Privacy Policy

Privacy policy

Effective from 2022

I. General information about the Administrator and processing

Here you can find information about the policy on personal data protection processed by EVROBUL Ltd., incl. in connection with the https: // www provided by the website. services. With this privacy policy we strive to provide you with comprehensive information regarding the processing of your personal data in accordance with Art. 13 and Art. 14 of Regulation (EU) 2016/679 in a transparent, accessible and easily understandable way.                                                                                                         

1. Personal data administrator 

Evrobul Company Ltd., with UIC: 040957193, with address: Sofia, 102 Bulgaria Blvd., 2nd floor, office 20, e-mail:, tel./fax: 02/8548000 (“Data Controller”) processes personal data of individuals (“data subjects”) in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR), the Personal Data Protection Act and The company’s data protection policy.  


If you have any questions, need additional information or suggestions related to the processing of personal data or their protection, you can contact us at the above coordinates.

This policy will provide information on:

  1. General information about the Administrator and processing
  2. Terms used and their meaning
  3. Categories of data, purposes of processing, legal bases and retention periods
  4. To whom personal data is transferred or disclosed
  5. Security measures
  6. What rights do you have and how to exercise them
  7. Information on the supervisory authority
  8. Social media

EVROBUL Ltd. processes the personal data related to you lawfully, in good faith and in a transparent manner, making significant efforts to ensure an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage to your data. For this purpose, the company applies appropriate technical and organizational measures.

2. Natural persons whose personal data are processed by the company

In connection with the services provided by him, EVROBUL Ltd. processes personal data concerning the following data subjects: 

(a) Natural persons, contractors or potential contractors of the company – customers and suppliers of goods and services, respectively their employees. 

(b) Staff – current and former employees of the company, as well as job applicants. 

(c) Natural persons submitting requests, requests and any other documents to EVROBUL Ltd. (including applications for exercising the rights and electronic communications provided for in Articles 15-22 of the Regulation). 

(d) Visitors to the company’s website: https: // www.

The administrator does not process personal data of persons under 14 years of age. If you find such processing, please inform us immediately so that we can take the necessary action.

II. Terms used and their meaning

For the purposes of this policy, the terms used in it have the following meanings:

  • ‘Controller’  means a natural or legal person, public authority, agency or any other body which alone or jointly with others  determines the purposes and means of the processing  of personal data;
  • “Personal data”  means any information relating to or identifying an individual, including identifiers such as name, identification number (PIN, PIN, etc.), location data (geolocation), online identifier (eg IP) or one or more characteristics specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;
    The processing of special categories of personal data is prohibited, except in a few explicit hypotheses described in Art. 9, § 2 of the Regulation. Such data are personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying an individual, health data or data on the sexual life or sexual orientation of the individual.
  • “Supervisory authority”  means an independent public body responsible for monitoring the application of the Regulation in order to protect the fundamental rights and freedoms of individuals with regard to the processing and to facilitate the free movement of personal data within the Union;
  • “Breach of security of personal data”  means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data which are transmitted, stored or otherwise processed;
  • “Processing”  means any operation or set of operations carried out with personal data or a set of personal data by automatic (electronic) or other means (paper) such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or other means of accessing data, arranging or combining, restricting, deleting or destroying;
  • “Processor”  means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • “Risk”  means the possibility of material or non-material damage to the data subject under certain conditions, assessed in terms of its severity and probability.
  • “Data subject’s consent”  means any freely expressed, specific, informed and unambiguous indication of the data subject’s will, by means of a statement or clear confirmatory action expressing his or her consent to the processing of personal data relating to him or her;
  • “Data subject”  within the meaning of this Privacy Policy is a natural person whose personal data are subject to processing by the personal data controller within the activities of EVROBUL Ltd;
  • “Destruction”  means the irreversible physical destruction of a material medium.

Terms not defined in the text above have the meaning given to them in Regulation (EU) 2016/679. 

III. Categories of data, purposes of processing, legal bases and retention periods

The processing of personal data for the purposes of human resources management, incl. of personnel selection and processing of personal data of current and former employees of EVROBUL Ltd, the Policy of the personal data protection company with which the respective persons are acquainted is described in detail, in view of which this category of data subjects will not be covered by current policy.

Except in respect of its employees on the basis of a legal obligation, EVROBUL Ltd. does not process personal data included in the scope of special categories of personal data, namely: personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data solely for the purpose of identifying an individual, health data or data on the individual’s sexual life or sexual orientation.

