• Privacy Policy



    This Privacy Policy governs how Mercatus Ltd. collects, processes and stores personal data in accordance with the requirements of the General Data Protection Regulation – Regulation (EC) 2016/679, the Personal Data Protection Act of the Republic Bulgaria and other normative Bulgarian or international acts. The confidentiality of information for our users is a top priority for us. Mercatus Ltd. in its capacity of data controller and in compliance with the legislation and good practices, apply the required technical and organizational measures to protect the personal data of the individuals. This policy provides information on how and what kind of personal data we collect from and for you, why we need it, whom we can provide or disclose, and how they are protected. Please read them carefully. By providing your personal data to Mercatus Ltd., whether electronically or on paper, you accept and agree to the practices described in this Privacy Policy and Privacy Policy. If you have any questions about this policy, please contact the Personal Data Administrator, and if you do not agree with any of the terms contained in our Privacy Policy, we do not recommend using products and services provided by Mercatus Ltd. for which you are required to provide your personal information.


    2.1. In connection with the processing of your personal data, you may contact us at the following contact points:



    Mercatus Ltd




    Lozenec, Plachkovica 2 street







    Post code:




    If you believe that we are violating your rights to process your personal data and complying with the requirements of the General Data Protection Regulation – Regulation (EU) 2016/679, you have the right to submit a complaint to the Personal Data Administrator “, file a complaint with a supervisor and seek legal protection as follows:

    • Right to appeal to a supervisor, Pursuant to Article 14 (2) (e)

    Competent supervisory authority -the competent supervisory body is the Commission for Personal Data Protection, Sofia 1592, “Prof. 2 Tzvetan Lazarov Blvd., Internet address www.cpdp.bg, tel. 02 915 3 518


    This Privacy Policy (“Policy”) is issued on the basis of the Personal Data Protection Act (Bulgarian Legislation) and the General Data Protection Regulation – Regulation (EC) 2016 / 679 (“GDPR”). Bulgarian law and the GDPR provide rules on how Mercatus Ltd. must collect, process and store personal data.

    In order to process personal data in accordance with legal requirements, personal data is collected and used lawfully, the necessary security of the processing operations is ensured and Mercatus Ltd has taken the necessary measures to ensure that the personal data being processed are not subject to unlawful disclosure. According to the basic principles observed by Mercatus Ltd., your personal data is:

    3.3.1. processed in a lawful, conscientious and transparent way with regard to the data subject (“legality, good faith and transparency”);

    3.3.2. collected for specific, explicit, and legitimate purposes and not further processed in a way inconsistent with those objectives (“limitation of objectives”);

    3.3.3. appropriate, relevant and limited to what is necessary in relation to the purposes for which they are being processed (“minimize data”);

    3.3.4. accurate and up-to-date; Mercatus Ltd has taken all reasonable steps to ensure the timely erasure or correction of inaccurate personal data, taking into account the purposes for which they are processed (“accuracy”);

    3.3.5. stored in a form that allows the data subject to be identified for a period no longer than is necessary for the purposes for which the personal data are processed; (“Storage limitation”);

    3.3.6. processed in such a way as to ensure an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or deterioration, by applying appropriate technical or organizational measures (“integrity and confidentiality”);

    3.3.7. Mercatus Ltd. is responsible and able to prove that it adheres to the basic principles related to the processing of personal data (“accountability”).


    With the adoption and implementation of the current policy of Mercatus Ltd. in accordance with the Bulgarian legislation and Regulation (EC) 2016/679, the rules on the protection of individuals with regard to the processing of personal data and the rules on the free movement of personal data data. The adoption and implementation of Mercatus Ltd’s policy under the Personal Data Protection Act and Regulation (EC) 2016/679 protects the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.

    With this policy, Mercatus Ltd. aims to ensure:

    • Legality of the processing of personal data by Mercatus OOD;

    • Rights of individuals, data subjects under Regulation (EC) 2016/679;

    • Compliance with the requirements of the Regulation to Mercatus Ltd in its capacity of Administrator and / or Processor, including:

    • Data protection at design stage and by default

    • Records of processing activities

    • Appropriate technical and organizational measures shall be reviewed and, if necessary, updated

    • Measures for risk assessment related to the processing of personal data

    • Compliance with the Requirements for Assigning the Processing of Your Personal Data to Third Parties (Processors)

    • Obligations of civil servants handling personal data and / or persons having access to personal data and working under the direction of personal data processors, their liability for non-performance of these obligations;

    • Taking into account the achievements of the technical progress, the implementation costs and the nature, scope, context and purpose of the processing, as well as the risks with various probabilities and burdens on the rights and freedoms of natural persons, Mercatus OOD in its capacity of Administrator and / or The personal data processor shall apply appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

    • Ensure compliance with the basic principles of the transfer of personal data to third countries or international organizations outside the EU.

    5. Scope


    5.1.1. “Personal data” means any information relating to an identifiable natural or legal person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more signs specific to the physical, physiological, genetic, mental, mental, economic, cultural or social identity of that individual;

    5.1.2. “Processing” means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data become available, arranged or combined, restricted, deleted or destroyed;

    5.2. The data protection policy applies to the processing of personal data of users, employees where they have become known to partners and suppliers as described in the records of the processing activities established in accordance with Article 30 of the General Regulation on data protection – Regulation (EC) 2016/679 (“Registry of processing activities”).

