Privacy Policy

PRIVACY POLICY

Thank you for visiting our website and/or using our products or services. The protection and confidentiality of your personal data is of particular importance for us.

With this policy, we aim to inform you about the processing of personal data that we collect from our users and customers of our software products, services and website (https://www.chaosgroup.com/), hereinafter reffered to as “the Products”, “the Services” or “the Website”.

Personal data covers all information related to an identified or identifiable individual. This includes information such as name, address, email, billing address or telephone number. Information that is not directly related to your identity, for example, the number of users on the Website does not fall within this category.

We respect the privacy of all users and customers. This Privacy Policy describes the ways and conditions under which we process and use your personal data. We recommend that you read this Privacy Policy to get more information about the processing of your personal data.

Governing law applicable to this Privacy Policy is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’ or ‘GDPR’) and the Bulgarian law.

Who is responsible for the processing of your personal data?

The data controller (hereinafter referred to as “Chaos Group”, “The Company” or “We”) in the sense of the GDPR and other national data protection laws of the member states as well as other data protection regulations is:

Chaos Software Ltd., UIC 131375768, a limited liability company incorporated under the laws of Republic of Bulgaria. 

Address: Bulgaria, Sofia 1729, Mladost district, Bld. 548, entr. B, fl. 2

Email: dpo@chaosgroup.com 

How to contact us?

If you have any questions and / or requests related to your personal data that the Company processes, you can contact us at: 147, Tsarigradsko shose Blvd., Inter Expo Center, 4th floor, 1784 Sofia, Bulgaria.    

You can contact our Data Protection Officer at the following email: dpo@chaosgroup.com 

Chaos Group respects the privacy of your personal information. The protection of your personal information throughout the entire process of processing personal data, as well as the security of all data processed by the Company, is an important issue for us. We process personally identifiable information collected during your visit to our Website and/or use of our Products and Services in accordance with national and European law.

Special Notice - if you are under 14 years old.

Our Products and Services are not aimed at children under 14 years old and we will not deliberately collect, use, provide or process in any other form any personal information of children under the age of 14. We therefore also ask you, if you are under 14 years old, please do not send us your personal information (for example, your name, address and email address).

If you are under 14 years old, and you nevertheless wish to ask a question, buy our Products or use our Services in any way which requires you to submit your personal information, please get your parent or guardian to do so on your behalf.

What is the nature of this Privacy Policy?

This Privacy Policy aims to provide you with comprehensive information in a clear and understandable language about what actions are taken with the personal data you provide to us, including:

  • What personal data do we process?
  • For what purposes do we process your personal data?
  • For how long do we keep the personal data you provide?
  • Whom we share your personal information with?
  • What are your rights regarding your personal data and how you can exercise them? 
  • How we notify you of a change to our Privacy Policy?

With this Privacy Policy, Chaos Group declares that it has implemented all technical and organizational measures to protect the personal data of individuals prescribed by law or regulation at national and European level.

What is “personal data”?

Any information and data by which an individual can be identified falls directly or indirectly under the definition of “personal data”.

For example, indirect identification is your mobile number. Direct identification is achieved when you provide a unique identifier such as Personal Identification Number (PIN), passport number, etc.

"Special categories of personal data" means data revealing racial or ethnic origin, political views, religious or philosophical beliefs or membership of trade unions, as well as the processing of genetic data, biometric data for the sole purpose of identifying an individual, health data or data about the sexual life or sexual orientation of the individual. 

Categories of personal data Types of personal data
Information about youName, surname, family name
Contact detailsEmail, telephone number, fax
Personal identificatorsPersonal Identification Number (PIN) or other type of unique identification, required only for invoicing upon request of the customer
Information about your employer and your interestsName of the company you work for and information about the industrial interest you have in software products (e.g. Film, VFX, Television, etc.)
Data about the persons who are eligible for discountsCopy of documents evidencing that the person is an active student in an university
Address detailsBilling address, country, city, ZIP and/or postcode
Bank dataPartial data about your bank account
Purchase historyData about purchased or used Products or Services
Internet dataData about your IP address, location data, cookie data, etc.
Copy of communication on our websiteCopies of emails or other forms of communication you might have while using our Website, Products, Services and our communication system tools
Other dataOther types of personal information, which you may provide by contacting us and/or making a request / inquiry

Chaos Group does not collect any special categories of personal data as such are not required for the use of our Website, Products or Services. If sensitive categories of personal data are provided by you in the course of your communication with the Company or use of our Website, Products or Services, it will be deleted as soon as possible after the processing of such data is established. 

