Privacy Policy


With this Privacy Policy, the American Bulgarian Business Association, a non-profit organisation registered with the Bulgarian Commercial Register and Register of Non-Profit Legal Entities with Unified Identify Code (UIC) 207268647 with its seat and registered address in Republic of Bulgaria, Sofia, 149 Tsarigradsko shose, fl. 1, in its capacity of the controller (herein after referred to as “controller”, “we”, “us”, “our”), we would like to inform you about the processing of your personal data.

By virtue of this document we fulfil our obligations as per the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and the local Personal Data Protection Act (“PDPA”) and the relevant Bulgarian legislation and sub legislation.

Тhis Privacy Policy is aimed to enlighten our members and potential members, partners, consultants and visitors in regard to the specifics when we collect your personal data related to all kinds of communications received and sent through our website.

Detailed information on personal data processed through cookies on the website is contained in the “Cookie Policy”.

Your personal data can be collected under two different scopes, by filling out the Membership application of the Contact Form on our website. In this context, your personal data regarding your identity, contact details and other information about yourself, which you may have provided us via the Contact Form, are processed.

This Privacy Policy will inform you as regards to the following main questions concerning the processing of your personal data:




Regardless of the way under which you have send us communications (via the respective Contact Form on our website and/or by virtue of submitted Membership Application), we obtain directly and automatically from you or we may ask you to provide us with certain information about yourself.

Your personal data collected in regard to communications handled may include the following categories:

  1. Personal data related to your identity: names, date of birth;
  2. Contact information: e-mail address, telephone number, city and country of residence;
  3. Personal data about you, which you may have provided us via the Conctact Form of Membership Application: Professional experience, position in the organisation/company, nationality.

Considering that we are processing your personal data in order to manage and respond to all of the communications which you have sent us, this processing appears necessary to fulfil those purposes. If you do not provide us with the respective information – for example, your names, contact information, etc., as the case might be, we will not be able to exercise our assistance in view of your requests or complaints. In any case, when collecting your personal data, we shall explicitly inform you whether providing the respective data is necessary and what shall be the consequences if you refuse.



  1. Your personal data obtained within the scope of the Contact Form may be processed for the following purposes:
  • Managing and preparation of responses in relation to messages received by you for the purposes of provision the information or other assistance requested by you;
  • Managing, planning and implementation of all types of communication activities for all members and candidate members;
  • Preparation of responses and providing information, in case of received requests regarding the exercise of rights by a data subject or other specific requests/signals.
  1. Your personal data obtained from Membership Application can be processed for the following purposes:
  • Provision of an email to inform the person whether the application has been approved, resp. rejected;
  • Administration of our database with information about members and candidate members with view to ensure compliance with legal rights and obligations;
  • Communicating with you regarding missing information and obtaining additional information essential for the membership application.




Your personal data, depending on the nature of the activity performed, for which processing personal data appears necessary, may be transferred to any of the following third parties:

  1. Companies and organizations, including within our corporate group, from which we receive various information technology services (e.g. Microsoft as a provider of cloud services serving for personal data storage), or cooperate with in compliance with the applicable legislation and for the purposes specified in this Privacy Policy.
  2. Companies and organizations – suppliers of goods and services (for example, lawyers, accountans, etc) with which explicit contracts have been concluded;
  3. Public bodies and institutions, courts, prosecution, upon explicit request thereof, and in performance of our legal obligations under the respective applicable legislation;

Your personal data are not transferred to third parties located outside the European Union, except to our representatives and members of the Managing Board, who live in the USA or to the moment of transfer of the data are in the USA.

Additionally, the partner organizations which provide us with the respective information technology services (provision and support of IT systems, etc.) utilize Microsoft-based software products, as well as take the highest level of organisational and technical measures to ensure the protection of your personal data. We shall only transfer to these partner organizations the personal data they need in order to provide us the contracted services to us, without further allowing them to use your personal data for their own purposes.

Your personal data, received by the Membership application on our website may be shared with the members of our Managing Board, who live in the USA for the purposes of decision making whether your application will be approved or rejected and as well for the purpose of identification how we can assist you in case you or the organisation, which you represent become our member. In any case we shall ensure the appropriate safeguards with respect to the protection of personal data transferred

Please note that the said transfer is within our organization and not outside ABBA to third parties in country outside the EU.




