RULES FOR PROCESSING PERSONAL DATA
BY “MAY” EOOD
The rules were made in accordance with Regulation (EU) 2016/679 of
the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive
95/46/EC, valid from 25.05.2018.
Information regarding the administrator of personal data:
Company name: “MAY” EOOD
Registration and management address: “Louis Eyer” str. No2, Sofia
Correspondence address: “Louis Eyer” str. No2, Sofia
1. “Administrator” of personal data is a natural or legal person,
public authority, agency or other entity that alone or jointly with
others determines the purposes and means of the processing of
personal data; where the purposes and means of such
processing are determined by EU law or the law of a Member
State, the controller or the specific criteria for determining it may
be laid down in EU law or in the law of a Member State.
2. "Personal data processor" means a natural or legal person,
public authority, agency or other entity that processes personal
data on behalf of the administrator.
3. "Processing of personal data" means any operation or set of
operations performed with personal data or a set of personal
data by automatic or other means such as: collecting, recording,
organizing, structuring, storing, adapting or changing, extracting,
consulting, using, disclosure by transmission, dissemination, or
other means by which data is made available, sorting or
combining, restricting, deleting or destroying.
I. Subject and scope
Art.1 This document defines the rules and procedures of “May” EOOD
as an administrator of personal data (hereinafter Administrator)
regarding the protection of individuals with regard to the processing of
personal data. The Rules also define the procedures for informing and
exercising the rights of individuals with regard to access, correction
and protection of their personal data.
Art.2 Individuals whose data is collected and processed by the
Clients of restaurant “Umami” and / or users of the website
Employees of “May” EOOD
Third parties - partners, consultants, contracting parties etc.;
Art.3 These Rules are applied by “MAY” EOOD for the processing of
personal data in whole or in part by automatic means, as well as for
the processing by other means of personal data that are part of a
personal data register or which are intended to form a part of a
personal data register.
Art.4. The rules are binding for all categories of employees of “May”
EOOD, in accordance with the need for personal data collection and
processing of personal data arising in the performance of their duties.
Art.5 When processing personal data the following principles are
observed by “May” EOOD:
(1) Personal data is processed lawfully, in good faith and in a
transparent manner in relation to the data subject ("legality, integrity
(2) Personal data is collected for specific, explicit and legitimate
purposes and is not further processed in a manner incompatible with
those purposes. Further processing for purposes of archiving in the
public interest, for scientific or historical research or for statistical
purposes, in accordance with Article 89 (1), shall not be considered
incompatible with the original purposes ("purpose restriction");
(3) Personal data is relevant, connected with and limited to what is
required in relation to the purposes for which it is processed.
(4) Personal data is accurate and, where necessary, kept
up-to-date. Every reasonable measure should be taken to ensure the
timely erasure or correction of inaccurate personal data, keeping in
mind the purposes for which it is processed (“accuracy”);
(5) Personal data is stored in a way which allows the identification of
the data subject for a period no longer than that required for the
purposes for which this data is being processed. Personal data may
be stored for longer periods, insofar as they will be processed solely
for the purposes of archiving in the public interest, for scientific or
historical research or for statistical purposes in accordance with Article
89 paragraph 1, provided that the appropriate technical and
organizational measures are in place to guarantee the rights and
freedoms of the data subject ("storage restriction");
(6) Personal data is processed in a manner that guarantees an
adequate level of personal data security, including protection against
unauthorized or unlawful processing and against accidental loss,
destruction or damage, by applying appropriate technical or
organizational measures ("integrity and confidentiality" );
(7) “May” EOOD as an administrator is responsible for and capable of
proving adherence to the aforementioned principles (“accountability”).
II. Information about the persons whose personal data is stored and
Art. 6. (1) The personal data registers maintained by the Administrator
are structured sets of personal data that perform a specific function of
guaranteeing the professional performance of the Administrator's
activities, access to which is granted according to certain
(2) The client register of restaurant Umami comprises the data
collected as follows:
(A) From the users of http://umami.bg/
The information which is registered comprises:
● Names, phone number, city, country, postal code, address;
● Delivery address - country, city, postal code, address;
● Delivery phone number;
● Delivery preferences;
● Payment method;
● Order number;
● Payment status;
● Delivery status;
● Payment amount;
● Order history;
Way of collecting the information and purpose for processing it:
Profile registration at http://umami.bg/
(B) Data collected with delivery orders via phone or through
● Names, phone number, city, country, postal code, address;
● Name and Surname of the person for delivery.