1. Personal data received from the subject (described in the table below)

Category of subjects Categories and types of personal data Purpose of processing Grounds and storage period
Data on your physical identity (for concluding contracts with  individuals ): three names, PIN / PIN, etc. identifier, passport data, address, telephone, e-mail; For contractors –  legal entities : three names of the legal representative of the company, two names of the contact person under the contract, e-mail and telephone, respectively. data on his social identity:   place of work and position; 1. Individualization of the legal relations with the respective persons;
2. Information support of activities related to the existence, amendment and termination of legal relations and preparation of all types of documents in this regard (contracts, protocols, invoices, etc.);
3. Making correspondence related to the fulfillment of contractual obligations;
4. Fulfillment of the normative requirements of the Commercial Law, the Accounting Act, the Corporate Income Tax Act, etc.
Under items 1 – 3: Conclusion or execution of a contract according to art. 6, § 1, letter “b” of the Regulation;  Term : up to 5 years from the termination of the contractual basis;
Under item 4: Legal obligation according to art. 6, § 1, letter “c” of the Regulation; Term: depending on the respective obligation: e.g. Art. 12, para. 1 of the LSA.
Visitors to the website using the contact form, online application forms or direct inquiries to the company’s email;
Other persons making inquiries and initiating correspondence;
Information about your physical  identity: two or three names; Contact details
:  telephone and / or email address. Other information that you provided in your inquiry ( which cannot be identified in advance ).
Processing the inquiry and providing an answer and assistance in connection with the subject of the correspondence; In certain cases – clarification of contractual relations; Pre-contractual relations – art. 6, § 1, letter “b” of the Regulation
Legitimate interest – art. 6, § 1, letter “e” of the Regulation
Term : Up to 1 year, unless the correspondence concerns pre-contractual relations;
Persons exercising their rights under the Regulation, as well as persons affected by a security breach Information about  your physical  identity: three names, PIN / PIN or other similar identifier; Fulfillment of normatively established obligations in accordance with Regulation (EU) 2016/679 and LPPD. Legal obligation according to art. 6, § 1, letter “b” of the Regulation; Deadline : 5 years from the last action taken.

In case the statutory term for a specific type of documents is longer than the one indicated in the table above, the administrator shall apply the statutory term. If you wish to receive information about the retention period of a specific document, do not hesitate to contact us at the coordinates specified in this policy.

The company  does not implement or use technologies for automated decision making or profiling .

After the expiration of the deadlines for processing personal data, they shall be anonymized or deleted / destroyed, unless:

  • are required for pending judicial, arbitration, administrative or enforcement proceedings, or
  • the subject concerned has exercised his / her right to request a restriction on the processing of personal data concerning him / her.

2. Personal data obtained through the use of cookies

More information about the cookies used at https: // www., you can find at

3. Possible consequences if personal data are not provided

In case the client does not provide the required information, including the necessary personal data, the company will not be able to conclude a contract with him, respectively will not be able to provide the requested service.   

IV. To whom personal data is transferred or disclosed

The personal data of the company’s clients are provided to:

(a) Transport companies and other suppliers and / or subcontractors for the purposes of the contract / application;

(b) Clients of forwarding services for the purposes of the contract / application;

(c) Customs and other public authorities for the purposes of the contract;

(d) Companies providing accounting services and information support of the company’s IT systems, as processors of personal data;

(e) Other competent public bodies in fulfillment of an obligation provided by law.   

V. Security measures for personal data

The company implements all appropriate technical and organizational measures to ensure the security of personal data, including an explicit commitment by employees to confidentiality.  

VI. What rights do you have and how to exercise them

In case EVROBUL Ltd. processes your data, you have
the following rights:

1. Right of access
You have the right to receive confirmation that we are processing personal data related to you. In the event that we process such data, we will provide you with a copy of the data as well as the following information:

  • the purposes of processing;
  • the relevant categories of personal data;
  • the recipients or categories of recipients to whom the personal data are or will be disclosed;
  • where possible, the intended period for which personal data will be stored and, where this is not possible, the criteria for determining it;
  • the existence of the right to require the controller to correct or delete personal data or to restrict the processing of personal data relating to the data subject, or to object to such processing;
  • the right to appeal to a supervisory authority;
  • where personal data are not collected by the data subject, any available information on their source;
  • the existence of automated decision making, incl. profiling (with relevant information on the logic used and the meaning and intended consequences of this processing).

In the event that the documents containing personal data about the subject contain personal data of other persons, they will be deleted in an appropriate manner.

2. Right of correction
You have the right to request that we correct the personal data we process about you in the event that it is inaccurate. In case you want us to supplement your personal data, we will need to submit a declaration / application containing the relevant information.

Once we receive your request, we will correct / supplement the data as soon as possible.

3. Right to be erased (so-called right to be forgotten)

You have the right to request the deletion of personal data related to you, which will be deleted when any of the following grounds apply:

  • personal data are no longer needed for the purposes for which they were collected or otherwise processed;
  • You withdraw your consent on which the data processing is based and we have no other legal basis for their processing;
  • You object to the processing and there are no legitimate grounds for the processing to take precedence;
    When you object to processing that is done for marketing purposes, the grounds are not analyzed and the data is deleted.
  • your personal data has been processed illegally;
  • personal data must be deleted in order to comply with a legal obligation under EU law or Bulgarian law;
  • personal data have been collected in connection with the provision of information society services.
    An information society service is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of the services.

Even if any of the hypotheses described above exist, we will not delete your personal data when processing is necessary for:

  • exercising the right to freedom of expression and the right to information;
  • compliance with a legal obligation that requires processing provided for in EU law or Bulgarian law, or for the performance of a task in the public interest, or in the exercise of official powers of the administrator;
  • the establishment, exercise or defense of legal claims;
  • two more specific hypotheses set out in Art. 17, § 3, letters “c” and “d” of the Regulation.

