PRIVACY POLICY of the authentication solution of Telenor Bulgaria EAD

1. INTRODUCTION

The security and proper use of personal data are of the utmost importance to both our users and Telenor. It is therefore important for our users to understand why and how we process their personal information in connection with the use of the Solution.
This Privacy Policy does not regulate rights and obligations, but aims to explain to the users of the Solution what personal data we process, why and how we do it, including when we need to disclose personal data to third parties. It also provides information about the rights that users have in connection with the processing of personal data by Telenor.
This Privacy Policy applies solely to the data we process for and in connection with the use of the Solution. It does not apply to other cases where Telenor processes personal data subject to the relevant policies published on https://www.telenor.bg/en/privacy.
For the sake of clarity and convenience of the users of the Solution, there are examples in some places of this Privacy Policy that illustrate why and/or how Telenor processes personal data. These examples are not exhaustive.

2. DEFINITIONS

2.1 Solution
This means the identification solution of Telenor Bulgaria EAD, available at https://id.telenor.bg allowing easy, secure and hassle-free authentication (login) into Telenor’s digital services or its Partners.

2.2 Telenor
Telenor Bulgaria EAD, Uniform ID Code (UIC) 130460283, having its seat and head office in the city of Sofia, postal code 1766, Mladost 4, Business Park Sofia, Building 6. In this Privacy Policy, the use of the pronouns “We”, “Us” or “Ours” shall also mean Telenor Bulgaria EAD.

2.3 User
A person who has an account created in the Solution.

2.4 Personal data
In practice, this is any information that identifies a specific individual or that relates to an individual who can be identified directly or indirectly. The types of personal data that Telenor processes under this Privacy Policy are listed below.

2.5 Digital service
It means a website, an application or another service of the information society the access and use of which requires creation of an account and, respectively, authentication.

Examples:
Digital services of Telenor are:
Mobile application MyTelenor;
Web portal my.telenor.bg;
Business portal business.telenor.bg.

2.6 Partner
A third party who has agreed to use the Solution as a mechanism for authentication in its digital services.

3. WHAT DATA WE PROCESS

3.1 Account data in the Solution
This is the information needed to create an account in the Solution in order to use it.
See the data:
Mobile number (MSISDN);
(Added on 11.03.2020) Email address;
One time password for access (one-time-pin);
User password (hashed);
User ID in the Solution.

3.2 Data of a user of electronic communication services
In case a user has registered an account with MSISDN for which Telenor provides electronic communications services, Telenor will also process specific information about the user as a user of electronic communications services. The processing of this data is intended to ensure a high level of information security when accessing information and/or the functionalities of Telenor digital services that use the Solution for the purposes of user authentication.
Example:
Personal identification number (ЕГН), if MSISDN belongs to an individual;
Client number;
Status.

3.3 Account settings
These are user account settings that reflect the selection of certain parameters or functionalities, or that are applied by default if the user has not made a choice.
Examples:
Such data are the settings for the “remember me” functionality, password change, etc.

3.4 Data about the use of the Solution
This is automatically generated data that contains information about how users use the Solution.
Examples:
Such data are:
Date and time of failed and successful login attempts for a user;
A digital service where a user has logged in or failed to log in;
A browser through which a user has logged in or failed to log in;

4. HOW COLLECT PERSONAL DATA

When a Solution account is created and used Telenor collects user data in various ways. In most cases we receive information directly from the users. Certain data are automatically generated when users use the Solution (e.g. when they authenticate to a digital service), and sometimes the data is provided to Telenor by third parties.
Read more:
We collect data directly from users:
When an account is created and a user logs in to the Solution;
When the user password is changed;
When communicating with users regarding the Solution.
The following data is automatically generated:
The data of default settings if users have not set/changed them;
Data about the user of electronic communications services;
Data about the use of the Solution.
We receive data from third parties:
When users authenticate through the Solution or when communicate with Partners in connection with the Solution, we receive data from them;
When competent authorities exercise their powers, we receive data from them.

