SOFIA

PRIVACY POLICY

GENERAL POLICY FOR THE PROTECTION OF PERSONAL DATA OF COMPANIES IN THE TRINITY CAPITAL GROUP

This policy aims to inform you about the manner, scope, purposes, grounds, storage periods, and your rights related to the processing of your personal data.

1. WHO ARE WE?

With this Policy, we inform you that "Trinity Capital" AD (hereinafter referred to as "the Company") and its controlled companies listed below, which together with the Company form the Trinity Capital Group (hereinafter referred to as "the Group"), are Data Controllers under Regulation (EU) 2016/679 and in this capacity collect, record, store, destroy, or otherwise process personal data.

We provide the following information regarding the Group of Data Controllers for your personal data:

Name, UIC, and registered address:

  • "Trinity Capital" AD, with UIC 205573011, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str.;
  • "Trinity Asset Management" EOOD, with UIC 208025783, seat and registered address: Sofia, postal code 1142, district Sredets, 9, Zheneva Str.;
  • "Sofia East Plaza" EAD, with UIC 204915454, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str.;
  • "BDC" EOOD, with UIC 175146504, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str.;
  • "Retail Park Haskovo" EOOD, with UIC 206638353, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str.;
  • "Trade Center Yambol" OOD, with UIC 205355256, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str.;
  • "Trinity Park Sofia" EAD, with UIC 175404926, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str. 7.
  • „Trinity Asset Management“ EOOD, with UIC 208025783, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str. 9;
  • „Trinity Finance“ EOOD, with UIC 206973298, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str. 9;
  • „Trinity Park Holding“ EOOD, with UIC 208086971, seat and registered address: Sofia, postal code 1142, district Sredets, 7, Zheneva Str. 9;

Websites: https://trinitycapital.bg/; https://xopark.bg/

Email: marketing@trinitycapital.bg

2. DEFINITIONS:

2.1. Data Controller: A natural or legal person, public authority, agency, or other structure that determines the purposes and means of Personal Data Processing.

2.2. Third Party Administrator: Legal or physical persons who are not affiliated with the Company in any way other than through contracts and who determine the purposes and methods of processing the Personal Data they handle.

2.3. Group of Enterprises: According to Regulation (EU) 2016/679 of the European Parliament and of the Council, a group of enterprises includes a controlling enterprise and the enterprises controlled by it, where the controlling enterprise can exercise dominant influence over the others based on ownership or financial participation or based on rules governing its management or the ability to apply data protection rules and control the processing of personal data.

2.4. The Group: The companies listed in point 1 of this General Policy for the Protection of Personal Data of Companies in the Trinity Capital Group;

2.5. Data Protection Officer: An individual employed by the Company or a person contracted with a civil contract, appointed based on their professional qualities, particularly their expertise in data protection legislation and practices and their ability to perform the tasks specified in Article 39 of the Regulation and these Internal Rules.

2.6. Data Protection Legislation: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals concerning the processing of personal data and on the free movement of such data ("General Data Protection Regulation" or "GDPR"), as well as all laws and subordinate normative acts governing the protection of personal data;

2.7. Websites: https://trinitycapital.bg/; https://xopark.bg/

2.8. Personal Data: Any information that can identify an individual (or potentially be used for identification), establish contact with them, or locate them. Includes information that may be linked to identifying information from other sources or easily extracted from other Personal Data.

2.9. Supervisory Authority: An independent body responsible for monitoring Personal Data Processing within its jurisdiction (country, region, or international organization), providing advice to competent authorities on legislative and administrative measures related to Personal Data Processing, and handling complaints filed by Data Subjects regarding the protection of their rights concerning their personal data.

2.10. Personal Data Breach: A security breach of Personal Data leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or processed in any other way.

2.11. Processing: Any operation performed on Personal Data or a set of personal data using automatic or other means, including collection, use, storage, transmission, and disclosure of Personal Data.

