

 

Name and address of the data controller

Alta Mar Ltd.

gr. Sofia, bul. "Bulgaria" № 118, Abacus Business Center, fl. 3

Tel: 02/854 97 01

DLDD: gdpr_contact@subra.bg

Who we are and what we offer

Alta Mar Ltd. is a trading company that offers its customers a value-added service consisting in the provision of preferential conditions for the purchase of products on the spot in retail outlets operating under the brand name "SUBRA Pharmacies".

Customers may use preferential terms for the purchase of certain goods or products in the specified outlets, based on the possession of an active club card "SUBRA" and in accordance with the conditions for its use.

The club card can be requested digitally via the Subra Pharmacies website www. Subra.bg using a QR code.

In essence, this is a contract with you under which Alta Mar Ltd. provides you with preferences ("loyalty program") provided that you shop at the outlets united by the SUBRA brand.

This privacy notice applies only to your use of a SUBRA Club Card and the rights you have in relation to it.

In case you want to shop in the e-pharmacy at - subra.bg, please read the following privacy notice.

It also contains the necessary information regarding the use of the website on which you register your Club Card, insofar as specific information relating to the registration of the Client Card on that website is not contained in this Privacy Notice.

What we process your personal data for

We are required by law to identify on which lawful basis we process different categories of personal information and to notify you of the basis and our purposes in relation to each category of personal data processed.

If the basis on which we process your personal information is no longer applicable, we will immediately stop processing your data.

If the basis changes, then, if required by law, we will notify you of the change, as well as any new basis on which we have determined that we can continue to process your information.

Processing of personal data based on a contractual or pre-contractual relationship

When you register your Subra card, or request a Subra digital card, purchase a product or service from us or otherwise use the website - subra.bg, you agree to our terms and conditions as a prerequisite for entering into a contract between you and us.

In order to enter into this contract, and to perform our obligations under it, we need to process certain information, including information that is provided by you. Some of this information may be personal data.

We may use the data you provide to:

  • making a sale or supplying products that we offer;
  • provide you with other ancillary services;
  • send you suggestions or advice about our products, services, including how to make the most of the features available when using our website.

We will continue to process this information until the contract between us ends or is terminated by either party in accordance with the terms of the contract. We may continue to process some personal data in order to comply with legal requirements (e.g. for tax purposes).

Based on consent

By taking certain actions that do not arise from a contractual relationship between us, for example when you ask us to provide you with more information about our business, including our products and services, through direct marketing, you consent to us processing information that may constitute personal data.

For example, when using the Subra Club Card, we may process your personal data for direct marketing purposes, but only after obtaining your consent.

Sometimes you may give your consent indirectly, such as when you send us an email to which you reasonably expect us to respond.

Except where you consent to the use of your information for a specific purpose, we do not use your information in a way that personally identifies you.

We continue to process your information on this basis until you withdraw your consent or it can be reasonably assumed that your consent no longer exists.

You can withdraw your consent at any time by informing us in the following ways: send an email to marketing@subra.bg

However, if you do so, you may not be able to use our website or our services as fully as you did before you withdrew. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.

Based on a legal obligation

Sometimes we need to process your information to comply with a legal obligation.

For example, we may need to provide information to the judicial authorities if they request it or if they have a relevant document - e.g. a warrant, search warrant or court order.

On the grounds of a legitimate interest

We may process information on the basis of a legitimate interest for you or for us. For example, we may process your data for the purposes of:

Accountability for the proper and necessary administration of our business;

  • optimizing our business processes;
  • analyses of consumer behaviour;
  • a response to an unsolicited communication from you to which we believe you expect a response;
  • protecting and promoting the legal rights of any party;
  • protect your interests where we believe we have a basis and duty to do so.

Your data may be processed in connection with the acquisition, merger, division or liquidation of the company or part of its business by third parties, in which case we rely on our legitimate interest.

It is also possible that your data may be processed within the group of companies to which Alta Mar Ltd belongs or which belong to it, for internal administrative purposes, in which case we rely on our legitimate interest. This includes hypotheses related to the use of the www.subra.bg website in connection with the registration of your card, where your data is shared with the company maintaining said website.

Categories of data we process:

  • Customer's personal details - name, phone number, email address;
  • Data on purchases of goods and services by the customer.

Legitimate interest of the controller or of a third party

When we process personal data, our legitimate interest is based on:

  • managing our business processes for the benefit of all our employees and/or owners;
  • optimizing our business processes.

Recipients or categories of recipients of your personal data

These can be:

  • Employees of Alta Mar Ltd;
  • Data processors on behalf of Alta Mar Ltd;
  • Alta Mar Ltd related companies;
  • Entities that maintain our information systems;

(The categories referred to here also include those who process data on the website on which the club card registration takes place, as well as those who process data in the outlets using the Subra trademark)

Transfer of data to a third country or to an international organisation

Alta Mar Ltd does not transfer your data to a third country or to an international organisation.