5. HOW AND WHY WE PROCESS PERSONAL DATA

Telenor uses personal data primarily to enable users to access and use the Application. We call this type of data processing “processing for contractual purposes”. In addition, Telenor also processes data for purposes defined as "legitimate interest". Such cases concern mainly data processing that is done to understand how users use the Solution which enables us to troubleshoot or resolve issues of the Solution and to optimize and improve its design and functionality. Of course, there are also cases where we are obliged to process personal data of users in order to fulfill obligations arising from a regulatory act. We may request the explicit consent of Solution users for certain operations to process their personal data. It is important to note that Telenor does not carry out automated decision-making activities based on consumer profiling, which has legal consequences for users or significantly affects them in a similar way.

5.1 Processing for contractual purposes
Most of the data processing operations are intended to give users the opportunity to register with the Solution and to make full use of it, using it for authentication in the digital services of Telenor and its partners. (Supplemented on 11.03.2020) For example, when you have a Solution account and want to take advantage of the Single-Sign-On functionality that allows you to access other digital services securely and easily without having to authenticate each time, you need to provide us with basic information and we need to verify it (e.g. by sending a one-time SMS or email password) and create an identifier to share with the digital service you want to sign in to through the Solution. These steps require us to process data that is relevant to you.

5.2 Legitimate interest
In order to provide and improve the reliability, functionality, design and information security of the Solution, we process personal data of users based on our legitimate interest.
We process data to improve customer service.
It is important for us to provide quick, convenient and effective assistance to users in case they find a problem with the Solution. Ensuring the quality of customer service is critical to improving Telenor processes and meeting customer expectations and needs.
We process data to maintain information and network security.
At Telenor, we are committed to ensuring the confidentiality, integrity and accessibility of our products and services, as well as the information concerning the customers. For this reason, we take measures aimed at preventing or detecting attacks and/or unauthorized access to the Solution and the digital services of Telenor and its partners. We also store entries (logs) with highly restricted access that are used only when we need to investigate potential security incidents.
We process data to improve the Solution and to increase customer satisfaction.
To understand how users access and use the Solution and to identify how we can improve its design and/or functionality, we use and analyze data pertaining to users. This also includes taking preventive measures to ensure the reliability of the Solution. In these cases, the data is processed in aggregated form, which does not allow the identification of a user.
We process personal data when that is necessary in order to settle legal disputes.
Sometimes, in order to exercise its rights or legitimate interests, Telenor may need to process personal data of certain users of the Solution in order to make an out-of-court claim or bring an action against:
third parties from whom Telenor received personal data about the respective users in accordance with this Privacy Policy; or
third parties to whom Telenor has disclosed personal data about the respective users in accordance with this Privacy Policy.
Accordingly, it is possible for the above persons, as well as the users themselves, to make an out-of-court claim or to bring an action against Telenor. In such cases, it may be necessary for Telenor to process the personal data of certain users in order to be able to organize and enforce the defense under the respective claim or case (thus Telenor strives to defend itself against unlawful encroachment on its property and/or reputation).
The type and volume of the processed personal data depend on the nature of the out-of-court claims or the legal actions.
Examples:
A user claims that they did not enter a digital service through the Solution. This requires Telenor to conduct an internal investigation of the case in order to establish the validity of the user’s claim and to provide the necessary evidence;
A competent authority to which Telenor has refused to provide consumer information imposes a penalty on Telenor and Telenor challenges the imposed penalty, which requires the processing of personal data for the relevant consumer and the submission of evidence to the relevant court.

5.3 Fulfilment of obligations arising from a regulatory act
In certain cases, the applicable national and European legislation requires Telenor to process personal data about consumers for certain purposes, in a specific way and / or for a specified period. The main cases where Telenor is required to personal data in order to fulfill its regulatory obligations are described below. We process personal data when, under applicable law, we are required to provide information to competent authorities.
The personal data processed by Telenor are to be made available to the competent authorities subject to the conditions stipulated by law and in accordance with the envisaged procedure.
For example, according to the Criminal Procedure Code of (CPC), Telenor is required, upon request from a court, a prosecutor or an investigative body, to provide documents or data that Telenor holds and that are relevant to the case in question. The requested papers or data may contain personal data of users of the Solution. We process personal data of users when, under applicable law, we are required to assist competent state and/or municipal authorities when they perform checks. The commercial activity carried out by Telenor is subject to control by various state and municipal authorities – e.g. Communications Regulation Commission (CRC), Consumer Protection Commission (CPC), Commission for Personal Data Protection (CPDP) and others. In the course of exercising this control these authorities have the power to make inspections and to request from Telenor the documents and information that it holds. The requested papers and data may contain personal data of users of the Solution.
For example, when a user has submitted an alert or complaint the CRC, CPC and CPDP have the power to request from Telenor documents and information relating to the case that may include data of a user of the Solution.
We process personal data to fulfill obligations arising from the accounting and the tax legislation.
The tax and accounting legislation in the Republic of Bulgaria requires Telenor to compile certain accounting and business information, including to keep such information for a specific period, as well as any other data and documents relevant for taxation. In fulfillment of this obligation, the relevant information and documents containing personal data of the users are kept by Telenor for the terms stipulated by the respective laws. These terms are very long (for example, the documents for tax and social security control are to be kept for eleven years).

