Data privacy statement pursuant to GDPR
Your privacy is important to us. It is Enduro Ride’s policy to respect your privacy regarding any information we may collect from you across our website, http://enduro-ride.com, and other sites we own and operate.
We only ask for personal information when we truly need it to provide a service to you. We collect it by fair and lawful means, with your knowledge and consent. We also let you know why we’re collecting it and how it will be used.
We only retain collected information for as long as necessary to provide you with your requested service. What data we store, we’ll protect within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use or modification.
We don’t share any personally identifying information publicly or with third-parties, except when required to by law.
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and practices of these sites, and cannot accept responsibility or liability for their respective privacy policies.
You are free to refuse our request for your personal information, with the understanding that we may be unable to provide you with some of your desired services.
Your continued use of our website will be regarded as acceptance of our practices around privacy and personal information. If you have any questions about how we handle user data and personal information, feel free to contact us.
This policy is effective as of 11 May 2019.
Name and address of the controller
The controller within the meaning of the General Data Protection Regulation of the EU (GDPR) and other national data protection laws of Bulgaria, as well as other data protection provisions:
Stefan Karadzha 3
E-Mail: [email protected]
1. General information relating to data processing
1.1. Scope of personal data processing
We generally only collect and use our users’ personal data to the extent necessary for providing a functioning website and for our content and products and services. Our users’ personal data are routinely collected and used only after the user’s consent has been obtained. An exception is made in cases where it is not possible to obtain the consent beforehand for factual reasons and processing of the data is permitted by statutory provisions.
Personal data are only collected if you voluntarily communicate that to us in the context of your reservation. We exclusively use the data you have provided to process and complete your booking unless you have given further consent. Upon complete processing of the contract and full payment of the service price, your data will be blocked for further use and deleted after the retention period for tax and business records has expired insofar as you have not explicitly consented to further use of your data.
1.2. Disclosure of personal data
Your data will be passed on to Enduro-Ride, Stefan Karadzha 3, Gabrovo, Bulgaria, for the purpose of contract formation and processing. We will pass your payment data on to the financial institution engaged for the payment or to the payment service selected in the ordering process in order to process payments.
1.3. Payment processing using PayPal
1.4. Legal basis for the processing of personal data
To the extent that we obtain the consent for the processing procedures of personal data from the data subject, Art. 6 (1) (a) of the General Data Protection Regulation of the EU (GDPR) serves as the legal basis.
During the processing of personal data, which is necessary for the performance of a contract, the contracting party of which the data subject is, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing procedures needed to carry out pre-contractual measures. To the extent that personal data need to be processed to comply with a legal obligation that is binding on our company, Art. 6 (1) (c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or of another natural person make it necessary to process personal data, Art. 6 (1) (d) GDPR serves as the legal basis.
If the processing is needed to protect a legitimate interest of our company or of a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not override the first-mentioned interests, Art. 6 (1) (f) GDPR shall serve as the legal basis for the processing.
1.5. Deletion of data and duration of storage
The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage ceases. The data may be stored beyond the foregoing if provided for by the European or national legislator in legal Union regulations, laws or other regulations which the controller is subject to. Blocking or deletion of the data shall also take place if a storage period prescribed by the aforementioned standards expires, unless there is a necessity to continue to store the data in order to enter into a contract or perform a contract.
2. Provision of the website and creation of log files
2.1. Description and scope of data processing
Each time our website is viewed, our system automatically collects data and information about the computer system of the accessing computer.
The following data are collected in this process:
1. Information about the type of browser and the version used
2. The user’s operating system
3. The user’s Internet service provider
4. The user’s IP address
5. Date and time of the access
6. Websites from which the user’s system has accessed our website
7. Websites that are accessed from our website by the user’s system
The log files contain IP addresses or other data permitting association with a user. This may be the case, for example, if the link to the website from which the user accesses the website or the link to the website from which the user transfers contains personal data.
The data are also stored in the log files of our system. The user’s IP addresses or other data permitting an association of the data with a user are not affected by the foregoing. Storage of this data together with other personal data of the user does not take place.
2.2. Legal basis for the data processing
Article 6 (1) (f) GDPR serves as the legal basis for the temporary storage of the data and the log files.
2.3. Purpose of the data processing
The temporary storage of the IP address by the system is needed to permit delivery of the website to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
Storage in log files takes place in order to ensure the website’s ability to function. In addition, the data helps us optimize the website and ensure the security of our information technology systems. An analysis of the data for marketing purposes does not take place in this process.
Our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.
2.4. Duration of storage
The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. In the event of collection of the data to provide the website, this is the case when the respective session is ended.