What are our legal grounds for processing of personal data?

The processing of personal data includes the collection, storage, destruction, transfer, correction, updating, deletion and all other activities carried out with your personal data. 

Chaos Group processes personal data on the grounds of the performance of a contract with the customer (Article 6, paragraph 1, item "b" of the GDPR). We may also procees personal data after obtaining clear, free and unambiguous consent from you for the purposes of processing expressed through your voluntary registration or provision of data in our Website, Products or Services (Article 6, paragraph 1, item “a” of the GDPR). The consent you provide can always be withdrawn by contacting us or using the contact form available on our website.

Some of our processing activities are based on legitimate interest (Article 6, paragraph 1, item “f” of the GDPR), but only after we have carefully assessed that such interests does not concern the fundamental rights and freedoms of the data subject.

Lastly, in very limited number of cases we process your personal data for compliance with a legal obligation to which Chaos Grouo is subject (Article 6, paragraph 1, item “c” of the GDPR).

For what purposes are we going to use your personal data?

The personal data provided by you shall be used for the following purposes, including but not limited to:

  • Administration and maintenance of our Website and the Chaos IDs of our customers and users;
  • Sale and support of Products and Services, which our customers and users decide to purchase or use;
  • Usage of aggregated data (not including personal data) about your use of Chaos Group’s Products and Services for the purposes of making all our products and services better;
  • Marketing and advertising activities, if the legal requirements for digital marketing are met;
  • Processing of personal data for compliance with regulatory and other legal requirements;
  • Answering to claims and requests sent by our customers / users;
  • Processing orders or purchases made by our customers / users;
  • Performance of rights and obligations related to our products, contractual or pre-contractual relationship with our customers / users;
  • Anticipating and resolving issues related to our Products or Services;
  • Creating new Products or Services that would meet your needs;

Your personal data is not subject to automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR.

How do we process your personal data? 

When you visit the Website or use our Products and Services, Chaos Group processes (collects) your personal information in the following ways:

  • by completing your account registration form on our Website 
  • by filling your required billing details;
  • by processing information about IP addresses, cookies, operating system and browser type.

How long do we store your personal data?

Depending on the legal ground on which we process your personal data, the storage period of personal data may be different.

Your personal data is stored as long as we have valid legal grounds for processing it. After this period has expired and in case there is no legal ground to continue storing your personal data, your information shall be deleted. 

Do we share your personal data with third parties? 

Chaos Group respects your privacy and keeps your data secured. Subject to statutory requirements or business needs, Chaos Group may disclose your personal data to the following categories of recepients:

  • Service providers: When we use service providers related to client management systems, technical maintenance and provision of internal IT systems and operational support to our activities, Chaos Group may disclose personal data to those service providers. Please be informed that such disclosure shall commence only in case there are legitimate grounds for doing so and only based on a written agreement ensuring that the receiver provides adequate levels of protection for the personal data;
  • Our corporate partners and companies within our distribution network: Chaos Software uses a network of corporate partners and distributors who distribute our products and services in different jurisdictions and bundles. Therefore, in order to fulfill our contractual obligations, we may disclose your personal data to a distributor who is in a suitable area with you in order to provide the best quality service.
  • Other companies in our corporate group: It is possible that Chaos Group shares your data with other companies within its corporate group. Such disclosure shall be executed following the applicable legislation.
  • External companies providing services related to card payments: Chaos Group uses external companies administering card payments when purchasing products and services provided by us. Your bank details may be shared with this external providers only in case there are legitimate grounds for doing so and only based on a written agreement ensuring that the receiver provides adequate levels of protection for the personal data;
  • State and municipal authorities: In the course of compliance with its legal obligations Chaos Group may be obliged to disclose personal data of its customers to state or municipal authorities;

Is your personal data shared in countries outside the European Union and the European Economic Area?

Some of our service providers, partners and distributors are located outside European Union (“EU”) and the European Economic Area (“EEA”). In principle, Chaos Group aims not to disclose personal information outside the EU and the EEA or at least limit the cross-border data transfers to a minimum. Only in case one of our service providers, partners and distributors are located or uses servers located outside of the EU or the EЕA and it is absolutely necessary, we may transfer personal data outside of the said boundaries. However, in such cases Chaos Group shall ensure that adequate measures for protecton of your personal data are in place and that the requirements of the GDPR are met before a cross-border transfer of personal data is executed. 

What are your rights with respect to your personal data?