6. CATEGORIES OF PERSONS TO WHOM WE DISCLOSE PERSONAL DATA

6.1 Personal data processors
Personal data processors are persons who process personal data on behalf of and as ordered by Telenor on the basis of a written agreement. They may not process the provided personal data for purposes other than the performance of the tasks assigned to them by Telenor. The processors are obliged to follow all Telenor instructions.
Read more:
Telenor takes the required steps to ensure that the processors involved comply strictly with the personal data protection laws and with the instructions of Telenor and that they have undertaken appropriate technical and organizational measures to protect personal data. An example of personal data processors is the providers of deployment and/or maintenance of information systems who sometimes need to access the personal data processed in the relevant systems for the purposes of accessing and operating the Solution.

6.2 Partners
To enable the users to use the Solution for authentication in third party digital services, Telenor concludes contracts with them (partners). The respective Partners need therefore to receive personal data of the users for the authentication process to take place.

6.3 Competent authorities
The provision of data to competent authorities is described above.

6.4 Third parties in connection with the transformation (e.g. merger or takeover) or transfer of an enterprise
In the case of transformation of Telenor, as well as in case of transfer of assets in accordance with the applicable legislation, it is possible that the personal data of the users will be provided to a third party – successor.

7. HOW LONG WE KEEP PERSONAL DATA

Telenor keeps the personal data of users for as long as necessary to achieve the goals set out in this Privacy Policy or to comply with the legal requirements. Users may request at any time to delete their accounts in the Solution in which case all personal data for which Telenor has no other reason to further keep them will be deleted.

Read more:
After the time limits for personal data processing have expired, the data are anonymized or deleted/destroyed, unless: br> they are needed for pending court, arbitration, administrative or enforcement proceedings, or in case of a complaint submitted by the respective user, which is to be considered by Telenor; or
the respective user has exercised their right to request restriction of the processing of the personal data concerning them.
Telenor endeavors to ensure that the processed personal data of users are updated (and corrected if necessary) and that data which is unnecessary to achieve the goals described above are not stored.

8. HOW WE PROTECT PERSONAL DATA

Building and maintaining the trust between us and users is a key strategic priority for Telenor. Therefore, protecting our systems and personal data is paramount for both our users and Telenor. Our main goal is to make users feel safe when using Telenor products and services. Telenor takes the necessary technical and organizational measures to keep the personal data of users safe in accordance with the requirements of the current legislation and good practices.
Read more:
After the time limits for personal data processing have expired, the data are anonymized or deleted/destroyed, unless:
they are needed for pending court, arbitration, administrative or enforcement proceedings, or in case of a complaint submitted by the respective user, which is to be considered by Telenor; or
the respective user has exercised their right to request restriction of the processing of the personal data concerning them.
Telenor endeavors to ensure that the processed personal data of users are updated (and corrected if necessary) and that data which is unnecessary to achieve the goals described above are not stored.
In order to protect the personal data of users, Telenor utilizes state-of-the-art technologies combined with uncompromising management of security controls. Our framework is based on some of the most popular security standards (ISO27001:2013 and others).
To ensure maximum data protection, Telenor has adopted a number of policies that regulate data processing. A variety of mechanisms (encryption, anonymization, pseudonymisation, etc.) are applied to both data in transit and data at rest.
Telenor has a designated data protection officer and specialized departments responsible for information security and fraud protection. They support the processes of protecting and securing personal data, and monitor their compliance.

9. RIGHTS OF DATA SUBJECTS

9.1. General information on the rights of individuals

Telenor takes action at the request of an individual to exercise a right under this section only if Telenor is able to identify the person concerned.

