This Privacy Notice (the “Notice“) is intended to inform you about how attorney Manuela Purnarova (hereinafter referred to as the “Attorney” or the “Data Controller”) processes and protects your personal data when you use this website (purnarova.com | purnarova.com/bg) (the “Website”). All terms used in this Notice are interpreted in accordance with the General Data Protection Regulation (“GDPR“). By accessing and using the Website, you are given the opportunity to learn how your personal data is collected, used, and stored, in accordance with this Notice.

1. Data Controller

The personal data controller is attorney Manuela Plamenova Purnarova, registered with the Sofia Bar Association, personal number: 1600795110, BULSTAT number: 180592853, law office address: Sofia, “Nadezhda” I residential area, bl. 146, entr. B, fl. 9, apt. 46.

The Data Controller processes your personal data obtained during your visit to the Website in accordance with national and EU legal provisions, and the rules and principles set out in this Notice.

For questions related to personal data protection, you may contact the Data Controller at: dataprotection@purnarova.com.

2. Categories of Personal Data and Purposes of Processing

The Data Controller processes personal data in the minimum scope necessary, and only for specific, clearly defined purposes related to the operation of the Website and communication with its visitors. Processing is carried out in accordance with the principles of lawfulness, fairness, and transparency. Below are the categories of data and purposes of processing:

• Data provided through the contact form: When sending an inquiry via the Website’s contact form, your name, email address, and message content (which may include other voluntarily provided personal data) are collected. These data are processed solely for the purpose of contacting you and responding to your inquiry. The Attorney encourages you not to include special categories of personal data (e.g., health information, ethnic origin), or national identification numbers, unless strictly necessary for the nature of your request. Where permitted by law, the data may also be processed for the purpose of fulfilling the Data Controller’s legal obligations, such as providing information to competent state or judicial authorities, assisting in inspections, or documenting electronic statements related to personal data and cookie policies. Additionally, the data may be used to handle incoming requests and to exercise data subjects’ rights.
• Automatically collected data (cookies and Google Analytics): The Website uses cookies and similar technologies to collect certain technical information about visits. Specifically, it uses the Google Analytics service to gather statistical traffic data. Google Analytics may collect data such as IP address, cookie ID, browser and device information, referring pages, and pages visited on the Website. This enables the generation of aggregated reports on how visitors use the Website. These data are used solely for statistical analysis and for improving the Website’s content and functionality (e.g., which pages are most visited). The information collected through Google Analytics does not allow you to be directly identified by name. Visitor IP addresses are anonymized before storage, and Google provides the data in aggregated statistical form. Since online identifiers such as IP addresses and cookie IDs are considered personal data—even if pseudonymized—the Data Controller handles such technical information with appropriate security and confidentiality safeguards.

The Website does not collect other categories of personal data from visitors. User registration is not required, and no contact data such as addresses or phone numbers are collected through the Website itself (unless you voluntarily include such information in a message submitted via the contact form). The Website does not use comment forms and does not profile its visitors. If you have explicitly provided consent, the Attorney may use your email address to send you professional communications—such as legal news, topic-specific updates, event invitations, or announcements related to the Attorney’s practice. Such communication is based solely on prior and freely given consent and always includes the option to unsubscribe.

If a legal service is subsequently provided as a result of a submitted inquiry via the Website, the Attorney may process additional personal data where necessary for client identification and for fulfilling legal obligations in accordance with the Anti-Money Laundering Act.

3. Legal Basis for Data Processing

The processing of your personal data is carried out on the basis of one or more of the legal grounds under Article 6(1) of the GDPR:

With regard to data provided through the contact form:

• The legal basis is usually the performance of steps at your request prior to entering into a contract (Article 6(1)(b) GDPR)—for example, when you submit an inquiry about legal services that may lead to the conclusion of a legal services agreement. When you contact the Attorney via the contact form or otherwise in relation to potential legal engagement, the data is processed in order to take steps at your request, such as providing information, clarifying service parameters, or scheduling a meeting.
• Processing may also be based on compliance with a legal obligation to which the Attorney is subject (Article 6(1)(c) GDPR). This applies where processing is required for compliance with legal obligations, including those related to accountability, supervision by competent authorities, or the exercise of data subjects’ rights.
• In certain cases, processing may be based on the Attorney’s legitimate interest (Article 6(1)(f) GDPR) in responding to inquiries and correspondence received from potential clients or other individuals.

