Privacy Policy
Section I
GENERAL
Art. 1. (1) This Policy establishes the organization and rules that ENDUROSAT EAD, as a personal data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), applies when collecting and processing personal data.
(2) ENDUROSAT EAD is a company registered in accordance with the requirements of the Commercial Law and entered in the Commercial Register and the Register of Non-Profit Entities at the Registry Agency with UIC 203367904, with its registered office at 1A Flora Str., Sofia 1404, Bulgaria (hereinafter referred to as “ENDUROSAT” or “Administrator”). Contact details:
- address for correspondence: 1A Flora Str., Sofia 1404, Bulgaria
- Phone: +35929065001
- E-mail: legal@endurosat.com
Art. 2. (1) ENDUROSAT is committed to ensuring the confidentiality and security of personal data, as well as respecting the rights of data subjects. This policy outlines how ENDUROSAT processes, stores, and protects personal data in compliance with:
- Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
- Bulgarian Personal Data Protection Act (PDPA)
- Guidelines of the Bulgarian Commission for Personal Data Protection (CPDP).
(2) This Policy has been drawn up in accordance with the provisions of the General Data Protection Regulation and the Personal Data Protection Act (“PDPA”) and aims to protect the interests of customers, contractors and suppliers – natural persons, and natural persons representing legal entities, including natural persons – employees/representatives of end-users – legal entities (parties to transactions concluded with an intermediary of ENDUROSAT), of employees of ENDUROSAT and, where applicable, of their relatives, of applicants for employment at ENDUROSAT, of visitors on the territory of the administrative building in the city of Sofia (in cases where they do not fall into any of the other listed categories, whose personal data is processed in connection with the implementation of video surveillance within the building in the city of Sofia), of the persons who have used the contact form available on the website of ENDUROSAT (where they do not fall within the scope of any of the previous categories of subjects) and of all other natural persons whose personal data ENDUROSAT has accessed, with their consent or on other legal grounds, in connection with its business activities, as well as to protect them from unlawful and fraudulent processing of their personal data.
(3) In the event that other specific rules are applicable to the activities of ENDUROSAT within the framework of which personal data are processed, the same shall be complied with and observed when carrying out information processing activities (including but not limited to the handling of classified information within the meaning of the Classified Information Protection Act).
Art. 3. For the purposes of this Policy, the following terms shall have the following meanings:
- “Personal data” means any information relating to an identified natural person or an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
- “Processing of personal data” means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Controller” means ENDUROSAT, a legal entity which alone or jointly with others determines the purposes and means of processing personal data. ENDUROSAT, a company incorporated and existing under Bulgarian law, is the Controller responsible for the collection, use and storage (collectively “processing”) of your data. Our contact details are as follows:
ENDUROSAT EAD
1A Flora Str.
1404 Sofia, BULGARIA
E-mail: info@endurosat.com
Phone: +35929065001
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “Personal Data Register” means a structured set of personal data, access to which is carried out according to certain criteria in accordance with the internal rules and documents of ENDUROSAT, which may be centralized and decentralized and is distributed according to a functional or geographical principle.
- “Consent of a natural person” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, which signifies his or her agreement to personal data relating to him or her being processed;
- “Recipient” means the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not a third party.
- “Personal data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.
- “Health data” means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which provides information about his or her state of health.
- “Supervisory Authority” means the Commission for Personal Data Protection (CPDP) and/or an independent public authority established by a Member State pursuant to Article 51 of the GDPR.
Section II
BASIC PRINCIPLES OF PERSONAL DATA PROCESSING
Art. 4. (1) ENDUROSAT processes personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy and timeliness
- Storage limitation
- Integrity and confidentiality
- Accountability
When processing personal data, ENDUROSAT is guided by the basic principles ensuring the lawfulness of this process within the meaning of the GDPR, namely:
(2) ENDUROSAT shall process in a fair and lawful manner personal data collected for specific, lawful and legitimate purposes. ENDUROSAT shall not further process personal data for purposes incompatible with the purposes for which the personal data were originally collected. Further processing of personal data for archiving purposes in the public interest, scientific, historical research or statistical purposes shall not be considered incompatible with the original purposes.
(3) The personal data processed by ENDUROSAT shall be accurate and updated as necessary. Personal data shall be deleted or rectified without delay if it is found to be inaccurate or not relevant to the purposes for which it is processed.
(4) ENDUROSAT shall store the personal data in the form and in the manner which permits identification of the natural persons for a period no longer than is necessary for the purposes for which the personal data are processed. In the case of processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, personal data may be kept for a longer period, but only after the implementation of technical and organizational data protection measures appropriate to the purpose of the processing.
(5) ENDUROSAT shall process special categories of data only in the cases provided for in the GDPR, where the processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject has provided his or her explicit consent, and where the processing is necessary for the purposes of performing obligations and/or exercising the rights of ENDUROSAT under employment and/or social security law, for the purposes of preventive and/or occupational medicine.
(6) ENDUROSAT shall provide information on the rights of data subjects under Chapter III of the GDPR and shall ensure compliance with these rights as provided for in this Policy and subject to the requirements of the GDPR and other applicable national legislation.