Period for which the personal data will be stored

Unless otherwise stated in this privacy notice, we only retain your personal data for as long as required by us:

  • provide you with the goods/services you have requested;
  • comply with other laws, including for the period required by tax or other public authorities;
  • in connection with a possible claim or defence in court.

Special cases of deletion of data

In the event that your Club Card becomes invalid (in accordance with its terms of use), the personal data associated with it and provided by you will be deleted. Your purchase data will also be deleted on the basis that it has expired.

Right in respect of consent

You, as our customer, have the right to withdraw the consents you have given at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

Rights you have in relation to the personal data you provide

You, as our customer, and in relation to the personal data you have provided to us, have the right to request from us access to, rectification or erasure of your personal data, or restriction of its processing, as well as the right to object to the processing of your data, and also the right to data portability.

The right to complain to a supervisory authority

You have the right to complain to a supervisory authority. The supervisory authority in the Republic of Bulgaria under the applicable law is the Commission for Personal Data Protection.

Provision of personal data

The provision of personal data derives from a contractual requirement in view of the need to perform the services originating from the club card.

Information when registering your club card via the www.subra.bg website.

Cookies

The website www.Subra.bg use cookies. "Cookies are text files that are stored on a computer system via an internet browser.

Many websites and servers use cookies. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that can be assigned by websites and servers to the specific Internet browser in which the cookie is stored. This allows the visited websites and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified by the unique identifier of the cookie.

Through the use of cookies, we can provide the users of this website with more user-friendly services that would not be possible without the cookie setting.

With the help of a cookie, the information and offers on our website can be optimized with regard to the data subject. "Cookies allow us, as already mentioned, to recognize users of our website. The purpose of this recognition is to make it easier for users to use it. The data subject of a website that uses cookies, for example, does not need to enter access data each time the website is called up, because this is taken over by the website and so the cookie is stored on the data subject's computer system. Another example is the cookie on a shopping cart in an online store. The online shop remembers the products that the customer has placed in a virtual shopping cart via a cookie.

The data subject may, at any time, stop the use of cookies on our website by setting the Internet browser used accordingly and thereby permanently refuse the setting of cookies. In addition, cookies that have already been set can be deleted at any time via an internet browser or other software programs. This is possible with all popular internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website can be used in full.

Collection of general data and information

The website collects a series of general data and information when a user or automated system calls up the website. This general data and information is stored in the server log files. The data collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which our website is accessed (the so called. References), (4) sub-pages, (5) the date and time of access to the website, (6) the Internet Protocol address (IP address), (7) the Internet service provider of the access system and (8) any other similar data and information that can be used in the event of attacks on our information technology systems.

When using these general data and information, the controller of the www.subra.bg website Flavia Pharma Ltd does not draw any conclusions about the data subject. Rather, this information is necessary in order to (1) provide our website content correctly, (2) optimize our website content as well as our website advertising, (3) ensure the long-term viability of our information technology and web technologies , and (4) provide law enforcement with the necessary information needed to prosecute a cyber-attack. Therefore, Flavia Pharma Ltd analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous server log data is stored separately from any personal data provided by users.

Registration on our web page

The data subject has the possibility to register on the website of the controller by providing personal data. Which personal data is transmitted to the controller is determined by the respective input mask used for registration. The personal data entered by the data subject shall be collected and stored exclusively for the controller's internal use and for the controller's own purposes. The controller may transfer data to sub-providers (e.g. courier services) who also use personal data for an internal purpose that is inherent to the controller.

By registering on the administrator's website, the IP address assigned by the Internet Service Provider (ISP) and used by the ISP is also saved, as well as the date of registration. The storage of this data is conditional, as it is the only way to prevent the misuse of our services and, if necessary, to enable the investigation of crimes committed. The storage of this data is necessary for the security of the controller.

The purpose of the voluntary registration of the data subject is to enable the controller to provide the data subject with content or services that can only be offered to registered users. Registrants may change the personal data provided at the time of registration at any time or have them deleted from the controller's records completely.

The controller shall at all times provide information on request to any data subject as to what personal data is held about the data subject. The data controller shall rectify or erase the personal data at the request or indication of the data subject, insofar as there are no legal obligations to retain.

Subscribe to our newsletter

On the website www.subra.bg of Flavia Pharma Ltd, users are given the opportunity to subscribe to our company newsletter. The input mask used for this purpose determines which personal data is transmitted as well as when the newsletter is requested.

Flavia Pharma Ltd. informs its customers and business partners on a regular basis via a newsletter about offers. The enterprise newsletter may only be received by the data subject if (1) the data subject has a valid e-mail address and (2) the data subject has opted in to receive the newsletter. The confirmation e-mail address will be sent to the e-mail address registered by the data subject for sending the newsletter. This email will also contain a link to unsubscribe in case of a wrong email being submitted. This confirmation email is used to prove whether the owner of the email address as data subject is authorised to receive the newsletter.