With regard to data collected through cookies / Google Analytics:

• Strictly necessary cookies: These cookies are essential for the functioning of the Website and cannot be disabled by users, as the Website would not function properly without them. The processing of personal data (e.g., unique identifiers or settings) related to these cookies is based on the Data Controller’s legitimate interest under Article 6(1)(f) GDPR—namely, ensuring the proper functioning, security, and stability of the Website for all visitors. Therefore, no consent is required for the use of strictly necessary cookies.
• Functional (preference) cookies: These cookies enable the Website to remember choices you make and to provide enhanced, more personalized features. The legal basis for processing personal data through these cookies is your prior consent, pursuant to Article 6(1)(a) GDPR.
• Analytical cookies (Google Analytics): These cookies help to understand how users interact with the Website, allowing the Website’s content and functionality to be improved. The Website uses Google Analytics—a web analytics service that does not include Google’s advertising features. The collected data is anonymized and not used for profiling or advertising. Analytical cookies are set only with your prior consent, under Article 6(1)(a) GDPR. This means that such cookies will be activated only if you explicitly choose to accept them (e.g., via the Website’s cookie banner). You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

For more information on the types of cookies used, please refer to the Cookie Policy.

4. Data Retention and Storage Periods

Your personal data is retained only for the period necessary to fulfill the purposes for which it is processed. The principle of storage limitation is applied when defining the specific terms, meaning that data is kept in a form that allows identification no longer than necessary for the processing purposes.

• When the processed personal data is contained in documents or other information carriers for which the applicable legislation prescribes a retention period, the data is stored for that statutory period. If there is another lawful ground for retention in a particular case (e.g., the protection of legal claims), the period may be aligned accordingly.
• Personal data included in submitted inquiries, requests, complaints, alerts, or other correspondence with us (including information regarding its processing, status, and outcome) is stored for a period justified by the need to ensure communication traceability, protection in case of potential disputes, and the possibility for further contact. If no statutory period is provided for the specific case, such data is retained for up to five (5) years from the conclusion of the relevant correspondence and related matters. If the communication results in a contractual or other legal relationship, the personal data is processed and retained in accordance with the legal framework applicable to that relationship.
• When visiting the Website, logs containing technical information (such as IP address, access date and time, requested resources, etc.) may be automatically generated and stored. These are processed for the purpose of ensuring the security of information systems, preventing misuse, and providing technical support. As a rule, such data is retained for a limited period appropriate to the purpose of its collection. In exceptional cases (e.g., security incidents), it may be stored until the necessary investigation or legal proceedings are completed.
• Logs generated from specific actions on the Website (e.g., form submissions) may be stored based on the need to prove the performed action, including for accountability or in case of a potential dispute. In the absence of specific legal requirements, the retention period is determined by the risks related to the processing and the possibility to exercise rights or defend against claims.
• When processing is based on your consent, personal data is stored until the relevant purpose is achieved or until the consent is withdrawn, whichever occurs first. If consent is given for a specific period, processing ends upon expiration of that period unless it is renewed by new consent.
• Data collected through Google Analytics is used for statistical purposes and is not retained in an identifiable form. We use settings that limit the retention period of unaggregated (raw) data. After the defined period expires, the data is automatically deleted. Only aggregated statistical reports, which do not contain personal data, are stored and may be used for long-term traffic analysis.
• The retention periods for data collected through cookies are determined based on the type and function of each specific cookie. For more details, please refer to our Cookie Policy.
• In the event of a legal dispute or official proceedings, a request from a competent authority, or a statutory obligation to retain the data longer, an extended retention period may apply—until the final conclusion of the relevant procedure and, if necessary, for an additional period required by law or necessary for the protection of legitimate interests.

The periods specified in this Privacy Notice are subject to periodic review and may be updated in accordance with changes in applicable legal requirements or data protection practices.

5. Recipients of the Data and Transfers to Third Countries

Personal data is disclosed to third parties only where there is a valid legal basis and to the extent necessary for a specific purpose, in compliance with applicable legal requirements and this Privacy Notice.

