Privacy Notice

Information on the processing of personal data in regards to the SMEDATA project

This policy has been prepared in accordance with the requirements of Art. 13 and Art. 14 of the Regulation (EU) 2016/679 – General data protection regulation (GDPR) and aims to inform you about the activities on processing of personal data, the purposes for which the data are processed, the measures and guarantees for the protection of the data processed, your rights and the way you can exercise them in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (referred to as “Regulation 2016/679” or “GDPR”) and other applicable European Union and national laws of all the parties involved in the project.

In details the project ‘Ensuring the Highest Degree of Privacy and Personal Data Protection through Innovative Tools for SMEs and Citizens — SMEDATA’ is a project co-funded by the European Commission under the Rights, Equality and Citizenship 2014-2020 Programme of the European Union that has the overall objective to ensure the effective application of the General Data Protection Regulation through awareness, multiplying training and sustainable capacity building for SMEs and legal professionals.

The information below describes the processing of personal data of participants in SMEDATA events and users visiting the project website ( in compliance with the Regulation (EC) 2016/679.
The information here provided does not concern other online websites, pages or services that can be accessed via hyperlinks on the above websites but relate to resources outside the SMEDATA domain.

  2. The data controller is the project Consortium:

    • The Commission for Personal Data Protection of the Republic of Bulgaria (CPDP);
    • The Italian Data Protection Authority (Garante per la protezione dei dati personali, GPDP);
    • APIS Europe JSC;
    • The Union of Bulgarian Jurists (SUB);
    • The European Women Lawyers Association – Bulgaria (EWLA);
    • Ernst and Young Law Partnership (EY);
    • The Law Department of the “Roma Tre” University,

    led by the project Coordinator – the Commission for Personal Data Protection of the Republic of Bulgaria. As such, the Consortium has an obligation to inform you what to expect when processing your personal data.

    Project coordinator contact details:

    Commission for Personal Data Protection

    Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

    Mobile: +359 876 563 690



    1. We collect and process personal data under contractual obligation (814763 – SMEDATA – REC-AG-2017/REC-RDAT-TRAI-AG-2017) with the European commission, and on legal basis under the Financial regulation applicable to the general budget of the Union in compliance with Article 6, par. 1, letters b) and c) of GDPR,
    2. The SMEDATA project is co-funded by the European Commission under Regulation (EU) no 1381/2013 of the European parliament and of the Council of 17 December 2013 establishing a Rights, Equality and Citizenship Programme for the period 2014 to 2020 (REC Programme) and is subject to the obligations set within the REC Programme, so is thereby processing personal data under legal obligation in compliance with Article 6, par. 1, letter c) of GDPR.
    3. We collect personal data from the users of the SMEDATA website on the basis of the user consent under Article 6 of Regulation (EU) 2016/679 – (GDPR) in order to provide entry to content and services provided from the website for the purpose of meeting the goals laid within the SMEDATA project in order to raise awareness and ensure the effective application of GDPR.
      Consent from the users of the website as well as the participants in the activities set in the project is also required for the dissemination of the project newsletters.
    4. The personal data collected shall be provided to all partners in the project Consortium and the European institutions concerned under contractual obligation in compliance with Article 6, par. 1, letter b) of GDPR.
  5. Personal data collected under the SMEDATA project will be stored for a period no longer than is needed for the completion of the project as well as for audit purposes provided in the Financial Regulation applicable to the general budget of the Union, European or national legislation and the European institutions. Data will be stored for up to 5 years after the end of the project (until the end of 2025).

    1. Data of participants in project events
    2. Registration for the events organized under the SMEDATA project, and the forwarding of the newsletters, requires the collection of a set amount of data from the participants, that may include, three names, place of employment, position within the organization and contacts (e-mail and/or phone number).

    3. Browsing data
    4. The information systems and software procedures used to operate the SMEDATA website collect personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols.

      This data category includes the IP addresses and/or the domain names of the computers and terminal equipment of users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, returned file size, a numerical code relating to server response status (successfully performed, error, etc.), and other parameters related to the user’s operating system and computer environment.

      These data are necessary to use web-based services and are also processed in order to extract statistical information on service usage (most visited pages, visitors by time/date, geographical areas of origin, etc.); check functioning of the services.

      The collected data is processed in order to improve and maintain the services provided by the SMEDATA website.

      Browsing data are kept for no longer than seven days (except where judicial authorities need such data for establishing the commission of criminal offences). 

    5.  Data communicated by users
    6. Sending messages, on the basis of the user’s free, voluntary, explicit choice, to the CPDP contact addresses, filling in and sending the forms made available on this website entail the acquisition of the sender’s contact information – which is necessary to provide a reply – as well as of any and all the personal data communicated in that manner.