Your personal data are collected and processed automatically when you provide us with the relevant information via either the Contact Form, or through the Membership application, found on our website. The respective personal data, which you have submitted under any of the two scopes, may be processed on the following legal grounds:

  • For the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract – 6, para. 1, l. “b” of the GDPR (for instance in case of membership application submission);
  • When the processing is necessary for the legitimate interests of ABBA, or by a third party, provided that it does not harm the fundamental rights and freedoms of the data subject – 6, para. 1, l. “f” of the GDPR (for instance for carry out additional checks of the identification of the individual or with respect to filing and defending against legal claims).
  • In case you provided an explicit consent – art. 6, para. 1, b. “a” of the GDPR (applicable to the processing of personal data for direct marketing purposes, a possibility that is currently not active on our website).


Pursuant to the applicable data protection legislation, we have implemented and follow an internal general data privacy policy, which sets out the retention periods for which we store your personal data. The periods concerned are based on (a) the type of information we collect and (b) the purposes for which we collect it.

We retain your personal data for as long as is necessary for the processing purposes for which the data is collected, or until the expiration of a statutory period. Your personal data are stored, respectively are erased, destructed or anonymised in compliance with the relevant legislative provisions, after being stored for the period required by either the same legislative provisions or for the purpose for which they are initially processed.

It is our legitimate interest to retain some of your personal data collected in view of contracts executed (or to be entered) for the statute limitation period for making claims – 5 (five) years as of the expiry or termination of the contract concluded with you. Furthermore, we will not delete or anonymize your personal data if it is necessary for any pending judicial or administrative proceedings on complaints you may have against us.

For all other cases regarding personal data collected on the grounds of explicit consent (for example, personal data obtained via the Contact Form on our website in view of an offer or request you may have), we shall limit the retention period to 2 (two) years as of the time of obtaining the relevant implicit consent (the moment of receiving the electronic communications in our systems).



In performance of our legal obligations as per the GDPR and the local applicable data privacy legislation, we have implemented appropriate technical and organizational measures to ensure a high level of security to the personal data we process.

In view of the above, we have adopted all the necessary internal policies and procedures, while defining the respective data protection records to be maintained, including on paper, the persons who are responsible for their protection, as well as those who may access them. We have also explicitly stipulated the rules regarding the storage periods of the personal data processed, and the procedures for their destruction.

Furthermore, we utilize appropriate antivirus and cybersecurity software products, ensuring the necessary level of protection against security breaches and malicious attacks.

On a physical level, we have ensured a system of measures related to the protection of the buildings, premises and facilities in which personal data processed and stored may be accessed, including by means of chip cards for access to premises, locks, separate cabinets, including locked cabinets, metal crates, fire alarms, equipment on the premises appropriate to the needs, purposes and level of impact of the processing of personal data.

In cases of transfer of personal data, we require our suppliers and partner organizations who have access to your personal data to use appropriate measures to ensure the protection and confidentiality of your personal data. However, you are also responsible for safeguarding your personal data that you share with us over the Internet. Unfortunately, the transmission of information over the Internet may not be completely secure, despite the measures we have taken, given the passage of the same through the networks, channels and platforms of third party electronic service providers. Therefore, please note that the transmission of your personal information over the Internet is done at your own risk.



In relation to your personal data, you have certain rights which are granted to you pursuant to the GDPR and the other applicable local legislation. Sometimes certain rights can only arise and be exercised on certain grounds for processing your personal data; other rights are subject to certain limitations and exceptions under the law. To exercise your rights or ask questions, you should direct your request to the email or contact address below.

Specifically, you have the following rights under applicable law:

  1. Right of access to your personal data processed

You have the right of access and can request more detailed information about whether we process your personal data, what categories, for what purposes, to whom we disclose it, etc. If you have requested, we will provide you with access to your personal data that is being processed in the form of a copy. The copy is free of charge. If you request further copies or individually formatted or more detailed information or disproportionately exercise (abuse) your rights, we may charge you a reasonable fee to cover our administrative costs for producing them. When you have made the request by electronic means, we will, where possible, provide the information to you in a commonly used electronic form, unless you have requested otherwise from us.

