Privacy Notice

UPNETIX AD (“Company”) processes personal data of individuals (data subjects) in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), the Bulgarian Personal Data Protection Act (“PDPA”), the Internal rules of the Company for personal data protection, as well as the information security practices of the ISO 2700 Information Security Standard, under which the Company is certified.

Name and Address of the Controller. DPO:

The Controller of personal data, within the meaning of GDPR and PDPA, is UPNETIX AD, а joint-stock company duly incorporated under the laws of Republic of Bulgaria, UIC: 204545854, having its seat and business address at Infinity Tower, 69 Bulgaria Blvd., fl. 15, Sofia 1404, Bulgaria. Email: Website:

The Company has appointed a designated data protection officer (“DPO”) that data subjects can contact directly with any enquiries relating to data protection at email:

Categories of Data Subjects and Data

In connection with its services and business activities, the Company processes personal data of the following categories of data subjects:

  • Clients, suppliers, as well as other professional experts and commercial counterparties, with whom we have business relations;
  • Complainants and enquirers, as well as individuals who contact us in any way, including via mail, phone or via the contact form provided on our website, or provide review or feedback on our website;
  • Individuals who have fallen within the scope of the video surveillance performed by the Company for safety and security purposes, as well as for protection of property;
  • Employees and job applicants.

We process personal data of the above categories of data subjects. This data may include:

  • Personal details, such as name, email and address;
  • Business activities of the data subject;
  • Services provided;
  • Financial details;
  • Education details;
  • Employment details.

We may also collect other information regarding your use of our website through cookies and other similar technologies. You can find out more about this in our Cookies Policy.

Purposes and Legal Basis for the Processing:

The Company processes personal data of data subjects for the purposes listed below where one of the alternative legal bases under GDPR exists:

  1. The Company does not process personal data for automatic decision-making or profiling;
  2. Processing is necessary for the performance of a contract or in order to take steps at the request of a data subject prior to entering into a contract;
  3. Processing is necessary for compliance with legal obligations in the field of labor, accounting, tax and social security legislation, as well as any other legal obligations applicable to the business activity of the Company;
  4. The data subject has given their explicit consent to the processing of his or her personal data for one or more specific purposes, such as for communication, direct marketing, participation in activities organized by the Company, etc.  Please, note, that any consent granted may be withdrawn by the data subject at any time;
  5. Processing is particularly necessary to process and evaluate job application, make hiring decisions, communicate with job applicants and provide information of current and future career opportunities;
  6. Processing is necessary for the purposes of the legitimate interest pursued by us, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data:
  • To ensure the security of customers, employees, visitors and company’s property through video surveillance, and access control;
  • For the establishment, exercise or defence of legal claims;
  • To provide information in a merger & acquisition processes, for the reasons of business and strategic management.

Data Protection for Recruitment Procedures

Company collects and processes personal data from applicants for employment opportunities with Upnetix. The application may be submitted off-line or online via any recruitment portals or Company’s website.

Through submission of your job application, you provide personal data on voluntary basis and to the extent determined by you. However, some information (as CV, educational and employment background, contact information, job qualifications) may be necessary to the Company to complete the evaluation process and if it is not provided, Company’s ability to consider you as a candidate may be limited. You also may choose to provide Company with additional information, such as your resume, employment references and others and where this is relevant to your application, Company may collect information from third parties who are lawfully entitled to share your information with us, for example, in connection with a background or employment check and/or an employment reference.

Company may obtain information about job applicants from other sources, to the extent permitted by applicable law, such as through your contact with us, including your interactions with the Company, or from third parties such as employment agencies and other websites on the Internet. For example, you may choose to provide us with access to certain personal data stored by third parties such as social media sites like LinkedIn. By authorizing the Company to have access to this information, you agree that Company may collect, store and use this information in accordance with this Notice.

