Privacy Policy and Protection of Personal Data on the Site www.bya.bg

This document discloses the Privacy Policy and Protection of Personal Data collected from users of the Site with the address (URL) www.bya.bg. This Privacy Policy aims to inform you about how the owner of the website treats your personal data as the Data Controller, and also about how you could control your preferences and settings in relation to this treatment.

This Privacy Policy is an integral part of the General Terms and Conditions for using the Site www.bya.bg. All definitions given in the General Terms and Conditions are also applicable in this Privacy Policy.

This policy applies to all individuals who access the site, as well as its subdomains, pages and functionalities. It regulates the way in which the company collects, uses, stores and protects personal data in relation to the services provided through the site.

This Policy is effective as of 1 November 2025.

Data controller of personal data

Bulgarian Yachting Association is a Personal Data Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”) and the Personal Data Protection Act of the Republic of Bulgaria (hereinafter referred to as the “PDPA”).

In order to comply with the requirements of the applicable personal data protection legislation, the company responsible for the protection of your personal data in its capacity as Data Controller is:

  1. Name: Bulgarian Yachting Association, UIC: 208075882;
  2. Headquarters and management address: Varna, Odesos district, 109 Knyaz Boris I Blvd., ent. 1, fl. 1;
  3. Communication email: office@bya.bg;
  4. Contact phone: +359 877 00 99 94;
  5. Supervisory authorities:

    Personal Data Protection Commission

    Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.,
    tel.: (02) 940 20 46
    fax: (02) 940 36 40
    Email: kzld@government.bg, kzld@cpdp.bg
    Website: www.cpdp.bg

The Data Controller collects and processes all personal data in accordance with the laws on personal data protection applicable in Bulgaria and the European Union.

Principles of processing personal data

When processing personal data, the Data Controller complies with the following principles:

  1. collects personal data only where there is a legal basis, processes them fairly and in a transparent manner in relation to the data subject – principle of lawfulness, fairness and transparency;
  2. collects personal data for specific, explicit and legitimate purposes and does not process such personal data in a manner that is incompatible with the original purposes – principle of purpose limitation;
  3. processes only such volume and type of personal data as are related to and limited to what is necessary in relation to the purposes for which they are processed – principle of data minimization;
  4. keeps personal data accurate and up-to-date – principle of accuracy;
  5. stores personal data in a form that permits identification of the data subject for a period no longer than is necessary for the purposes for which the personal data are processed – principle of storage limitation;
  6. complies with the principles of data protection by design and data protection by default, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons presented by the processing, and implements appropriate measures to protect personal data and to comply with Regulation (EU) 2016/679;
  7. ensures an appropriate level of security for personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures – the principle of integrity and confidentiality.

Legal grounds for processing personal data

The Data Controller collects and processes your personal data on the following grounds:

  • Explicit consent obtained from you as a client/user. The consent obtained for the processing of personal data is voluntary and is provided for each specific case. The consent provided by you for the processing of personal data can be withdrawn at any time by submitting a free text request for the withdrawal of consent by email to the Data Controller. The withdrawn consent is effective for the future, and it does not affect the lawfulness of the processing of the personal data provided by you before submitting the request for the withdrawal of consent;
  • The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
  • The processing is necessary for compliance with a legal obligation of the Company;
  • Processing is necessary for the purposes of the legitimate interests of the Data Controller or a third party.

What data do we collect from our users

Before accessing the services of the Site, you must express your explicit consent to process your personal data in accordance with this Policy. We collect personal information that you voluntarily provide to us when you visit the site, express interest in receiving information about us or our services, when you participate in activities on the site or otherwise.