Subject to European law (GDPR), you have the following rights to your personal data processed by Chaos Group:

  1. Access your personal data that Chaos Group processes and get a copy thereof;
  2. In case of incompleteness or inaccuracy in the data that Chaos Group processes, your personal data will be corrected (right to rectification);
  3. Request the erasure of your personal data when the conditions are met. Such cases are if the purpose for which the data is collected is achieved, you have withdrawn your consent when the processing is based on consent and there is no other legal basis for processing, your data is being processed unlawfully processed, and others;
  4. In the cases specified by the law, you may require that the processing of your personal data is restricted;
  5. In the cases specified by the law, you may object to the processing of your personal data;
  6. Exercise your data portability rights and request that your data be provided in a structured, commonly used and machine-readable format;
  7. Withdraw your consent when processing your personal data is based on consent.

You can exercise any of the above rights by submitting a formal request to the following address: 147, Tsarigradsko shose Blvd., Inter Expo Center, 4th floor, 1784 Sofia, Bulgaria, or email: dpo@chaosgroup.com. In order to exercise your rights, it is mandatory to establish the identity of the claimant when submitting a request for exercising your rights. For yor convenience we have created a policy for data subjects’ rights where you can find a lot more information about your rights related to data privacy and how to exercise them.

You also have the right to file a complaint with the Bulgarian Commission for Protection of personal Data (https://www.cpdp.bg/en/index.php?p=home&aid=0) when the relevant prerequisites are in place.

Updating this Privacy Policy

This policy may be updated periodically to reflect changes in personal data protection legislation and best practices. Chaos Group undertakes to notify you of any significant changes to this privacy policy.

Last updated: May, 2020

COOKIE POLICY

Introduction

To make this website work properly, and to provide the most relevant products and services to our site visitors and registered users, we place small data files called cookies on your device. This policy provides you with information about cookies and how to control them for this website.

What is a Cookie?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie, to develop a record of the user’s online activity. Cookies on this site may be delivered in a first-party (set by the Chaos Group website) or third-party (set by another website) context and may also be set in association with emails you receive from us.

Cookies help us enhance your experience when using the website. They also help us understand how people use our site, such as which pages are most popular, so that we can better serve our site visitors and registered users.

Cookies Used on This Site

In this section you can find an overview of the cookies we use:

  1. Essential Cookies

These cookies are essential for enabling user movement around our website and providing access to features such as your profile and purchases, registered users-only resources, and other secure areas of the website. These cookies do not gather information about you that could be used for marketing purposes and do not remember where you have been on the internet. This category of cookies cannot be disabled. The list below provides more information about these cookies:

Cookie nameSourceExpirationDescription
_website_sessionChaos GroupsessionThis cookie stores UTM parameters attached to the URLs allowing them to be across pages of the website. This information is used afterwards for marketing purposes.
policyCookieChaos Group99999 DaysThis cookie controls our privacy policy notice allowing the user to hide it.
_cglocChaos GroupsessionThis cookie stores the language version of the website chosen by the user.
session_idChaos Group1 monthThis cookie stores the ID of the session started on authentication.
auth_tokenChaos Group20 YearsThis cookie is related to the logged in admin user.
origin_urlsessionThis cookie stores the URL requested by the user before authentication. It is used to return the user to the same point after the authentication proccess is done.
state-cookie120 seconds This cookie stores encrypted information used on user authentication. Once the user is authenticated the cookie is deleted.
csfrsessionThis cookie stores information needed for securely authenticating the user.
is_sso_cart_url1800 secondsThis cookie is used by Chaos Group shopping cart for security purposes.
PHPSESSID2CheckoutsessionThis cookie is a session cookie used to establish a user session and to pass state data via a temporary cookie.
__scss2CheckoutsessionThis cookie stores information what design to be displayed on the checkout page.
CART_TEMPLATE2Checkout1 monthThis cookie stores information what design to be displayed on the checkout page.

 2. Analytics Cookies

We use Google Analytics cookies to collect information about how visitors use our website. These cookies collect information in the aggregate to give us insight into how our website is being used. We anonymize IP addresses in Google Analytics, and the anonymized data is transmitted to and stored by Google on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. Google Analytics cookies are stored on your device and expire after a period of up to 2 years. The list below provides more information about these cookies:

Cookie nameSourceExpirationDescription
_gaGoogle Analytics2 YearsThe cookie is used to calculate visitor, session, and campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gidGoogle Analytics1 dayThe cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_gat_UA-1351947-1Google Analytics1 minuteThis is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.