(7) ENDUROSAT shall implement all appropriate technical and organizational measures to ensure the security of personal data and will update these measures periodically.
Section III
THE PURPOSES OF THE PROCESSING OF PERSONAL DATA. LEGAL BASIS FOR PROCESSING
Art. 5. ENDUROSAT processes personal data of natural persons for one or more of the following purposes:
1. To perform or comply with its legal obligations;
2. For the purposes of the legitimate interests of ENDUROSAT or a third party;
3. For the conclusion and/or performance of a contract;
4. To conduct the selection procedure;
5. Where the data subject has provided his or her explicit consent (e.g. for processing for marketing purposes);
6. For the purpose of controlling access to the territory of the administrative building in the city of Sofia, as well as to provide security, safety and protection of the property and information of ENDUROSAT.
Art. 6. ENDUROSAT shall process personal data in the presence of at least one ground for this provided for in the applicable legislation, namely:
- The data subject has given his or her explicit, free and informed consent to the processing of his or her personal data for one or more specific purposes;
1.1. In the event that the processing of personal data is based on consent, the data subject shall have the right to withdraw the same at any time by making an unequivocal statement to this effect to ENDUROSAT. The withdrawal of consent shall not affect the lawfulness of processing based on consent given prior to its withdrawal.
- The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract;
- The processing is necessary for compliance with or the performance of a legal obligation to which ENDUROSAT is subject;
- The processing is necessary to protect the vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ENDUROSAT or a third party to whom the data is disclosed;
- The processing is necessary for the purposes of the legitimate interests of ENDUROSAT or of a third party to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, in particular where the data subject is a child.
Section IV
RECORDS OF PROCESSING ACTIVITIES
Art. 7. (1) In the course of its activities, ENDUROSAT shall maintain a register of processing activities containing the following information:
a) the name and contact details of ENDUROSAT and of the ENDUROSAT representative;
b) the purposes of the processing;
c) a description of the categories of data subjects and categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations (where applicable);
e) where applicable, the transfer of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of a transfer referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of the appropriate safeguards;
f) where possible, the time limits provided for erasure of different categories of data;
g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR and provided for by this Policy.
(2) The register referred to in par. (1) shall be maintained in written electronic form.
(3) The person responsible for maintaining the register referred to in par. (1) shall be the legal representative, and the actual acts of maintaining and updating the register may be entrusted to employees expressly entrusted and authorised to perform them with managerial functions.
Art. 8. The register of processing activities referred to in Article 7 shall apply to the following categories of natural persons – data subjects:
(1) Employees (current and former);
(2) Job applicants;
(3) Clients, counterparties and suppliers – natural persons and/or natural persons – employees and representatives of legal entities, as well as natural persons – employees/representatives of end-users – legal entities (parties to transactions concluded with an intermediary of ENDUROSAT);
(4) Visitors to the administrative building of ENDUROSAT, located in Sofia, on the territory of which video surveillance is carried out (hereinafter also referred to as “Visitors”);
(5) Persons who have used the contact form available on the ENDUROSAT website.
EMPLOYEES
Art. 9. (1) ENDUROSAT shall process the personal data of its Employees (current and former) as an employer for the performance of the employment contract with the employee and in compliance with its legal obligations and as provided for in this Policy.
(2) The categories of personal data of Employees that ENDUROSAT processes are:
- physical identity – three names, SSN/date of birth/other identification number, address, passport details, place of birth (if applicable), gender and age;
- details of interests and hobbies, if voluntarily provided by the employee;
- social identity – education, professional and other qualifications, work activity;
- family identity – marital status, family ties;
- personal data revealing racial or ethnic origin, necessary for performance of ENDUROSAT’s obligations as employer;
- personal data relating to health, such as information relating to prior medical examinations where required by law, sick leave certificates, etc., necessary for performance of ENDUROSAT’s obligations as employer or to provide additional health benefits to the employee;
- other – contact details (telephone), photographs, bank account details, nationality (if applicable), contact details in the event of an emergency (names and telephone number) of a relative. Other personal data strictly necessary for compliance with a legal obligation of ENDUROSAT EAD or its affiliates.
In exceptional cases, ENDUROSAT may process employee data on the basis of its legitimate interests, for instance IP address, access logs and device information, to ensure the security of devices, data, client information, etc. In exceptional circumstances we may rely on your consent for scenarios that are clearly beneficial for the employee, such as providing the employee with additional benefits.
The purposes for the processing of personal data of employees are the conclusion, amendment and termination of the employment relationship, payment of salaries, additional remuneration and bonuses, provision of additional benefits to employees when applicable, ensuring safe and healthy working conditions, human resource management and development, improving work conditions, continuing education and certification of employees, administering leave, occupational accidents, provision of special working conditions for people with disabilities, etc. in accordance with the current labour and social security legislation, enforcement of wage garnishments, and compliance with other legislative requirements.