Read more: Only individuals who can be identified by Telenor may exercise their rights under this section. If the purposes for which Telenor processes personal data do not require or no longer require the identification of an individual, Telenor has no obligation to keep, obtain or process additional information in order to identify the person for the sole purpose of acting upon a request of that person. Telenor notifies individuals of the actions taken within one month of receiving a request under this section and in specific cases this period may be extended by another two months. Read more: Telenor provides information to individuals on the actions taken in relation to their requests for the exercise of rights under this section without undue delay and in any event within one month of receipt of the request. If necessary, this period may be extended by another two months, taking into account the complexity and number of requests. Telenor informs the person concerned of any such extension within one month of receipt of the request, indicating also the reasons for any delay. In case a request is refused, Telenor will notify the individuals concerned of their rights. Read more: If Telenor does not take action on the request of an individual, Telenor will notify the individual without delay and within one month at the latest of receipt of the request regarding the reasons for not taking action, as well as regarding the possibility of filing a complaint to the Commission for Personal Data Protection. In specific cases, Telenor may request additional information to verify the identity of individuals. Read more: In case Telenor has reasonable concerns about the identity of the individual that has filed a request under this section, Telenor may request the provision of additional information necessary to confirm the identity of the individual. The actions taken by Telenor in connection with and due to requests for exercising rights will be completely free of charge to the individuals unless their claims are clearly ungrounded or excessive. Read more: The actions that Telenor takes for and in the exercise of user rights are completely free of charge. Where a person’s request is clearly unfounded or excessive (e.g. because of its repetitive nature), Telenor may, at its sole discretion: (a) refuse to comply with the request; or (b) request payment of a reasonable fee, determined on the basis of the administrative costs necessary to provide the requested information or to take the requested action.

9.2 Users have the right to access the personal data concerning them.
Users have the right to receive information from Telenor whether personal data relating to them are processed. If so, users have the right to access the relevant data.

9.3 Users have the right to request correction of the personal data relating to them when such data are inaccurate or out of date.

9.4 In certain cases, users have the right to request deletion of the personal data relating to them.
Read more:
Users have the right to request Telenor to delete personal data relating to them in the following cases:
the personal data are no longer needed for the purposes for which they were collected or processed;
the user has withdrawn their consent on the basis of which the processing of personal data takes place and there is no other legal basis for the processing of the personal data;
the user has objected to the processing of personal data which is based on Telenor’s legitimate interest unless there are other legitimate grounds for processing which take precedence over the interests, rights and freedoms of the user, or the processing of data is necessary for the establishment, exercise or the defense of legal claims;
the user has objected to the processing of personal data for the purposes of direct marketing and there are no other legitimate grounds for the processing of the data;
the personal data relating to the respective user were processed unlawfully;
the personal data must be deleted by Telenor in order to comply with a legal obligation arising from the law of the Republic of Bulgaria or the law of the European Union.

9.5 In certain cases users have the right to request a restriction on the processing of personal data relating to them.
Read more:
Users may request Telenor to restrict the processing of personal data relating to them in the following cases:
the accuracy of personal data is challenged by the user for a period allowing Telenor to verify the accuracy of the personal data;
the processing is unlawful, but the user does not want the personal data to be deleted, but instead requires restriction on their use;
Telenor does not need the personal data for processing purposes any longer but the user requires them in order to establish, exercise or defend legal claims;
the user has objected to the processing of personal data based on Telenor’s legitimate interest pending verification whether Telenor’s legitimate grounds have priority over Telenor’s interests.

9.6 In certain cases, users are entitled to portability of personal data relating to them.
Read more:
Users have the right to receive from Telenor the personal data they provided in a structured, widely used and machine-readable format and to transfer those data to another administrator without hindrance by Telenor, insofar as:
Telenor processes those data for the purpose of entering into or executing a contract with the user or on the basis of the user’s consent; and
the processing of the relevant data is carried out by automated means.
Users have the right to ask Telenor to transfer their personal data directly to another administrator when technically feasible.

9.7 In certain cases, users have the right to object to the processing of personal data relating to them.
Read more:
Users have the right, at any time and on grounds relating to their particular situation, to object to the processing of personal data relating to them when Telenor processes their data in order to protect their legitimate interests.