● Delivery address - country, city, postal code, address;
● Delivery phone number;
● Payment method
Way of collecting the information and purpose for processing it:
Delivery request made through http://umami.bg/
(C) Data of clients participating in the customer loyalty program, like
the club cards “Umami”, in which cases the following personal data is
● Name, Surname, Family name
● Date of birth
● City, country, postal code, address;
● Telephone number;
Way of collecting the information and purpose for processing it:
Filling in a registration form.
(3) Employee register of “May” EOOD
The employee register contains personal data of employees on civil
and on working contracts. The register is kept both in paper and
electronic form. Personal data required to perform the lawful duties of
“May” EOOD as an employer can be stored, processed and provided
to state institutions via electronic accounting software, official
automated systems and applications for the purpose of fulfilling the
employer’s and employees’ tax and social security obligations.
Personal data which is stored and processed in this register is:
- Names (First name, Surname, Family name)
- Correspondence address
- Residence address
- CIN (Civil identification number)
- ID card number, date and place of issue
- Phone number
- Copy of completed educational degree, for acquired academic
degree, for acquired post-graduation qualification and
specialization, copies of language and digital skills certificates.
The register also collects and processes the personal data of
candidates for open job positions. Personal data of these candidates
is destroyed in a period of 30 days after the selection process is
Personal data of employees with terminated contracts is stored in the
register with the purpose of maintaining an archive and performing the
lawful obligations of “May” EOOD as an employer.
Way of collecting information and purpose for processing it:
Labour code, Social security code, regulations in the field of labour
and tax legislation.
(4) In relation and in regard with signing a contract, as well as its
execution “May” EOOD stores and processes, in line with its duties,
personal data of people who are representing the counterparty of a
contract. In that relation the company may acquire personal data for:
- Managers, Executive directors of companies or other people
which lawfully represent legal entities.
- People who are empowered in a way stated by the law / by
power of attorney / to represent legal entities.
- People who mediate the correspondence and contacts with third
parties and the counterparty of a contract.
- People who, as employees of the counterparty, need to be
identified when performing their duties in relation to the contract.
Way of collecting information and reason for processing it: Signed
contract. Websites of governmental bodies providing information.
Regardless of the above, the collection and volume of stored
information is specific to each individual case. What should be taken
into consideration is: the contract clauses, the needs of the parties to
the contract and the legal possibilities and requirements. In that regard
different hypotheses can be given as examples: when making contact
with the counterparty the company needs to have contact person
information; it should also be known which people can validly express
the will of the other party to a contract, etc.
Art. 7. (1) Entry into the register of personal data for the purpose of
further processing shall be subject to the consent of the data subject,
expressed in a free manner, after being informed of the purposes of
collection and processing. Consent is a specific and unambiguous
statement or affirmative action.
(2) The Administrator keeps an archive with the written consents for
processing data and ensures the use of adequate technological
solutions for proving consent expressed through specific actions (for
example placing a tick in a checkbox prior to sending data electronically
through the website of the Administrator).
(3) Inclusion in a register with personal data without explicit consent
can only be made for the reasons stated in Regulation (EU) 2016/679.
Art. 8. When data processing is required for the execution of a contract
in which the data subject is a party (e.g., processing and submitting
personal data to the tax administration for the purpose of compiling
payroll, fee bills, declarations of taxes and social security
contributions, issuing business notes) the explicit consent of the data
subject is not required.
Art. 9. Where data processing is necessary to take steps at the
request of the data subject prior to the signing of a contract (e.g.,
submission of CVs and supporting documents when applying for a
position in “May” EOOD), the Administrator shall endeavor to ensure
easy access to these Rules tailored to the communication channels
that the data subject requests.
Art. 10. (1) When the same data is included and processed in different
registers by the Administrator, the consent may be expressed on a
one-off basis insofar as the information provided to the data subject
prior to granting consent clearly indicates the purpose of the data
processing and inclusion in separate registers does not change this
(2) The inclusion of the same data in more than one register may be
done without the explicit consent of the data subject on the grounds
laid down in Regulation (EU) 2016/679.