JOB CANDIDATES
Art. 10. (1) ENDUROSAT shall process personal data of Job Candidates for the purpose of conducting recruitment procedures and in order to enter into an employment agreement with an approved candidate in compliance with applicable law and as provided for in this Policy. The legal basis for such processing is the legitimate interest of ENDUROSAT in carrying out the recruitment process in order to fill particular job vacancies, the consent expressed by the job candidate by sending their application for a particular position, and the need to perform a contract or to take steps at the request of the job candidates before entering into a contract for the approved job applicants. We may also process job candidates’ data on the basis of the explicit consent of the job candidate to store their application for longer than the legally established period as described below.
(2) The categories of personal data of Job Applicants that ENDUROSAT processes are:
- physical identity – three names, date of birth, gender, address;
- social identity – education, professional and other qualifications, work activity;
- other – contact details (telephone number, email address), photograph, content of an enquiry made using the contact form available on the ENDUROSAT website and other details provided on the applicant’s initiative or data strictly necessary for compliance with a legal obligation of ENDUROSAT EAD or its affiliates.
CLIENTS, CONTRACTORS AND SUPPLIERS
Art. 11. (1) ENDUROSAT shall process personal data of Clients, contractors and suppliers – natural persons and/or natural persons – employees and representatives of legal entities as well as natural persons – employees/representatives of end-users – legal entities (parties to transactions concluded with an intermediary of ENDUROSAT), in the performance of its contractual relations with them and for the same purpose, in compliance with its legal obligations and as provided for in this Policy.
(2) The categories of personal data of Customers, contractors and suppliers that ENDUROSAT processes are:
- physical identity – two/three names, ID number/date of birth or other identification number (if applicable), address, passport details (if applicable), place of birth (if applicable);
- social identity – education (if necessary), professional qualifications (if necessary), work activity (if necessary), position held;
- other – contact details (telephone, e-mail address, fax), content of the request made via the contact form available on the ENDUROSAT website, bank account, nationality (if applicable), details published in profiles in instant messaging applications (chat systems).
VIDEO SURVEILLANCE
Art. 12. (1) ENDUROSAT processes personal data of employees, candidates, clients, contractors, suppliers and other visitors in the administrative building located in Sofia, in order to ensure the security, safety and protection of the property and information of ENDUROSAT, its employees and others – in compliance with and as provided for in this Policy.
(2) The categories of personal data of visitors that ENDUROSAT processes are the data contained in video and photo surveillance records.
Art. 13. No sensitive categories of data are collected on purpose by ENDUROSAT for video surveillance purposes. Such data may however be captured in the event that the subjects fall within the scope of the cameras used on the territory of the administrative building in Sofia, the purpose of which is to implement security, safety and protection of the property and information of ENDUROSAT. When using video surveillance, ENDUROSAT has given careful consideration to the data minimization principle in order to avoid the risk of capturing sensitive data.
PERSONS USING THE CONTACT FORM OF THE WEBSITE
Art. 14. (1) ENDUROSAT shall process personal data of individuals who have used the contact form available on the ENDUROSAT website, when providing information on enquiries made by them and as provided for in this Policy. It is not necessary to provide any personal information in the public areas of this website. However, individuals may choose to do so by completing the application forms in various sections of the website, in particular for the purposes of requests for quotations, product information, orders, etc. Depending on the request, we will process the information from the contact form either where the processing is necessary in order to take steps at the data subject’s request prior to entering into a contract or to comply with ENDUROSAT’s contractual obligations, or on the basis of ENDUROSAT’s legitimate interest in communicating with the requestor and providing them with the requested information. In specific cases personal data may also be processed on the basis of the explicit consent of the data subject.
(2) The categories of personal data of the Persons who have used the contact form on the website that ENDUROSAT processes are:
- physical identity – names, address;
- other – contact details (telephone, email address), company name, job title, country, content of enquiry, IP address, operating system and web browser.
Section V
DATA COLLECTION AND PROCESSING METHODS
Art. 15. ENDUROSAT collects and processes personal data by electronic and non-electronic means.
EMPLOYEES
Art. 16. (1) The data of individuals in the category of “Employees” shall be collected, processed and stored on paper and electronic media by the Human Resources Department and/or by another specifically assigned employee of ENDUROSAT.
(2) The personal data of natural persons in the category of “Employees” shall be obtained from the natural persons to whom they relate when entering employment under an employment relationship (including a management contract), as well as when taking leave under the Labour Code, exercising the right to compensation for incapacity for work, when receiving social and/or family benefits, and in connection with and in relation to other rights and obligations related to the employment relationship.
(3) Access to the data of natural persons of the category “Employees”, except for the persons referred to in par. (1), may also be granted to the legal representatives of ENDUROSAT, HSE Specialist, other employees of the Finance and Accounting Department, Information Security Officers and other employees of ENDUROSAT whose official functions require it – subject to the principle of providing the minimum necessary data and processing them only for the assigned purposes.
(4) ENDUROSAT shall disclose the data of individuals in the category “Employees” only to the specified categories of third parties, namely:
a) public authorities in the performance of their legal duties or for the protection of legitimate interests;
b) occupational health services, companies offering internal audit services, companies providing supplementary social benefits, service providers organizing training with a specific focus, providers of legal, IT, transport and other services in compliance with the applicable law.
