Privacy Policy


The Administrator carries out its activities in strict compliance with the applicable legislation in the field of personal data protection. The Administrator is guided by the principle of transparency in the processing of personal data as a key element in building trust with website users. The protection of personal privacy is a top priority in the Administrator's activities. This Privacy Policy provides information on how the Administrator collects, uses, and protects personal data, the rights of data subjects, the conditions under which information is shared with third parties, and the security measures in place. As a personal data controller within the meaning of the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (PDPA), the Administrator processes personal data lawfully, fairly, and transparently, collecting data only for specific, explicitly stated, and legitimate purposes, applying appropriate technical and organizational measures to ensure data security, and guaranteeing the exercise of data subjects' rights. Section I - Information about the Merchant processing and storing your personal data. Art. 1 (1) This online store is managed and administered by: Name: Dental Academy BG EOOD EIK/BULSTAT: 207206236 Registered office and management address: 9 Vasil Aprilov St., floor 1, apt. 3 Correspondence address: 9 Vasil Aprilov St. Email: info@dentalacademy.bg Webs

Section I - Information about the Merchant processing and storing your personal data.

Art. 1 (1) This Website is managed and administered by:

Name: Dental Academy BG EOOD

EIK/BULSTAT: 207206236

Registered office and address of management: 9 Vasil Aprilov St., floor 1, apt. 3

Address: 9 Vasil Aprilov

Email: info@dental-academy.co

Website: https://dentalac-ademy.co

Phone: +35987 9921078

(2) To contact the competent supervisory authority for personal data protection, you can use the following contact details:

Name: Комисия за защита на личните данни

Management Address:: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Mailing address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2

Телефон: 02 915 3 518

Section II - Terms used


Art. 2  For the purposes of these general terms and conditions, the terms listed should be interpreted and understood in accordance with the definition given for each of them:
"Cookies" are small text files that are stored on the user's end device when visiting the online store and serve to recognize the user on subsequent visits.

"Breach of personal data security" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Processing personal data" means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller on the basis of a written agreement pursuant to Article 28 of the GDPR.

"Data processing" includes any automated or non-automated action or set of actions with personal data, including their:

  • deletion or deactivation
  • use and analysis
  • acquisition and documentation
  • systematization and categorization
  • sharing and dissemination
  • storage and updating

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

"Pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to the technical and organizational measures referred to in Article 4(5) of the GDPR.

"Consent of the data subject" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"Data subject" means a natural person who can be directly or indirectly identified by means of information collected about them, including, but not limited to: name, personal identification number (PIN), foreigner's personal number (FPN), location data, online identifiers, or one or more factors specific to their physical, genetic, mental, psychological, economic, cultural, or social identity, in accordance with Article 4(1) of the GDPR.

"Website" is a distinct collection of systematically linked web pages and other digital resources (including, but not limited to: text content, images, multimedia files, scripts, and other software components) accessible via a unified URL address on the Internet and functioning through standardized network protocols (HTTP/HTTPS)

Section III - Legal grounds for processing personal data

Art 3 (1) The administrator collects, processes, and stores personal data of visitors and users of the website in connection with providing information about corporate activities, ensuring the functionality of the website, and communicating.

(2) The administrator collects, processes, and stores personal data of visitors and users of the website in connection with providing information about corporate activities, ensuring the functionality of the website, and communicating.

  1. Explicit and informed consent of the data subject for specific purposes of processing;
  2. Necessity for the performance of contractual obligations to which the data subject is party;
  3. Compliance with legal obligations applicable to the Controller, including reporting obligations to regulatory authorities;
  4. Protection of the legitimate interests of the Controller or of third parties, insofar as they do not conflict with the interests or fundamental rights and freedoms of data subjects;
  5. Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Art.4 Where processing is based on consent, the data subject shall have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Art.5 When processing is based on legitimate interests, the Controller shall carry out an impact assessment to ensure that the interests or fundamental rights and freedoms of the data subject do not take precedence. Legitimate interests include:

  1. Improving the functionality and security of the website;
  2. Preventing fraud and abuse;
  3. Protecting information systems;
  4. Analyzing user behavior in order to optimize the services provided.

