Privacy Notice for Clients

INFORMATION FOR CLIENTS AND THEIR REPRESENTATIVES REGARDING THE PROCESSING OF PERSONAL DATA

pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)

 

In connection with a concluded or to be concluded legal services engagement, the Attorney is providing you with this information regarding the processing of your personal data pursuant to Regulation (EU) 2016/679.

1. DETAILS OF THE DATA CONTROLLER AND CONTACT INFORMATION

Attorney Manuela Plamenova Purnarova, registered with the Sofia Bar Association, personal number: 1600795110, law office address: Sofia, “Nadezhda” I Residential Area, Bl. 146, Entr. B, Fl. 9, Apt. 46; website: www.purnarova.com; phone: +359 988 992 816; email address: dataprotection@purnarova.com, hereinafter referred to as the “Data Controller” and/or the “Attorney”.

2. PURPOSES OF PROCESSING

Your personal data, provided to the Data Controller in your capacity as their Client or a representative of their Client, is processed for the purposes of: entering into and performing a legal services engagement; fulfilling legal obligations arising under the Bar Act and other applicable legislation; protecting your rights and legitimate interests in the course of judicial and extrajudicial proceedings.

3. CATEGORIES OF PERSONAL DATA SUBJECT TO PROCESSING

The Data Controller processes the following categories of personal data (as defined by applicable data protection laws):

  • first name, middle name, last name;
  • Unified Civil Number (EGN), official personal identification number, or another unique element for establishing identity, contained in an official identity document;
  • citizenship(s);
  • date and place of birth;
  • address;
  • workplace;
  • mobile/landline phone number;
  • email address;
  • financial information (e.g., shareholdings in companies, owned financial assets, investment intentions);
  • data related to property owned or intended to be acquired;
  • marital status and family relationships (when required by law);
  • other data, in cases where required by law.

Special categories of personal data are processed only with explicit consent or under the conditions set out in Article 9 of the GDPR.

4. LEGAL BASIS FOR PROCESSING

The processing of personal data is carried out by the Data Controller on the basis of Article 6(1)(b) of Regulation (EU) 2016/679 – for the purpose of performing a contract for legal assistance and representation; Article 6(1)(c) – for compliance with legal obligations arising under the Bar Act and other applicable legislation, including, but not limited to, the statutory obligations of lawyers to process personal data for the purposes of preventing money laundering and the financing of terrorism; as well as Article 6(1)(f) – for the purposes of legitimate interests related to the exercise of the legal profession and provision of legal assistance to clients, and the protection of the rights, freedoms, and legitimate interests of clients, counterparties, and other individuals involved in legal matters. These legitimate interests are carefully balanced against the rights and freedoms of the data subject, and the processing is limited to the specific purposes mentioned in item 2 above.

5. RETENTION PERIOD FOR YOUR PERSONAL DATA

Your personal data is retained only for the period necessary to fulfill the purposes for which it is processed. The principle of storage limitation is applied when defining the specific terms, meaning that data is kept in a form that allows identification no longer than necessary for the processing purposes.
Your personal data will be stored for a period of five (5) years after the completion of the respective proceedings, legal matter and/or contract termination, unless a longer retention period is required under another applicable legal act.
When the processed personal data is contained in documents or other information carriers for which the applicable legislation prescribes a retention period, the data is stored for that statutory period. If there is another lawful ground for retention in a particular case (e.g., the protection of legal claims), the period may be aligned accordingly.

6. CATEGORIES OF RECIPIENTS OF YOUR PERSONAL DATA

Your personal data may be disclosed to a limited circle of recipients, including courts, public authorities and institutions (where required by law or where necessary for the provision of legal services), banks, notaries, certified translators, expert witnesses, accountants, IT service providers, subcontractors, and other persons depending on the purposes of the processing, subject to compliance with the requirements of Regulation (EU) 2016/679.
Personal data is not disclosed to recipients in third countries and/or international organizations.

7. YOUR RIGHTS IN RELATION TO THE DATA PROCESSING

As a data subject, you have the following rights, which you may exercise by submitting a written request to the Data Controller using the contact details provided in Section 1 of this Schedule. A sample request form for exercising a specific right can be obtained upon request to the Data Controller at the email address provided.

  • Right of access (Article 15 GDPR)
    You have the right to obtain confirmation as to whether your personal data is being processed by the Attorney, to access such data, and to obtain additional information.
  • Right to rectification (Article 16 GDPR)
    You have the right to request the rectification or completion of your personal data if it is incomplete or inaccurate.
  • Right to erasure (“right to be forgotten”) (Article 17 GDPR)
    Where the legal grounds/conditions are met, you have the right to request the erasure of your personal data.
  • Right to restriction of processing (Article 18 GDPR)
    Applicable law provides the option to restrict the processing of your personal data if the conditions for restriction under the GDPR are met.
  • Right to notification of third parties (Article 19 GDPR)
    Where applicable, you have the right to request that the Attorney notify third parties to whom your personal data has been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or requires disproportionate effort.
  • Right to data portability (Article 20 GDPR)
    You have the right to receive your personal data, which you have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from the current Data Controller. This right applies when the processing is based on your consent or a contractual obligation, and is carried out by automated means. Where technically feasible, you also have the right to request the direct transfer of your personal data to another controller.
  • Right not to be subject to automated decision-making, including profiling (Article 22 GDPR)
    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless such processing is permitted by applicable law and appropriate safeguards are in place to protect your rights, freedoms, and legitimate interests. The processing activities described in this Schedule do not involve automated decision-making, including profiling, as defined in Article 22 of the GDPR.
  • Right to object (Article 21 GDPR)
    You have the right to object, at any time and on grounds relating to your particular situation, to the processing of your personal data where such processing is based on the legitimate interest of the Data Controller. If you raise such an objection, your request will be considered and processing will be stopped unless there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

8. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY (ARTICLE 77 GDPR)

If you believe that the processing of your personal data violates applicable data protection laws, you have the right to lodge a complaint with a supervisory authority:

Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: www.cpdp.bg

You may also lodge a complaint with another supervisory authority in an EU Member State where you habitually reside, work, or where the alleged infringement took place.
If the Data Controller refuses, in whole or in part, to grant your request to exercise your rights under the GDPR (such as access, correction, erasure, etc.), you may submit a request for assistance to the CPDP under Article 54(1)(6) of the Bulgarian Personal Data Protection Act.
In addition to an administrative complaint, you also have the right to an effective judicial remedy under Article 79 GDPR.

9. DATA SECURITY

The Data Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include access control, encrypted communication, device protection, and confidentiality commitments. All safeguards are reviewed and updated regularly in accordance with the level of risk and applicable legal requirements.

 

By engaging the Attorney’s legal services, you acknowledge that you have read and understood this Privacy Notice. If you have any questions regarding this Notice or the way we process your personal data, please do not hesitate to contact the Data Controller using the contact details provided. Your privacy matters and we will take all necessary steps to protect it in accordance with applicable rules and best professional practices.