(5) The retention periods for the personal data of individuals in the category “Employees”, which shall be applied by ENDUROSAT, shall be as follows:
a) Personal data contained in the employment records of ENDUROSAT Employees shall be retained for the duration of the employment relationship and 5 years after termination, starting in the year following the year of termination;
b) an exception to the storage period under item “a” is allowed only with respect to personal data proving employment and social security records (such as payroll records), which are kept for the statutory period (50 years);
c) personal data relating to the health of natural persons shall be kept for the statutory period.
(6) After the expiry of the periods referred to in paragraph 5, in the event of the data subject exercising the right to erasure or in the event of withdrawal of consent to processing (in the applicable cases), ENDUROSAT shall erase and destroy the personal data in a manner consistent with the technical and organizational measures provided for in ENDUROSAT.
JOB CANDIDATES
Art. 17. (1) The data of individuals in the category of “Candidate Employees” shall be collected, processed and stored on paper and electronic media by the Human Resources Department, the Heads of Departments (according to the functional affiliation of the respective position to a specific department) or by another employee of ENDUROSAT specifically assigned.
(2) The personal data of individuals in the category “Employee Candidate” shall be obtained from the individuals to whom they relate when applying for employment with ENDUROSAT.
(3) In addition to the persons referred to in par. (1) access to the data of individuals in the category “Candidate Employees” may be granted to the managers, the Procurator, the Deputy Manager (Controller), information security officers or other employees of ENDUROSAT whose official functions require it – subject to the principle of providing the minimum necessary data and processing them only for the assigned purposes.
(4) ENDUROSAT shall have the right to disclose the data of individuals in the category “Employee Candidate” only to the specified categories of third parties, namely:
a) public authorities in the performance of their legal duties or the protection of legitimate interests;
b) to companies offering internal audit services, to companies operating websites providing the opportunity to post job advertisements, to providers of IT and other services to fulfil contractual or legal obligations, and to protect their legitimate interests.
(5) The retention periods for the personal data of individuals in the category of “Candidate Employees” applied by ENDUROSAT shall be as follows:
- up to 6 months from the time of the final conclusion of the procedure for which the person has applied for all primary documents like CVs, motivational letter, documents which prove qualification or experience, and other documents provided or collected in the course and for the purpose of the recruitment procedure.
- 3 years for all personal data, contained in internal documents about the recruitment procedures, created by the Company provided these are stored solely for the purpose of compliance with the legal obligations of the Company stated in the Protection against Discrimination Act.
(6) The time limit referred to in paragraph 5.1 of this Article shall not apply where the natural person applying for employment has given his/her explicit consent to his/her data being processed by ENDUROSAT in connection with selection procedures other than the one for which he/she has applied. In this case, the data retention period is up to 1 year from the time of the final conclusion of the procedure for which the person has applied.
(7) After the expiry of the periods referred to in paragraphs (5) and (6), where the data subject has exercised the right to erasure, or where consent to processing has been withdrawn (where applicable), ENDUROSAT shall erase and destroy the personal data in a manner consistent with the technical and organizational measures provided for in ENDUROSAT.
CUSTOMERS, CONTRACTORS AND SUPPLIERS
Art. 18. (1) The data of the natural persons of the category “Customers, contractors and suppliers” shall be collected, processed and stored on paper and electronic media by the legal representatives of ENDUROSAT, by employees of the relevant departments – “Commercial Department”, “Finance and Accounting” or by another employee of ENDUROSAT expressly entrusted.
(2) The personal data of the natural persons of the category “Customers, contractors and suppliers” shall be obtained from the natural persons to whom they relate, when concluding and executing contracts with ENDUROSAT and when performing the services entrusted to them by ENDUROSAT.
(3) In addition to the persons referred to in par. 1, access to the data of the natural persons of the category “Customers, contractors and suppliers” may be granted to other employees of ENDUROSAT whose official functions require it – subject to the principle of providing the minimum necessary data and processing them only for the assigned purposes.
(4) ENDUROSAT shall have the right to disclose the data of the natural persons of the category “Customers, contractors and suppliers” only to the specified categories of third parties, namely:
a) public authorities in the performance of their legal duties or the protection of legitimate interests;
b) companies offering internal audit services, providers of IT, legal, transport, etc. services to fulfil contractual or legal obligations, as well as to protect their legitimate interests.
(5) The retention periods for the personal data of individuals in the category of “Customers, contractors and suppliers”, with the exception of those referred to in paragraph (6), which shall be applied by ENDUROSAT, shall be the duration of the relevant contract and up to 5 years after its termination, starting from the year following the year of termination, unless an administrative, judicial or other type of proceeding has been initiated in relation to the sources of information referred to in this Article, requiring retention for a period until its final conclusion.