In the event that the data are stored in log files, this will be the case after not later than seven days. Storage extending beyond that limit is possible. In this case, the user’s IP address will be erased or masked, so that it can no longer be associated with the viewing client.
2.5. Option of objection and removal
Collection of the data for provision of the website and storage of the data in log files is essential for the operation of the website. Therefore, the user has no option of objection.
3.1.1. Description and scope of data processing (analysis of surfing behaviour)
1. Search terms entered
2. Frequency of page views
3. Use of website functions
The data collected in this way are pseudonymised by technical precautions. Therefore, it is no longer possible to associate the data with the user viewing the website. The data are not stored together with other personal data of the users.
3.2. Data collection by the use of Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable an analysis of your use of the website. The information collected may include information about the operating system, the browser, your IP address, the website you viewed previously (the referrer URL) and the date and time of your visit to our website. The information on the use of our website created by this text file is transmitted to a Google server in the USA and stored there. Google will use this information to analyse your use of our website, to compile reports on the website activity for the website operator and to provide other services associated with the use of the website and use of the Internet. If required by law or to the extent that third parties process data on Google’s behalf, Google will also pass this information on to such third parties. This use will take place in an anonymized or pseudonymised form. You can obtain more detailed information concerning this directly from Google. Please click here.
3.3. Legal basis for the data processing
3.4. Purpose of the data processing
Analysis cookies are used for the purpose of improving the quality of our website and its content. Through the use of the analysis cookies, we learn about how the website is used, so that we can constantly optimise our products and services.
Our legitimate interest in processing personal data pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.
3.5. Duration of storage, option of objection and removal
The transmission of flash cookies cannot be disallowed in the settings of the browser, but this can be done by changing the settings of the flash player.
4.1. Description and scope of data processing
You can subscribe to a free newsletter on our website. When you register for the newsletter, the data from the input mask are transmitted to us.
In addition, the following data are collected during the registration:
1. The IP address of the accessing computer
2. Date and time of the registration
As part of the registration process, your consent is obtained and reference is made to this data privacy statement for the purpose of processing the data.
The data are exclusively used to deliver the newsletter.
We use the MailChimp mailing list provider to send our newsletter. MailChimp is a service provided by The Rocket Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318, USA (“Rocket”). Rocket is governed by the so-called “Privacy Shield framework”, a data privacy agreement between the European Union and the United States.
The data stored during registration is transmitted to Rocket and stored by Rocket. The data entered during registration is not transmitted to other third parties. After you have registered, MailChimp will send you an email confirming your registration. Furthermore, MailChimp provides diverse analysis options relating to how the delivered newsletter is opened and used, such as the number of users an email was sent to, whether emails were rejected and whether users unsubscribed from the list after receiving an email. However, these analyses are only group related and are not used by us for any individual analysis. MailChimp also uses the Google Analytics analysis tool by Google, Inc. and incorporates it in the newsletter in some circumstances. You can find more details on Google Analytics in this data privacy statement under “Data collection by the use of Google Analytics.”
You can find more information about data privacy at MailChimp under: http://mailchimp.com/legal/privacy/.
4.2. Legal basis for the data processing
If the user has given his or her consent, Art. 6 (1) (a) GDPR forms the legal basis for the data processing after registration for the newsletter by the user.
4.3. Purpose of the data processing
The user’s email address is collected for delivery of the newsletter.
The collection of other personal data as part of the registration process serves to prevent abuse of the services or of the email address used.
4.4. Duration of storage
The data shall be erased without undue delay when they are no longer necessary in relation to the purpose for which they were collected. Accordingly, the user’s email address shall be stored as long as the subscription to the newsletter is active.
4.5. Option of objection and removal
The subscription to the newsletter can be cancelled any time by the user concerned. There is a corresponding button on the website under Newsletter for this purpose.
5. Contact form and email contact
5.1. Description and scope of data processing
There is a contact form on our website that can be used to contact us electronically. If the user makes use of this opportunity, the data entered in the input mask are transmitted to us and stored. These data comprise:
1. Email of the user
2. Phone number
3. First and last names
4. Date of arrival
5. Date of departure
The following data are also stored at the time the message is sent:
1. The user’s IP address
2. Date and time of the registration
For the purpose of processing the data, your consent is obtained and reference is made to this data privacy statement as part of the registration process.
Alternatively, you can contact us by using the email address provided. In this case, the user’s personal data transmitted with the email will be stored.
The data are exclusively used to process the conversation.
6. Social Media
Plugins of the social network, Facebook, operated by Facebook, Inc., 1 Hacker Way, Menlo Park, California 94025, USA, are integrated into our website. The Facebook plugins can be recognised by the Facebook logo or the “Like” button on our page. You can find an overview of the Facebook plugins here: developers.facebook.com/docs/plugins/.