Art. 11. When data processing is necessary to comply with a legal
obligation that applies to “May” EOOD as an administrator, the
Administrator shall endeavor to inform the data subjects of this type of
processing, but may not refuse to comply with an obligation imposed on
it by law or by-law because of an instruction of the data subject to refuse
such processing. In this case, the Administrator performs a task in the
public interest or in the exercise of official authority, including keeping an
archive for employees.
Art. 12. (1) When there is a change in the scope of the processed
data on the basis of an obligation imposed by law or regulation, or an
instruction of a state body within its statutory powers, the
Administrator shall start processing according to the change, when
the data has already been granted with common consent for the
performance of a contract or on the basis of processing for the
performance of a public function.
(2) If the data required for the processing has not been provided to the
Administrator within the described procedures, the Administrator shall
promptly inform the data subjects about the changes and request the
submission of personal data within a reasonable time.
(3) The information to the subjects must clearly indicate the new basis
for collection and processing.
Art. 13. If the consent of the data subject is given in the framework of
a written declaration concerning other issues, the request for consent
shall be presented in a way that clearly distinguishes it from the other
issues, in a comprehensible and easily accessible form, using clear
and simple language.
Art. 14. (1) The Administrator does not collect or process personal
data related to the following:
- racial or ethnic origin;
- political, religious or philosophical beliefs, or membership in trade
- genetic and biometric data;
- sexual life or sexual orientation.
The Administrator collects limited data regarding the health condition
of the employees on the basis of the Code for Social Insurance (CSI)
III. Grounds for storing and processing personal data:
Art. 15. (1) The requirements of Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the
protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive
95/46/EC - General Data Protection Regulation.
(2) “May” EOOD processes your personal data on the basis of Art. 6,
paragraph 1, letters “a”, “b”, “c” and “f” of the GDPR, which state:
- Art. 6, paragraph 1, letter “a” of the GDPR - Consent given for
processing of personal data for the purposes of direct marketing -
advertising, sales announcements, promotions, offers, etc. in
processed on this basis are cookies and Google Analytics,
cookies for functionality and effectiveness, essential cookies
- Art. 6, paragraph 1, letter “b” of the GDPR - processing is required for
the execution of a contract.
- Art. 6, paragraph 1, letter “c” of the GDPR - processing is required for
compliance with a statutory obligation that applies to the
Administrator, such as a business accounting obligation,
etc. The data processed on this basis are: two names, telephone
number, delivery address.
- Art. 6, paragraph 1, letter “f” of the GDPR - processing is necessary for
the purposes of the legitimate interests of “May” EOOD, except
where such interests take precedence over the interests or
fundamental rights and freedoms of the data subject, which
require the protection of personal data, in particular when the
data subject is a child. The data processed on this basis are: two
names, email and profile.
Art. 16. The legislation of the Republic of Bulgaria and the
international normative acts.
IV. Means and ways of storing personal data:
Art.17 Storage is executed in the following ways:
1. Paper form - normatively required and / or internally organizational
for the company and / or information documents and / or documents
in direct or indirect relation to the execution of the contract
2. Electronic database - computer software and all kinds of other
software and information entered or generated from the same
V. Personal Data Protection Measures
Art.18 (1) The Company has established an internal organizational
structure that guarantees the protection of personal data and the
avoidance of its disclosure to third parties, except in the cases
described above. Security is achieved through the introduction of new
technologies, engaging professionals, encrypting files, restricting free
access, and more. Periodic updates of protection measures and
analysis of their effectiveness and efficiency shall be carried out.
The personal data processor shall undertake appropriate technical
and organizational measures in relation to the protection of personal
data, detailed in the Annex to these Rules, such as:
(a) implementation of all technical data security measures, including,
for example, but not limited to:
- use of a firewall to restrict unauthorized Internet access to the server
storing personal data;
- a system of appropriate rights and passwords restricting access to
the database stored on the server only to legitimate users and to
employees authorized to process such data;
- physical security for access to the server, including controlled
access to the premises, locked rooms, constant video surveillance,
secure rooms, and other appropriate measures
(b) organizational measures governing the rights of data processing
VI. Rights of data subjects
Art. 19. (1) The data subject shall have the right to withdraw his/her
consent at any time by request in free text. In such a case, the
withdrawal of the consent shall not affect the lawfulness of the
processing based on the consent prior to its withdrawal. Withdrawal of
consent may not relate to data maintained in the public interest, in an
archive or in the performance of an obligation imposed by law or
regulation to the Administrator to maintain and process personal data.