Section IV - Principles and objectives in the processing of personal data

Art. 6 When processing personal data, the Administrator complies with the following fundamental principles:

  1. Lawfulness, fairness, and transparency - processing is carried out in accordance with Regulation (EU) 2016/679, the Personal Data Protection Act, and applicable legislation, with full disclosure to data subjects.
  2. Purpose limitation and proportionality - only data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed is processed.
  3. Accuracy and timeliness - all reasonable measures are taken to correct or delete inaccurate personal data in a timely manner.
  4. Storage limitation - data shall be stored for no longer than is necessary for the purposes of the processing, unless there is a legal obligation to store it for a longer period.

Art. 7 (1) The administrator shall implement appropriate technical and organizational measures to protect personal data, including:

  1. Encryption and pseudonymization of personal data when transmitted electronically.
  2. Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems.
  3. Access to personal data is only granted to authorized persons or third parties who maintain high standards in the processing of personal data in accordance with the adopted privacy policy.
  4. Data sharing with third parties is carried out only if there is a legal basis and after concluding an agreement for the processing of personal data.

Art. 8  When introducing new processing technologies or changing existing processes, the Administrator shall carry out an assessment of the impact on data protection.

Section IV - Types of personal data that the Merchant collects, processes, and stores

Art. 9 (1) The merchant processes the following categories of personal data and information in connection with the purposes and grounds specified below:

  1. Requests for training courses collected through the website, which require the sharing of your personal data (first and last name, telephone number, email address)

Purposes for which data is collected:

  1. Fulfillment of the Merchant's obligations to process inquiries

Basis for processing your personal data: By accepting the general terms and conditions, the privacy policy, or making a request, a contractual relationship is established between the Merchant and the Visitor, on the basis of which personal data is processed – Article 6, paragraph 1, item (b) of the GDPR.

  1. Assistance with a problem or answering a question (transaction details, such as the bank account number used for payment, including order information, such as the recipient's details, email address, telephone number, first and last name).

Purpose for which the data is collected:
The merchant makes efforts to fulfill requests and confirmations for concluded training contracts, as well as to ensure the proper functioning of the website. However, in certain cases, the data subject may encounter a problem that requires data sharing to be resolved. This information is shared via the contact form on the website or through official email communication.

Basis for processing your personal data:

Upon acceptance of the Privacy Policy, the data subject is expressly informed of the need to share certain data and gives their express consent for this, which is the basis for processing your personal data – Article 6, paragraph 1, item (a) of the GDPR.

  1. User experience data (IP address, last visit, time spent on the site, pages viewed)

Purpose for which the data is collected:

Optimization of the content and design of individual pages, with the aim of personalizing the terms and conditions for distance contracts, increasing customer satisfaction with the Merchant, and overall improvement of the services and training provided.  The information is anonymized and encrypted, and on this basis, it is not possible to access the specific user and their individual data unless they are a registered user.

Basis for processing your personal data:

The basis for processing your personal data for direct marketing purposes is based on our legitimate interest as a commercial company. This allows us to provide you with information about our training courses that may be of interest to you. In addition, when you accept the Privacy Policy through a specific action or consent to the use of cookies when you enter the website, we process your personal data on this basis – Article 6(1)(a) of the GDPR.

  1. Send newsletter (Email address)

Purpose for which the data is collected:

We collect your personal data in order to send you our newsletter, subject to your explicit consent. The newsletter may contain current news, upcoming training courses, special offers, and promotions. Basis for processing your personal data:

We process your personal data on the basis of your explicit consent. You can withdraw your consent at any time by clicking on the unsubscribe link at the bottom of each newsletter we send you. If you withdraw your consent, we will remove your data from our newsletter distribution list.