When you visit our website, the plugin establishes a direct link between your browser and the Facebook server. This informs Facebook that you have visited our website with your IP address.
If you click the Facebook “Like” button while you are logged into your Facebook account, you can link the content of our website to your Facebook profile. This allows Facebook to assign your visit to our website to your user account.
Please note that we as the operator of the website do not receive any information about the transmitted data or the use of such data by Facebook. You can find more information about this subject in Facebook’s Data Policy at https://www.facebook.com/privacy/explanation.
If you do not want Facebook to be able to assign the visit to our website to your Facebook user account, please log out of your Facebook user account.
Functions of the Instagram service have been integrated into our website. These functions are offered by Instagram, Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can click the Instagram button to link the content of our website to your Instagram profile. This allows Instagram to assign your visit to our website to your user account. We would like to point out that, as the provider of the website, we have no knowledge of the content of the data transmitted or how it is used by Instagram.
7. Rights of the data subject
The following list comprises all the rights of the data subjects pursuant to GDPR. Rights that are not relevant for one’s own website do not need to be mentioned. In that regard, the list can be shortened.
If your personal data are processed, you are the data subject within the meaning of GDPR and you have the following rights vis-à-vis the controller:
7.1. Right to information
You may request confirmation from the controller about whether personal data concerning you are being processed by us.
If such processing is taking place, you can request information from the controller about the following:
1. The purposes for which the personal data are being processed;
2. The categories of personal data that are being processed;
3. The recipients or the categories of recipients to whom the personal data concerning you were disclosed or are yet to be disclosed;
4. The planned duration of the storage of the personal data concerning you or, if it is not possible to obtain specific information about this, the criteria for determining the duration of storage;
5. The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to objection to this processing;
6. The existence of a right to complain to a supervisory authority;
7. All available information about the origin of the data, if the personal data were not collected from the data subject;
8. The existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
You also have the right to request information about whether the personal data concerning you are being transferred to a third country or an international organization. In this regard, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
8.2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are incorrect or incomplete. The controller shall carry out the rectification without undue delay.
8.3. Right to restriction of processing
You may request restriction of processing of the personal data concerning you under the following conditions:
1. If you dispute the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;
2. The processing is unlawful and you reject erasure of the personal data and instead request restriction of the use of the personal data;
3. The Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
4. If you have objected to the processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing of the personal data concerning you has been restricted, such data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the restriction of the processing was restricted in accordance with the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.
8.4. Right to erasure
8.4.1. Obligation to erase
You may demand that the controller erase the relevant personal data without undue delay, and the controller is obligated to promptly erase the data if one of the following applies:
1. The personal data concerning you are no longer necessary in relation to the purpose for which they were collected or otherwise processed.
2. You withdraw your consent on which the processing is based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal ground for the processing.
3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
4. The personal data concerning you have been unlawfully processed.
5. The personal data concerning you have to be erased to comply with a legal obligation under Union or Member State law to which the controller is subject.
6. The personal data concerning you were collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.
8.4.2. Information to third parties
If the controller has made the personal data concerning you public and is obligated to erase them pursuant to Art. 17 (1) GDPR, the controller, taking account of available technology and the cost of implantation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject request the erasure by such controllers of any links to, or copy or replication of, those personal data.
There is no right to erasure if the processing is necessary
1. To exercise the right of freedom of expression and information;
2. To comply with a legal obligation which requires processing by Union or Bulgaria law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. For reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;
4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, to the extent that the right referred to in subsection (3) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. To establish, exercise or defend legal claims.
8.5. Right to notification
If you have claimed the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you were disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed of these recipients by the controller.
8.6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to have these data transmitted to another controller without hindrance from the controller to which the personal data were provided, if
1. The processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or a contract pursuant to Art. 6 (1) (b) GDPR and
2. The processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another if this is technically feasible. This may not adversely affect the freedoms and rights of others.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
8.7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR; including profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for these purposes.
In the context of the use of information society services, you have the opportunity – notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.
8.8. Right to withdraw the declaration of consent regarding data privacy
You have the right to withdraw your declaration of consent regarding data privacy at any time. A withdrawal of consent does not affect the lawfulness of any processing done up to the time of withdrawal.
8.9. Automated individual decision-making, including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
1. Is necessary to enter into or perform a contract between you and the controller;
2. Is authorised by Union or Member State law to which the controller is subject, and these legal provisions also lay down suitable measures to safeguard your rights and freedoms and legitimate interests, or
3. Is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR unless Art. 9 (2) (a) or (g) GDPR apply and suitable measures have been taken to protect your rights and freedoms and legitimate interests.
In the cases referred to in sections 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
8.10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you are of the opinion that the processing of personal data relating to you violates the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.