2.12. Processor of Personal Data: A natural or legal person, public authority, agency, or other structure that processes personal data on behalf of the Controller;

2.13. Transmission: Involves sending, delivering, transferring, providing, or closing Personal Data via any medium or method to a person or organization in any area, region, or country. Where applicable legislation provides stricter requirements than those stated in these Rules, it takes precedence over them;

2.14. Employee: Physical persons, whether in employment or another type of relationship with the Group, acting on its behalf;

2.15. Data Subject: Any individual who can be identified, directly or indirectly (particularly through an identifier or one or more specific characteristics unique to their physical, mental, emotional, economic, cultural, or social identity).

2.16. Shopping Centers Operated by the Group:

Commercial, office, warehouse, and production parks with shops, parking spaces, and internal alleys built on land owned by the Company or controlled entities and located as follows:

  • XOPark Sofia - Sofia, Kremiikovtsi district, Vrazhdebna neighborhood, Bogrovsky Pesotsy locality, Botevgradsko Shosse Blvd. No. 515-525;
  • XOPark Yambol - Yambol, Bitolya Street No. 37;
  • XOPark Haskovo - Haskovo, G.S. Rakovski Blvd. No. 28A;
  • XOPark Plovdiv - Plovdiv, Northern district, Bulgaria Blvd. No. 115A;

2.17 . Sensitive Personal Data: Refers to information allowing the identification of an individual that, if disclosed or processed improperly, could cause significant harm to a physical person. Sensitive personal data specifically includes personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the sole purpose of uniquely identifying a physical person, health data, or data concerning sexual life or sexual orientation of the physical person.

3. WHAT CATEGORIES OF INDIVIDUALS DOES THE GROUP COLLECT AND PROCESS PERSONAL DATA FROM?

The Group collects and processes your personal data if you are:

3.1. Employees of the Group, employed under a labor or civil contract;

3.2. Individuals applying for work with us;

3.3. Individuals who are contractors of the group (suppliers, clients, subcontractors, tenants, etc.), as well as representatives or authorized representatives of legal entities that are contractors;

3.4. Individuals visiting the shopping centers operated by the group;

3.5. Individuals participating in events organized in the shopping centers operated by the group, such as lotteries, art workshops, and similar activities;

3.6. Individuals using the Internet pages.

4. WHY IS IT NECESSARY TO COLLECT YOUR PERSONAL DATA?

4.1. If you are an employee of the Group, the Group collects and processes your personal data for the following purposes:

- Entering into and/or terminating a labor/civil contract;

- Paying wages, bonuses;

- Assessing work performance and results, disciplinary penalties, and proceedings;

- Participation in corporate human resources management programs, conducting training;

- Fulfilling the group's legal obligations established in labor, social security, and tax legislation (in the Labor Code, Social Security Code, Personal Income Tax Act, etc.), including summarizing and providing data for state institutions (e.g., National Insurance Institute, National Revenue Agency, etc.);

- Maintaining accounting records regarding wages, tax liabilities, and mandatory insurance contributions, administering additional employee benefits (e.g., short-term and long-term compensation and bonus programs);

- Providing social benefits and services through supplementary health insurance for employees and members of their families;

- Establishing contact and sending correspondence; internal communication;

- Maintaining, monitoring, and securing internal networks and IT systems, providing access;

- Participating in social, cultural, or other corporate events.

4.2. If you are a job applicant, the Group collects and processes your personal data to assess whether you meet the requirements for the position and to select personnel for the Group.

4.3. If you are an individual contractor of the group (suppliers, clients, subcontractors, tenants, etc.), as well as representatives or authorized representatives of legal entities that are contractors, the Group collects and processes your personal data for the following purposes:

- Fulfilling contracts and protecting the legitimate interests of the Group;

- Fulfilling legal obligations of the group arising from tax and accounting legislation, as well as other normative acts applicable to the group's activities;

- Marketing purposes - providing information and materials about the group's services in accordance with GDPR requirements, including:

  • Newsletters and marketing messages from the Group - informational emails about events in which the group will participate and/or organize;
  • Invitations to events organized or sponsored by the Group;
  • Managing the business strategy of the group - improving and optimizing the group's business strategy, as well as planning appropriate actions and activities of the Group.

