PERSONAL DATA PRIVACY POLICY OF ASTERION BULGARIA AD

Bulgarian Version

This Privacy Policy is aimed at clarifying the following circumstances:

  • Who are we as data controller?
  • Whose personal data does Asterion Bulgaria AD process?
  • What kind of personal data does Asterion Bulgaria AD process?
  • On what grounds of the General Data Protection Regulation is this data being processed?
  • For what purposes this personal data is being processed?
  • What are the ways for collection of such data?
  • What are the consequences of refusal to provide data?
  • How long this data is being stored?
  • Who has access to this data?
  • What are the rights of the data subjects and how can they exercise them?

 

WHO ARE WE?

Data controller is the company Asterion Bulgaria AD (“the Company”) with UIC 175248523, having its seat and registered address in the city of Sofia, 43 Christopher Columbus Blvd., website: https://asterion.bg/, e-mail: office@asterion.bg, contact phone: +35924621189.

I. TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS 

  1. The company processes personal data in its capacity of issuer of bonds and other forms of debt securities and financial instruments, including depositary receipts in respect of such securities, of personal data subjects – natural bondholders and natural persons ‘representatives of the bondholders, as well as of bondholders’ proxies, namely:

– Identification data – Three names, PIN /other unique national identification number, and if there is no such – date of birth; address, in the book of bondholders

– Financial information – number of bonds held and the percentage share in the amount of the entire bond

– Financial information on interest payments

– Identification data on the proxies contained in their proxies

  1. In its capacity of joint stock company, the Company processes personal data of data subjects – shareholders, as well as proxies of shareholders, and namely:
  • Identification data – full name, PIN/ Foreigner’s ID No/ another unique national identification number, and if there is no such number – date of birth, address, in the register of shareholders
  • Financial information – number of held shares and percentage of shareholding in the Company’s capital, in the register of shareholders
  • Data about the amount of distributed dividend
  • Identification data with regard to the proxies as set out in their powers of attorney
  1. In its capacity of issuer, the Company processes personal data of data subjects – persons on managerial positions, their closely associated persons, persons with access to information about the financial instruments within the meaning of Regulation 596/2014 on market abuse, and namely:
  • Identification data – full name and PIN of the persons on managerial positions
  • Identification data – full name and PIN of closely associated persons
  • Identification data – full name and PIN, and date of birth, personal address, personal and business phone of the persons with access to inside information
  • Financial information – information about concluded transactions with financial instruments
  1. In its capacity of public-interest entity within the meaning of the Independent Financial Audit Act, the Company processes personal data of data subjects – members of audit committees, and namely:
  • Data about professional qualification – diplomas for master’s or bachelor’s degree in accordance with the requirements of the Independent Financial Audit Act
  • Identification data – full name and PIN
  1. In its capacity of joint stock company and issuer, the Company processes data of data subjects – members of management, supervisory and control bodies:
  • Data about convictions – criminal record certificates
  • Data about professional qualification and convictions and administrative violations in the prospects
  • Identification data
  1. The Company processes personal data necessary for the conclusion and execution of contracts with contractors who are individuals or are individuals who are authorized to manage, represent or work for a legal entity – a contractor of the Company, in their capacity as contact persons, employees., managers, procurators, representatives, etc.
  • -dentification data – three names, unique identifier;
  • Contact details – address, e-mail address, telephone number;
  • Data on position held within the organization, representative authority, term of office, signature, other data generated in the course of communication between the parties or through documents exchanged between them.
  1. The company processes personal data of users of the official website, for example:

– When filling out inquiry forms, registration, and any contact form that requires the provision of feedback data such as name, e-mail, telephone number. In all cases of using the website, it is possible to collect data through cookies. Up-to-date information about the processing of data through cookies is available on the website via a link in the cookie message that the user sees on his first visit to the website.

Certain forms for completing the Website may contain free text fields in which you may choose to provide information that may constitute personal data relating to you or a third party. Insofar as the provision of such information is not mandatory, personal data for which there is no legal basis for processing by the controller will be deleted within 1 month of receipt.

