Privacy Policy

With this Privacy Policy, Canadian Chamber of Commerce in Bulgaria, a non-profit organisation registered with the Bulgarian Commercial Register and Register of Non-Profit Legal Entities with Unified Identify Code (UIC) 207386784, with its seat and registered address in Republic of Bulgaria, Sofia, 1000, Serdica District, 8-1, Tsar Kaloyan Str., fl. 2, in its capacity of the controller (herein after referred to as “controller”, “we”, “us”, “our”, “CanCham”), would like to inform you about the processing of your personal data.

By virtue of this document, we fulfil our obligations as per the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and according to the local Personal Data Protection Act (“PDPA”) and the relevant Bulgarian legislation and sub legislation. We as well aim to provide clarifications on the topics regarding the processing of your personal data.

Тhis Privacy Policy aims to inform the visitors of our website in their capacity of members and potential members, partners, consultants or just internet surfers for the specifics under which we collect their personal data which we receive through our website and in any other manners of communication.

Detailed information on personal data processed through cookies on the website is contained in the “Cookie Policy”.

Your personal data can be collected mainly by virtue of two different documents, namely: by filling out the Membership application of the Contact Form on our website.

Both of them are available on our website and could be filled online in an interactive form. The forms cannot be downloaded on a local device and for instance, subsequently send by an email.

All information that you have personally provided regarding your identity, contact details and any other information that you may have provided to us through the contact form or when completing the membership application will be processed by the CANADIAN CHAMBER OF COMMERCE IN BULGARIA, in our capacity of personal data controller.

This Privacy Policy will inform you as regards to the following main questions concerning the processing of your personal data:


Why We Process Your Personal Data? (Purposes of Processing Personal Data);


What Personal Data Do We Process About You? Categories of Personal Data Processed;


Transfer of Personal Data;


Legal Grounds for Personal Data Processing;


Data Retention Terms;


Data Protection & Data Privacy Measures;


Your Rights in Connection to the Data Protection;


How to Contact Us.

Why We Process Your Personal Data? (Purposes of Processing Personal Data);

We need to collect your personal data to be able to provide you with the information contained on this website, which generally gives you information about the activities of the CANADIAN CHAMBER OF COMMERCE IN BULGARIA, as well as about the opportunities we provide to our members, partners and sponsors. For example, when you visit the website, we may collect data about your IP address, unique mobile device number, etc.

In order to be able to respond to your inquiries on any matter or in connection with a requested membership, it is also necessary for us to process personal data as follows:

Your personal data obtained within the scope of the Contact Form may be processed for the following purposes:

  • Managing and preparation of responses in relation to messages received by you for the purposes of provision the information or other assistance requested by you.
  • Managing, planning and implementation of all types of communication activities for all members and candidate members.
  • Preparation of responses and providing information, in case of received requests regarding the exercise of rights by a data subject or other specific requests/complaints.

Your personal data obtained from Membership Application can be processed for the following purposes:

    • Examination of Membership applications within CanCahm by the responsible individuals and Committees in compliance with the adopted internal acts and the applicable Bulgarian legislation;
    • Provision of an email to inform the person whether the application has been approved, resp. rejected.
    • Administration of our database with information about members and candidate members with view to ensure compliance with legal rights and obligations.
    • Communicating with you regarding missing information and obtaining additional information essential for the Membership application.

    What Personal Data Do We Process About You? Categories of Personal Data Processed;

    Regardless of the way under which you have send us communications (via the respective Contact Form on our website and/or by virtue of submitted Membership Application), we obtain directly and automatically from you, or we may ask you to provide us with certain information about yourself for the fulfilment of the abovementioned purposes.

    The personal data collected about you can be of the following types:

    1. Personal data related to your identity: full legal names, date of birth;
    2. Contact information: e-mail address, telephone number, city and country of residence;
    3. Personal data about you, which you may have provided us via the Conctact Form or Membership application: Professional experience, position in the organisation/company, nationality;
    4. Other information that may not be personal data on its own but may be personal data in combination with your data – our Membership application comprehensively covers information about the business enterprise, establishment or other legal entity you represent. Data regarding companies and other legal entities do not constitute personal data. However, the company’s experience in exporting goods to Canada could be indirectly linked to you and also constitute personal data. In this regard, we point out that any information you fill out in the Membership application will be used solely for the purposes of providing our services and creating membership relationships.

    All types of personal data we process about you are commonly-used, we do not process any special categories of personal data about you.

    Considering that we are processing your personal data in order to manage and respond to all of the communications which you have sent us, this processing appears necessary to fulfil those purposes. If you do not provide us with the respective information – for example, your full legal name, contact information, etc., as the case might be, we will not be able to exercise our assistance in view of your requests or complaints.