4. Right to restrict processing
You have the right to ask us to restrict processing when one of the following applies:

  • You dispute the accuracy of the personal data. In this case the restriction is carried out for the period necessary for EVROBUL Ltd. to check the accuracy of the data;
  • The processing is illegal, but you want the use of personal data to be restricted instead of deleted;
  • EVROBUL Ltd. no longer needs personal data for the purposes of processing, but you require them for the establishment, exercise or protection of legal claims;
  • You have objected to the processing and are awaiting verification as to whether the legitimate interests of EVROBUL Ltd. take precedence over your interests;

The controller will inform any person to whom data have been disclosed that have been corrected, deleted or restricted, except in cases where this is not possible or requires a disproportionate effort. If you wish, we will let you know who these people are.

5. Right of portability
You have the right to receive the personal data you have provided to us in a structured, widely used and machine-readable format, as well as to request that we transfer them to another administrator of your choice. In order to take such action, the following two prerequisites must be met:

  • the processing is based on consent or a contractual obligation; and
  • data to be processed in an automated manner.

6. Right of objection

You have the right to object to the processing of your personal data when it is based on:

  • performing a task in the public interest or in the exercise of official powers conferred on the administrator, or
  • legitimate interest.

We will stop processing your data immediately if we are unable to prove that there are compelling legal grounds for processing that take precedence over your interests, rights and freedoms, or for establishing, exercising or defending legal claims.

When we process for marketing purposes, we will stop processing your data as soon as we process your request.

7. Right to withdraw consent

When the processing of your data is based on consent, you have the right to withdraw the consent given at any time by notifying us to the specified contacts.

How to exercise the rights described above?

1. If you wish to exercise any of your rights, please download the application HERE and fill in the required information. The application is designed for your convenience, but is not required.

If you prefer, you can also send us a request in free form, which must contain the following information:

  • your three names;
  • PIN / PIN or other similar identifier ( only if you have provided us with such information so far );
  • address;
  • mailing address;
  • description of the request;
  • preferred form of response and information;
  • signature;
  • Submission date.

2. Please send your application in one of the following ways:

  • by e-mail to under the terms of the Electronic Document and Electronic Certification Services Act (EESA), the e-Government Act (EES) or the E-Identification Act (EIA).
  • by mail or in person at the address: Sofia, 102 Bulgaria Blvd., 2nd floor, office 20.

Where the application is submitted by an authorized person, a power of attorney must be attached  .

3. After reviewing your application , we will analyze its content and, if necessary, ask for additional information. You will receive information about its processing within one month of sending it in the manner specified by you as preferred for communication.

4. In case you need assistance  in filling out the form we offer, you can contact us at the contact details provided in this policy. 

You should keep in mind that EVROBUL Ltd. may refuse to fully or partially satisfy any of the rights described above, where the satisfaction of them would pose a risk to public order and security, the prevention, investigation, detection or prosecution of crimes or the execution penalties imposed, including the prevention of and prevention of threats to public order and security, other important objectives of general public interest and in particular an important economic or financial interest, including monetary, budgetary and fiscal matters, public health and social security, the data subject or the rights and freedoms of others or the enforcement of civil claims.

In addition to the rights described above, you have the opportunity to:

1. File a complaint with a supervisory authority

Every data subject has the right to lodge a complaint with a supervisory authority if he / she considers that the processing of personal data concerning him / her violates the provisions of the Regulation or the LPPD. If the subject has a place of work or habitual residence in the Republic of Bulgaria, as well as when the violation was committed in the Republic of Bulgaria, the latter should refer to the Commission for Personal Data Protection (CPDP) within 6 months of learning of the violation. – no later than 2 years from its implementation, by submitting a complaint by letter, fax or electronically by the order of ZEDEUU.

Following the entry into force of the Regulation, personal data subjects may also lodge complaints with other supervisory authorities in the territory of the European Union, where this is provided for in the Regulation.

2. File an appeal with the competent administrative court

Without prejudice to your right to appeal to the CPDP, described in item 1, you have the opportunity to appeal to the competent administrative court when you believe that your rights under the Regulation / LPPD have been violated as a result of the processing of your personal data. .

3. Right to compensation and liability for damages

In case you have suffered material or non-material damages as a result of violation of the Regulation, you have the right to receive compensation from the administrator for the damages.

VII. Information about the supervisory authority

In accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 (General Data Protection Regulation), any natural person who considers that his right to protection of personal data has been violated may lodge a complaint by Commission for Personal Data Protection at the address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov ”№ 2, website:  

VIII. Social media

We use social networks to communicate with our customers and provide information about the services offered. Each platform has its own privacy policy regarding the processing of your data, which we recommend that you read.


Facebook’s privacy policy:


LinkedIn Privacy Policy:


+359 2 854 8000

Any questions?

Имате въпроси? Свържете се с нас.

0895 697 410

Имате въпроси? Свържете се с нас.