4.4. If you are an individual visitor to the shopping centers operated by the Group, the Group collects and processes your personal data for the following purposes:

- Protecting our legitimate interest related to fulfilling contracts concluded with lessees in the shopping centers operated by the group;

- Planning, reporting, and tracking the attendance of the shopping centers operated by the group, in connection with carrying out the main activity of the Group;

- Protecting the life and health of individuals whose data is collected, or another physical person;

- For managing the business strategy of the group - improving and optimizing the group's business strategy, as well as planning appropriate actions and activities of the Group;

- Protecting legitimate economic interests - exercising the right of protection of the group when its rights and lawful interests are infringed upon, for conducting audits, etc.

4.5. If you are an individual participant in events organized in the shopping centers operated by the Group, the Group collects and processes your personal data for the following purposes:

- Protecting its legitimate interests, which include but are not limited to:

- Identifying participants, insofar as without their individualization, participation in organized lotteries is not possible;

- Awarding prizes after a lottery has been conducted;

- Paying due taxes and fulfilling other statutory obligations.

- For marketing purposes with explicit consent from the participants - for participation in a lottery, participants fill out a form and place it in the designated area;

- Protecting the life and health of individuals whose data is collected or another physical person;

- Fulfilling contractual obligations, complying with legal obligations, and managing the business strategy of the group - improving and optimizing the group's business strategy, as well as planning appropriate actions and activities of the group;

- Protecting legitimate economic interests - exercising the right of protection of the group when its rights and lawful interests are infringed upon.

4.6. If you are an individual user of the Internet pages, the Group collects and processes your personal data to conduct full-fledged correspondence and enable us to respond to your inquiry or request for information when you have contacted us through one of the methods indicated on the Internet pages, as well as for statistical purposes regarding the use of our site, in which case your data is anonymized.

4.7. If you do not fall into any of the above categories of individuals, the Group collects and processes your personal data only if you have provided your consent for this. In this case, you have the right to withdraw your consent at any time.

4.8. For individuals under 14 years old, consent for collecting and processing their personal data must be provided by the parent exercising parental authority or the guardian of the data subject.

5. WHAT PERSONAL DATA DO WE COLLECT AND PROCESS?

The Group collects and processes the following personal data about you:

5.1. For employees of the Group:

- Identification and contact details – names, gender, nationality, EGN (Personal Identification Number), address, phone numbers, email, place of birth, identity document information, copy of driver's license (only if a company car is provided);

- Family status – marital status, family relationships, names, and EGN of children under 18 years old;

- Education and competencies – diploma for completed education, certificates, qualifications;

- Professional experience and previous employers;

- Photograph;

- Financial data – bank accounts, information on bank loans, participation and/or ownership of shares or securities in companies;

- Data on competition and participation in other organizations (non-compete data);

- Data on access to systems, buildings, and premises of the Group;

- Work activities – position, workplace, department, work contact details – telephone, email, fax, working hours (full-time and part-time), data on completed training courses, employment and insurance history, salary, bonuses, days of temporary incapacity, income and insurance history paid by the previous employer for the respective calendar year, number of days and dates of annual leave;

- Work performance – evaluations, disciplinary actions, etc.;

- Membership in professional organizations, insurances;

- Medical data – health condition according to medical examination documents upon initial employment and other medical documents presented by the person during the term of the employment contract in compliance with the legal obligations of the Group;

- Criminal record data – certificate of good conduct, only for positions where this is required according to Bulgarian and European legislation.

5.2. For physical persons – job applicants at our company:

- Identification and contact details – first name, middle name, last name, telephone, email, photograph;

- Education, skills, and competencies (language proficiency certificates and others);

- Previous experience and employers;

- References – if provided by the applicant’s consent.

5.3. For physical persons – contractors of the Group (suppliers, clients, subcontractors, tenants, etc.), as well as representatives or proxies of representing legal entities:

- Identification and contact details – first name, middle name, last name, PN, permanent address and/or correspondence address, email;

- If contracts are signed by an authorized representative and a notarized power of attorney is presented, the following data will be collected for the principal and the authorized representative: first name, middle name, last name, PN (date of birth), ID card number, date of issue.

5.4. For physical persons – visitors to the shopping centers operated by the Group: photographic images, video, and audio recordings stored with the records created through surveillance means in the parking lots of the shopping centers operated by the Group.

5.5. For physical persons – participants in events organized in the shopping centers operated by the Group:

- Full name, Personal Identification Number, permanent/current address, telephone number;

- Photographic images, video, and audio data.