  1. The Data Controller does not collect and does not store “sensitive” categories of personal data such as political beliefs, ethnic origin, sexual orientation, data about the health of the subject, religious or philosophical beliefs, etc.
  2. Personal data collected from the data subject when individuals contact the Data Controller via a contact form on the site.
    When the person sends a message to the Data Controller using the contact form, the Data Controller collects and stores the name and email address of the person, as well as the information provided in the message.
    Purpose for which the data is collected: The Data Controller collects and stores the specified information for the purposes of communicating with the individual.
  3. Personal data collected automatically.
    On our website, we collect data about all visitors, namely:
    • Browser identifier;
    • History of pages visited, in order to establish your preferences for certain types of content;
    • History of searches you have made on our pages;
    • Device data. We collect device data, such as information about your computer, phone, tablet or other device that you use to access the website. Depending on the device used, this data may include information such as your IP address or proxy server, device and application identification numbers, location, browser type, hardware model, internet service provider and/or mobile operator, operating system and system configuration information.
    Purpose for which the data is collected: Improving the security of the services provided by the Provider and preventing misuse of the user account by third parties.
  4. Personal data collected from users when registering a profile on the website and submitting an application for membership in the association:
    • name;
    • email;
    • address/postal code;
    • phone number;
    • Company they represent;
    • Position;
    • Date of birth;
    • Option to upload a CV and photo.
    Purpose for which the data is collected: to maintain information about the members of the association, to fulfill membership obligations, as well as for tax and accounting purposes.
  5. Personal data collected from users when registering for a newsletter:
    • name;
    • email;

Cookies

The website uses cookies to ensure the normal functioning of the site, to analyze traffic and to personalize content. Users can control the use of cookies through their browser settings. Detailed information is available in our Cookie Policy.

Purpose of data collection

The Data Controller collects and processes the personal data of individuals that are provided directly by them or collected automatically and for the following purposes:

  • For the normal functioning of all services on the Site;
  • To establish contact with the person;
  • To provide services offered on the Site;
  • To fulfill the rights and obligations of the parties under the concluded agreement;
  • To improve the effectiveness and functionality of the Site;
  • For statistical purposes and analyses to improve our services;
  • To protect information security;
  • To ensure that our users are real and to prevent fraud.

How long do we keep information

We will not store your data for longer than is necessary to achieve the purposes for which we process it. If the basis on which we store your personal data ceases to exist (for example, if we no longer have a legitimate interest in storing your personal data, if the statutory period for storing your personal data has expired, or if you have withdrawn your consent to store your personal data), we will delete or destroy it in a secure manner. The Data Controller stores your personal data collected through the Site for a period no longer than is necessary and/or required by applicable law.

We apply the following periods for storing the different types of personal data according to their purpose, namely:

  1. Regarding personal data of persons who have made an inquiry through the contact form on the Site:
    – up to 12 months from sending the inquiry, if the user has not become a client of the Data Controller.
  2. Regarding personal data collected when registering to receive a newsletter:
    – Until you wish your registration to be deleted or while the site is operating.
  3. Regarding data in connection with the contractual relations that have arisen between the Data Controller and the User of the Site, they are stored for a period of five years from the moment the contractual relations arise, unless mandatory provisions of the law require the Provider to keep data about its partners for a longer period (e.g. for the categories of documents that we are obliged to keep according to the Accounting Act and/or the Tax and Social Security Procedure Code).

Where we store your personal data

Your personal data that we collect is stored on servers within the European Economic Area.

We store your personal data for no longer than is necessary to achieve the above-described purposes, or until the services and/or the Site are discontinued. Your personal data collected through the Site will be collected, processed, stored, disclosed and destroyed in accordance with applicable Bulgarian and European legislation.

Security measures

The Data Controller has taken a wide range of technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. All our employees are familiar with our security policy, as provided for in the Personal Data Protection Act. The personal information of our Users is accessible only to a limited number of qualified employees. We regularly check our security systems and processes. Although we take reasonable steps to maintain a secure site, electronic communications and databases are subject to errors, tampering and breaches and we cannot guarantee that such events will not occur and we will not be liable to visitors for any such events.

Access to personal data is limited to individually authorized and instructed personnel. We will inform you at any time about changes to our privacy and data security processes, including practices and policies, by always keeping this section up-to-date. You can request information at any time about where and how your data is stored, protected and used.