The categories of recipients may include:

• Data processors providing services such as hosting, technical support, web analytics (including Google Analytics), translation, or other auxiliary activities related to the operation and maintenance of the Website. Such parties act under a concluded agreement, process data only in accordance with the Data Controller’s instructions, and implement mandatory security measures in accordance with Article 28 of the GDPR. In the context of using analytics services, certain data may be processed on servers located outside the European Economic Area. In such cases, appropriate safeguards for personal data protection are applied, including participation of the provider in the EU–US Data Privacy Framework and/or the use of Standard Contractual Clauses approved by the European Commission pursuant to Article 46 of the GDPR.
• Other data controllers whose cooperation may be necessary in relation to communication regarding submitted inquiries or the protection of legitimate interests – for example, notaries, enforcement agents, providers of courier or communication services. These parties are required to comply with applicable data protection regulations.
• Competent state, administrative or judicial authorities, where required by law or necessary for the fulfilment of a legal obligation or for the protection of rights and legitimate interests.
• Other cases expressly provided by law.

6. Your Rights as a Data Subject

As a data subject, you have the following rights, which you may exercise by submitting a written request to the Data Controller using the contact details provided in Section 1 of this Notice:

• Right to information (Articles 13 and 14 of the GDPR)

You have the right to receive information about the processing of your personal data by the Attorney. This Notice is intended to inform you in detail about the processing of your personal data in connection with your use of the Website and your communication with the Data Controller.

• Right of access (Article 15 GDPR)

You have the right to obtain confirmation as to whether your personal data is being processed by the Attorney when using the Website, to access such data, and to receive information regarding its processing and your related rights.

• Right to rectification (Article 16 GDPR)

You have the right to request the rectification or completion of your personal data if it is incomplete or inaccurate.

• Right to erasure (“right to be forgotten”) (Article 17 GDPR)

Where the legal grounds/conditions are met, you have the right to request the erasure of your personal data.

• Right to restriction of processing (Article 18 GDPR)

Applicable law provides the option to restrict the processing of your personal data if the conditions for restriction under the GDPR are met.

• Right to notification of third parties (Article 19 GDPR)

Where applicable, you have the right to request that the Attorney notify third parties to whom your personal data has been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or requires disproportionate effort.

• Right to data portability (Article 20 GDPR)

You have the right to receive your personal data, which you have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from the current Data Controller. This right applies when the processing is based on your consent or a contractual obligation, and is carried out by automated means. Where technically feasible, you also have the right to request the direct transfer of your personal data to another controller.

• Right not to be subject to automated decision-making, including profiling (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless such processing is permitted by applicable law and appropriate safeguards are in place to protect your rights, freedoms, and legitimate interests. The processing activities described in this Notice do not involve automated decision-making, including profiling, as defined in Article 22 of the GDPR.

• Right to withdraw consent (Article 7(3) GDPR)

You have the right to withdraw your consent to the processing of your personal data at any time when the processing is based on your previously given consent. Such withdrawal does not affect the lawfulness of the processing based on consent before its withdrawal.

• Right to object (Article 21 GDPR)

You have the right to object, at any time and on grounds relating to your particular situation, to the processing of your personal data where such processing is based on the legitimate interest of the Data Controller. If you raise such an objection, your request will be considered and processing will be stopped unless there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

• Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

If you believe that the processing of your personal data violates applicable data protection laws, you have the right to lodge a complaint with a supervisory authority:

Commission for Personal Data Protection (CPDP)

2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria

Website: www.cpdp.bg

You may also lodge a complaint with another supervisory authority in an EU Member State where you habitually reside, work, or where the alleged infringement took place.

If the Data Controller refuses, in whole or in part, to grant your request to exercise your rights under the GDPR (such as access, correction, erasure, etc.), you may submit a request for assistance to the CPDP under Article 54(1)(6) of the Bulgarian Personal Data Protection Act.

In addition to an administrative complaint, you also have the right to effective judicial remedy under Article 79 GDPR.

7. Data Security

The Data Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include access control, encrypted communication, device protection, and confidentiality commitments. All safeguards are reviewed and updated regularly in accordance with the level of risk and applicable legal requirements.

8. Changes to this Notice

This Notice may be updated periodically to reflect changes in applicable legislation or the way personal data is processed. The updated version will be published on this page and will indicate the date of the most recent revision. Where significant changes are made, additional steps will be taken to notify you when required.

Annex: Cookie Policy

Date of last update: 4 July 2025

By using this Website, you acknowledge that you have read and understood this Privacy Notice and its annexes. If you have any questions regarding this Notice or the way we process your personal data, please do not hesitate to contact the Data Controller using the contact details provided. Your privacy matters and we will take all necessary steps to protect it in accordance with applicable rules and best professional practices.