This Policy aims to provide all relevant information concerning the Processing of your Personal data by the Administrator of the platform Auxionize AD (A joined-stock company, registered in Sofia, Bulgaria, under company number 203556634) in a clear and concise way and implements the requirements of the General Data Protection Regulation (GDPR) and the applicable Bulgarian legislation.
As a general principle, your granting of any consent and your provision of any Personal data is entirely voluntary and refusing to do so will not lead to detrimental effects. However, there are circumstances in which the Administrator cannot take action without certain Personal data, for example because this Personal data is required to process registration, payment or provide you with access to a web service or newsletter, as outlined below.
For further questions or comments, you can contact us directly via the Platform’s contact form or at:
111B, Tzarigradsko bul., Sofia 1784
Tel.: +359 882 744 529
“Personal data“ shall mean any information relating to an identified or identifiable natural person (“Data subject”);
“Data subject” shall mean an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
In the context of the services provided by Auxionize AD as a B2B platform, Data subject shall refer to the physical persons representing a Client, or the Client themself if they are self-employed, as well as the persons who claim an Employee account.
“Processing” shall mean any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” shall mean the legal person, which determines the purposes and means of the Processing of Personal data;
For the purpose of the present Policy, Controller of Personal data and Administrator of the Platform shall be synonymous and both shall refer to Auxionize AD (“Auxionize”, “we”, “us”)
“Processor” shall mean a natural or legal person, public authority, agency or other body which processes Personal data on behalf of the controller;
2. Categories of Personal data concerned and purpose of use
Identification data – Includes name, surname and position in the represented company.
- We need the Data subject to provide this information in order to assign an Auxionize account to a specific Client and their employees;
- Furthermore, by creating an account, the Client enters into a binding agreement with Auxionize AD, for the validity of which we need to identify the other party;
- We also need this information for billing purposes, when a Client chooses a paid service – the billing services usually requires indicating a physical person to represent the Client, or indicating a card holder, when payment is made through Debit/Credit card.
- We need to process this data when, registered or not, you contact us through our contact form or directly by email.
Contact information – Includes email and telephone number.
- Other than the messages generated by the Platform as you are using it, email and telephone are our main ways of communication with a Client and their employees – as a Data subject, you will receive confirmations emails, when registering or purchasing a services, important notification and reminders, connected to your activity on the Platform, as well as answers to complaints or any other communication you have sent the Administrator which is why we need you to provide us this information.
- We will not use these channels for direct marketing, except by request or with the Data subject’s explicit consent.
As a physical person uses the functionalities of the Platform, the website will generate or make use of technical information that will sometimes qualify as Personal data – e.g. your device’s IP address, or information that generates in the course of using a communication channel. If the Processing of Personal data of this matter is not necessary for the correct functioning of the Platform, we shall always ask for your consent for Processing. Some of this data is also known as “cookies”- please see below §7 “About Cookies”.
If while using the Platform you are asked for additional Personal data, the Administrator shall provide information for the purpose of the request and the legal basis of the Processing.
Unrequested Personal data
If for any reason you provide us with Personal data that we have not specifically requested and have no legal basis to Process, the Administrator shall take measures to delete or encrypt it in a timely manner.
Legal compliance and Fraud Prevention
We might have to process Personal data in order to comply with legal requirements, such as – securing validity of our contract with the Client or providing data to supervisory authorities upon request.
We use Personal information to prevent and detect fraud and abuse when there is reason to suspect unauthorized activity, in order to protect the security of our Clients, their employees, the Platform and its Administrator.
3. Legal basis
Entering into a contract and performance of a contract– in accordance with Art. 6, § 1, b) of GDPR
Complying with legal obligations – in accordance with Art. 6, § 1, c) of GDPR
Where the applicable legislation requires us to process Personal data, we have no remedy but to do so. For example – for accounting purposes the legislation would require us to keep an up-to-date list of our Clients and their representatives.
Explicit consent – in accordance with Art. 6, § 1, a) of GDPR
Where your consent is needed for the Processing of certain Personal data, you will always be explicitly asked to provide it, with no negative consequences stemming from your unacceptance. It should be noted that according to the relevant legislation consent is not only an affirmative statement, but also any affirmative action, e.g. – if you yourself present us with a piece of Personal data without prior request on the side of the Administrator.
If Processing is solely based on your consent, you have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of prior Processing.
You can withdraw consent by clicking a designated active button – e.g. the unsubscribe button on e-mail newsletters, or by sending a message to firstname.lastname@example.org.
In order to protect the vital interests of the Data subject or of another natural person, or based on the legitimate interest of the Administrator or third parties – in accordance with Art. 6, § 1, c) and f) of GDPR
In occasions when Processing of Personal data is necessary to protect vital interest or legitimate interest, the Administrator shall always take into account the interests or fundamental rights and freedoms of the Data subject which require protection of Personal data.
4. Duration of the Processing
We process Personal data for a period, allowed and necessary for the completion of the purposes of Processing. When there is no longer a valid purpose or legal basis for Processing, the data shall be deleted or anonymized.
The criteria that determine the duration of Processing include (i) the length of our contract with the Client, for the term of which the Platform provides its services, (ii) the withdrawal of consent, where that was the legal basis of data Processing. However, where we are required by law to retain your Personal data longer or where your Personal data is required for us to assert or defend against legal claims, we will retain your Personal data until the end of the relevant retention period or until the claims in question have been settled.
5. Third parties & data transferring
Whenever the need to disclose or transfer data to a third party arises, data shall always be shared on a “need-to-know” basis, meaning that no more than the necessary data for providing the services shall be disclosed/transferred, adhering to the principle of minimization of Processing.