 

To view an overview of the privacy of your Google Analytics cookies please go here: https://support.google.com/analytics/answer/6004245.

You may install a Google Analytics Opt-out Browser Add-on by going here: https://tools.google.com/dlpage/gaoptout.

3. Marketing Cookies

We also use a marketing database management program that deploys a cookie when a user interacts with a marketing communication, such as a marketing email or a marketing-based landing page on our website. This cookie collects personal information such as your name, which pages you visit on our website, your history arriving at our website, your purchases from chaosgroup.com, and the like. Collected information is used to evaluate the effectiveness of our marketing campaigns or to provide better targeting for marketing. The following table provides more information about these cookies:

Cookie nameSourceExpirationDescription
_website_sessionChaos GroupsessionThis cookie stores UTM parameters attached to the URLs allowing them to be across pages of the website. This information is used afterwards for marketing purposes.
scarab.visitorEmarsys1 yearThis cookie stores the visitor id which will identify the visitor through sessions.
cdvEmarsy1 year This is the 3rd-party version of scarab.visitor.
scarab.profileEmarsys1 year This cookie stores user profile information, products the user browsed, etc. It also stores performance metrics about our scripts, how fast is it loaded, executed, and so on. The information stored in this cookie is encrypted.
xpEmarsys1 year This is the 3rd-party version of scarab.profile.
scarab.mayAddEmarsys 1 yea This cookie is used for click and add-to-cart tracking. When a user clicks on a recommended item, for example, there's no time to report the click to our server (we don't want to block the user flow), so we store it in a cookie. The next time our script loads in the same browser we read these cookies and send the data to our servers.
scarab.mayViewedEmarsys 1 year Similarly, to scarab.may.Add this cookie is used for click and add-to-cart tracking. When a user clicks on a recommended item, for example, there's no time to report the click to our server (we don't want to block the user flow), so we store it in a cookie. The next time our script loads in the same browser we read these cookies and send the data to our servers.
s Emarsys 1 year This is a 3rd-party cookie used for similar purposes as scarab.mayAdd and scarab.mayViewed.

The cookies under p. 3 above are stored on your device and expire after a period of up to 1 year.

You can block these cookies by deleting these cookies through your browser settings.

4. Third Party Websites' Cookies

Third party cookies are cookies set by someone other than the website owner for purposes such as collecting information on user behavior, demographics, or personalized marketing. When using our website, you may encounter embedded content, or you may be directed to other websites for such activities as surveys, to make payments, etc. These websites and embedded content may use their own cookies. We do not have control over the placement of cookies by other websites, even if you are directed to them from our website. The following table provides more information about these cookies:

Cookie nameSourceExpirationDescription
MUIDMicrosoft 1 Year Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.
_uetsid Microsoft Expires 30 minutes after the browsing session ends This cookie is used by Bing to determine what ads should be shown that may be relevant to the end user perusing the site.
IDE Google1 year This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
s_ccAdobe session Adobe Site Catalyst cookie, determines whether cookies are enabled in the browser
s_fid Adobe5 years Cookie used by Adobe to identify web application customers
s_vi_*Adobe2 years Cookie used by Adobe to identify web application customers
test_cookie Google 1 day Used to check if the user's browser supports cookies
incap_ses_{Proxy-ID}_{Site-ID} Imperva/Incapsula session Used by the web application firewall to improve the security of the website and protect it against attack.
visid_incap_{Site-ID} Imperva/Incapsula 1 Year Used by the web application firewall to improve the security of the website and protect it against attack.
IDE Google 1 Year This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
_fbp Facebook 2 months This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr Facebook 2 months The cookie is set by Facebook to show relevant advertisements to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
AA003 Facebook 3 months This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
ATN Facebook 10 seconds This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
_hjid Hot Jar 1 year Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID
_hjIncludedInSample Hot Jar session This cookie is associated with web analytics functionality and services from Hot Jar. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample
GKD2checkout 60 days The cookie is used by 2Checkout in order to track affiliate sales and commission them accordingly

 

How to Control and Delete Cookies

Many of the cookies used on our website and through emails can be controlled by disabling the cookies through your browser. To disable cookies through your browser, follow the instructions usually located within the “Help,” “Tools” or “Edit” menus in your browser. Please note that disabling a cookie or category of cookies does not delete the cookie from your browser unless manually completed through your browser function. The list below provides more information about these cookies:

Cookies that Have Been Set in the Past

Collection of your data from our analytics cookies can be deleted. If cookies are deleted, the information collected prior to the preference change may still be used, however, we will stop using the disabled cookie to collect any further information from your user experience. For our marketing cookie, when a user opts out of tracking, a new cookie is placed to prevent users from being tracked.