The retention period for personal data of job applicants is determined in accordance with the applicable law. For the purposes of the recruitment procedures we store job applicants’ personal data during the whole process of selection. If we conclude an employment contract with the applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the job applicant, the application documents will be automatically erased within two months after notification for rejection of the application. If the job applicants give us their consent to keep their application details and consider them for future job opportunities with Upnetix, we will store such data for 3 (three) years as of the date of receipt of job application.

To whom personal data is shared or disclosed

We may share your personal data with third parties who process your data on our behalf when they provide services to us, such as video surveillance services, insurance, legal services, audit, consultancy, development and maintenance of IT systems (including but not limited to data storage), or other services necessary for our business activities. In the performance of these services the third party suppliers may have access to your personal data but are only authorized to process such data strictly on our behalf and in accordance with our instructions.

We may also disclose your personal data to third parties, if we reasonably believe that disclosure of such personal data is necessary to comply with valid legal obligations such as court orders, governmental requests and as otherwise authorized by law, to protect our rights or property, or the safety of our customers or employees, to advance or defend against complaints or legal claims or proceedings, as well as during mergers & acquisitions, provided that the prospective buyer or seller agree to respect your personal data in a manner consistent with GDPR and PDPA.

You share your personal data with third parties when you publish reviews and feedback on our website.

Transfer of Personal Data

We do not transfer your personal data outside the European Economic Area (“EEA”). In case we are required to undertake any transfer of personal data outside the EEA, we take all reasonable necessary steps to ensure that your personal data is treated securely and in accordance with this Privacy Notice and an adequate level of protection is applied to it, in particular through the implementation of standard contractual clauses approved by European Commission or contractual clauses previously authorized by the relevant authority.

Personal Data Retention Periods

We will only keep your personal data for as long as we consider necessary for the fulfilment of a contract, the initiation of a contract, or in relation to other legal proceedings, after which we will securely delete or in some cases anonymise your personal data. We do regular status checks to review when personal data needs to be deleted and have strict data retention periods determined in our Internal rules for personal data protection.

Security of Processing

As the Controller, the Company has implemented technical and organizational measures to ensure personal data processed remains secure and is certified under the ISO 2700 information security standard. However, absolute security cannot be guaranteed, but we maintain security and incident response plans in the event of a physical or technical incident to handle this in a timely manner and limit any negative effect of such incident.

Rights of the Data Subjects

GDPR and PDPA affords data subjects the following rights summarized below:

  • Right to access your personal data: you have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and information.
  • Right to rectification of personal data: if you find that personal data that we process about you is inaccurate, you have the right to have us correct such personal data.
  • Right to erasure of personal data (right to be forgotten): under certain circumstances, such as if your personal data has been unlawfully processed or you have withdrawn your consent (if the processing of your personal data is based on consent), you have the right to request and obtain erasure of your personal data from us.
  • Right to restriction of processing: under certain circumstances, such as if you question the accuracy of your personal data or you have objected to our legitimate purpose to process your personal data, you have the right to request that we restrict the processing of your personal data until a solution has been found.
  • Right to object to processing: under certain circumstances, such as if you question our legitimate interest to process your personal data, you have the right to object, on grounds relating to your particular situation, to such processing.
  • Right to data portability: if your personal data is processed by automated means based on your consent or for the fulfilment of our contractual relationship, you have the right to request that we provide you with personal data on a machine-readable format for transmission to another data controller.
  • Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint regarding our processing of your personal data with the supervisory authority, which is Bulgarian Commission for Personal Data Protection with address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Website:, Е-mail:

In order to assert any of the above rights, data subjects can contact our DPO using the contact details provided above, or any other employee of the Company at any time. We will use commercially reasonable efforts to respond to your request within 30 days of receiving such request. If we cannot honour your request within the 30-day period, we will let you know the reasons why and when we expect to be able to fulfil your request.

Changes to This Notice

The notice was last updated on 25th May 2018. We may change this notice by updating this page to reflect changes in the law or our privacy practices. However, we will not use your personal data in any new ways without your prior consent.