In the context of transaction Processing, parts of your Personal data may be passed on to payment services. In such cases the passing on serves our Contract with the Client and is necessary for the fulfilment of legal obligations.
We also commission an accounting service to help us ensure correct handling of Client payments and their taxation for which reason they gain access to Personal data and act as a Processor of Personal data on behalf of the Administrator.
For ease of communication, when we send out information about the current auctions, we use SendGrid – a customer communication platform for transactional and marketing email, which requires us to share your contact information.
For the protection of our legitimate interests, we might employ outside legal counsel, to whom we might disclose Personal data. Legal counsels are bound by professional secrecy and have an obligation and take all necessary measures to keep data safe and private.
Please be mindful that the Personal data that you have made “visible” on the Platform, e.g. in the Company description, will be available to the Platform’s other Clients or Users and the Administrator cannot be held responsible for the actions of such third parties. In this regard, we advise you to carefully consider the information you chose to share.
6. Information, gathered in the process of Verification
Due to the exclusivity of this service, special rules apply to the Processing of Personal data.
The purpose of this particular Processing is to check and verify the existence of the Client as a legal entity or self-employed person, the accuracy of the Company information, and the representative power of the person operating the account. To this aim the Administrator will ask of the person claiming to represent a Client additional information, including:
- Personal identification number
- ID number, date of issue and issuing authority
- Photographic image
This data will be used for confirming the identity of the person operating the account against a personal identification document that they provide, for the performance of ID validity checks and representative authority checks.
Withholding the principle of data minimisation, we are aiming to perform a trustworthy check with the minimum amount of Personal data involved. To this end, we respectfully ask Data subjects not to send Personal data, other than the explicitly requested by the Administrator.
Because of the nature of the service, this Processing is necessary and unavoidable. As such, the legal basis of this particular Processing is the performance of a contract (in accordance with art.6, § 1, b) GDPR), to which the Administrator and the Client are party.
The Verification is performed solely by employees of the Administrator, who will consult the relevant registries. These types of Personal data will not be shared with other users of the Platform or any third parties and will be deleted as soon as the Verification is complete. We will only keep records of the results of the checks performed.
If in future there is reason to doubt the validity of the Verification, you may be asked to present the relevant Personal data again, and that is because we will not keep a copy of it after the initial check. If you deny presenting this Personal data, which you have the right to, we might retract your Verified status, depending on the reason of doubt.
The Administrator takes into account the sensitive nature of this data and shall take all necessary technical and organisational measures in order to ensure the security of Processing.
7. About Cookies
The Platform uses a number of necessary for the functioning of the Platform cookies (Functional Cookies). If you block or otherwise reject functional cookies through your browser settings some features and services may not work. For example, you will not be able to use any services that require you to sign in to your Account. You may also need to manually adjust some of your preferences every time you visit one of our services. Regardless, you can manage your cookie preferences by accessing your browser settings.
The fact that these cookies are necessary means that the Data subject does not need to give explicit consent, but has the right to be informed about their use.
Examples of using necessary cookies to provide our services:
- Recognising you when you sign-in to use our services;
- Recognising your Membership plan and providing customised features and services;
- Displaying features, products, and services which might be of interest to you;
- Keeping track of your actions on the Platform when switching pages;
- Preventing fraudulent activity;
- Improving security;
- Keeping track of your preferences such as currency and language.
These types of cookies do not generally carry Personal data. Functional cookies will remain in your browser for 1 month from your last visit to the service.
You will not be subject to automated decision-making, including profiling, resulting from your browsing data.
8. Data subject rights
As a Data subject you have a number of rights, according to the applicable legislation, which we will explain in brief:
Right to request from the Controller access to and rectification or erasure of Personal data
You have the right to obtain from the Controller (Administrator) confirmation as to whether or not Personal data concerning you is being Processed, and, where that is the case, access to the Personal data and information regarding its Processing.
Your right to rectification stems from your obligation to provide accurate, complete and up-to-date Personal data when it is required. Therefore, if you notice a technical or other error in the Personal data that we have collected and are processing, you have the right and the obligation to notify the Administrator and request rectification.
The right to erasure (right to be forgotten) is not an absolute right. If you think that your Personal data is being unlawfully processed, you are in your right to contact and notify the Administrator of the matter. The Administrator will then take the necessary steps to check the legal basis for the Processing and only if there is none, the Administrator will erase the unrightfully processed Personal data.
Right to request restriction of Processing and to object to Processing
You have the right to request restriction of Processing in cases where: (i) you have contested the accuracy of the Personal data, for a period enabling us to verify the accuracy of the Personal data; (ii) the Processing is unlawful and you have opposes the erasure of the Personal data (iii) the Administrator no longer needs the data for the purposes of the Processing, but you required it for the establishment, exercise or defence of legal claims; (iv) you have objected to automated Processing pending the verification whether the legitimate grounds of the Administrator override those of the Data subject.
You have the right to object to the Processing, depending on your particular situation, when the Processing’s legal basis is protection of the Administrator’s legitimate interest or those of a third party, when you find that your interests, rights and freedoms as a physical person and as a Data subject override the above-mentioned legitimate interest.
Right to data portability
You have the right to receive the Personal data which you have provided us and is concerning you as a Data subject, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller. You can also ask for the Personal data to be transmitted directly from one Controller to another, where technically feasible.
9. Supervisory authority
As a Data subject you also have the right to lodge a complaint to your local data protection authority about the Processing of your Personal data.