When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.
We at Diyana Aesthetic House have a long-term commitment to respecting the privacy of every user and customer with whom we have a relationship, and it is therefore very important for us to be transparent about how we manage your personal information.
Diyana Aesthetic House also processes personal data outside of our diyana.com pages, which requires a different privacy notice. That is why we explain:
In connection with the application of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, Diyana Aesthetic House adopts and implements an updated policy to protect your personal data that you have provided to us as a user of our website.
Mandatory information on the rights of data protection persons (Privacy notice)
Information about the company that processes your data:
Name “DN Innovation” Ltd. UIC / BULSTAT 206564732
Headquarters and address of management Sofia, 31 Totleben Blvd., 1st floor, apartment 3
Address for correspondence Sofia, 31 Totleben Blvd., 1st floor, apartment 3
Phone: 0887 604 641
Email: diyanaaesthetic@gmail.com
Website www.diyanahouse.bg
Information on the competent data protection supervisory authority
Name Commission for Personal Data Protection
Headquarters and address of management Sofia 1592, “Prof. Tsvetan Lazarov ”№ 2
Address for correspondence Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Phone 02 915 3 518
Website www.cpdp.bg.
Diyana Aesthetic House (hereinafter referred to as “Administrator”) operates in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in relation to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with this processing.
Reason for collecting, processing and storing your personal data
The administrator collects and processes your personal data in connection with the use of Facebook chatbot on the basis of Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:
• Explicit consent from you;
• Compliance with a legal obligation that applies to the Administrator;
• For the purposes of the legitimate interests of the Administrator or a third party.
Goals and principles in the collection, processing and storage of your personal data
We collect and process the personal data you provide to us for the purposes of the operation of diyana.com, including the following purposes:
• improving the presentation of publications on the platform;
• statistical objectives for improving the ballots;
• protection of information security.
We follow the following principles when processing your personal data:
• legality, good faith and transparency;
• restriction of processing purposes;
• relevance to the purposes of processing and minimizing the data collected;
• accuracy and timeliness of data;
• limitation of storage in order to achieve the objectives;
• integrity and confidentiality of the processing and ensuring an appropriate level of security of personal data.
What types of personal data our company collects, processes and stores
The company performs the following operations with the personal data provided by you as users of the chatbot platform for the following purposes:
• Registration and participation in an event
For participation in events organized by the Company, we collect personal data from persons who wish to participate and attend, to establish their identity and identify in the list of participants in the event. If you wish, we may send you information about future events that may be of interest to you. The registration for participation in the event is done on the spot in the office of the Company or by e-mail before its beginning, according to the conditions for its holding.
Conclusion of the impact assessment: Given the small volume of individuals whose data are processed and given the limited amount of personal data collected, the Data Protection Officer considers that an impact assessment is not necessary for this operation.
• Organizing games and sending prizes – For users who have won prizes in one of our games, raffles, contests, etc., we collect and process the data provided by you to send you the prize won. The prize can be sent by us or our partner, as well as through a courier company. If you wish, we may keep the data provided by you for the delivery of the prize in the future. The submission of data for sending the prize is done after we send you a notification that you have won, with a request for the necessary information.
Conclusion of the impact assessment: Given the small volume of individuals whose data are processed and given the limited amount of personal data collected, the Data Protection Officer considers that an impact assessment is not necessary for this operation.
The controller processes the following categories of personal data and information for the following purposes and on the following grounds:
• Data: Your personal data (e-mail, social network profile (Facebook), Nickname / Username, etc.)
• Purpose for which the data is collected:
Making contact with the user and sending information to him.
• Grounds for processing your personal data: – You have given your explicit consent to the processing of your personal data for one or more specific purposes – 6, para. 1, p. (a) the GDPR at the time of subscription.
• Grounds for data processing: You have given your explicit consent for the processing of his personal data for one or more specific purposes – 6, para. 1, p. (a) of the GDPR at the time of subscribing to the platform.
• Grounds for data processing:
The administrator does not collect or process personal data relating to the following:
• reveal racial or ethnic origin;
• disclose political, religious or philosophical beliefs, or trade union membership;
• genetic and biometric data, health data or data on sexual life and sexual orientation.
The company does not perform automated data decision making.
Data from social media monitoring
When you interact or communicate through channels / pages / promotions and blogs on social networks (eg when you click “like” or “share”, when you post and share comments and submit ratings and reviews), your personal data is processed.
The personal data we collect includes publicly available information provided by you in the context of social networks, by the relevant social network provider through a third party that monitors social networks, such as: name, gender, date of birth or age, starting page, profile picture, time zone, postal address, country, interests and comments and content you have posted / shared.
