Personal data protection policy
"SHKOLO" Ltd ("Company", "Administrator") is aware of the need to implement adequate protection of the personal data of data subjects, striving to respect privacy. This Privacy Statement ("Statement") has been created to help data subjects understand how and for what purposes the Company processes, uses and protects their personal data.
For the purposes of its activity, the Company processes personal data in strict compliance with Regulation (EU) 2016/679 ("General Data Protection Regulation", 'GDPR'), the Personal Data Protection Act and other applicable legal acts and the Declaration.
This Declaration provides information regarding:
“Personal Data” means any information relating to a specific individual or an individual who can be directly or indirectly identified;
“Processing” means any operation or set of operations performed on personal data or a set of personal data by automatic or other means;
“Administrator” means “Shkolo” OOD, which alone or jointly with others determines the purposes and means of processing personal data;
“Processor of personal data” means a natural or legal person, public body, agency or other structure that processes personal data on behalf of the controller;
“Recipient” means a natural or legal person, public body, agency or other structure to which the personal data is disclosed, whether or not it is a third party;
“User” means a natural person who is a user of the Website and has performed the relevant registration on it;
“Visitor” means a natural person who is a user and has completed the relevant registration on the “Online platform” and/or “Shkolo Lessons” platform;
“Data subject” means a user or visitor of Shkolo or a commercial partner of the Company;
“Shkolo” means the website: www.shkolo.com and its subdomains: app.shkolo.com, lessons.shkolo.com, vs.shkolo.com and other subpages;
“Online platform” means the subdomain app.shkolo.com, representing an electronic diary for student training;
“Shkolo Lessons” means the website: www.lessons.shkolo.com, representing an online platform for providing services;
“Stripe” means the electronic payment system at www.stripe.com.
This Declaration on the protection of personal data is applied in the relations between “SHKOLO” OOD on the one hand and the users and visitors of Shkolo on the other. The purpose of the declaration is to inform data subjects of their rights in accordance with Art. 12 et seq. of Regulation (EU) 2016/679.
The administrator of the personal data is “SHKOLO” OOD with EIC 204224132, with address: Bulgaria, city of Sofia, “Lozenets” district, 15 Lyubata Street, e-mail: [email protected], phone +359 999 989 996 or +359 999 996,995.
The data protection officer of “SHKOLO” OOD is Adv. Teodora Dimitrova (“GP Management” Ltd.) with address: Bulgaria, city of Sofia, “Ovcha Kupel” district, “Voivodina Mogila” Str. No. 42, ground floor, apartment. 1; e-mail: [email protected]; phone number: +359 879 323 259.
The Company collects directly from data subjects the following categories of personal data:
When registering Users in Online platform:
When a data subject registers and creates his own user profile in Online platform, he provides the Administrator with the following categories of personal data: phone number, names, e-mail, username, password, date of birth, IP address. The company processes additional information according to the Cookies Policy of Shkolo.com.
An opportunity has been created for Users to register and access their user profile by logging in through Microsoft Office 365, Facebook and Google. In this case, Microsoft Office 365, Facebook and Google share names and email with the Company for verification purposes.
When registering Users in Shkolo Lessons:
The data subject registers and creates his own user profile in Shkolo Lessons as a trainer or learner. When the User registers as a trainer, he provides the Administrator with the following categories of personal data: names, date of birth, address, phone number, e-mail, username, password, photo. When the User registers as a learner, he provides the Administrator with the following categories of personal data: names, phone number, e-mail, username, password.
The company has integrated Stripe into Shkolo lessons, as a payment instrument for making money transfers to a User who has registered as a trainer. When filling out the registration form, information is required from these Users - trainers about: bank account number, bank account holder, copy of identity card and proof of use of the bank account. These personal data are not processed by the Company. This personal data is received by Stripe via an encrypted connection, and Shkolo has no control over and does not access this personal data in any way. The Company does not store the bank card number and its three-digit code of a User who has registered as a learner. This data is sent to and stored by Stripe. For more information on the grounds and purposes of personal data processing by Stripe, you can read here.
For Shkolo Visitors:
Visitors can view Shkolo and use its functionalities according to their access and access to online platforms. They have the option to write comments under Shkolo posts, in which case names, e-mail and IP address are collected.
When sending an inquiry:
When a data subject sends an inquiry to the Administrator through the contact form with him, he provides names, e-mail and a comment on his inquiry.
When participating in events and initiatives:
The Company may ask the User to take part in a survey, contest, competition or other event organized by the Administrator, in which case the data subject may provide e-mail, names, telephone number, address for the fulfillment of these purposes. In these cases, the Company will take the necessary measures to inform the data subject.
When working with contractors and potential contractors whose services are published on Shkolo:
The company processes the following categories of personal data of contractors/potential contractors or their representatives: names, passport data, telephone number, e-mail.
Protection of legal interests:
In case of legal disputes, the Company may process the following categories of personal data of data subjects, namely: names, e-mail, passport data and other data from the registration form.
The administrator may process personal data for marketing purposes where applicable. In this case, it collects names, e-mail, telephone number from the data subjects in an appropriate manner.
When personal data is provided by the data subject to the Personal Data Administrator without a legal basis under Art. 6, paragraph 1 of Regulation (EU) 2016/679 or contrary to the principles of Art. 5 of the same regulation, within one month of learning, the Company returns them, and if this is impossible or requires disproportionately large efforts, deletes or destroys them. Deletion and destruction shall be documented.
