top of page

Privacy Policy

I. Subject

This document governs the relations regarding the collection, processing, and protection of personal data relating to clients of the services and products provided by "ATLAS CONSULTING" EOOD in its capacity as a credit intermediary. This includes personal data relating to representatives and suppliers of "ATLAS CONSULTING" EOOD who are natural persons (including representatives of legal entities), as well as individuals employed under labor or civil law relationships with the company and job applicants.

II. Identification

  1. "ATLAS CONSULTING" EOOD, a sole-member limited liability company, is a Personal Data Controller with UIC 208229273.
    Registered Office/Management Address: 83 Samokovsko Shose St., Zheleznitsa, 1475 Sofia.
    Phone: +(359) 0882 971 799
    Email: info@atlascreditconsult.bg
    Correspondence Address: 83 Samokovsko Shose St., Zheleznitsa, 1475 Sofia.
  2. "ATLAS CONSULTING" EOOD is registered as a credit intermediary in the Register of Credit Intermediaries under Art. 51, Para. 1 of the Law on Mortgage Loans for Consumers (LMLC) by Registration Order BNB-128600/05.09.2025, issued by the Deputy Governor of the BNB heading the "Banking Supervision" Department, with Registration No. BCI000153.

III. Definitions

For the purposes of applicable legislation and this Policy:

  • "Regulation" – Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR).
  • "Personal Data" – Any information relating to an identified or identifiable natural person ("data subject").
  • "Processing" – Any operation performed on personal data, such as collection, recording, storage, adaptation, retrieval, use, disclosure, etc.
  • "Controller" – The entity (ATLAS CONSULTING EOOD) which determines the purposes and means of processing.
  • "Processor" – A person or entity that processes data on behalf of the Controller.
  • "Data Subject" – The natural person whose data is being processed.
  • "Client" – A natural person using the services of the company as a credit intermediary.
  • "Supervisory Authority" – The Commission for Personal Protection of Data (CPDP), Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

IV. Objectives and Scope

  1. The Manager of the company ensures compliance with EU law regarding the processing of data and protection of rights and freedoms.
  2. The company respects the privacy of individuals and strives to protect against unlawful processing.
  3. This policy informs individuals about the purposes of processing, recipients of data, and their rights under the GDPR and Bulgarian law.

V. Data Protection Principles

The company processes data based on: Lawfulness, Fairness, Transparency, Purpose Limitation, Data Minimization (Appropriateness), Proportionality, Accuracy, Storage Limitation, Integrity and Confidentiality, and Accountability.

VI. Purposes of Processing

  1. For the performance of a contract or pre-contractual relations: * Identity verification;
    Managing client requests and credit history analysis;
    Conducting credit assessments and preparing offers;
    Notifying clients regarding products/services.
  2. For compliance with legal obligations: * Law on Mortgage Loans for Consumers (LMLC);
    Accountancy Act and Tax-Insurance Procedure Code (TIPC);
    Reporting to the CPDP and Consumer Protection Commission.
  3. For legitimate purposes: * Individualizing services to client needs;
    Identifying representatives/suppliers for payments.
  4. For HR purposes: Regarding employees and job candidates.

VII. Consent

Processing for purposes beyond the above requires explicit consent, which the subject may withdraw at any time. Withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.

VIII. Information on Data Processing

  • Data provision is voluntary, but refusal may make service provision impossible.
  • The company uses Processors (e.g., representatives or external accounting firms) bound by confidentiality agreements.
  • The company does NOT collect or process sensitive data (race, religion, genetic/biometric data, sexual orientation) and does NOT use automated decision-making.
  • Categories of data processed: Physical identity (names, PIN/EGN, address), economic identity (income, employment, credit history, bank accounts), family identity.

IX. Data Storage

Data is stored in physical files (locked in the Data Protection Officer’s office) and electronic databases.

X. Protection Measures

  • Technical: Access control via magnetic cards/keys and video surveillance.
  • Documentary: Established procedures for access, destruction, and storage terms.
  • Personnel: Staff signed confidentiality agreements and received training.
  • Automated Systems: Password protection, firewalls, and regular backups.

XI. Retention Period

  1. Data is stored for 6 (six) years from:
    The date the client received a credit; OR
    The date the contract was terminated.
  2. The 6-year term includes the 5-year general statute of limitations under Bulgarian law plus 1 year for administrative review.
  3. Terms may be extended in case of pending court proceedings or legal requirements.

XII. Destruction of Data

Data is destroyed securely (shredding for paper; permanent deletion for electronic files) once the retention period expires or the purpose is fulfilled.

XIII. Data Security

The company ensures data is not disclosed to unauthorized third parties and is only accessible to those responsible for processing.

XIV. Disclosure of Data

Data may be disclosed to:

  • Banks or financial institutions (for credit mediation).
  • Accounting firms, debt collection entities (if applicable), and postal/courier services.

XV. Rights of Data Subjects

Subjects have the right to: Information, Access, Rectification, Erasure (Right to be Forgotten), Restriction of Processing, Data Portability, Objection, and the Right to be notified of security breaches. They also have the right to administrative or judicial appeal and compensation for damages.

XVI. Records of Processing Activities

The company maintains internal Registers of all processing activities as required by law.

XVII. Final Provisions

The company does not transfer data to other EU member states or third countries outside the EU. If this changes, subjects will be notified in advance. This Policy is effective as of 01.01.2026.

bottom of page