5.6. For physical persons – users of the Internet pages:

- Identification and contact details – first name, last name, email, telephone provided by you;

- Electronic identification data from your computer (such as "cookies" (more information can be found in the Cookie Policy) or "IP addresses");

- Other personal data that you have decided to provide when making an inquiry or in another manner indicated on our Internet pages, you have contacted us.

We would like to inform you that we collect and process your personal data only to the extent necessary to fulfill the purposes for which they were collected. Unless explicitly stated, please do not disclose sensitive personal information such as data regarding your health, racial or ethnic origin, religion, membership in trade unions, sexual orientation, etc.

6. FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?

Your personal data is stored by us only for the period necessary to fulfill the purposes for which they were collected or processed and for a period no longer than allowed by applicable law.

6.1. The personal data of employees providing information about their employment and insurance history or certifying such (including documents under Article 13 of the Labor Book and Employment History Regulation) is stored for a period of 50 years (payroll records, employment contracts (appointment orders), reassignment orders, unpaid leave exceeding 30 working days, termination of employment relationship orders). All other documents related to the employment relationship are kept until the expiration of the deadlines for filing claims in so-called labor disputes under Article 358(1) of the Labor Code or for a period of three years from the date of termination of the employment relationship.

6.2. The personal data of job applicants is stored for the duration of the recruitment process and up to 30 days after its cessation, unless the candidate has agreed to store their data for future applications or other open positions. After the completion of the recruitment process, the job application of a person with whom an employment/civil contract has been concluded will not be retained.

6.3. The personal data of physical persons – contractors of the Group (suppliers, clients, subcontractors, tenants, etc.), as well as representatives or proxies of representing legal entities, is stored for a period of five years from the expiration of the contract or its termination.

6.4. The personal data of physical persons – visitors to the shopping centers operated by the Group, is stored for a period of one month from the day of recording.

6.5. The personal data of physical persons – participants in events organized in the shopping centers operated by the Group, is stored until the end of the event and the settlement of all related matters, such as receiving a prize and paying tax on a received material prize, unless a longer storage period is provided by law.

6.6. The personal data of physical persons – users of the Internet pages, is stored only until the fulfillment of the purposes for which it was collected or processed. More information can be found in the Cookie Policy.

After the expiration of the storage periods, we take all necessary actions without undue delay to appropriately destroy the collected personal data.

7. WHO ELSE MAY BE A RECIPIENT OF YOUR PERSONAL DATA?

Processing of personal data may involve exchanging data between companies within the Group. The Group has a legitimate interest in such data exchange for achieving internal administrative, business, management, financial, marketing, and other purposes while adhering to the principles of personal data protection and implementing appropriate security guarantees.

The Group may share your personal data with third parties under the following conditions:

  • When outsourcing processing for performing specific processing activities documented by the Group to external payroll agencies, accountants, external organizations for travel and accommodation arrangements, external legal and financial consultants, external organizations for additional benefits (Multisport cards, etc.), subcontractors, and others;
  • When the Group needs to share such personal data with its external organizations and service providers offering information services and maintaining information systems;
  • Upon receipt by the Group of a request from a judicial authority or another authorized body of power for providing such personal data in accordance with applicable law.

8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

You have the right to request from the Group:

  • Access to your personal data, i.e., you have the right to know what personal data about you is being processed by us. The Group provides, upon request, free of charge, a copy of the processed personal data related to you. When submitting a request electronically, the Administrator provides the information in a widely used electronic format;
  • Correction – the right to request correction of your data stored by us if they are inaccurate or incomplete;
  • Erasure ("right to be forgotten"). You have the possibility to request the deletion of your personal data in the following cases:
    • If the personal data is no longer necessary for the purposes for which it was collected;
    • If the data subject exercises their right to object and there are no lawful grounds for processing that have precedence;
    • If the processing was unlawful;
    • If there is a regulatory obligation on the Administrator to delete the data.

