Privacy Policy


This Policy has been drafted and is based on the Regulation (EC) 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Data Protection Regulation GDPR) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as the Regulation.


Administrator “Peak Porter” AD, a joint stock company incorporated in Bulgaria under company number 206566391 and having its seat and registered office at: Bulgaria, District: Kardzhali, Municipality: Kardzhali, town of Kardzhali, postal code 6600, 15 “Deveti May” St.

Contact person: Mehmet Okta,


  1. Legitimacy – Prior to the personal data processing, the legal basis on which such processing shall be carried out should be identified. It is often referred to as “grounds for processing”, such as “consent”.
  2. Good faith – in order for the processing to be in good faith, the data administrator must provide certain information to the data subjects as far as that is practicable. This shall apply irrespective of whether personal data is obtained directly from the data subjects or from other sources.
  3. Transparent personal data processing – The General Regulation includes rules on the provision of confidential information to data subjects. They are detailed and specific, emphasizing that privacy notices are comprehensible and accessible. The information must be communicated to the data subject in a comprehensible form, using clear and comprehensible language.
  4. Data protection at the design stage;
  5. Default data protection. Ensure data privacy and confidentiality observance by data administrators and processors;
  6. Minimization of data processing;
  7. Personal data are collected for specific, precise and legitimate purposes and they are not processed in a way incompatible with these purposes;
  8. The data must be relevant, related to and not exceeding the purposes for which they are processed;
  9. They should be accurate and, if necessary, updated;
  10. They may be erased or corrected;
  11. The data shall be maintained in a form permitting the subjects identification for a period no longer than is necessary for the purposes for which such data are being processed.
  12. Strict accountability shall be kept at every stage of processing. The consent of the subjects shall be required when the principle of legality is not applicable.
  13. Security improvement in all regard – technical, physical, etc.


  1. The data we collect are as follows:
  • On physical identity– Full name, phone number, email address, job role
  • On social identity– Company name, industry, request type information
  1. Personal data use

The personal data provided by the subjects are necessary for the identification and implementation of regulatory requirements or contractual obligations arising from contracts concluded between them and the Administrators. The data are necessary for the conclusion of employment contracts, civil contracts, commercial contracts, providing legal basis for carrying out labour activities, social security, health care, fulfilment of certain tasks under commercial contracts, CCTV in public places in properties owned by the Administrators to ensure the security, etc. In summary, personal data are collected for activities such as human resources management, financial accounting, public order and private security activities, property management.

As a data administrator, the Company processes personal data through a set of actions that can be performed on the personal data with automatic or other non-automated means such as collecting, recording, organizing, storing, adapting or modifying, restoring, consulting, using, disclosure by transmission, dissemination, provision, updating or combining, blocking, deletion and destruction, subject to the above principles.

The purpose of personal data processing is to uniquely identify the individuals, present and future employees/contractors of the Company, etc. related persons. The legal basis for the personal data processing is in most cases subject to the requirement of a law, as well as a specific legal framework. If we need additional personal data beyond the required minimum, we as an Administrator shall require the subject’s consent. Processing is also required in connection with the execution of a contract to which the entity is a party, or to take steps upon our request as an Administrator before entering into a contract.

In our capacity as an Administrator, we maintain the following Data Processing Registers – “Employees” and “Counterparties”


The Company, as a Personal Data Administrator, is entitled to disclose the processed personal data only to the following categories of persons, listed exhaustively:

  1. natural persons to whom the data relate;
  2. persons, for whom the right of access is provided in a regulation;
  3. Persons who process the data.


When assessing the appropriate technical measures for personal data protection, the following options were considered:

  • Password protection
  • Automatic locking of idle workstations in the network
  • Access rights based on roles, including those assigned to temporarily employed staff;
  • Protection of devices leaving the organization’s premises, such as laptop, etc.;
  • Security of local and wide-area networks.

When assessing the appropriate organizational measures for data protection, we will take the following into account:

  • The levels of appropriate training in the company;
  • Measures, taking into account the reliability of employees (e.g. appraisal assessments, recommendations, etc.);
  • The inclusion of data protection in employment contracts;
  • Identification of disciplinary measures for violations in relation to data processing;
  • Regular inspection of the staff on the compliance with relevant security standards;
  • Control of the physical access to electronic and paper based records;
  • Adopting the “clean job” policy;
  • Adopting clear rules for password creation and use;
  • Regular backup of personal data and physical storage of media with copies outside the office;
  • Imposition of contractual obligations on counterparty organizations to take appropriate security measures when transferring data outside the EU.
  1. All employees handling personal data shall be responsible for ensuring the security of the storage of the data they are in charge of and which the Administrator holds, and for the data to be safely stored and not disclosed to third parties in any circumstances, unless the Administrator has given such rights to those third parties by entering into a contract or signing a confidentiality clause.
  2. All personal data shall only be accessible to those who need them and access can only be granted in accordance with the established access control rules. All personal data must be treated with the utmost security and stored:
  • using signaling-security equipment;
  • in a separate room with controlled access; and/or in a locked cabinet or in a filing cabinet;
  • if it is computerized, it should be password protected in accordance with the internal requirements set out in the organizational and technical measures for information access control;
  • stored on portable computer media, protected in accordance with the organizational and technical measures for information access control.
  1. Paper-based records should not be left where they can be accessed by unauthorized persons and cannot be removed from the designated office premises without explicit permission. As soon as paper documents are no longer required for ongoing customer support work, they must be destroyed in accordance with the established procedure/rules and the relevant protocol.
  2. Personal data are stored in the Company for a strictly limited and regulated period. Paper records for which the deadline of storage has expired must be shredded and destroyed as “confidential waste”. Data on hard drives on waste personal computers should be erased, or the disks – destroyed.
  3. An organization should be established to ensure that computer screens and terminals cannot be viewed by anyone other than the authorized employees of the respective administrator. All employees are required to be trained and to accept the relevant contractual clauses/declarations of compliance with the organizational and technical measures of access, as well as the rules for workstations locking, before they are given access to information of any kind.