(6) The retention periods for the personal data of individuals in the category of “Customers, contractors and suppliers” contained in invoices applied by ENDUROSAT shall be the duration of the relevant contract and up to 10 years after its termination, starting from the year following the year of termination, unless an administrative, judicial or other proceeding has been initiated in relation to the sources of information referred to in this Article, requiring retention for a period until its final conclusion.
(7) Upon expiry of the time limits referred to in paragraph 5 and paragraph 6 or upon exercise by the data subject of the right to erasure or upon withdrawal of consent to processing (as applicable), ENDUROSAT shall erase and destroy the personal data in a manner consistent with the technical and organizational measures provided for in ENDUROSAT.
VISITORS
Art. 19. (1) The data of the natural persons of the category “Visitors” shall be collected, processed and stored by another explicitly assigned employee of ENDUROSAT.
(2) The personal data of the natural persons of the category “Visitors” shall be obtained when visiting the administrative building in Sofia city. The information is received from the Visitors.
(3) In addition to the persons referred to in par. (1) access to the data of the natural persons of the category “Visitors” may be granted to legal representatives, information security officers, employees expressly entrusted by the controller, as well as other employees of ENDUROSAT whose official functions require it – subject to the principle of providing the minimum necessary data and processing them only for the assigned purposes.
(4) ENDUROSAT shall be entitled to disclose the data of individuals in the category “Visitors” only to the specified categories of third parties, namely:
a) public authorities in the performance of their legal duties or the protection of legitimate interests;
b) to companies providing legal, IT, etc. services processing on behalf of ENDUROSAT and under contractual obligations with ENDUROSAT in compliance with applicable law.
(5) The storage period for the personal data of individuals in the category of “Visitors”, which is applied by ENDUROSAT, is up to 2 months from the month following the calendar month within which the personal data were collected.
(6) After the expiry of the period referred to in paragraph 5 or in the event of the data subject exercising the right to erasure, ENDUROSAT shall erase and destroy the personal data in a manner consistent with the technical and organizational measures provided for in ENDUROSAT.
PERSONS USING THE CONTACT FORM OF THE WEBSITE
Art. 20. (1) The data of the natural persons of the category “Persons who have used the contact form available on the website of ENDUROSAT” shall be collected, processed and stored on electronic media by the Information Security Officers or by another employee of ENDUROSAT expressly entrusted with this task.
(2) The personal data of the natural persons of the category “Persons who have used the contact form available on the ENDUROSAT website” shall be obtained from the subjects to whom they relate, upon request, through the contact form available on the ENDUROSAT website.
(3) In addition to the persons referred to in par. 1, access to the data of the natural persons of the category “Persons who have used the contact form available on the website of ENDUROSAT” may be granted to the legal representatives of ENDUROSAT or other employees of ENDUROSAT whose official functions require it (and to whose activities the request relates) – subject to the principle of providing the minimum necessary data and processing them only for the assigned purposes.
(4) ENDUROSAT shall be entitled to disclose the data of individuals in the category “Individuals who have used the contact form available on the ENDUROSAT website” only to the specified categories of third parties, namely:
a) public authorities in the performance of their legal duties or the protection of legitimate interests;
b) to companies offering internal audit services, IT service providers, etc. in compliance with applicable law.
(5) The storage period for the personal data of individuals in the category of “Individuals who have used the contact form available on the ENDUROSAT website”, which ENDUROSAT applies, is up to 1 year from the year following the calendar year within which the personal data was collected, unless there is a basis for further processing of the data provided requiring its storage for a longer period.
(6) Upon expiry of the period referred to in paragraph 5 or upon exercise by the data subject of the right to erasure or upon withdrawal of consent to processing (as applicable), ENDUROSAT shall erase and destroy the personal data in a manner consistent with the technical and organizational measures provided for in ENDUROSAT.
Art. 21. In the event that ENDUROSAT wishes to process the data of natural persons in the category of “Customers, contractors and suppliers” for marketing purposes, the employees in the Marketing Unit shall request written consent for the processing of the data of the person by sending by email or by any other appropriate means a request for the collection of consent within the meaning of Art. 1(a) GDPR, except where consent has been collected at an earlier stage of communication with the data subject.
Art. 22. (1) In cases where ENDUROSAT has outsourced the processing of personal data under this Section to third party (natural and/or legal) processors, ENDUROSAT shall only use the services of such processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures in such a way that the processing is carried out in accordance with the requirements of the GDPR and ensures the protection of the rights of data subjects.
(2) The processing referred to in par. (1) shall be governed by a contract which shall be binding on the processor in relation to ENDUROSAT and which shall regulate the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller and shall comply with the requirements of the GDPR.
Art. 23 (1) ENDUROSAT may transfer personal data to third parties only when strictly necessary and in accordance with applicable data protection laws. Personal data shall be transferred to other controllers only if this is necessary for the performance of a contractual obligation, or if ENDUROSAT or a third party has a legitimate interest in the transfer of the data, or if the consent of the individual has been given. Third parties may also be affiliates of ENDUROSAT. Where data is transferred to third parties on the basis of a legitimate interest, this is explained in this data protection notice.
(2) In addition, the data may be transmitted to other controllers where ENDUROSAT is obliged to do so by statutory provisions or by valid administrative or judicial orders.