However, the right to erasure does not apply in cases where the data is processed:

  • For exercising the right to freedom of expression and the right to information;
  • To comply with a legal obligation requiring processing, provided for in Union law or Member State law applicable to the Administrator or for the execution of a task carried out in the public interest or in the exercise of official authorities conferred on the Administrator;
  • For reasons of public interest in the area of public health;
  • For archiving purposes in the public interest, scientific or historical research, or statistical purposes under Article 89(1) of Regulation (EU) 2016/679, insofar as the right to erasure might make impossible or seriously impair the achievement of the objectives of that processing;
  • For establishing, exercising, or defending legal claims.
  • Restriction of processing of your personal data. In case of needing to verify the accuracy of the data, the basis for processing, or the lawfulness of processing, you can request the Administrator to restrict (stop) processing of your data.
  • Objection to processing. Regarding data processed on the basis of "legitimate interest," you have the right at any time and on grounds relating to your specific situation to object to processing. In case of such objection, the Administrator must cease processing your personal data unless it demonstrates compelling legitimate grounds for processing that override your interests, rights, and freedoms or in case the data is processed for establishing, exercising, or defending legal claims.
  • Data portability – to request your personal data in a structured, commonly used, and machine-readable format.
  • When processing is based on your consent, you have the right to withdraw your consent at any time.
  • You also have the right to lodge a complaint with the competent supervisory authority if you consider that your data is being processed unlawfully by the Administrator:

Commission for Personal Data Protection
Address: 1592 Sofia, Prof. Tsvetan Lazarov Blvd. No. 2;
Correspondence Address: 1592 Sofia, Prof. Tsvetan Lazarov Blvd. No. 2;
Telephone: +359 2 915 3 518;
Website: www.cpdp.bg
Email: kzld@cpdp.bg

To exercise your rights, you can contact us as specified in section 11 below "Contact regarding personal data. Data Protection Officer in the Group."

9. HOW WE PROTECT YOUR PERSONAL DATA:

The Group makes every effort to protect your personal data from damage, loss, disclosure, misuse, intrusion, alteration, or destruction. To safeguard the confidentiality of your data, we implement physical, software-technical, organizational, and administrative safeguards. We restrict access to your personal data only to those individuals who need this information to provide you with benefits or services. Additionally, we train our employees on privacy matters.

10. CHANGES TO OUR PRIVACY POLICY AND PRACTICES:

The Group may change this personal data protection policy at any time. If the Group plans to amend this policy (e.g., if we intend to use your personal data for purposes different from those stated in the policy at the time of data collection, while adhering to the principle of lawfulness), a notice about the changes will be published in the updated version of the personal data protection policy, which will take effect from the date of publication. The Group will notify you of any changes by publishing them on the pages with the personal data protection policy or via email or another form of notification.

11. CONTACT REGARDING PERSONAL DATA. DATA PROTECTION OFFICER IN THE GROUP.

In accordance with Article 37(2) of the GDPR, the Group has appointed a Data Protection Officer. The Data Protection Officer monitors compliance with this policy applicable to the Group and provides contact for all data subjects regarding the exercise of their rights under the applicable data protection legislation.

For any questions or comments related to this personal data protection policy, the way your personal data is collected and used by the Group, exercising your rights concerning your collected personal data, you can contact the Data Protection Officer as follows:

Name: Alexandra Dzhambazova
Tel.: +359 888334623
Email: office@trinitycapital.bg

This General Personal Data Protection Policy was composed and adopted by all companies in the Group in their capacity as Data Controllers, in order to fulfill their obligations to provide information to data subjects under Articles 13 and 14 of the GDPR.

MAP OF THE STORES

en_ВИЖ ОЩЕ
ALL STORES

RETAIL PARKS FOR THE PEOPLE.
logo XOPark

Plovdiv
logo XOPark

Haskovo
logo XOPark

Yambol
  1. Stores
  2. News and Promotions
  3. About us
  4. Contacts
  1. Terms and Conditions
  2. Cookie policy
  3. Privacy Policy

RETAIL PARKS FOR THE PEOPLE.
logo XOPark

Plovdiv
logo XOPark

Haskovo
logo XOPark

Yambol

By using this website you agree to the use of cookies that help us improve user experience, personalize content and ads, and analyze traffic. For more information, read our Cookie Policy.

By using this site, you confirm that you have read and agree to the Terms and Conditions and the Privacy Policy

Agree