(2) The administrator shall assist the data subjects who have
expressed a desire to withdraw the consent, provide information on
the manner of withdrawal and the consequences thereof, and shall in
no way impede or create conditions for delay.
(3) The withdrawal of consent shall be by a procedure similar to,
corresponding to, or lighter than the procedure by which consent was
Art. 20. (1) The data subject shall have the right to request and
receive confirmation from the Administrator whether personal data
related to him / her are being processed.
(2) The subject shall have the right to access the data related to
him/her, as well as to the information concerning the collection,
processing and storage of his/her personal data.
(3) Access to the data is free of charge, but the Administrator reserves
the right to impose an administrative fee in case of repeated or
(4) Access to data in a register may be refused if for technical reasons
it is not possible to separate the visualization of all data for a particular
data subject from the data for the other data subjects, which would
lead to a violation of the rights of other data subjects. In such cases,
the Administrator shall provide a copy of the data processed in an
electronic or other appropriate form.
Art. 21. (1) The data subject shall have the right to request deletion of
the personal data related to him/her, and the Administrator shall have
the obligation to delete them without undue delay when any of the
following reasons exist:
- personal data is no longer necessary for the purposes for which it
was otherwise collected or processed;
- the subject withdraws his consent on which the processing of the
data is based and there is no other legal basis for the processing;
- the subject objects to the processing of personal data relating to
him/her, including for the purposes of direct marketing, and there are
no legitimate grounds for processing to take precedence;
- personal data was processed illegally;
- personal data must be deleted in order to comply with a legal
obligation under EU or Member State law applicable to the
(2) The administrator shall not be obliged to delete personal data if it
is stored and processed:
- to exercise the right to freedom of expression and the right to
- to comply with a legal obligation which requires processing with
grounds in EU or Member State law applicable to the Administrator,
or for the performance of a public interest task or in the exercise of
official powers conferred on him/her;
- for purposes of archiving in the public interest, for scientific or
historical research or for statistical purposes;
- for the establishment, exercise or defense of legal claims.
(3) The administrator shall not delete the data which he has a legal
obligation to keep, including for protection in connection with legal
claims against him or to prove his rights.
Art. 22. The data subject shall have the right to require the
Administrator to restrict the processing of related data when:
- the subject disputes the accuracy of the personal data for a period
allowing the controller to check the accuracy of the personal data;
- the processing is unlawful, but the subject does not want his / her
personal data to be deleted, only their use to be restricted;
- the Administrator no longer needs the personal data for the
purposes of processing, but the subject requires it for the
establishment, exercise or defense of his legal claims;
- the subject has objected to the processing while awaiting verification
that the Administrator's legitimate grounds have priority over the
Art. 23. (1) The data subject may request the Administrator to
inform him of all recipients to whom the personal data, for which
correction, deletion or restriction of processing has been requested,
has been disclosed.
(2) The administrator may refuse to provide this information if this
would be impossible or would require disproportionate efforts.
Art. 24. The data subject may object at any time to the processing of
personal data by the Administrator concerning him, including if they
are processed for profiling or direct marketing purposes. The objection
must state the reasons for raising it.
Art. 25. The administrator shall keep a register in which he / she shall
record the applications and requests received from data subjects
concerning their rights.
Art. 26. (1) If the Administrator finds a breach of personal data
security which may create a high risk to the data subject's rights and
freedoms, he shall be obliged to notify him without undue delay of the
breach, as well as of the measures taken or to be undertaken. The
notification shall specify the nature of the personal data breach and
give recommendations to the individual concerned on how to limit the
potential adverse effects.
(2) The administrator is not obliged to notify the data subject if:
- he/she has taken appropriate technical and organizational safety
measures with regard to data affected by the security breach;
- subsequently took measures to ensure that the infringement would
not lead to a high risk to the rights of the data subject;
- notification would require a disproportionate effort.
(3) In case of doubt about the existence or applicability of the grounds
in para. 2, the Administrator will accept a conservative interpretation
and proceed to notify the data subject.
Art. 27. In the event of a violation of the data subject's rights under the
applicable data protection legislation, he or she shall have the right to
file a complaint with the competent national authority - Commission for
Personal Data Protection (CPDP), website: www.cpdp.bg