    Transfer of Personal Data;

    Your personal data, depending on the nature of the activity performed, for which processing personal data appears necessary, may be transferred to any of the following categories third parties (i.e. natural persons or individuals outside Canadian Commercial Chamber in Bulgaria):

    1. Companies and organizations, including within our corporate group, from which we receive various information technology services (e.g. Microsoft as a provider of cloud services serving for personal data storage), or cooperate with in compliance with the applicable legislation and for the purposes specified in this Privacy Policy.
    2. Companies and organizations – suppliers of services with which explicit contracts have been concluded (for example, lawyers, accountans, etc);
    3. Public bodies and institutions, courts, prosecution, upon explicit request thereof, and in performance of our legal obligations under the respective applicable legislation;

    Your personal data are not transferred to third parties located outside the European Union, except to our representatives and members of the Managing Board, who live in the USA or at the moment of transfer of the data are in the USA.

    Additionally, the partner organizations which provide us with the respective information technology services (provision and support of IT systems, etc.) utilize secure and certified software products, such as those of Microsoft, as well as in each case take the highest level of organisational and technical measures in order to ensure the protection of your personal data. We shall only transfer to these partner organizations the personal data they need in order to provide us the contracted services to us, without further allowing them to use your personal data for their own purposes.

    Your personal data, received by the Membership application on our website, may be shared with the members of our Managing Board, who live and/or work in Canada, for the purposes of decision making whether your application will be approved or rejected, as well for the purpose of identification how we can assist you in case you become our member personally or through the organisation you represent. In any such case we shall ensure the appropriate and adequate safeguards with respect to the protection of personal data transferred.

    Please note that the said transfer is carried out within our organization and does not take place from our organization to third parties located in country outside the EU.

    Legal Grounds for Personal Data Processing;

    Your personal data are collected and processed automatically when you provide us with the relevant information via the Membership application and the Contact Form, found on our website. The personal data, which you have submitted under any of the two scopes, may be processed on the following legal grounds:

    • For the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract – 6, para. 1, l. “b” of the GDPR (for instance in case of Membership application submission);
    • When the processing is necessary for the legitimate interests of Canadian Chamber of Commerce in Bulgaria, or of a third party, provided that it does not harm the fundamental rights and freedoms of the data subject – 6, para. 1, l. “f” of the GDPR (for instance for carry out additional checks of the identity of the individual, who has filed an application via the Contact Form, with respect to defending against legal claims and others).
    • In case you have provided an explicit consent 6, para. 1, l. “a” of the GDPR (applicable to the processing of personal data for direct marketing purposes, a possibility that is currently not active on our website).

    Data Retention Terms;

    Pursuant to the applicable data protection legislation, we have implemented and follow an internal general data privacy policy, which sets out the retention periods for which we store your personal data. The periods concerned are based on (a) the type of information we collect and (b) the purposes for which we collect it.

    We retain your personal data for as long as is necessary for the processing purposes for which the data is collected, or until the expiration of a statutory period.

    Your personal data are stored, respectively are erased, destructed or anonymised in compliance with the relevant legislative provisions.

    It is our legitimate interest to retain some of your personal data collected in view of contracts executed (or to be entered) for the statute limitation period for making claims – 5 (five) years as of the expiry or termination of the contract concluded with you. Furthermore, we will not delete or anonymize your personal data if it is necessary for any pending judicial or administrative proceedings on complaints you may have against us.

    For all other cases regarding personal data collected on the grounds of explicit consent (for example, personal data obtained via the Contact Form on our website), we shall limit the retention period to 2 (two) years as of the time of obtaining the relevant implicit consent (the moment of receiving the electronic communications in our systems).

    Data Protection & Data Privacy Measures;

    In performance of our legal obligations as per the GDPR and the local applicable data privacy legislation in Republic of Bulgaria, we have implemented appropriate technical and organizational measures to ensure a high level of security to the personal data we process.

    In view of the above, we have adopted all the necessary internal policies and procedures, while defining the respective data protection records to be maintained, including on paper, the persons who are responsible for their protection, as well we have limited the access to the personal data. We have also explicitly stipulated the rules regarding the storage periods of the personal data processed, and the procedures for their destruction.

    Furthermore, we utilize appropriate antivirus and cybersecurity software products, ensuring the necessary level of protection against security breaches and malicious attacks.

    On a physical level, we have ensured a system of measures related to the protection of the buildings, premises and facilities in which personal data processed and stored may be accessed, including through restricted access to the premises, locks, separate cabinets, including fire alarms, equipment on the premises appropriate to the needs, purposes and level of impact of the processing of personal data.

    In order to ensure complete and efficient protection of the information, we do not publicly share the exhaustive list of all the protection measures we have implemented at hardware and software level, but refer to the most popular ones.

    In cases of transfer of personal data, we require our representatives, part of the Management Board, as well as our suppliers and partner organizations which have access to your personal data to use appropriate measures to ensure the protection and confidentiality of your personal data. However, you are also responsible for safeguarding your personal data that you share with us over the Internet. Unfortunately, the transmission of information over the Internet may not be completely secure, despite the measures we have taken, given the passage of the same through the networks, channels and platforms of third party electronic service providers. Therefore, please note that the transmission of your personal information over the Internet is done at your own risk and we recommend that you consider carefully to whom you share your personal data.