    6. Purposes of the processing of personal data

    6.1. According to the requirements of Section I – Transparency and Conditions of the General Data Protection Regulation – Regulation (EC) 2016/679 Mercatus Ltd provides transparent information, communication and conditions for the exercise of data subjects’ rights under Article 12 of the Regulation.

    6.2. The purposes and information regarding the processing of personal data by Mercatus Ltd. are provided in accordance with the “Transparent Communication Procedure” (P_A2_BG), the “Procedure for the Collection of Personal Data” (P_A13_BG) and the “Procedure for Receiving Personal data “(P_A14_BG).

    6.3. The purposes and information regarding the processing of personal data are set out in the data provided to the data subjects “DATA PROCESSING INFORMATION” (D_A13_BG) and “Information provided when receiving personal data” (D_A14_BG).

    7. Transparency. Rights of individuals whose data is processed by Mercatus OOD

    Information about your rights relating to the processing of personal data – Pursuant to Article 14 (2) (c)

    Right Reason Description of the law

    Right of access – Article 15 Right to confirm processing and access to your personal data.

    Right of rectification – Article 16 Correct inaccurate or incomplete personal data.

    Right of deletion – Article 17 Requesting deletions of your personal data.

    Right to Limitation of Processing – Article 18 Require a restriction on the processing of your personal data.

    Notification Obligation – Article 19 Obligate to be notified in any action related to correction, erasure, or limitation of processing.

    Right of objection – Article 21 Objection at any time against the processing of your personal data:

     for the performance of a task of public interest or on the basis of official authority or for the purposes of legitimate interests, including profiling.

    Processing for direct marketing purposes

    Processing for scientific or historical research purposes or for statistical purposes

    Right of Withdrawal of Automated Processing Article – 22 you may refuse to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for you or concerns you considerably.

    Right of portability – Article 20 You have the right to receive your personal data.

    Right of appeal and effective legal protection Articles- 77, 78 and 79 You have the right to complain to the Commission for the protection of personal data for breaches of Regulation (EC) No 2016/679 of 27 April 2016 and the right to effective protection against CPDP, administrator or processor of your personal data.

    Right to Compensation- Article 82 You are entitled to compensation for material or immaterial damages suffered as a result of a breach of Regulation (EC) No 2016/679.

    7.1. All data subjects (users, customers, or employees where you have become aware of such data by partners or suppliers as described in the processing activities registers) are entitled to exercise their rights as follows:



    Via Telephone

    In the internet


    Nikolay Haitov 12

    TELEPHONE 359895616-301







    e-mail :


    8. Transmission of personal data to third States or international organizations

    8.1. Transmission of personal data processed or intended to be processed after the transfer to a third country or to an international organization outside the EU is carried out by Mercatus OOD only under the terms of the General Data Protection Regulation (EC) 2016/679, subject to the conditions set out in Chapter V of the Regulation.

    8.2. Mercatus OOD applies all the provisions of the Regulation so as not to jeopardize the required level of protection of individuals provided by the Regulation.

    8.3. In the event that Mercatus Ltd. will transfer personal data to a third country or to an international organization outside the EU, this transfer shall be in accordance with the “Non-EU Transit Procedure” (P_A44_BG) and the data subjects shall be notified in advance “Data Collected Personal Data Processing” (D_A13_BG) and “Information Provided in Receiving Personal Data” (D_A14_BG), requiring their “Agreements for the Transmission of Personal Data” (D_A49_BG).

    9. Violations and Notification of Violations

    9.1. “Personal data breach” means a security breach that causes accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed by Mercatus Ltd.

    9.2. In the event of a personal data breach, the following should be immediately notified:

    • Contact details with a Data Protection Officer

    Pursuant to Article 14 (1) (b)

    Name: Genoveva Georgieva, Country: Bulgaria, Address: Nikolay Haitov 12, Phone: 359895616301, City / Village: Sofia, e-mail: privacy@mercatus.bg, Website: https://mercatus.bg

    9.3. In the event of a personal data breach that risks creating a risk to the rights and freedoms of individuals without undue delay, and where feasible – not later than 72 hours after he / she has become aware of it, Mercatus Ltd informs the Commission for the Protection of Personal Data about the violation.

    9.4. In the event that a specific violation poses a risk to the rights and freedoms of individuals, Mercatus Ltd. takes steps to inform the persons concerned in order to minimize the possible adverse consequences.

    9.5. Mercatus Ltd takes action according to “Privacy Statement Procedure” (P_A33_BG).

    10. Destruction

    10.1. Mercatus Ltd follows the “Personal Data Destruction Procedure” (P_A17_EN_01).

    11. Changes to privacy policy

    11.1. Mercatus Ltd has the right to update it by amending and supplementing the privacy policy at any time in the future, when circumstances warrant.

    12. Document owner and approval

    12.1. The manager is the owner of this document and is responsible for reviewing this procedure in accordance with the requirements for review and update of Regulation (EC) 2016/679.

    12.2. The current version of this document is available to all / company_file_server / Personal_Data_Management staff members.

    12.3. This procedure was approved by the Personal Data Administrator on 05/31/2018. and is issued under the control of the version under his signature.

    This site uses cookies to optimize performance for you. Accept if you agree with our cookie policy. Check them here .

    DevScale - Software development and design