Art. 24. (1) Personal data may be transferred to recipients located outside the EEA in so-called third countries. In such cases, prior to the transfer, ENDUROSAT shall ensure that either the recipient of the data ensures an adequate level of data protection (e.g. due to a European Commission adequacy decision for the country concerned or due to an agreement based on the so-called EU Model Clauses with the recipient) or that consent to the transfer has been given. The individual has the right to obtain an overview of the third-country recipients and a copy of the specifically agreed provisions ensuring an adequate level of data protection.
(2) Data may be transferred to processors or service providers within the European Union (EU) or European Economic Area (EEA) where GDPR provides a uniform level of data protection.
- Examples of recipients: payroll providers, cloud service providers, IT support companies processing on behalf of ENDUROSAT and under contractual obligations with ENDUROSAT in compliance with applicable law.
(3) If data is transferred outside the EU/EEA, ENDUROSAT will ensure appropriate safeguards are in place, such as:
- Adequacy decision by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) for intra-group transfers
(4) ENDUROSAT will inform data subjects of such transfers and the safeguards applied, where relevant.
Art. 25. (1) Cookies and tracking mechanisms may be used in the context of the online services offered by ENDUROSAT. Cookies are small text files that can be stored on a device when an online service offered by ENDUROSAT is visited. Tracking is possible using various technologies. In particular, ENDUROSAT processes information using pixel technology and/or during the analysis of log files. Visitors can manage cookies by following this link.
(2) Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
(3) Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
(4) Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.
(5) Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
(6) Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.
(7) Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
(8) Cookie settings and tracking mechanisms can be managed in the browser and/or in the privacy settings of ENDUROSAT. The settings made by the user apply only to the browser used in each case.
(9) If the user wishes to deactivate all cookies, the user should deactivate cookies in his browser settings, bearing in mind that this may affect the functionality of the website.
(10) The management of settings regarding cookies and tracking mechanisms is not technically necessary.
(11) When visiting the ENDUROSAT website, users will be asked in the cookie layer whether they agree to the use of any technically unenforceable cookies or tracking mechanisms respectively. You can Change Cookie Preferences here.
(12) In privacy settings, consent may be withdrawn with effect for the future or consent may be given at a later stage.
Section VI
INTERNAL ORGANISATION AND ACCOUNTABILITY FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA
Art. 26. (1) ENDUROSAT shall keep internal files in electronic format for the different categories of natural persons whose data it processes.
(2) The following information shall be contained in a dedicated electronic application processing system, with limited access, for natural persons in the category of “Employees”: three names, position, date of conclusion and date of termination of the employment contract, basis for processing the personal data, consent status, in case the data are further processed on the basis of consent.
(3) A dedicated electronic application processing system, with limited access, shall contain the following information for individuals in the category “Candidate Employees”: three names, position applied for, information on whether they have been appointed, date of final completion of the selection procedure in which the individual participated, basis for processing the personal data, consent status, in case the data are further processed on the basis of consent.
(4) For natural persons in the category of “Customers, contractors and suppliers”, the following information shall be provided: two/three names, capacity/position, date of conclusion and date of termination of the contract, basis for processing the personal data, consent status in case the data is processed (additionally) on the basis of consent.
(5) For the individuals in the category “Individuals who have used the contact form available on the website of ENDUROSAT”, the following information shall be contained: names, contact telephone number, e-mail address, IP address, date of enquiry and date of response by ENDUROSAT, basis for processing the personal data, consent status, in case the data is further processed on the basis of consent.
(6) Additionally, ENDUROSAT shall store the records from the security cameras located on the territory of the administrative building in Sofia. The following rules shall apply to the same:
- The data shall be stored only in electronic form on the technical (recording) device provided for this purpose;
- The retention period is 2 months from the month following the calendar month within which the personal data was collected;
- Access to the data from the video recordings is granted only to the legal representatives of ENDUROSAT, information security officers (exceptionally and in limited cases), a processing company providing specific IT services (exceptionally and in limited cases), as well as to the competent public authorities in the performance of their legal duties.
(7) The following units shall be responsible for the maintenance of personal data:
- For “Employees” – Human Resources Department;
- For “Staff Candidate” – Human Resources Department;
- For “Customers, Contractors and Suppliers” – Sales Department;
- For “CCTV” – Information Security Officers;
- For the register “Persons who have used the contact form available on the ENDUROSAT website” – Information Security Officers.
(8) If necessary, ENDUROSAT may also create additional registers for categories of data subjects beyond those mentioned above or on the basis of another structurally determining principle.
Art. 27. ENDUROSAT shall process the personal data independently, through employees of the company with the relevant functions or explicit powers or through explicitly entrusted third parties – processors of personal data.
