1. Identification of AFA OOD

AFA OOD (hereinafter referred to as AFA or the Controller), acting as ASSIGNEE under contracts for audit and/or consulting services, concluded with its clients -  acting as ASSIGNORS under the contracts, shall process certain categories of personal data in its capacity as a personal data controller.

AFA OOD is a limited liability company, registered in the Bulgarian Commercial Register with the Registry Agency under UIC 030278596, with registered seat and address of management: 38 Oborishte Str, Oborishte Region, 1504 Sofia.


  1. Contact with the Controller

You can contact the Controller directly in one of the following ways:

  • In writing at the address specified hereinabove;
  • By phone: (+359 2) 943 37 00 or (+359 2) 425 02 00;
  • By e-mail address: office@afa.bg;
  • Via website: afa.bg.


  1. Personal data subjects

In the course of the performed independent financial audit and the provision of other consulting services under the contracts concluded with its clients, AFA in its capacity as personal data controller shall collect and process the personal data of the following categories of data subjects:

a) legal representatives and/or proxies of the clients – assignors under the contracts concluded by the Controller;

b) stockholders, shareholders and members of the management bodies of the clients or of companies affiliated thereto and persons, related to the ones indicated herein, including beneficial owners pursuant to the Measures Against Money Laundering Act;

c) contact persons of the clients, other employees and persons, providing services to the clients under civil contracts;

d) natural persons – contractors of the clients;

e) natural persons, legal representatives, proxies, members of the management bodies of legal entities – contractors of the Controller’s clients.


  1. 4. Processed personal data

The personal data, that the Controller collects and processes, may be (without the list being exhaustive):

  • Three names;
  • Personal identification number (PIN)/, personal number of a foreigner (PNF)/, date of birth;
  • Address, e-mail address, IP address;
  • Passport/ ID card data;
  • Job position, place of work, telephone number;
  • Origin;
  • Education;
  • Labour activity;
  • Kinship;
  • Marital status;
  • Property/ Financial status;
  • Participation in and/or ownership of shares or securities in companies, etc.


  1. Legal grounds for the personal data processing by the Controller

The Controller processes your personal data on the basis of:

a) Art. 6, paragraph 1, letter b) of the General Data Protection Regulation (the Regulation), namely – for the performance of the respective audit and/or consulting engagement, assigned in accordance with the concluded contract;

b) Art. 6, paragraph 1, letter c) of the Regulation, namely – in order to comply with the legal obligations of the Controller under the Independent Financial Audit Act, the Measures Against Money Laundering Act (MAMLA), the Accountancy Act and other applicable normative acts;

c) Art. 6, paragraph 1, letter f) of the Regulation, namely – for the protection of the Controller’s legitimate interests in demonstrating the proper performance of the assigned engagements within the established term of limitation, as well as to promote the services, provided by it.


  1. Purposes of the personal data processing by the Controller

The specified personal data are processed by the Controller for the following purposes:

  • Performance of the concluded contract;
  • Fulfillment of the legal obligations pursuant to the applicable legislation;
  • Administration of the concluded contract and carrying out communications with the Controller’s clients;
  • Protection of the Controller’s legitimate interests in demonstrating the proper performance of the assigned engagements;
  • In view of promotion of the services, provided by the Controller – sending newsletters, informational materials, invitations for participation in trainings and the like.


  1. The specified personal data of yours may be provided to the following categories of recipients:

a) Competent state bodies – in fulfillment of the obligations of the Controller in accordance with the Bulgarian legislation;

b) Various service providers of the Controller – legal, tax and other consultants, IT service providers;

c) Subcontractors of the Controller.


  1. Terms of storage of the provided personal data

a) with respect to the personal data, included in accounting documents and documents subject to tax control – according to the statutory terms set forth in the Accountancy Act, the Tax and Social Security Procedural Code and the other relevant normative acts;

b) with respect to the personal data, collected in connection with the Controller’s obligations pursuant to the MAMLA – according to the terms set forth in the MAMLA;

c) with respect to the other personal data, collected in the course of performance of the independent financial audit or the provision of consulting services – for a term of 5 years after the date of the audit report, or within the 5-year limitation period after the termination of the concluded contract;

d) For a longer term, if provided for by another normative act.


  1. Providing personal data outside of the territory of Bulgaria

The Controller shall not provide the collected personal data to recipients in countries outside of the European Union and/or the European Economic Area.


  1. Rights of the data subjects

The data subjects have the right at any time to request from the Controller:

10.1. Rectification of the personal data in case the personal data processed is inaccurate. The subjects also have the right to have any incomplete personal data completed, including by adding a declaration thereto.


10.2. Erasure of the personal data in case:

a) The personal data is no longer necessary for the purposes, for which it has been collected and processed;

b) The personal data is being processed unlawfully;

c) The personal data must be deleted in order to comply with a legal obligation of the Controller in accordance with the Bulgarian legislation and/or the legislation of the European Union.


10.3. Restriction of the processing of the personal data in case:

a) The subject disputes the accuracy of the personal data – for a period that allows the Controller to verify the accuracy of the data;

b) The processing of personal data is illegal, yet the data subject does not wish to have them erased, but instead to limit their use;

c) The Controller no longer needs the personal data for the specified purposes, but the data subject requests their retention in order to establish, exercise or protect legal claims.


10.4. The data subject objects to the processing of their personal data in case:

a) The processing of the personal data is necessary for the legitimate interests of the Controller or a third party;

b) The personal data is processed for direct marketing purposes;

c) The personal data is being processed for scientific and/or historical research purposes or for statistical purposes.


All rights under this item 10 can be exercised by the data subjects by sending of a written request to the Controller’s address or by sending of an electronic request to the Controller’s e-mail address, specified hereinabove, in item 2 of the present document.


  1. Right of appeal to a supervisory authority

The data subjects have the right to lodge a complaint with the Bulgarian Personal Data Protection Commission (CPDP) if they believe that their personal data is being processed unlawfully or their rights in relation to their personal data are being violated.


Contacts of the CPDP:

2 Prof. Tsvetan Lazarov Blvd., Sofia 1592,

E-mail: kzld@cpdp.bg,

Website: www.cpdp.bg.


  1. Source of the personal data

The personal data are provided to the Controller by its clients, for the purposes specified hereinabove.


  1. Usage of a system for automated decision-making

The Controller does not use an automated decision making system that includes profiling upon the processing of the personal data.