Questions?

For more information, feel free to contact our Data Protection Officer at dpo@chaosgroup.com.

POLICY FOR DATA SUBJECTS’ RIGHTS

This Policy (“The Policy”) describes the terms and conditions under which data subjects whose personal data are processed by Chaos Group ("Chaos Group", “The Company”) may exercise their rights under the personal data protection legislation.

Part 1: General Principles

1.1. Chaos Group processes and protects personal data collected throughout its activities transparently, lawfully and according to the purposes for which the personal data were collected.

1.2. The employees who process personal data for the purposes of sale of software products and services or clients’ support to users and/or customers of Chaos Group as part of their employment relationship are obliged to adhere to the following principles of data processing:

i) The personal data are processed lawfully and in good faith;

ii) The personal data are collected for specific precise and lawful purposes and are not processed additionally in a manner not compatible with those purposes. 

iii) The personal data which are collected and processed by Chaos Group are compatible, related to and limited to the purposes for which they are processed.

iv) The personal data are accurate and, if necessary, updated.

v) The personal data are being deleted or rectified when it is established that they are inaccurate or not limited for the purposes for which they are being processed.

vi) Personal data are maintained in a format, which allows identifying of the respective natural person for a period not longer than the one necessary for the purposes for which the data were collected.

1.3. The employees who process personal data are subject to an initial and periodic data privacy training and are familiarized with the applicable data privacy legislation.

Part 2: Definitions

The terms listed below shall have the following meaning:

“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Applicable legislation” means the legislation of the European Union (EU) and in particular the legislation of Republic of Bulgaria, which is applicable towards the personal data protection.   

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

“Data subject” means an individual (natural person) who can be identified directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more physical, physiological, genetic, mental, economic, cultural or social identifiers of that individual

“Regulation (EU) 2016/679“ or “GDPR” means Regulation (EU) 2016/679  of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Part 3: Data subjects’ rights

The data subjects shall have the following rights regarding to their personal data processed by Chaos Group:

i) Right of access;

ii) Right of rectification;

iii) Right to data portability;

iv) Right of erasure (‘right to be forgotten’);

v) Right to restriction of processing;

vi) Right to object against the processing of personal data;

vii) Right not to be subject to a decision based solely on automated processing, including profiling.

Right of Access

2.1. When requested Chaos Group shall present to the data subject the following information:

i) information whether Chaos Group processes personal data of the data subject who made the request or not;

ii) copy of the personal data of the person which are processed by Chaos Group and

iii) explanation about the processed personal data

2.2. The explanation under item 2.1. (iii) above shall include the following information about the personal data processed by Chaos Group:

i) purposes of processing;

ii) respective categories of personal data;

iii) recipients or categories of recipients to which personal data is or may be disclosed, in particular recipients in third countries outside of the EU or the European Economic Area;

iv) when it is possible, the envisaged retention period for which the personal data shall be retained and when this is impossible the criteria used for determining such period;

v) the existing of the rights to require correction, rectification, erasure or restriction of processing of personal data related to the data subject as well as the right to object against the processing of personal data; 

vi) the right to file a complaint before the respective authorities;

vii) when the personal data are not collected through the individual full information shall be provided about the source of the collected personal data;

viii) the existence of automated decision making regardless of which this processing includes profiling and information related to the logic as well as the expected consequences from this processing to the data subject;

ix) when personal data is transferred to a third country or to an international organization the data subject shall have the right to be informed about the applicable safeguards to his/hers personal data related to the transfer

2.3. The explanation about the processed personal data contains information which Chaos Group provides to the data subject by its privacy policy.

3.1. Based on a request by the data subject Chaos Group may provide a copy of the personal data, which The Company is processing about the respective data subject.

3.2. When providing a copy of personal data Chaos Group shall not disclose to the subject the following categories of data:

i) personal data of third parties, unless the said parties have given their explicit consent for this;

ii) data which can be qualified as trade secret, intellectual property or confidential information;

iii) other information which is protected under the applicable legislation

3.3. Granting the right of access to data subjects shall not interfere negatively to the rights of third parties or lead to a breach of Chaos Group’s statutory obligation.  

4.1. When the requests for access are being manifestly unfounded or excessive, especially because of their repeatability, Chaos Group may charge a reasonable fee based on the administrative costs of providing the information or refuse to respond to the request for access.