9.8 Users have the right to file a complaint to a data protection supervising authority.
Read more:
Users have the right to file complaints or alerts to the Commission for Personal Data Protection (CPDP) in case they believe that Telenor violates personal data protection legislation. Instructions for filing complaints are published on the CPDP website: https://www.cpdp.bg
Users may also file complaints with other supervisory authorities on the territory of the European Union as provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

10. INFORMATION FOR CONTACT WITH TELENOR

Telenor Bulgaria EAD, Uniform ID Code (UIC) 130460283, having its seat and head office in the city of Sofia, postal code 1766, Mladost 4, Business Park Sofia, Building 6, is the administrator of personal data that are processed in this Privacy Policy.
For questions and inquiries regarding the processing of personal data, please contact our Customer Service Center. Contact information for the Customer Service Center is published on the following address: https://www.telenor.bg/bg/private/online-request
Telenor Customer Service Center can help you get in contact with our data protection officer

11. UPDATING THE PRIVACY POLICY

This Privacy Policy was updated on 11.03.2020.
This Privacy Policy may be amended or supplemented due to amendments to the applicable law, at the initiative of Telenor, consumers or a competent authority (e.g. Personal Data Protection Commission).
Telenor strives to inform the users of the Solution about the amendment or supplementation of this Privacy Policy within 7 (seven) days before its entry into force by sending a message to the number used for registration in the Solution.
It is recommended that users periodically check the most recent version of this Privacy Policy published on www.telenor.bg/privacy.

What do I need a Telenor profile for?

To get access to our digital channels – the mobile application MyTelenor and the web portal MyTelenor, the online shop BUY ONLINE, the Business portal and some partner digital services such as Nickelodeon. With just one profile you get access to all of them.

How do I create my Telenor profile?

Find the login button in any of our digital channels and follow the steps. Have your mobile device close by because we will text you a one-time 4-digit PIN code with which we will confirm your mobile number. All you have to do next is to create a strong enough password and you are in!

How do I log in my Telenor profile?

Just fill in your mobile number and password at the login page and press the “Log in” button.

How do I change the password of my Telenor profile?

At the login page fill in your number and press FORWARD. After that click on Forgotten password and follow the steps. We will text you a one-time 4-digit PIN code with which we will confirm your mobile number. If all is good, you can set your new password and save the changes by logging in your Telenor profile.

Keep in mind that every time you change your password for your Telenor profile, we will prompt you to log in your profile with your new password on all other devices and browsers you use.

I have changed my mobile number. What happens with my Telenor profile?

No worries, if you have changed your mobile number but you use the same SIM card, you will keep your Telenor profile as set by you. You just have to use your new mobile number in combination with your current password. The rest is the same.

I have changed my mobile services provider. Can I keep my Telenor profile?

No, you cannot. You can use your Telenor profile as long as you are a customer of Telenor and your card is active. If you change your mobile services provider, your Telenor profile will be permanently deleted.

I am terminating my mobile number. Can I still use my Telenor profile?

No, you cannot. You can use your Telenor profile as long as you are a customer of Telenor. If you terminate your mobile number, your Telenor profile will be permanently deleted.

How do I delete my Telenor profile?

We will do that for you. Call 123 for more information.

Important to know: Deleting your Telenor profile will lead to removing all related services as well as files and data stored in all applications running with this profile. After your Telenor profile is deleted permanently, it cannot be retrieved back.

I have doubts that someone else is using my Telenor profile from another computer / mobile device. What do I do?

If you have such doubts, please change your password immediately. At the login page fill in your number and press FORWARD. After that click on Forgotten password and follow the steps. We will text you a one-time 4-digit PIN code with which we will confirm your mobile number. If all is good, you can set your new password and save the changes by logging in your Telenor profile.

Keep in mind that every time you change your password for your Telenor profile, we will prompt you to log in your profile with your new password on all other devices and browsers you use.

I have a few mobile numbers with Telenor. Do I have to create separate Telenor profiles for each one of them?

Yes, you need to create a separate Telenor profile for each of your mobile numbers.

I’ve changed the SIM card for my mobile number. Do I have to create a new Telenor profile for that number, or I can keep using the one I have already created?

You can keep using the Telenor profile you have already created. You don’t have to create a new one all over again – you use the same mobile number in combination with your current password.