Violation reporting



Date: 18.12.2023


1. Data about the controller and contact details.

We "ANDY BG" Ltd, with UIC: 115820126 and registered office and registered address at. Our registered office and registered address is Trud, Maritsa municipality, Plovdiv region, ul. "Karlovsko shose" 16 B, complex "ANDI", (also referred to in this document as "the Company"), we acknowledge that it is important for you to understand how we collect, store and share personal data created and received in the process of receiving, registering and processing signals of violations.


Contact information for the Company includes: tel: 032/904 000 and fax: 032/904 004. 


2. Who is the Notice intended for?

This Privacy Notice is intended for all individuals whose personal data we process in the operation of the internal whistleblowing channel. Such persons may include whistleblowers, affected persons, witnesses, third parties, including those with a right of defence such as persons assisting the whistleblower, related parties and other individuals.


3. What personal data do we process, for what purposes and on what basis do we carry out the processing?

In order to deal with whistleblowing, we only process the personal data necessary to receive, register, deal with and follow up the whistleblowing.


The categories of personal data we process within the channel depend on the specific alert and may include /but are not limited to/:


- Individually identifiable data;


- Employment relationship data;


- Social and relationship data;


- Economic identity data.


In most cases, the investigation of whistleblowing will not require the processing of sensitive personal data, which is why we ask you to avoid providing sensitive information and/or information of a highly personal nature unless this information is relevant to the breach itself.


 Personal data is processed on the basis of the controller's compliance with a legal obligation, which requires the establishment of an internal whistleblowing channel.


4. Who do we get the data from?

Most often we receive the data directly from the person to whom it relates, e.g. the whistleblower provides us with their identifying data, but it is possible that the data may be received from others, e.g. the whistleblower provides us with details of the person concerned, witnesses and those entitled to protection, such as family members.


5. How long do we keep your data?

As required by legislation, data is retained for 5 years after the conclusion of the consideration of the alert. A longer retention period is possible if there are legal proceedings in relation to the alert.


6. To whom do we provide your personal data?

We process the data mainly within our organisation and only those involved in the handling of the specific alert have access to it. We provide data to the competent state authorities whenever this is provided for by law, e.g. to investigating authorities in the case of evidence of a crime or to the Data Protection Commission in the case of an inspection. We do not transfer personal data to third countries or international organisations.


7. Is your data protected?

"ANDI BG Ltd takes reasonable physical, technical and organisational security measures designed to protect all personal data from loss, misuse, alteration, destruction or damage as required by law.


To protect your identity, we are:


- Provided for a duty of confidentiality applicable to persons who have or may have access to that information.


- Clearly allocated the responsibilities of those responsible for receiving and dealing with alerts, including those in management positions.


- Established specific requirements to protect the identity of individuals, such as: redacting documents used in the investigation to remove the name and/or other identifying information of the whistleblower; replacing references to the whistleblower with a pseudonym, letter, or number; limiting access to relevant documents to employees involved in the investigation AND conducting all meetings involving the whistleblower in a secure location (e.g., off-site or in a location without the ability to observe the meeting


- Consider possible ways to investigate the whistleblowing without revealing the identity of the whistleblower


- Ensure additional measures are in place to physically protect the protected information media.


We determine these measures based on the risks we have identified, periodically review the measures provided and update them as necessary.


You also play an important role in protecting your identity, and you need to keep track of who you disclose personal data to and how you protect your communications and devices. 


8. What are your rights? 


When processing personal data, ANDI BG Ltd applies the statutory rules for the exercise of data subjects' rights in good faith. As a data subject, you have the right to request: 

As a data subject, you have the right to request:

- to grant you access to your personal data, subject to the rights of third parties;

- remove inaccurate personal data (including the right to have incomplete personal data completed);

- erase personal data. Applicable only in the following cases:

o the personal data is no longer necessary for the purposes for which it was processed;

o you withdraw your consent and there is no other basis for the processing;

o you object to processing based on our legitimate interests and we cannot demonstrate that our interests outweigh your rights;

o the personal data has been unlawfully processed;

o erasure is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.

- restrict the processing of personal data to storage only where:

o the accuracy of the personal data is contested;

o the processing is unlawful but you object to the erasure of the personal data;

o we no longer require the personal data but it is still necessary for you to establish, exercise or defend a legal claim.

If you have any questions or concerns about the processing of your personal data or wish to exercise any of your rights, please contact us at the following email address: : 

In your request to exercise your rights, you should state your names. Indicate what your request is. Provide the address for correspondence with you (physical address, e-mail address) according to your preferred form of communication and sign your request.

In order for us to consider your request, we must identify you. Therefore, you need to send us your request via the e-mail address through which we have already communicated (e.g. when you submitted the alert). If necessary, at our discretion, we may request additional identification data as well as proof of identity. We will inform you of the reasons that necessitate the provision of additional information.


If you believe that the processing of personal data is unlawful or violates your rights, you may lodge a complaint with the Commission for Personal Data Protection, whose address is. 1592 Sofia Blvd. "1595 Prof.  or to the competent court.