PRIVACY POLICY

1. Introduction

Dreamshot ЕOOD is a company, incorporated under the laws of Republic of Bulgaria, member of the EU, with a company number 206816838, registered in the Commercial Register and Register of Non-Profit Legal Entities, with seat and registered address at 1303 Sofia, 101 Aleksandar Stamboliyski Blvd., 9th floor, hereinafter referred to as “Dreamshot” or “the Company”.

Dreamshot values your privacy. We are committed to safeguarding the privacy of the job applicants.

When processing personal data, Dreamshot complies with all applicable personal data protection regulations including, but not limited to, Regulation (EU) № 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

This Privacy Policy has been prepared in order to explain how we collect, use, protect, and disclose information and data when you use Typeform’s forms (https://www.typeform.com/) to submit a job application to Dreamshot.

2. Information Dreamshot collects, purposes, retaining of data

Under the GDPR (Article 4.1), ‘Personal Data’ is defined as any information relating to an identified or identifiable Individual. It may include obvious identifiers like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

‘Special category data’ includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

Dreamshot does not process any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.

Dreamshot processes the personal data of job candidates or internship candidates as follows:

2.1.

- Type of personal data: Names, date of birth, contact details, educational qualification degree, professional qualification, length of service, other data provided voluntarily by the candidate;

- Purposes of processing: Recruitment;

- Legal ground: To take steps at the request of the data subject prior to entering into a contract – Art. 6, para. 1, „b“ GDPR;

- Retention period: Up to 6 months after completion of the recruitment;

2.2.

- Type of personal data: Names, date of birth, contact details, educational qualification degree, professional qualification, length of service, other data provided voluntarily by the candidate;

- Purposes of processing: Protection on lawsuit;

- Legal ground: For the purposes of the legitimate interests pursued by the controller or by a third party – Art. 6, para. 1, “f” GDPR;

- Retention period: Until the expiration of the limitation period.;

The data are collected from the provided CV, diploma, qualification certificates or other documents, provided by the Candidate at his or her discretion to prove his or her suitability for the relevant position.

3. Sharing your information

We may share your personal data with third parties for Dreamshot’s business purposes or as permitted or required by law, including:

i. if we need to do so to comply with the applicable legislation, legal process or regulations; or

ii. to law enforcement authorities or other government officials, or other third parties pursuant to a subpoena, a court order or other legal process; or

iii. requirement applicable to Dreamshot; or

iv. if we believe, in our sole discretion, that the disclosure of personal data is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity; or

v. to protect the vital interests of a person or our legitimate interests;

vi. to investigate violations of or enforce a user agreement or other legal terms applicable to any service; or

vii. to protect our property, Services and legal rights; or

viii. to help assess and manage risk and prevent fraud against us, our users and fraud involving our website or use of our services, including fraud that occurs at or involves our business partners, strategic ventures, or other individuals, and merchants; or

ix. to support our audit, compliance, and corporate governance functions.

We may disclose some personal data to companies in other countries, members of the European Union for certain of our business purposes.

We will not share your information with any third parties for the purposes of direct marketing.

4. Data transfer frameworks

We do not transfer personal data concerning individuals outside the EU/EEA. However, if we do, we will notify you and transfer your data in accordance with the GDPR transfer provisions.

5. Your rights

In connection with the personal data processing we carry out, you have the following rights under the GDPR and the applicable personal data protection legislation:

i. Right to information

You have the right to obtain information about the processing of your personal data by us, as this information is contained in this Policy.

ii. Right of access

You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data.

iii. Right to rectification

You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.

iv. Right to erasure

In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed.

However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.

v. Right to restriction in relation to the data processing

The GDPR provides for the possibility to restrict the processing of your personal data if the grounds for doing so are in place. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the Personal Data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection.

vi. Right to object to processing - you have the right to object at any time and on grounds relating to your particular situation, to processing of your personal data which is based on public interest, exercise of official authority or Dreamshot or of a third party.

vii. Right to data portability

In that context you have the right to receive the personal data you have provided to Dreamshot in a structured, commonly used and machine-readable format. It also gives you the right to request that we transmit this data directly to another controller. The right to data portability only applies when our lawful basis for processing this information is consent or for the performance of a contract; and if we are carrying out the processing by automated means (excluding paper files).

viii. Right to complain to a supervisory authority

If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

ix. Right to withdraw consent

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

x. Right not to be subject to a decision based solely on automated processing

You have the right not to be the subject of a decision solely based on automated processing, including profiling, which has legal consequences for you or similarly affects you significantly, unless the grounds for this as provided for in the applicable personal data protection legislation exist and appropriate warranties have been provided to protect your rights, freedoms and legitimate interests.

xi. Exercise of rights You may exercise the rights described above at any time by sending a written request by post to the contact address or by e-mail to the e-mail address provided in Sec. 11 below.

6. Keeping your information secure

We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your personal data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centres, and information access authorization controls.

We are not responsible for protecting any personal data that we share with a third-party based on an account connection that you have authorized.

7. What else should you know?

If we decide to change this Privacy Policy, we will inform you by posting the revised Privacy Policy on the website. Those changes will become effective on the revision date, shown in the revised Privacy Policy.

8. Contact Us

You may contact us if you have general questions or concerns about this Privacy Policy and supplemental notices or the way in which we handle your personal data.

If you want to execute any of your rights, as defined above, do not hesitate to contact us.

We can be contacted at [email protected] or at address: 1303 Sofia, 101 Aleksandar Stamboliyski Blvd., 9th floor.

9. Cooperation with regulators

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State at your habitual place of residence, place of work or place of the alleged breach, if you consider that the processing of your personal data infringes the provisions of the Regulation or other applicable personal data protection requirements.

The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection, address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., website: https://www.cpdp.bg/.

10. About this policy

We may update this Policy from time to time in order to reflect any changes in the processing of your personal data or to comply with changes in current legislation.