II. GROUNDS FOR PROCESSING

а) The personal data of the bondholders and the proxies of the bondholders – the processing is necessary for the performance of a contract to which the data subject is a party or related to the exercise of representative power and for compliance with a legal obligation applicable to the controller under the Commercial Act, Public Offering of Securities Act;

  1. b) Personal data of persons in management positions, persons closely related to them and persons with access to inside information about financial instruments – processing is necessary to comply with a legal obligation that applies to the controller – Regulation 596/2014 on market abuse;
  2. c) The personal data of the members of the management and supervisory bodies – the processing is necessary for the performance of a contract to which the data subject is a party (management and supervision contracts) and for compliance with a legal obligation applicable to the controller under the Commercial Act, Public Offering of Securities Act, Regulation (EC) No 809/2004 on the application of Directive 2003/71 / EC of the European Parliament and of the Council as regards the information contained in prospectuses and the format;
  3. d) Personal data of members of the audit committees – legal obligations under Independent Financial Audit Act
  4. e) Personal data of counterparties – the processing is necessary for the performance of a contract to which the data subject is a party and for compliance with a legal obligation that applies to the controller for compliance with the requirements for tax accounting;
  5. f) Personal data of users on the website in inquiry forms – the processing is necessary for the provision of services, relevant information about services and products, respectively to take steps at the request of the data subject before entering into a contract. In any case, in the absence of any other legal basis, there is a legitimate interest of the Controller (for example to ensure the security of information technology and network security) when it requires the provision of data in feedback forms on the website.
  6. g) Processing for some purposes may be based on consent, given in an explicit and informed manner, collected by means of the banner cookie, with a specific tickbox on the website, and/or where appropriate. It is not mandatory to give consent to a Controller for use of Personal Data, and the person will suffer no consequence if chooses not to. Any consent given may also be withdrawn at a later stage (please see Section 8 for more information).

III. PURPOSES OF PROCESSING

Purposes of processing are as follows:

  • Issue of prospectuses and public offering of financial instruments
  • Accounting and preparation of reports
  • Payment of dividends and interests
  • Increase or decrease of capital
  • Participation in general meetings of shareholders
  • Meeting the legal provisions of the Commerce Act, the Public Offering of Securities Act, the Independent Financial Audit Act and Regulation 596/2014 on measures against market abuse with financial instruments and their related legal regulations and any other applicable legislation
  • Entering into and performance of management contracts, as well as other contracts and transactions related to the respective data subjects
  • If certain categories of data are processed on the basis of protecting the legitimate interests of the controller or third parties, the purposes may be some of the following: fraud prevention, misuse of services, information security and network security, enforcement of legal claims, including out-of-court debt collection.

IV.WAYS FOR COLLECTION OF PERSONAL DATA

Personal data is collected as follows: 

  • Personal data provided by the data subjects;
  • Personal data from other sources – employer or legal entity that the data subject represents, manages or controls and data from a publicly available source.

V. CONSEQUENCES FROM REFUSAL TO PROVIDE PERSONAL DATA

The explicit consent of natural persons whose data are processed is not always necessary if the Controller has another legal grounds to process personal data.

In case of refusal to provide personal data on voluntary basis, Asterion Bulgaria AD will not be able to perform its statutory obligations and may not be able to provide any of its services.

VI. TIME PERIOD FOR STORAGE

The criteria used to determine the periods of retention of your personal data include the duration of our current relationship, our legal obligations, or our legal position (eg in litigation and / or regulatory investigations).

VII. ACCESS TO DATA

Certain employees of the Company have access to your personal data with view of performing their employment duties with regard to the services rendered to you.

Your data may be provided to third parties – personal data processors, on the grounds of data processing agreements we have entered into with them. Your data may be also provided to the competent state authorities with view of exercising their powers in accordance with the legal regulations, and in particular to the Registry Agency, the National Revenue Agency and the Financial Supervision Commission.

Your personal data are stored and transferred in a secure way. We will transfer data outside the European Economic Area or EIP (i.e. the European Union member states, Norway, Iceland and Lichtenstein) only if such transfer is in compliance with the personal data legislation and the means of transfer provide adequate guarantees with regard to your personal data.

VIII. WHAT ARE THE RIGHTS OF DATA SUBJECTS AND HOW THEY CAN EXERCISE THEM?

Data subjects have the right to:

Access to a personal data relating to a data subject processed by the Company and the right to require the Company to correct and update such personal data.

Withdraw at any time the consent the subject has provided for the processing of personal data in cases where it is processed only on the basis of consent. Withdrawal of the consent does not affect the lawfulness of the data processing so far.

Submit a request for deletion of personal data, which is stored and processed by the Company, in cases where there is no longer any reason to process it.

Request a restriction on the storage and processing of his/hers personal data by the Company and file an objection against processing.