At the time of registration for the newsletter, we also store the IP address of the computer system assigned by the Internet service provider (ISP) and used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to understand the (possible) misuse of the data subject's e-mail address at a later date, and serves the purpose of the controller's legal protection.

The personal data collected as part of the newsletter registration will only be used to send you our newsletter. In addition, subscribers to the newsletter may be informed by e-mail insofar as this is necessary for the operation of the newsletter or the registration in question, as this may occur in the event of changes to the newsletter offer, or in the event of a change in technical circumstances. There will be no transfer of personal data collected by the newsletter to third parties. Subscription to our newsletter may be terminated by the data subject at any time. The consent to the storage of personal data, which the data subject has provided for the sending of the newsletter, may be withdrawn at any time. For the purpose of revoking consent, a corresponding link is provided in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly on the website of the controller, or to communicate this to the controller by another means.

Newsletter tracking

The Flavia Pharma Ltd newsletter contains so-called tracking pixels. A tracking pixel is a miniature image embedded in such emails, which are sent in HTML format to allow the recording and analysis of records. This allows statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, Flavia Pharma Ltd can see if and when an email was opened by a data subject, and which links within the email were called up by data subjects.

Such personal data collected in tracking pixels contained in newsletters shall be stored and analyzed by the controller in order to optimize the sending of the newsletter, as well as to further tailor the content of future newsletters to the interests of the data subject. These personal data will not be transferred to third parties. Data subjects have the right to revoke the respective individual declaration of consent issued via the double opt-in procedure at any time. After cancellation, these personal data will be deleted by the controller. Flavia Pharma Ltd automatically regards a withdrawal from receiving the newsletter as a revocation of the subscription.

Possibility of contact via the website

The website of Flavia Pharma Ltd contains information that allows a quick electronic contact with our company, as well as direct communication with us, which also includes a general address of the so-called e-mail marketing@subra.bg. If the data subject contacts the controller via e-mail or via a contact form, personal data transmitted by the data subject will be automatically stored. Such personal data transmitted voluntarily by a data subject to the controller shall be stored for the purpose of processing or contacting the data subject. There shall be no transfer of such personal data to third parties.

Flavia Pharma Ltd's website also provides the ability to be contacted via a third party application provided by Zendesk. In this case, Flavia Pharma Ltd continues to be the controller of the personal data submitted through the application and has taken all possible measures to ensure Zendesk's eligibility as a data controller. Zendesk also use cookies to enable the provision of the service.

Add products to "Favorites"

The data subject may register his or her own preferred products on the page that are associated with his or her profile. The storage of this data helps the user to navigate the page more easily, as well as to target special offers, when and if available, for the products he prefers. The control of the content in "Favorites" is with the user. It is possible for the administrator to delete products, which also breaks the link between the data subject and the product placed in the "Favourites".

Routine erasure and blocking of personal data

The controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of the storage or for as long as specified by the applicable legislation.

If the retention purpose is not applicable or if the retention period specified in a legal act expires, the personal data is routinely blocked or deleted in accordance with legal requirements.

Data protection provisions on the application and use of Facebook

On this website, the administrator uses integrated components of the company Facebook. Facebook is a social network.

A social network is a social meeting place on the Internet, an online community that typically allows users to communicate with each other and interact in a virtual space. A social network can serve as a platform for exchanging opinions and experiences or enable the Internet community to provide personal or business related information. Facebook allows social networking users to include the creation of private profiles, upload photos, and build a network of acquaintances through friend requests.

The address of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.

Each time you access one of the individual pages of this Internet website, which is operated by the controller and in which a Facebook component (Facebook plug-ins) is integrated, the web browser of the information technology of the data subject is automatically prompted to download the display of the corresponding Facebook component from Facebook via the Facebook component. An overview of all Facebook plug-ins can be found at https://developers.facebook.com/docs/plugins/. During this technical procedure, Facebook is informed which specific sub-site of our website has been visited by the data subject.

If the data subject is logged in to Facebook at the same time, Facebook detects each time the data subject calls up our website - and for the entire period of residence on our website - which specific sub-site of our website was visited by the data subject. This information is collected via the Facebook component and associated with the respective Facebook account of the data subject.

Facebook always receives, via the Facebook component, information about a visit to our website from the data subject when the data subject is logged in simultaneously on Facebook at the time of selecting our website. This takes place regardless of whether the data subject clicks on the Facebook component or not. If such a transmission of information to Facebook is undesirable for the data subject, he or she may prevent this by logging out of their Facebook account before accessing our website.