Art. 28. The employees of ENDUROSAT who process personal data shall have the following rights and obligations:
- process personal data lawfully and in good faith;
- not to export and store the personal data outside the designated places regulated by the special access regime;
- to use the personal data to which they have access in accordance with the purposes for which it is collected and not to process it in an unauthorized manner /falsification and other types of abuse/;
- to update the personal data records as necessary and in accordance with their assigned functions;
- to delete or rectify personal data whenever it is found necessary to do so and in accordance with the internal acts of ENDUROSAT;
- to keep personal data in a form which permits identification of the natural persons concerned for no longer than is necessary for the purposes for which the data are processed;
- to keep up to date their knowledge of the regulations and internal acts of ENDUROSAT governing the processing and protection of personal data;
- comply with the rules for sharing information among staff (including identifiers, passwords, etc.), including any established information security policies of ENDUROSAT;
- to comply with the fire safety rules on the premises of ENDUROSAT in order to protect the paper, technical and information media where personal data are stored.
Art. 29. All employees of ENDUROSAT shall, upon taking up their duties, sign a declaration, agreement or other legally binding act by which they undertake to respect the confidentiality of personal data processed by ENDUROSAT and not to disclose data and information which have come to their knowledge in the course of or in connection with the performance of their duties.
Art. 30 (1) The legal representatives of ENDUROSAT shall, individually or through a person expressly entrusted and authorized by at least one of them – an officer of ENDUROSAT, exercise the following powers:
- ensure the organization of record-keeping in accordance with the measures provided to ensure adequate protection;
- monitor compliance with specific security and access control measures;
- control compliance with the requirements for the protection of personal data carriers, including the records kept;
- liaise with the Commission for Personal Data Protection and/or any other competent supervisory authority, notifying it in the event of security breaches;
- control compliance with the access rights of employees in relation to personal data media, records and the software and hardware resources for their processing;
- ensure compliance with the organizational procedure for the processing of personal data, including the time, place and order of processing, including through the registration of all actions carried out with/ in the records in the computer environment;
- determine and control compliance with the procedures for the storage, deletion and erasure of personal data, including the destruction of information media containing such data;
- approve the technical/information security policy of ENDUROSAT or other relevant internal acts, which shall include rules and procedure for:
– identification of the technical resources applied to the processing of personal data;
– the procedure for setting, using and changing passwords, as well as the actions to be taken in the event of learning a password;
– conducting regular prophylaxis of the computer and communication means, including checking for viruses, illegally installed software, database integrity, as well as data backup, updating system information, etc.;
- conduct periodic monitoring of compliance with data protection requirements and take measures to remedy any irregularities detected;
- approve a training plan for employees of ENDUROSAT and monitor its compliance;
(2) The exercise of the powers under subsections (1), (2), (3), (4), (5), (6), (7) and (9) may be delegated to an officer expressly charged with and authorized to exercise them. In this case, the designated person shall report periodically on the exercise of these powers directly to the legal representatives of ENDUROSAT as necessary, but not less frequently than once every six months.
Art. 31. (1) For non-compliance with the provisions of this Policy, employees of ENDUROSAT shall be liable under the applicable legislation in the field of personal data protection and under the Labour Code.
(2) If as a result of the actions of a relevant employee of ENDUROSAT in the processing of personal data, damage has been caused to a third party, the latter may seek liability under general civil law or under criminal law if the act constitutes a more serious act for which criminal liability is provided.
Section VII
RIGHTS OF DATA SUBJECTS. MEANS OF EXERCISE
Art. 32 (1) Any natural person whose personal data is processed by ENDUROSAT shall have the following rights within the meaning of Chapter III of the GDPR as follows:
a) Right to information;
b) Right of access;
c) Right to rectification of personal data;
d) Right to erasure of personal data;
e) The right to restrict the processing of personal data provided;
f) Right to object to processing;
g) Right to data portability;
h) The right not to be subject to a decision based solely on automated processing;
i) Right to lodge a complaint with the CPDP.
(2) ENDUROSAT shall provide the GDPR information to the data subjects through its Privacy Policy, available on the ENDUROSAT website: https://www.endurosat.com/, as well as at the company’s correspondence address: 1A Flora Str., 1404 Sofia, Bulgaria.
(3) Any data subject may exercise his/her rights under this Article by making an explicit application to this effect to the following email address: legal@endurosat.com or electronically under the terms of the Electronic Document and Electronic Certification Services Act, the Electronic Government Act and the Electronic Identification Act, or in writing to the following address: 1A Flora Str., Sofia 1404, Bulgaria.
(4) Where the processing of personal data is based on consent given by the subject, each subject shall have the right to withdraw that consent at any time. Withdrawal may be made in one of the following ways: by sending an explicit request to this effect to the following email address: legal@endurosat.com or in writing, in the form of a letter, to the address 1A Flora Str., Sofia 1404, Bulgaria.
(5) In the event that the data subject considers that by its actions ENDUROSAT violates its legal rights with regard to the collection, processing and storage of the personal data provided, the data subject may apply to a supervisory authority, in Bulgaria this is the Personal Data Protection Commission, with address at 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, email: kzld@cpdp.bg or the competent courts, and shall have the right to lodge a complaint setting out its grievances.