    Your Rights in Connection to the Data Protection;

    You have certain rights which are granted to you pursuant to the GDPR and the other applicable local legislation. In certain instances some rights are subject to certain limitations and exceptions under the law. To exercise your rights or ask questions, you should direct your request to the email or contact address below.

    Specifically, you have the following rights under applicable law:

    Right of access to your personal data processed

    You have the right of access and can request more detailed information about whether we process your personal data, what categories, for what purposes, to whom we disclose it, etc. If you have requested, we will provide you with access to your personal data that is being processed in the form of a copy. When you have made the request by electronic means, we will, where possible, provide the information to you in a commonly used electronic form, unless you have requested otherwise from us.

    Right of rectification of the inaccurate personal data related to you

    When you want us to correct your personal data, you may request that we also notify the third parties to whom it has been disclosed, except where this is impossible or involves excessive effort.

    Right to erasure (“right to be forgotten”) of your personal data processed

    You have the right to request the erasure of your personal data when:

    – they are no longer necessary for the purposes for which they were initially collected or otherwise processed;

    – you withdraw your consent to the processing of your personal data and there is no other legal basis for the processing;

    – you object to processing based on a legitimate interest and it does not override your rights, freedoms and interests;

    – processing is without legal basis or the erasure of your personal data is our legal obligation under Bulgarian or European law.

    Pursuant to the latter (see ident number 4), we have the right to continue processing despite your request for erasure in order to comply with our legal obligations under the law of the Republic of Bulgaria or the European Union law that require processing of your personal data or where necessary for the establishment, exercise or defense of legal claims.

    Right to restriction of the processing of your personal data

    Where the processing of your personal data has been restricted, we could still continue processing it in two cases:

    1. with your explicit consent; or
    2. for the establishment, exercise or defense against legal claims or for the protection of the rights of another natural person or for important reasons of public interest for the European Union or a Member State.

    The right to receive the personal data that you have provided to us and that concerns you and to transmit those data to another controller (“right to portability”)

    The right to portability can only be exercised where the following two conditions are met:

    1. it concerns processing carried out by automated means (i.e. this right does not apply to processing of data in the form of paper files), and
    2. the processing of your personal data is based on (i) your consent or (ii) a contract to which you are a party, or to take steps at your request before entering into a contract.

    You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request a direct transfer of your personal data to another controller where this is technically feasible.

    You should be aware that when you exercise the right of portability, this does not result in your data being deleted from our systems. You will be able to continue to benefit from our services even after the data portability operation. Data portability also does not affect the initial retention period that applies to the transmitted data. You may exercise your other rights that are set out in the legislation and we have listed here while we continue to process the data.

    Right to object to processing of your personal data which is based the legitimate interest of the controller, including when profiling is carried out on this legal ground

    You have the right at any time to object to the processing of your personal data by us as a controller through preferred way of communication – using our Contact Form on the website, email or the phone. For these purposes please use the contact details in the end of this document.

    Right to file a complaint before the competent supervisory authority or before a court if your rights have been violated or you have suffered unlawful processing of your personal data

    In the event of a complaint, you also have the right to contact the Commission for the Protection of Personal Data (“CPPA”):

    1. In writing to the following address: Sofia, 1592, Sofia Municipality, 2, blvd. Tsvetan Lazarov;
    2. Telephone numbers: 02/91-53-519; 02/91-53-555;
    3. Fax: 029153525; or
    4. E-mail: [email protected]

    The CPPD website can be found at:

    Where the processing is based on consent given by you, you have the right to withdraw your consent at any time by notifying us at the addresses listed at the end of this document.

    How to Contact Us

    In order to exercise any of your rights listed above or to contact us if you have any questions regarding this document, you may contact us using any of the contact information below:

    Contact person on data protection matters: Mr. Ivaylo Gorgachev
    You can submit your request via e-mail address to the following: [email protected]

    Address for correspondence: Republic of Bulgaria, Sofia 1000, Serdica District, 8-1, Tsar Kaloyan Str., fl. 2

    The controller of personal data is Canadian Chamber of Commerce in Bulgaria (CanCham), a non-profit organisation registered with the Bulgarian Commercial Register and Register of Non-Profit Legal Entities with Unified Identify Code (UIC) 207386784, with its seat and registered address in Republic of Bulgaria, Sofia 1000, Serdica District, 8-1, Tsar Kaloyan Str., fl. 2

    As per requests relating to the exercise of your rights, they should be generally made in person or by a person expressly authorised by you.
    We shall respond to your request in the form in which you made your enquiry to us – in writing on paper or in electronic form. Where you have made a request by electronic means, where possible the information will be provided to you in a commonly used electronic form unless you have requested otherwise.

    Further to the above, we will provide you with information about the action we have taken on your request within one month of receiving it. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. If such an extension is necessary, we will notify you within one month of the submission of your request, explaining the reasons for the extension.

    The most up-to-date Privacy Policy can always be found on our website. In this regard, you will be always able to inform yourselves in regard to any change which have been made to this Policy.

    Changes to this Privacy Policy

    This Privacy Policy has been adopted and is effective as of 26.06.2023. We reserve the right to make changes to this Privacy Policy.