The data protection guide published by Facebook, which is available at https://facebook.com/about/privacy/, provides information on the collection, processing and use of personal data by Facebook. There you can also find what setting options Facebook offers to protect the privacy of the data subject. Various configuration options are available that allow the removal of data transmission to Facebook. These applications can be used by the data subject to remove data transmission to Facebook.

Data protection provisions regarding the implementation and use of Google Analytics (with anonymisation feature)

On this website, the administrator has integrated the Google Analytics component (with the anonymity feature). Google Analytics is a web analytics service. Web analytics is the collection and analysis of data about the behaviour of visitors to websites. The web analytics service collects, along with other data, data about the website from which a person came (the so-called referrer), which sub-sites were visited or how often and for what duration the sub-sites were viewed. Web analytics are mainly used to optimize a website and to perform cost-benefit analysis of Internet advertising.

The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

For web analytics via Google Analytics, the administrator uses the "_gat. _anonymizeIp". With the help of this application, the IP address of the Internet connection of the data subject is shortened by Google and anonymised when accessing our websites from a Member State of the European Union or from another country under the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyze traffic on our website. Google uses the data and information collected, including to evaluate the use of our website and to provide online reports that show the activities on our websites and to provide other services related to the use of our website for us.

Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. By setting the cookie, Google can analyse the use of our website. Whenever you call up one of the individual pages of this website, which is operated by the controller and in which a Google Analytics component is integrated, the Internet browser of the information technology of the data subject will automatically send data via a Google Analytics component for the purposes of online advertising and the settlement of Google commissions. During this technical procedure, the Google enterprise acquires knowledge of personal information, such as the IP address of the data subject, which serves Google, among others, to understand the origin of visitors and clicks.

"The cookie is used to store personal information, such as the time of access, the location from which access was made and the frequency of visits to our website by the data subject. Whenever you visit our website, such personal data, including the IP address of the Internet access used by the data subject, will be transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may transmit these personal data collected through the technical procedure to third parties.

The data subject may, as stated above, prevent the setting of cookies via our website at any time by making the appropriate adjustment to the web browser used and thereby permanently refuse the setting of cookies. Such a setting in the Internet browser used would also prevent Google Analytics from setting a cookie in the information technology system of the data subject. In addition, cookies already used by Google Analytics can be deleted at any time via a web browser or other software programs.

Furthermore, the data subject has the possibility to object to the collection of data generated by Google Analytics, which is related to the use of this website, as well as to the processing of this data by Google and the possibility to exclude such processing.  For this purpose, the data subject must download the browser add-on under the link https://tools.google.com/dlpage/gaoptout and install it. This browser add-on instructs Google Analytics via JavaScript that all data and information about website visits should not be transmitted to Google Analytics. Installing the browser add-ons is considered an objection to Google. If the data subject's information technology system is later deleted, formatted or newly installed, then the data subject must reinstall the browser add-ons to disable Google Analytics. If the browser add-on has been uninstalled by the data subject or another competent person, or disabled, it is possible to perform a reinstallation or reactivation of the browser add-ons.

Further information and the applicable Google data protection regulations can be downloaded at https://www.google.com/intl/bg/policies/privacy/ and at http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following link https://www.google.com/analytics/.

Data protection provisions regarding the application and use of Google+

On this website, the administrator has integrated the Google+ button as a component.

Google+ is a social network.

A social network is a social meeting place on the Internet - an online community that typically allows users to communicate with each other and interact in a virtual space. A social network can serve as a platform for exchanging opinions and experiences or enable the Internet community to provide personal or business-related information. Google+ allows users of the social network to include the creation of private user profiles, upload photos, and build a network of acquaintances through friend requests.

Google+ is operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Whenever you call up one of the individual pages of this website, which is managed by the controller and on which a Google+ button is integrated, the Internet browser of the information technology of the data subject automatically downloads a screen with the corresponding Google+ button of Google via the corresponding Google+ button component. During this technical procedure, Google is informed which specific sub-site of our website has been visited by the data subject. More detailed information about Google+ can be found at https://developers.google.com/+/.

If the data subject is logged in to Google+ at the same time, Google recognizes at each call-up to our website the data subject and, for the entire duration of his or her stay on our website, which specific pages of our website were visited by the data subject. This information is collected via the Google+ button and Google compares it with the corresponding Google+ profile associated with it.

Via the Google+ button, Google receives information that the data subject has visited our website if the data subject is logged in to Google+ at the time of calling up our website. This occurs regardless of whether or not the data subject clicks on the Google+ button.

If the data subject does not wish to transmit personal data to Google, he or she may prevent such transmission by logging out of his or her Google+ account before calling our website.

Further information and Google's data protection regulations can be retrieved at https://www.google.com/intl/bg/policies/privacy/ . Additional references from Google for the Google+ button can be obtained at https://developers.google.com/+/web/buttons-policy.