In the event of a personal data breach, we will notify you and the competent supervisory authority within 72 hours by email with information about the extent of the breach, the data affected, any impact on the service and the action plan for measures to limit any possible harmful effects on data subjects.
In case you would like to receive detailed information about the technical and organizational measures, please do not hesitate to contact us.

Who we share your personal data with

Sometimes we record some of the information on our servers or send it to third parties. This is necessary in order to provide you with the best experience when using our services and, in some cases, simply to ensure the availability and accessibility of the service you use.
Your personal data will not be transferred to third parties unless:

  • you provide us with your explicit, informed and freely given consent; 
  • the third parties in question provide us with support under a contract for the purpose of providing our products or services;
  • this is required by law or by virtue of an official act of a public authority;
  • this is necessary in connection with the sale of a business, our company or its assets, which are subject to confidentiality.

Our employees and partners are duly informed about the importance of their obligation to maintain confidentiality and are responsible for fulfilling this obligation.

For any other purposes not expressly mentioned in this Policy, we will request your explicit consent, identifying our partners as well as the purposes of the data transfer and sharing.

Rights of data subjects under GDPR

Right of access to your personal data. You have the right to request and obtain from the Data Controller confirmation as to whether personal data relating to you are being processed by sending a request in free text by email.

Right to rectification of personal data: if you find that the personal data we process about you are inaccurate, you have the right to have us correct these personal data. You may at any time correct or complete inaccurate or incomplete personal data relating to you by sending a request to the Data Controller by email in free text.

Right to erasure of personal data (right to be forgotten)

You have the right to request from the Data Controller the erasure of some or all personal data relating to you, and the Data Controller has the obligation to erase them without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you withdraw your consent on which the processing of the data is based and there is no other legal basis for the processing;
  • you object to the processing of personal data relating to you and there are no overriding legal grounds for the processing;
  • the personal data have been processed unlawfully;
  • the personal data must be erased for compliance with a legal obligation under EU law or the law of a Member State to which the Data Controller is subject.

The Data Controller is not obliged to erase personal data if it stores and processes them:

  • for exercising the right to freedom of expression and the right to information;
  • for compliance with a legal obligation which requires processing provided for in EU or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in it;
  • for reasons of public interest in the field of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • for the establishment, exercise or defence of legal claims.

To exercise your right to be forgotten, you must send a free text request by email for the erasure of your personal data that the Data Controller processes.

Right to restriction of processing: in certain circumstances, such as if you doubt the accuracy of your personal data or you have objected to our legitimate purpose for processing your personal data, you have the right to request that we restrict the processing of your personal data until a solution is found. You have the right to request that the Data Controller restrict the processing of data relating to you by sending us a free text request by email where:

  • you contest the accuracy of the personal data, for a period that allows the Data Controller to verify the accuracy of the personal data;
  • the processing is unlawful, but you do not want the personal data to be deleted and instead want only their use to be restricted;
  • the Data Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
  • you have objected to the processing pending verification of whether the legitimate grounds of the Data Controller override your interests.

Right to data portability. If you have consented to the processing of your personal data or the processing is necessary for the performance of a contract with the Data Controller, or if your data is processed by automated means, you may:

  • request the Data Controller to provide you with your personal data in a machine-readable format and transfer them to another Data Controller;
  • request the Data Controller to directly transfer your personal data to a controller designated by you, where technically feasible.

Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with a supervisory authority regarding our processing of your personal data.

The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.

Right to judicial or administrative redress in the event that the data subject’s rights have been violated.

You can exercise all your rights by contacting us via email: office@bya.bg. We will contact you and provide you with detailed information on the procedure for exercising your rights.

For questions related to the processing of personal data or the exercise of your rights, you can contact our Data Protection Officer at office@bya.bg.

Updating the policy

This policy may be updated periodically to reflect changes in our processes or legislation. All changes will be published on this page and will enter into force on the date of their publication. In the event of significant changes, we will notify users in an appropriate manner (for example, by email or a notice on the site).