The following data protection notices are designed to inform you about the processing of your personal data and your rights regarding this processing according to the General Data Protection Regulation (“GDPR”) and additional data protection laws.
b) Controller
We, the METRO Cash & Carry Bulgaria, Tsarigradsko Shausee 7- 11 km., 1784 Sofia, Bulgaria are the controller according to the GDPR and therefore responsible for the data processing explained below. For questions or requests concerning the data processing, please contact our data protection officer, whose contact details you can find below.
c) Data Protection Officer
You can contact our data protection officer at any time by using the following contact details:
We will process the personal data which are collected by the customer registration form and during upcoming business transactions for the purpose of entering into and performing the customer contract and the printing of your customer card. Because we are only concluding contracts with business customers, a customer card is necessary to visit our shops and purchase goods from us. This processing is based on Art. 6 paragraph sentence 1 letter b) GDPR.
b) Customer Analysis and Marketing
We will process all of your personal data which are collected by the customer registration form and during every upcoming business transactions also for the purposes of customer relations and analysis. This includes market research, customer feedback surveys, customer analysis, customer segmentation and profiling to predict customer behavior and activity, i.e. customer churn, repeated purchase of certain goods and dates of purchase. We will also contact you for these purposes by e-mail, SMS, telephone, fax, post. For the abovementioned purposes, your data will be stored in our data warehouse and enriched with data which we collect from public sources, i.e. trade register. This processing is legally based on Art. 6 paragraph 1 sentence 1 letter f) GDPR. It is necessary to pursue our prevailing legitimate interests to improve our services and the customer relationship with you, which is a key factor for our business success. The data, which we collect and store, help us to learn more about your interests and needs. This enables us to consider them and act accordingly, i.e. by personalized communication.
All of your personal data which are collected by the customer registration form and during every upcoming business transactions will also be processed by us for the purposes of providing you information on advertising and marketing campaigns by post and physical visit. This processing is based on Art. 6 paragraph 1 sentence 1 letter f) GDPR. It is necessary to pursue our prevailing legitimate interests of informing you about our offers and services and expand the customer relationship with you. If you have given us your prior consent, we will also use your personal data to provide you our marketing information via e-mail, SMS, telephone or fax. This processing is legally based on Art. 6 paragraph 1 sentence 1 letter a) GDPR.
c) Data Recipients
We are part of the METRO Group, which is internationally active. To achieve the purposes mentioned above under 2.a) and b), we use service providers, i.e. as data processors according to Art. 28 GDPR, for example our service providers for cloud hosting, platform and maintenance services, for printing the customer card, which you receive from us, or our service providers for the sending of e-mails, SMS, Viber, contact by telephone, printing of personalized advertising or online targeting. These are external service providers and also service providers within the METRO Group, like METRO Group shared service centers, which are located in countries within and outside the European Union (EU) and the European Economic Area (EEA) (i.e. the international data center of the METRO Group, which is operated by the METRO Systems GmbH). We ensure i.e. by contractual regulations, that these service providers process personal data in accordance with European data protection law to guarantee a high data protection level, even if personal data are transferred into a country, in which another data protection level is common and for which no adequacy decision of the Commission of the EU exists. Another transfer of personal data to other recipients is not performed, except where we are obliged to do so by law. For more information about appropriate safeguards for the international data transfer or a copy of them, please contact our data protection officer via e-mail under: dpo@metro.bg
d) Mandatory/Voluntary Data Provision
The provision of the following data is required to enable us to enter into a contract with you and in order to process your customer registration: customer name (= name of your business), industry, legal form, billing address, business telephone number, tax number (concerning customers within the EU: VAT registration number), at least the data of one purchase authorized person (i.e. business owner), Position of the purchase authorized person (i.e. business owner or Purchaser), proof of the existence of your business. The rest of the data we collect within the customer registration are provided voluntarily by you. You are neither obliged to provide these personal data to us, nor is this provision necessary to fulfill a statutory or contractual requirement or a requirement necessary to enter into a contract. If you do not provide these personal data to us, this will not result in any consequences for you.
e) Retention Period
Your personal data will only be stored until the customer relationship has ended and you have given back your customer card, except where we are legally obliged by law to further store your data for the purposes of submitting it to public authorities, for example to tax authorities. This storage and transfer of your personal data to public authorities for the purpose of fulfilling a legal obligation is legally based on Art. 6 paragraph 1 sentence 1 letter c) GDPR.
3. Your Rights
As a data subject, you can contact our data protection officer at any time with a formless notification under the contact dates mentioned above under 1. c) to exercise your rights according to the GDPR. These rights are the following:
The right to receive information about the data processing and a copy of the processed data;
The right to demand the rectification of inaccurate data or the completion of incomplete data;
The right to demand the erasure of personal data and, in case the personal data have been made public, the information towards other controllers about the request of erasure;
The right to demand the restriction of the data processing;
The right to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format and to request the transmittance of these data to another controller;
The right to object the data processing in order to stop it;
The right to withdraw a given consent at any time to stop a data processing that is based on your consent. The withdrawal will not affect the lawfulness of the processing based on the consent before the withdrawal
The right to lodge a complaint with a supervisory authority if you consider the data processing to be an infringement of the GDPR.
Because of possible changes in law, a change of these data protection notices might become necessary. In this case, we will inform you about such changes. In so far as the changes affect a processing which is based on your consent, we will ask you for a new consent, where necessary.