To receive personal data concerning them and the data they have provided to the controller, in a structured, commonly used and machine readable format, and has the right to transmit this data to another controller, without hindrance from the controller.

Submit a complaint to the Commission for Personal Data Protection at the following address: 1592 Sofia, 2 Prof. Tsvetan Lazarov, tel.: 02/91-53-518, e-mail: kzld@cpdp.bg /, if  the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The Controller will respond to all requests without undue delay within 30 days of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. All requests for provision of information about personal data processing, copy of processed data, for erasure of personal data, rectification and withdrawal of consent, should be made in writing, signed by the data subject and lodged with the Company for processing by email: office@asterion.bg, or at the Company’s registered address.

IX. COOKIES

On our website: https://asterion.bg/ cookies are used.

The law states that we may store cookies on your device if they are absolutely necessary for the operation of the above site.

A cookie is a very small file containing data stored in the web browser of your computer when visiting specific web pages. The cookie does not contain or collect any information except when read from a server through a web browser; it can provide information in order to provide user-friendly services, for example by identifying errors. We do not support cookies for longer than necessary.

How to control the cookies?

You can control and/or delete cookies, depending on your wishes – for more detailed information, https://aboutcookies.org/ . You can delete all the cookies already installed on your device and set most browsers to prevent them from being placed on your device. If you do, you may need to make changes to the settings of certain preferences each time you visit the site and some of the services and features may not work properly.

How to deactivate the cookies?

Keep in mind that disabling cookies may result in site functionality violations. If you do not want to accept cookies, you can disable cookies from the settings of your browser. The following links could help you deactivate the cookies: Chrome, Mozilla Firefox, Internet Explorer, Safari и iOS.

DEFINITIONS

  1. “Personal data” (hereinafter referred to as “the data”),“Personal data processing”, “Data Controller” (hereinafter referred to as “the controller”), “Processor”, “Consent of natural person”,“Data subjects” (hereinafter referred to as “the subjects”) have the meaning given to them by Regulation 2016/679.
  2. “Person discharging managerial functions” means within the meaning of paragraph 3, item 25 of Regulation 596/2014 a person within an issuer, an emission allowance market participant or another entity referred to in article 19(10), who is:

а)            a member of the administrative, management or supervisory body of that entity; or

  1. b) a senior executive who is not a member of the bodies referred to in point (a), who has regular access to inside information relating directly or indirectly to that entity and power to take managerial decisions affecting the future developments and business prospects of that entity;
  2. “Closely associated person” within the meaning of paragraph 3, item 26 of Regulation 596/2014 means:

а)            a spouse, or a partner considered to be equivalent to a spouse in accordance with national law;

  1. b) a dependent child in accordance with the national law;
  2. c) a relative who has shared the same household for at least one year on the date of the transaction concerned; or
  3. d) a legal person, trust or partnership, the managerial responsibilities of which are discharged by a person discharging managerial responsibilities or by a person referred to in point (a), (b) or (c), which is directly or indirectly controlled by such a person, which is set up for the benefit of such a person, or the economic interests of which are substantially equivalent to those of such a person;
  4. “Inside information” within the meaning of Regulation 596/2014 means: 1. For the purposes of this Regulation, inside information shall comprise the following types of information:

а) information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more issuers or to one or more financial instruments, and which, if it were made public, would be likely to have a significant effect on the prices of those financial instruments or on the price of related derivative financial instruments;

  1. b) in relation to commodity derivatives, information of a precise nature, which has not been made public, relating, directly or indirectly to one or more such derivatives or relating directly to the related spot commodity contract, and which, if it were made public, would be likely to have a significant effect on the prices of such derivatives or related spot commodity contracts, and where this is information which is reasonably expected to be disclosed or is required to be disclosed in accordance with legal or regulatory provisions at the Union or national level, market rules, contract, practice or custom, on the relevant commodity derivatives markets or spot markets;
  2. c) in relation to emission allowances or auctioned products based thereon, information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more such instruments, and which, if it were made public, would be likely to have a significant effect on the prices of such instruments or on the prices of related derivative financial instruments;
  3. d) for persons charged with the execution of orders concerning financial instruments, it also means information conveyed by a client and relating to the client’s pending orders in financial instruments, which is of a precise nature, relating, directly or indirectly, to one or more issuers or to one or more financial instruments, and which, if it were made public, would be likely to have a significant effect on the prices of those financial instruments, the price of related spot commodity contracts, or on the price of related derivative financial instruments.