  1. Right of rectification of the inaccurate personal data related to you

When you want us to correct your personal data, you may request that we also notify the third parties to whom it has been disclosed, except where this is impossible or involves excessive effort.

  1. Right to erasure (“right to be forgotten”) of your personal data processed

You have the right to request the erasure of your personal data when:

– they are no longer necessary for the purposes for which they were initially collected or otherwise processed;

– when you withdraw your consent to the processing of your personal data and there is no other legal basis for the processing;

– when you object to processing based on a legitimate interest and it does not override your rights, freedoms and interests;

– when processing is without legal basis or the erasure of your personal data is our legal obligation under Bulgarian or European law.

Pursuant to the latter, we have the right to continue processing despite your request for erasure in order to comply with our legal obligations under the law of the Republic of Bulgaria or the European Union law that require processing of your personal data or where necessary for the establishment, exercise or defense of legal claims.

  1. Right to restriction of the processing of your personal data

Where the processing of your personal data has been restricted, we could still continue processing it in two cases:

  1. with your explicit consent; or
  2. for the establishment, exercise or defense against legal claims or for the protection of the rights of another natural person or for important reasons of public interest for the European Union or a Member State.
  3. The right to receive the personal data that you have provided to us and that concerns you and to transmit those data to another controller (“right to portability”)

The right to portability can only be exercised where the following two conditions are met:

  1. it concerns processing carried out by automated means (i.e. this right does not apply to processing of data in the form of paper files), and
  2. the processing of your personal data is based on (i) your consent or (ii) a contract to which you are a party or to take steps at your request before entering into a contract.

You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request a direct transfer of your personal data to another controller where this is technically feasible.

You should be aware that when you exercise the right of portability, this does not result in your data being deleted from our systems. You will be able to continue to benefit from our services even after the data portability operation. Data portability also does not affect the initial retention period that applies to the transmitted data. You may exercise your other rights that are set out in the legislation and we have listed here while we continue to process the data.

  1. Right to object to processing of your personal data which is based the legitimate interest of the controller, including when profiling is carried out on this legal ground

You have the right at any time to object against the processing of your personal data by ABBA as a controller through preferred way of communication – using our contact form on the website, on email or on the phone. For these purposes please use the contact details in the end of this document.

  1. Right to file a complaint before the competent supervisory authority or before a court if your rights have been violated or you have suffered unlawful processing of your personal data.

In the event of a complaint, you also have the right to contact the Commission for the Protection of Personal Data (“CPPA”):

  1. In writing to the following address: Sofia, 1592, Sofia Municipality, 2, blvd. Tsvetan Lazarov;
  2. Telephone numbers: 02/91-53-519; 02/91-53-555;
  3. Fax: 029153525; or
  4. E-mail: [email protected]

The CPPD website can be found at:

  1. Where the processing is based on consent given by you, you have the right to withdraw your consent at any time by notifying us at the addresses listed at the end of this document.


In order to exercise any of your rights listed above or to contact us if you have any questions regarding this document, you may contact us using any of the contact information below:

Contact person on data protection matters: Ms. Rumyana Yordanova

You can submit your request via e-mail address to the following: [email protected]

Address for correspondence: Republic of Bulgaria, Sofia, 149 Tsarigradsko shose, fl. 1

The controller of personal data is American Bulgarian Business Association, a non-profit organisation registered with the Bulgarian Commercial Register and Register of Non-Profit Legal Entities with Unified Identify Code (UIC) 207268647 with its seat and registered address in Republic of Bulgaria, Sofia, 149 Tsarigradsko shose, fl. 1

As per requests relating to the exercise of your rights, they should be generally made in person or by a person expressly authorised by you.

We shall respond to your request in the form in which you made your enquiry to us – in writing on paper or in electronic form. Where you have made a request by electronic means, where possible the information will be provided to you in a commonly used electronic form unless you have requested otherwise.

Further to the above, we will provide you with information about the action we have taken on your request within one month of receiving it. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. If such an extension is necessary, we will notify you within one month of the submission of your request, explaining the reasons for the extension.

The most up-to-date Privacy Policy can always be found on our website. In this regard, you will be always able to inform yourselves in regard to any change which have been made to this Policy.

This Privacy Policy has been adopted and is effective as of 21.04.2023