We use this personal information to get an overview of people’s opinions about us and our brand, to get an idea of the relevant online opinion leaders, to solve problems and / or improve Diyana Aesthetic House products and services / or to start a conversation with you for promotional purposes (based on questions / requests you have made to us or our competitors).
We consider that the processing of social media monitoring data in the context of the above is based on the legitimate interest of Diyana Aesthetic House and is lawful under Article 6 (f) of Regulation (EC) 5419/16.
How do we take care of the security of your personal data?
We strive to use reasonable organizational, technical and administrative measures to protect personal data within our organization. Unfortunately, no data transfer and no storage system can be 100% secure. If you have reason to believe that your interactions with us are no longer secure, please let us know immediately.
For how long are personal data stored?
We will store your personal data for as long as necessary or permitted for the purposes for which it was collected.
Transfer of your personal data for processing
The controller may, at its discretion, transfer some or all of your personal data to personal data processors for the purposes of processing you have agreed to, subject to the requirements of Regulation (EU) 2016/679 (GDPR).
The administrator notifies you in case of intention to transfer part or all of your personal data to third countries or international organizations.
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent for the processing of your personal data
If you do not wish all or part of your personal data to continue to be processed by the Company for specific or all purposes of processing, you may at any time withdraw your consent to processing by requesting in free text.
Right of access
You can at any time see in your account what data is stored and processed for you.
Upon request, we will provide you with additional information regarding the collection, processing and storage of your personal data, as well as, if you wish, a copy of the processed personal data related to you, in electronic or other appropriate form.
Providing access to the data is free of charge, but the Administrator reserves the right to impose an administrative fee in case of repetitive or excessive requests.
Right to delete
You have the right to request from the Administrator the deletion of part or all of the personal data related to you, and the Administrator has the obligation to delete them without undue delay when there is any of the following reasons:
• personal data are no longer needed for the purposes for which they were collected or otherwise processed;
• You withdraw your consent on which the data processing is based and there is no other legal basis for the processing;
• You object to the processing of personal data related to you, including for the purposes of direct marketing, and there are no legal grounds for processing to take precedence;
• personal data have been processed illegally;
• personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State applicable to the controller;
• personal data have been collected in connection with the provision of information society services.
The administrator is not obliged to delete personal data if he stores and processes them:
• to exercise the right to freedom of expression and the right to information;
• to comply with a legal obligation requiring processing provided for in EU law or the law of the Member State applicable to the Administrator, or for the performance of a task in the public interest or in the exercise of official powers conferred on him;
• for reasons of public interest in the field of public health;
• for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
• to establish, exercise or defend legal claims.
In case of exercising your right to be forgotten, the Company will delete all your data, except for the following information:
• information needed to prove that your right to be forgotten has been exercised.
• technical information about the operation of the platform, which information cannot be linked in any way to your personality.
To exercise your right to be forgotten, you need to take the following steps:
• Apply through your platform account.
Upon completion of the procedure, a copy of the request will be sent to the email address you provided.
Once the procedure is completed and we verify the identity of the person making the request and the person to whom the data relates in accordance with the above steps, we will delete all data we process for you in accordance with para. 3.
Right of restriction
You have the right to ask the Administrator to restrict the processing of data related to you when:
• challenge the accuracy of personal data for a period that allows the Administrator to verify the accuracy of personal data;
• the processing is illegal, but you do not want the personal data to be deleted, only the use to be restricted;
• The administrator no longer needs personal data for the purposes of processing, but you require them to establish, exercise or defend your legal claims;
• You have objected to the processing pending verification that the legal grounds of the Administrator take precedence over your interests.
Right of portability
You can at any time download the data stored and processed for you in connection with the use of the platform by requesting it from the administrator.
You can ask the Administrator to directly transfer your personal data to an administrator specified by you, when this is technically feasible.
Right to object
You may object at any time to the processing of personal data by the Administrator that relates to you, including if it is processed for profiling or direct marketing purposes.
Your rights in the event of a breach of the security of your personal data
If the Administrator finds a breach of the security of your personal data, which may pose a high risk to your rights and freedoms, we will notify you without undue delay of the breach, as well as of the measures that have been taken or are to be taken.
The administrator is not obliged to notify you if:
• has taken appropriate technical and organizational protection measures with regard to data affected by the security breach;
• has subsequently taken steps to ensure that the breach does not pose a high risk to your rights;
• notification would require a disproportionate effort.
Other provisions
The administrator does not transfer your data to third countries.
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Data Protection Commission as follows:
Name Commission for Personal Data Protection
Headquarters and address of management Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Address for correspondence Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2
Phone 02 915 3 518
Website www.cpdp.bg.
You can exercise all your rights regarding the protection of your personal data by expressing your requests in any form that contains a statement to that effect and identifies you as the owner of the data.