Individuals whose personal data are being processed have the following rights:

  1. the right to information about the data identified by the Administrator and its representative, the purposes of the personal data processing, the recipients or the categories of recipients to which the data may be disclosed, the compulsory or voluntary nature of the data being provided and the consequences of the refusal to provide them;
  2. the right of access to data relating to them. In cases where third party personal data may also be disclosed when access is granted to an individual, the Administrator is obliged to grant partial access to them without disclosing any data about the third party;
  3. the right to correct personal data when they are inaccurate and when they are not up to date;
  4. the right of deletion/the right “to be forgotten”), the right to restrict the processing, the right to rectify the personal data, the processing of which does not meet the requirements of the LPDP, as well as the right to request informing the third parties to whom the personal data have been disclosed of any deletion, correction that has been made, except where this is impracticable or involves excessive effort;
  5. the right to request the administrator to limit the processing of personal data, in which case the data will only be stored but not processed;
  6. the right of objection to the Administrator against the individual’s personal data processing, provided there is a legitimate reason for doing so, and against the processing and disclosure of their personal data to third parties for direct marketing purposes. The right to be informed before their personal data are first disclosed to third parties or used on their behalf for direct marketing purposes;
  7. the right to notify violation of personal data security;
  8. right of defence – before CPDP and in court /the right of appeal to a supervisory authority, the right to effective judicial protection against a supervisory authority, administrator or data processor/;
  9. right to compensation for damages;
  10. the right to consent withdrawal at any time, without prejudice to the processing legality pursuant to a consent given before it is withdrawn;
  11. Right of transferability – The data subject is entitled to receive the personal data concerning him/her which he/she has provided to the Administrator, in a structured, commonly used and machine-readable format and has the right to transfer this data to another Administrator without hindrance by the Administrator to whom the personal data were originally provided, when the processing is based on a consent or a contractual obligation, and the processing is done in an automated manner.
  12. the right not to be the subject of automated decisions affecting him/her to a significant extent, without the possibility of human intervention;
  13. the right to oppose automated profiling, happening without his/her consent.


Natural persons shall exercise their rights by submitting a written application to the Administrator containing at least the following information:

  1. name, address and other identification data of the individual concerned;
  2. request description;
  3. preferred form of information provision;
  4. Signature, application filing date and correspondence address.

The application filing is free of charge.

When an application is submitted by an authorized person, there should be an explicit notarized power of attorney attached to the application.

In the event of the individual’s death, his/her rights shall be exercised by his/her heirs by applying a heir certificate to the application.

The deadline for the application review and the ruling thereon is 14 days from the application filing day, respectively 30 days, when it takes more time to collect the requested data in view of possible difficulties in the Administrators’ activity.

The Company shall prepare a written reply and communicate it to the applicant personally – against signature or by post, with a receipt acknowledgment, in accordance with the information provision form preferred by the applicant.

We may refuse to process requests that are unreasonably duplicated, require disproportionate technical efforts, jeopardize the confidentiality of other users, requests which are extremely impractical or otherwise not required by law.

Where the data do not exist or their provision is prohibited by law, the applicant shall be denied access thereto.

The Administrator shall send a confirmation of the notification receipt (by email).

The Administrator shall assess whether it is necessary to notify the supervisory authority of the violation. Under Article 33, para. 1 of the GDPR, no notification is necessary unless the personal data violation is likely to pose a risk to the rights and freedoms of individuals. If it finds that there is a risk to the data subjects’ rights and freedoms, the Administrator shall notify the supervisory authority of the personal data security violation without undue delay and not later than 72 hours after the violation has been committed, by sending a notification.

The notification sending by the personal data processors to the Administrators, by the Administrators to the CPDP, the answers of the parties to the problem, the consequences and the measures taken, shall be recorded in the Register of committed violations.

The Administrator shall notify the data subject of the personal data security violation, without undue delay, when the violation is likely to lead to a high risk to the individual’s rights and freedoms, to enable him/her to take the necessary precautions.