4.2. Chaos Group determines on a case-by-case basis whether a request for access is manifestly unfounded or excessive.

4.3. When refusing access to personal data, Chaos Group issues an official explanation for its refusal and informs the data subject of his right to file a complaint with the Personal Data Protection Commission (CPDP) in Bulgaria.

Right of rectification

5.1. Data subjects may request that their personal data processed by Chaos Group be corrected if the data are inaccurate or incomplete. 

5.2. Upon a satisfactory request for correcting personal data, Chaos Group shall notify the other recipients to whom personal data have been disclosed (such as government bodies, service providers) so that they can reflect the changes.

Right of erasure (‘right to be forgotten’)

6.1. Upon request, Chaos Group shall erase all personal information of the data subject who made the request in case any of the following grounds apply:

i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

iv) the data subject objects to the processing of personal data for the purposes of direct marketing;

v) the personal data have been unlawfully processed;

vi) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which Chaos Group is subject;

vii) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

6.2. Chaos Group is not obliged to erase and may continue processing the personal data as long as the processing is necessary for one of the following grounds:

i) for exercising of the right of freedom of expression and information;

ii) for compliance with a legal obligation of Chaos Group;

iii) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;

iv) or archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing ; or

v) for the establishment, exercise or defense of legal claims.

Right to restriction of processing

7.1. The data subject has the right to request a restriction of processing when one of the following applies:

i) the accuracy of the personal data is contested by the data subject, for a period enabling Chaos Group to verify the accuracy of the personal data;

ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

iii) Chaos Group no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; 

iv) the data subject has objected to processing based on the legitimate interest of Chaos Group pending the verification whether the legitimate grounds of the controller override those of the data subject;

7.2. Chaos Group may process personal data whose processing is restricted only for the following purposes:

i) storage purposes

ii) if explicit consent is provided by the data subject;

iii) or the establishment, exercise or defense of legal claims;

iv) for the protection of the rights of another natural or legal person ; or

v) or reasons of important public interest of the Union or of a Member State

7.3. When a data subject has requested a restriction of the processing and there is one of the grounds under Art. 7.1. above, Chaos Group informs the data subject before the restriction of the processing is lifted.

Right to data portability

8.1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to Chaos Group, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where.

8.2. Upon request, the personal data may be transferred to another administrator designated by the data subject where this is technically feasible.

8.3. The data subject may exercise the right of portability in the following cases:

i) the processing is based on the consent of the data subject;

ii) the processing is based on a contractual obligation;

iii) the processing is carried out by automated means.

8.4. The right of data portability cannot adversely affect the rights and freedoms of others.

Right to object

9.1. The data subject shall have the right to object against the processing of his/hers personal data by Chaos Group if the data are processed based on one of the following grounds:

i) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

ii) processing is necessary for the purposes of the legitimate interests pursued by Chaos Group;

iii) the processing includes profiling

9.2. Chaos Group shall no longer process the personal data when the right to object is exercised by a data subject unless the Company demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Right to object against processing for the purposes of direct marketing

10.1. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

10.2. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right of human intervention in the process of automated decision making

11.1. Where Chaos Group uses automated decision making, regardless of whether it includes profiling and this decision making process have legal consequences for, or significantly affect natural persons, in a similar way, such persons may request a review of the decision with human intervention and express their point of view.

11.2. Chaos Group provides information to natural persons subject to automated decision making about the logic as well as the meaning and envisaged consequences of such processing when a request for such information is made.

Part 4: Procedure for exercising the rights of data subjects

12.1. All data subjects may exercise the rights under this Policy by submitting a request for the exercise of the relevant right.

12.2. Requests to exercise the data subjects’ rights shall be made in one of the following manners:

i) By email to the following email address dpo@chaosgroup.com

ii) At the office of Chaos Group

iii) By mail to the following address: 147 Tsarigradsko Shose Blvd., fl. 4, Sofia Bulgaria, 1784.

12.3. The request for the exercise of rights relating to the personal data of the data subject should contain the following information:

  1. Identification of the person beyond doubt - name and personal identification number (where applicable)
  2. Contact details: address, telephone, email
  3. Request - description of the request

12.3. Chaos Group provides information on the actions taken in relation to a request for the exercise of the rights of the data subjects within one month of the receipt of the request.

12.4. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Chaos Group shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

12.5. Chaos Group is not obliged to respond to a request if it is unable to identify the data subject.

12.6. Chaos Group may request the provision of additional information necessary to verify the identity of the data subject when there are reasonable concerns about the identity of the requesting individual.

12.7. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.