Section VIII
DATA PROTECTION AND SECURITY MEASURES
Art. 33. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of data subjects, ENDUROSAT shall implement technical and organizational measures to ensure a level of security appropriate to that risk, including where necessary:
a) pseudonymization and encryption of personal data;
b) the ability to ensure the continued confidentiality, integrity, availability and resilience of personal data processing systems and services;
c) the ability to promptly restore the availability of and access to personal data in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
Art. 34. In assessing the appropriate level of security, ENDUROSAT shall take into account, in particular, the risks that are associated with the processing of personal data, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Art. 35. Any natural person acting under the authority of ENDUROSAT (employee and/or processor) who has access to personal data shall process that data only on the written instructions of ENDUROSAT, unless the person concerned is required to do so by EU or national law.
Art. 36 (1) If a particular type of processing carried out by ENDUROSAT, in particular where new technologies are used, and taking into account the nature, scope, context and purposes of the processing, is likely to give rise to a high risk to the rights and freedoms of data subjects, ENDUROSAT shall, before the processing is carried out, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
(2) In carrying out a data protection impact assessment, the opinion of the data protection officer, where one has been appointed, must be provided.
(3) The assessment under par. 1 shall contain at least:
a) a systematic description of the intended processing operations and the purposes of the processing, including, if applicable, the legitimate interest of ENDUROSAT;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects;
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other stakeholders.
(4) ENDUROSAT shall consult the DPA as required by Article 36 of the GDPR prior to processing where the data protection impact assessment referred to in para. 1 shows that the processing will give rise to a high risk if ENDUROSAT has not taken measures to mitigate that risk.
Art. 37. The measures in place for the protection and security of the data processed by ENDUROSAT for each of the categories of data subjects referred to in Article 8 above shall include at least the following:
- Physical protection measures;
- Personal protection measures;
- Documentary protection measures;
- Measures to protect information systems and networks.
Art. 38. (1) At the time of adoption of this Policy, ENDUROSAT has not appointed a Data Protection Officer within the meaning of the GDPR, as the mandatory prerequisites of Article 37(1) of the GDPR are not met.
(2) In the event of a change in circumstances necessitating the appointment of a Data Protection Officer, ENDUROSAT will appoint one, subject to the requirements of the GDPR and national legislation.
Section IX
RETENTION AND DELETION OF DATA. DATA ANONYMIZATION
Art. 39. (1) ENDUROSAT retains personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, or protect legitimate interests or on another valid legal basis as per the internal documents of the company in this regard.
(2) Data Deletion and Anonymization. After the expiration of the retention period, ENDUROSAT will:
a) Permanently delete electronic data from systems and backups
b) Shred or destroy physical documents securely
c) Anonymize data where continued statistical analysis is necessary (without identifying individuals)
(3) ENDUROSAT reviews retained data annually to ensure compliance with the defined retention schedules.
Section X
ACTIONS IN THE EVENT OF A PERSONAL DATA BREACH. EMERGENCY, ACCIDENT AND DISASTER PROTECTION ACTIONS
Art. 40. (1) In the event of a personal data breach, without undue delay, and where practicable, not later than 72 hours after becoming aware of it, ENDUROSAT shall notify the personal data breach to the CPDP or the supervisory authority competent in accordance with the GDPR, unless the personal data breach is likely to pose a risk to the rights and freedoms of natural persons.
(2) The notification under par. 1 shall contain at least the following information:
a) a description of the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
b) indicate the name and contact details of the DPO or other staff member of ENDUROSAT from whom further information may be obtained;
c) a description of the possible consequences of personal data breach;
d) a description of the measures taken or proposed by ENDUROSAT to address the personal data breach, including, where appropriate, measures to mitigate any adverse effects.
(3) Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, ENDUROSAT shall, without undue delay, notify the data subject of the personal data breach in accordance with Article 34 of the GDPR. Such notification to the data subject is not required if any of the following conditions are met:
a) ENDUROSAT has taken appropriate technical and organizational protection measures and these measures have been implemented in relation to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person not authorized to access it, such as encryption;
b) ENDUROSAT has subsequently taken measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c) The communication would result in a disproportionate effort. In such a case, a public announcement shall be made or another similar measure taken so that data subjects are equally effectively informed.
Art. 41. ENDUROSAT shall take preventive action in the protection of personal data and in cases of force majeure events, drawing up an action plan for the various cases, namely:
- protection in the event of accidents beyond the control of ENDUROSAT – specific actions are taken according to the situation;
- protection from fires – immediate extinguishing with own means /extinguishers, fire extinguishing systems/ and notification of the relevant authorities;
- flood protection – action is taken to contain the spread, and water is pumped out or scooped out by hand; if possible, all media (paper and/or electronic) containing personal data are immediately removed from the affected premises.
Section XI
FINAL PROVISIONS
Art. 42. This Privacy Policy is effective as of 06.06.2017 and will remain in effect except with respect to future changes to its provisions, which will be effective immediately upon their publication on this page. We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically.
Your continued use of the Service after we have posted changes to the Privacy Precautions Policy on this page will mean that you acknowledge the changes and agree to abide by and be bound by the revised Privacy Precautions Policy.
Last updated: 07.03.2025