The administrator processes personal data of the following categories of data subjects:
- Users of Shkolo;
- Shkolo visitors;
- Trading partners;
The company processes personal data for the following purposes:
- For the purposes of concluding and performing a contract to which the data subject is a party. This includes the cases, but not only, when providing access and use of Shkolo`s services, when participating in events and initiatives for which the conclusion of a contract is necessary;
- For compliance with a legal obligation that applies to the Administrator;
- For marketing purposes;
- To protect legitimate interests of the Administrator, including administrative activities such as: legal service and information service and consumption analysis, information security and others.
The Company processes personal data of data subjects based on the following lawful grounds:
- The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
- The processing is necessary to comply with a legal obligation that applies to the Administrator. Such an obligation may be based on an express request for the provision of information by law enforcement bodies such as the Ministry of the Interior, the National Tax Service, the Prosecutor`s Office and others;
- The processing is necessary for the purposes of the legitimate interests of the Administrator or of a third party, except when the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail over such interests;
- The data subject has consented to the processing of his personal data for one or more specific purposes;
The Company may share personal data of data subjects with the following categories of recipients:
- State institutions and bodies with authoritative powers, when by law the Administrator is obliged to provide personal data - Ministry of the Interior, State Tax Administration, National Revenue Agency, Prosecutor`s Office and others;
- Commercial partners who serve the Administrator, in their capacity as processors of personal data, to support information security and provide services related to Shkolo, courier service providers, legal offices, accounting offices and others;
- Employees of the Administrator who process personal data in accordance with their assigned official/labor functions according to the job description and employment contract.
Shkolo and its online platforms may include links to third-party websites, plug-ins and applications. Clicking on or activating these links may allow third parties to collect or share data about the data subject. The Company does not control these third-party websites and is not responsible for their privacy statements. When the data subject leaves Shkolo, he should carefully read the privacy statement for each website he visits.
The company implements appropriate technical and organizational protection measures to guarantee the rights and freedoms of data subjects in accordance with the principle of “integrity and confidentiality”. In particular, the Administrator selects suitable recipients who have taken the necessary guarantees to protect the personal data provided to them and, in view of the existing risks, to ensure the appropriate level of security, including where appropriate:
- Pseudonymization and encryption of personal data;
- Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Ability to promptly restore availability and access to personal data in the event of a physical or technical incident;
- A process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.
The administrator may provide personal data in countries outside the European Union. The provision of personal data in this case may be carried out in compliance with the requirements under Chapter V of Regulation (EU) 2016/679 and the applicable international agreements between the European Union and third countries. For this purpose, the Company can freely transfer personal data to countries outside the European Union, for which there is a decision of the European Commission for an adequate level of personal data protection. The same applies to cases in which the Company has concluded a contract with standard clauses for the transmission of personal data to third countries, adopted by Commission Implementing Decision (EU) 2021/914 of June 4, 2021.
“SHKOLO” Ltd. stores personal data in accordance with the principle of “storage limitation”. In particular, for the above purposes, the Company will store:
- Personal data of counterparties are stored within the terms according to the general statute of limitations;
- Personal data contained in accounting documents are stored for the periods specified in the Accounting Act, the Tax and Insurance Procedural Code and other legal acts.
- Personal data in the User Profile are stored until the User deletes them or makes a request to the Administrator to delete them;
When a data subject writes a comment in Shkolo, his data remains published until the comment is deleted by the Administrator. In this case, he can make a request to the Administrator to delete his comment.
The data subjects whose personal data are processed by the Administrator have:
- Right of access to personal data, including to receive a copy of it;
- Right to rectification;
- Right to erasure (right to be forgotten);
- Right to restriction of processing;
- Right to data portability;
- Right to object to processing.
The above-mentioned rights can be exercised by sending an application in electronic form to [email protected], signed with a qualified electronic signature in accordance with the Law on electronic documents and electronic authentication services. A written application can also be submitted in person at the Company`s office at the address: Sofia, “Lozenets” district, 15 Lyubata St.
The Company may request consent from data subjects as a lawful basis for processing personal data for one or more purposes. Some of these purposes may for example be for profiling, related tracking, behavioral advertising or others. In these cases, the Company will request the consent of the data subject in order to have a legal basis to process his personal data, for which he will be notified in a timely manner in an appropriate manner. Personal data may include more categories than those listed above, with the consent expressly indicating the necessary categories of personal data for processing for the respective purpose.
Consent must be a freely expressed, specific, informed and unambiguous indication of the will of the data subject. Consent can be withdrawn at any time in the ways described above for the exercise of rights by data subjects.
In accordance with the General Data Protection Regulation and the Personal Data Protection Act, data subjects have the right to file a complaint with the Commission for Personal Data Protection at the address: Bulgaria, city of Sofia, Prof. Tsvetan Lazarov“ No. 2.
The administrator takes the necessary measures for the security of personal data. All paper documents containing personal data are stored in locked cabinets at the Company`s office, and only authorized persons have access to them. Data in electronic form are stored in compliance with the requirements for information security and access restriction. “Shkolo” Ltd. is certified for compliance with all requirements of the information security standard OWASP ASVS and ISO/IEC 27001:2017.