    7. Cookies and other tracking devices
    8. The SMEDATA website uses cookies.

      So-called session (non-persistent) cookies are used exclusively to the extent this is necessary to enable secure, efficient browsing. Storage of session cookies in terminal equipment or browsers is under the user’s control, whilst cookie-related information is stored server-side after HTTP sessions in the service logs no longer than the time it takes to meet the specific purpose that is being processed or is provided for by law. 

      We use Google Analytics as a monitoring tool (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies that allow us to see volumes of website visitors, their source and analyse how the content on the website is viewed and navigated. You can download and install an opt-out tool to prevent this information on your visit to be gathered (

    9. Mobile Application
    10. The Mobile application (“the App”) collects the following information:

      • The chosen language for the App
      • List of the bookmarked content
      • List of saved documents
      • Text of saved documents.

      This information is stored on your device and there is no option for it to be transferred to the App creators. Therefore, your data connected to the App usage is not processed by any of the partners in the SMEDATA Project.

      Please note that you need to provide permission for the App to access:

      • Your device’s Photos/Media/Files;
      • Storage and Network information.

      This permission is needed for downloading and accessing the content resources of the App that are stored online as well as for using the Bookmarks and Saved documents features. This information is not send to anyone. Some of the data, such as IP address of your device, is stored on the database server from which the download of the documents is performed. The information is stored 7 days.

      Please note that this Privacy statement does not cover hyperlinks in the App that re-direct you to external sources (e.g. the hyperlinks in section Useful links).

    11. Social media plug-ins
    12. We use social media platforms in order to promote the events, organised within the scope of the project and to popularise the project result. Each social media platform has own Privacy policy and processes your personal data on legal basis.


      When you visit SMEDATA website, Facebook (Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA) recognises your profile and makes direct connection between your browser and your Facebook profile, and receives information about the visit of your IP Address on our website. You can read Facebook’s Privacy Policy for more information ( Other information that is processed from us and Facebook jointly is the one, being provided to us in connection to our Facebook Page. We have an access to anonymised statistics on the actions that are being taken on our Facebook page, that we cannot link to a special profile in no way.


      SMEDATA website uses functions of the LinkedIn network (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA). Any time you access one of our pages that contains functions of LinkedIn’s established. LinkedIn is notified that you have visited our website with IP address. We, as the provider of SMEDATA website, do not have any knowledge of the content of the transferred data and its use by LinkedIn. For more information (

  8. On the basis of legal requirements and under contractual obligation regarding SMEDATA project the personal data collected by the Consortium may be provided to the following entities:

    • European Commission (DG Justice and Consumers)
    • European anti-fraud officer (OLAF)
    • European Court of Auditors
  10. Data subjects have the right to obtain from the project Consortium, where appropriate, access to their personal data as well as rectification or erasure of such data or the restriction of the processing concerning them, and to object to the processing (pursuant to Articles 15 to 22 of the Regulation). Please contact one of the partners to lodge all requests to exercise these rights.

    a)  Right of access – Article 15 GDPR

    The right of access grants the data subject comprehensive insight into the data concerning them and into other important criteria, such as the purposes of the processing or the period for which the data shall be stored.

    b)  Right to rectification – Article 16 GDPR

    The right to rectification implies the possibility for the data subject to have inaccurate personal data concerning the subject rectified.

    c)  Right to erasure – Article 17 GDPR

    The right to erasure entails the possibility for the data subjects to have data erased at the controller. This is, however, only possible if the data concerning them are no longer necessary, if they have been unlawfully processed, or a corresponding consent has been withdrawn.

    d)  Right to restriction of processing – Article 18 GDPR

    The right to restriction of processing includes the possibility for the data subject to prevent for the time being any further processing of personal data concerning them. A restriction mainly occurs at the stage of examining other exercises of rights by the data subject.

    e)  Right to data portability – Article 20 GDPR

    The right to data portability implies the right for the data subject to receive from the controller the personal data concerning them in a commonly used, machine-readable format in order to have them, if necessary, transferred to another controller. In accordance with Art. 20 para. 3 sentence 2 of the GDPR, that right is not available if the data processing serves the purpose of performing public tasks.

    f)  Right to object – Article 21 GDPR

    The right to object includes the possibility for data subjects to object, in a particular situation, to the further processing of their personal data as far as this processing is justified by the performance of public tasks or of public and private interests.

  12. If a data subject considers that the processing of personal data relating to them infringes the Regulation, they have the right to lodge a complaint with the each of the partners (CPDP, GPDP, APIS Europe, SUB, EWLA, EY, “ROMA TRE” University) pursuant to Article 77 of the Regulation.


We may change this privacy policy. In that case, the “last updated” date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

Last update: 25.09.2019

The content of this website represents the views of the partners of the SMEDATA project and is their sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.

eu flagThis project is funded by the Rights, Equality and Citizenship Programme of the European Union