  1. Compliance with regulations and requirements of state and regulatory authorities (names and details of customer bank accounts)

Purpose for which the data is collected:

By collecting and processing the relevant categories of personal data, the Merchant demonstrates transparency in its operations and shows readiness for inspections by supervisory authorities. In addition, the data is collected for reporting to the tax authorities and when its storage is required for regulatory compliance.

Basis for processing your personal data:

The basis in the above cases is compliance with the regulatory framework, which is our obligation. This means that we, as a Merchant, are required by law to collect, process, and store certain data for the relevant period specified in the law.

Чл. 10 (1) Търговецът не събира и не обработва лични данни, които се отнасят за следното: 

  1. Racial or ethnic origin;
  2. Political, religious, and philosophical beliefs, or membership in trade unions, political parties, or non-governmental organizations;
  3. Genetic and biometric data, health data, or data concerning sex life or sexual orientation;
  4. Data concerning minors or young persons;

(2) All personal data collected by the Merchant is shared by the subjects to whom it relates.

Section V - Retention period of your personal data

Art. 11 (1) The merchant stores your personal data that it has collected only for the period necessary to achieve the purposes set out in this Policy, as well as when it has the right or obligation under the law to store it for a longer period.

(2) The deadlines we adhere to or are required to adhere to are as follows:

  1. Your personal data - up to 1 year
  2. If you are not a party to a valid training contract, or Data on concluded training contracts - up to 5 years;
  3. Data from user experience - up to 2 years from the last visit to the website;
  4. Sending of newsletters - until unsubscribed by the data subject, but no more than 2 years;

(3) The determining factors for the duration of storage are various circumstances, including but not limited to: the duration of the provision of services, if necessary for the establishment, exercise, or defense of our legal claims, or the existence of a legal obligation to store the relevant data.

Section VI - Rights regarding the processing of personal data

Art. 12 (1) Every natural person has the right to stop the processing of their personal data by submitting a request using the form in Appendix No. 3. This right applies to certain or all processing activities carried out by the Merchant.

(2) After the processing of personal data has been terminated, access to certain functionalities may be restricted, but this does not affect the ability to view publicly available information on the corporate website.

Art. 13 (1) Any person may terminate the receipt of marketing communications by clicking on the unsubscribe button in any email or by expressly notifying the Merchant.

(2) The termination of consent for future marketing activities does not affect the lawfulness of the processing carried out to date.

Art. 14 (1)

Upon request, the Merchant shall provide information about the personal data being processed, including its scope, purposes, and legal grounds.

(2) Upon request, a copy of the processed data shall be provided in an appropriate electronic format. In the case of repetitive or excessive requests, the controller may charge an administrative fee.

Art. 15 (1) Every natural person has the right to request the updating or supplementation of their personal data in the event of an established inaccuracy.

(2) The correction may be made independently through the provided functionalities or by submitting a request to the Merchant.

Art. 16 (1) Upon explicit request, the Merchant shall delete all stored personal data within 5 working days.

(2) The deletion shall be carried out after submitting a request using the approved form or a free-form request and subsequent confirmation of identity; (3) The deletion does not affect data that is subject to a legally established storage period.

Art. 17 (1) Any person may receive their personal data in a structured, commonly used, and machine-readable format.

(2) At the request of the person, the data may be transferred directly to another controller.

Art. 18 (1) Where there is a legal basis, the processing of personal data may be restricted in the following cases:

  1. Contesting the accuracy of the data;
  2. Claiming unlawful processing;
  3. Need for the data for legal claims;
  4. Objection to processing.

(2) During the review, the data is stored without further processing, except with the consent of the person or to protect legal claims.

Section VII - Persons who have access to your personal data

Art. 19 (1) In connection with the performance of the contract by the Administrator and the provision of the full functionality of the website, it is necessary to provide your personal data to the following entities that process and/or store it

  1. Employees responsible for processing and shipping orders from the online store to customers;
  2. Employees in the accounting and legal departments;
  3. Employees in the technical department who perform services related to the maintenance and development of the online store; Hosting service provider;
  4. Third-party employees - freight forwarders who deliver the ordered goods;
  5. State and regulatory authorities, upon explicit request based on an act of a state authority, court decision, or other document issued by a state official.

