for the processing of personal data in the context of the ICH GCP Training
Adopted 01 October 2022
For the purposes of conducting its business and providing its services ALBERATO EOOD in the process of registration at district Krasno selo, kv. Lagera, bl. 42A, entr. A, fl. 10, ap. 35, Sofia 1612, Bulgaria, (“Company”) processes personal data in compliance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data as per Art. 4, (7) GDPR;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
- ‘USER’ means any individual who is using or visiting the Web Site and/or a person, who may be offered, is being offered to buy or has bought a good or a service;
- ‘User Account’ means the online profile account of the USER that is created within the Web Site in order to access the Training, test and Materials offered by the Company.
All capitalized terms that have been defined within the General Terms (‘Terms’) shall have the same meaning as given within the Terms.
- Controller’s name and contact details
The Controller is ALBERATO EOOD in the process of registration at district Krasno selo, kv. Lagera, bl. 42A, entr. A, fl. 10, ap. 35, Sofia 1612, Bulgaria
- Personal data categories
The Company as Controller is processing the following personal data concerning the USERS-data subjects:
- First and last name
- Email address
- Bank details (bank and bank account)
- Number of Certificate of the USER-data subject
- Date on which the Training was completed by the USER-data subject
- Date on which the test was completed by the USER-data subject and with what result
- Cookies-related information
- Categories of data subjects
The Company processes as Controller the personal data of the following data subjects:
- individuals who are visiting the Web Site of the Company.
- individuals who have registered on the Web Site of the Company and have created a User Account.
- individuals who have used the services (including but not limited to the Training) of the Company, thus creating the rational assumption that they may be interested in using the same or similar services of the Company again.
- individuals who have contacted the Company directly.
- Purposes of processing
The Company processes as Controller personal data for the following purposes:
- for the execution and performance of contracts to which the Company is a party (e.g. provision of Training and maintaining of Certificates during their period of validity);
- for marketing purposes, including, but not limited to offering Company’s services (including the Training service) to potentially interested customers;
- for the purpose of improving the Company’s services;
- for the purpose of complying with Company’s legal obligation/s;
- for the purpose of protecting the legitimate interests pursued by the Company or by a third party:
- protection of the Company’s rights, freedoms, good name and reputation and legal interests in the course of administrative or court procedures,
- allowing third parties to check the existence, truthfulness and validity of issued Certificates,
- obtaining and maintaining licenses which are necessary for the Company, including undergoing audits and inspections.
- Legal basis for the processing
The Company processes as Controller personal data on the following legal basis:
- the processing is necessary for the performance of the Company’s contractual obligations (i.e. provision of a Training and maintaining a Certificate for the period of its validity) towards the USER (data subject) or in order to take steps at the request of the USER prior to entering into such contract;
- the processing is necessary for the purpose of complying with Company’s legal obligation/s;
- the processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party;
- when the data subject has given his/her consent for the processing of personal data concerning him/her for one or more specific purposes.
- Personal data recipients
The Company may share personal data concerning the data subjects with the following categories of recipients:
- Governmental and municipal bodies, agencies and authorities authorized to receive the personal data, when the Company is obliged by law to provide that personal data to them, for example: tax authorities, ministry of interior, courts, etc.
- Vendors, subcontractors and service providers, that are providing services to the Company: accounting, invoicing, payment, banking, hosting, legal, courier, archiving, consulting, security, design, infrastructural, connectivity and other services.
- Third parties which want to check the existence and/or validity of a certificate issued by the Company.
- Protection measures
The Company has implemented appropriate technical and organizational measures for protection of the personal data, in order to ensure the rights and freedoms of the data subjects based on the principle of integrity and confidentiality. The Company selects appropriate recipients, which have appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- Pseudonymization and encryption of personal data;
- Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- Data transfer
In case personal data needs to be transferred to countries outside the European Union, this will be done in compliance with Chapter V of GDPR.
- Storage period
The Company stores the personal data for up to 5 years.
- Rights of the Data Subject
The data subjects have the following rights regarding the personal data concerning them, that are processed by the Company:
- Right of access, including to obtain a copy
- Right to rectification of inaccurate personal data
- Right to erasure (‘right to be forgotten’)
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to a decision based solely on automated processing, including profiling
The data subjects may exercise the above-mentioned rights by sending an email to email@example.com.
- Consent and Consent Withdrawal
When required by the law the Company may request the data subject to provide his/her consent for the processing of personal data concerning the data subject. The consent must be a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her. The data subject shall have the right to withdraw his or her consent at any time.
Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes GDPR.
You can find a current list of the supervisory authorities in EU here: https://edpb.europa.eu/about-edpb/about-edpb/members_en or by typing “data protection authority / agency” in your language in Google.
A cookie is a small text file that a website stores on your computer or mobile device when you visit the Company’s Web Site.
- First party cookies are cookies set by the website you’re visiting. Only that website can read them.
- In addition, a website might potentially use external services, which also set their own cookies, known as third-party cookies.
- Persistent cookies are cookies saved on your computer and that are not deleted automatically when you quit your browser, unlike a session cookie, which is deleted when you quit your browser.
To view some of the Company’s Web Site pages and use some of the functionalities, you will have to accept cookies from external organisations.
The cookies will stay on your browser until you delete them.
The Company uses first-party cookies to:
- store visitor preferences
- make Company’s Web Site operational
- gather analytics data (about user behaviour)
These are set by the Company and only we can read them. They remember:
- if you have already replied to our survey pop-up (about how helpful the site content was) – so you won’t be asked again
There are some cookies that we have to include in order for certain web pages to function. For this reason, they do not require your consent. In particular:
- authentication cookies
- technical cookies required by certain IT systems
We use these purely for internal research on how we can improve the service we provide for all our USERS. The cookies simply assess how the USER interacts with our Web Site – as an anonymous user (the data gathered does not identify the individual personally). Also, this data is not shared with any third parties or used for any other purpose. You can refuse these types of cookies.