Please read the privacy policy of XB Systems AG (the Company) carefully. If any or all of the terms outlined in the Policy are unacceptable to you, bear in mind that the Policy applies in any case to the Personal Data processed by the Company, and take this into account when deciding whether to provide your Personal Data in legal relationships with the Company.


XB Systems AG is the administrator of Personal Data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data.

Objectives and scope of the privacy policy:

The Company collects and processes Personal Data in strict compliance with the principles and specific provisions of the applicable special legislation in this field. This policy provides detailed and comprehensible information on: the principles and objectives of collecting and processing Personal Data; the legal bases for this; the deadlines for storing these data; the rights of the individuals providing Personal Data to the Company and the procedures for exercising those rights; the recipients to whom this data can be disclosed; and the right of access and the right to rectify the collected data.


“EDECSA” is the Electronic Document and Electronic Certification Services Act, promulgated in SG, Issue 34 of 06.04.2001, in force as of 07.10.2001, in the current version;

“Personal data” means any information relating to an identifiable natural person or a natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more signs specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;

“Processing” means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adjusting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data becomes available, arranged or combined, restricted, deleted or destroyed;

“Applicable law” means the legislation of the European Union and the Republic of Bulgaria, which is relevant to the protection of personal data;

“Profiling” means any form of automated processing of personal data involving the use of personal data for the assessment of certain personal aspects of an individual and, in particular, for the analysis or forecasting of aspects relating to that natural person's performance of professional duties, economic condition, health, personal preferences, interests, reliability, behavior, location or movement;

“Data subject” means a natural person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more signs specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;

“Regulation (EU) 2016/679” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (Single Data Protection Regulation), published in the Official Journal of the European Union on 4 May 2016.

Principles relating to the processing of Personal Data:

When processing Personal Data, the Company is guided by the principles of:

  1. Transparency;
  2. Proportionality;
  3. Accuracy;
  4. Time Limit;
  5. Respecting the rights of data subjects;
  6. Confidentiality and security.

In view of the Company's core business activity and the values of its founders and its clients, its operational activity is based on the principles of good faith, transparency and accountability in each of the actions taken.

Categories of Personal Data processed by the Company:

The Personal Data of our clients that we process include the data they provide to us in relation to our services and, in particular, the conclusion of the contract for the provision of advisory services. In this regard, we process Personal Data that may be attributed to you when concluding contracts with clients and when exchanging accounting and administrative papers.

These are:

  • Identification number;
  • Three names;
  • Address.

The specified Personal Data is processed in relation to the services provided by the Company and the accounting of payments.

Processing Goals:

Personal data are processed by the Company for the purpose of providing the basic services and activities for the provision of certification services within the meaning of the Law on Corporate Social Responsibility, as well as the accompanying legal and accounting services related to asset management of the Company.

Legality of Processing

The Company processes Personal Data of the entities in compliance with statutory obligations such as:

  • Obligations to provide information to supervisors;
  • Obligations stipulated in the Commercial Act, the Accountancy Act, the Tax and Social Insurance Procedure Code and other related legislative acts aimed at ensuring lawful and properly kept accounting.

How long do we keep Personal Data?

The Company keeps Personal Data for a period no longer than is necessary to achieve the relevant goals. Data is stored for 3 or 5 years after the contract for services was successfully completed or terminated, depending on the applicable prescription/limitation period for related claims and/or notifications, as well as taking into account the storage periods for accounting information. Under certain circumstances, if the Company requires a longer period of storage for legislatively proven periods, Personal Data may be stored for a longer period of time.
The Company is obliged to destroy the data once the reason for which it has been collected has been met.

Mandatory and voluntary nature of provision of Personal Data:

Specific categories of personal data (sensitive data) are not collected and processed through this website.

Information on the processing of Personal Data:

The Company processes the Personal Data provided to it independently. The necessary technical, factual and organizational measures have been taken, in accordance with the current state of the art and science, to protect Personal Data from accidental or unlawful destruction or accidental loss, unauthorized access, alteration or distribution, or other known forms of processing.

Recipients to whom Personal Data may be disclosed:

In view of its activity, the Company concludes written agreements with contractors for the provision and receipt of different types of services; these contractors process Personal Data or are recipients of Personal Data. Subject to legal requirements, the Company may disclose the Personal Data provided to the following non-exhaustively listed entities in their capacity as executive bodies or contractors:

  1. Licensed foreign and/or local accounting and auditing companies and service providers;
  2. Law firms or other providers of consultancy services, courier companies, etc.;
  3. Web-design companies.

In the event that the Company discloses Personal Data to any of the above persons, there must be good reason to do so and, on the basis of the contract, the recipients of the Personal Data must provide an adequate level of protection.

Consumer rights and procedure for exercising rights:

Personal Data subjects have the following rights regarding their Personal Information:

  • Right of access;
  • Right to rectification;
  • Data portability rights;
  • Right to delete (right to be forgotten);
  • Right to ask for limitation of processing;
  • Right to object to the processing of Personal Data;
  • The right of the subject of Personal Data not to be subject to a decision based solely on automated processing involving profiling;
  • Right to file a complaint with the Data Protection Supervisor.

Procedure for exercising the rights:

The Company assists the individual to whom Personal Data relates in the exercise of his or her rights. Individuals have a right of inquiry in relation to the above, and the Company provides the person concerned with information on the action taken on the request without undue delay and in any case within one month of receipt of the request. If necessary, this period may be extended by a further two months, taking into account the complexity and the number of requests. The administrator shall inform the consumer of any such extension within one month of receipt of the request, indicating the reasons for the delay.

When the individual submits a request by electronic means, the information is provided, if possible, by electronic means, unless otherwise requested. If the Company does not act on the request, it shall notify the natural person without undue delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of filing a complaint with a supervisor and seeking legal protection.

Changes to privacy policy:

The Administrator has the right to update, supplement and modify this document at any time in the future in order to improve the effectiveness of the protection of Personal Data in accordance with the evolving regulatory environment, practical experience or other circumstances that require it.