(2)The aforementioned persons who process personal data ensure full compliance with all legal requirements, as well as the necessary level of security in the storage and processing of data.

(3) All third parties who have access to personal data have a confidentiality agreement with the Administrator to make sure the processed info is protected. In the event that such an agreement is not in force, the Administrator shall be responsible for ensuring that the relevant third parties apply the necessary protective measures and comply with all relevant rules for the security and protection of the personal data to which they have access.

Section VIII - Data Storage and Protection

Art. 20 (1) As a rule, all personal data shall be processed and stored within the territorial scope of the EU/EEA.

(2) If it is necessary to transfer information to countries outside the EU/EEA, the Merchant shall ensure appropriate technical and organizational measures for protection.

(3) Cross-border data transfers shall be based on the following rules:

  1. Cooperation only with partners who demonstrate high standards of information security and personal data protection;
  2. Implementation of standard contractual clauses approved by the European Commission that guarantee an adequate level of protection;
  3. Implementation of modern technological solutions for encryption and protection of information during its transfer.

(4) When identifying potential risks, the Merchant shall promptly implement additional technical and organizational security measures.

Чл. 21 (1) When registering an incident related to personal data security that poses a significant risk to the rights and freedoms of data subjects, the Merchant shall immediately notify the affected persons and the competent supervisory authorities.

(2) The notification shall include the following information:

  1. Detailed description of the incident and its impact;
  2. Approximate number of persons affected and records;
  3. Actions taken to limit the consequences;
  4. Measures to prevent future incidents;
  5. Recommendations to affected persons to minimize potential harm.

Чл. 22 (1) The notification obligation shall not apply in any of the following circumstances:

  1. Effective technical measures have been implemented to eliminate the risk of unauthorized access to the affected data;
  2. Follow-up actions have been taken to eliminate the likelihood of the identified risks materializing;
  3. The notification process would involve disproportionate effort in relation to the potential benefits for the individuals concerned.

(2) If the obligation for individual notification is waived, the Merchant shall publish a notice on the corporate website with general information about the incident.

Section IX - Final Provisions

Art. 23 (1) Upon discovering a violation of their rights, each individual should first contact the Merchant through the specified communication channels in order to voluntarily resolve the dispute.

(2) In the absence of a satisfactory resolution under paragraph 1, the natural person shall have the right to lodge a complaint with the competent supervisory authority - the Personal Data Protection Commission.

(3) In addition to the right under paragraph 2, any person may seek protection of their rights through legal proceedings before the competent court at their place of residence.

Art. 24 (1) If it is necessary to update the rules for the processing and protection of personal data, the Merchant shall promptly inform the interested parties through the official communication channels.

(2) The changes in the document shall take effect upon fulfillment of one of the following conditions:

  1. No objection within 14 days of receiving individual notification;
  2. Expiration of the 14-day period from the publication of the changes on the corporate website, without any objections received;
  3. Performance of conclusive actions that unequivocally confirm acceptance of the new terms and conditions.

(3) If you disagree with the changes, you have the right to discontinue using the services provided.

Art. 25 (1) This document supersedes all previous versions and shall enter into force on 20.02.2025.

(2) The rules shall apply for an indefinite period or until a subsequent update.

(3) In the event of a conflict between the provisions of this document and the applicable legislation, the mandatory legal norms shall prevail.

Section X - Annexes

Чл. 26 You can exercise all your rights regarding the protection of your personal data using the forms attached below or through the features in your profile.

Form for withdrawal of consent for processing purposes – Appendix No. 1
Request to be forgotten - to delete personal data related to me - Appendix No. 2
Request for portability of personal data - Appendix No. 3
Request for data correction - Appendix No. 4