Personal Data Protection


In accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and the Council /Regulation/ in force as of 25.05.2018 UniCredit Factoring EAD provides you hereby with information regarding the processing of personal data by UniCredit Factoring EAD. 


Data controller details

UniCredit Factoring EAD, UIC: 175211006 (The Company), with headquarters and management address in Sofia, 14 Gyueshevo str., is a controller of personal data and processes your personal data in a lawful, conscientious and transparent way.


Data Protection Officer

The Data Protection Officer of UniCredit Factoring EAD is Mr. Anton Todorov. Contact details:


7, Sveta Nedelya Sq., 1000, Sofia, Bulgaria

Purposes for the processing of personal data

The Company is a legal entity that, in order to provide you with quality service, processes personal information for the following purposes:

  • To acquire receivables under commercial contracts, loans and other forms of financing (factoring, forfeiting, etc.) and to manage its relationships with the clients. The Company processes personal data in:
  1. Receiving preliminary information that is required to conclude a factoring or other contracts
  2. Performing consulting services for the client
  3. Performing transactions for specific deals, economic movements and/or balance changes, with immediate or deferred execution (e.g. Issuing invoices and other accounting documents to clients)
  4. Conducting audits, assessments of customer relationship outcomes and trends, and the associated risks
  5. Processing of personal data, made to track specific services/ deals requested by the client
  6. Disputes (commercial, arbitration, court, in front of administrative organs, etc.) in relation to the activity of the Company.
  • To assess the reliability and timeliness of payments when financing (in the form of factoring or other)
  • Promoting and selling products and services, including through preliminary profiling. During profiling, information about preferences, habits, and consumer choices is analyzed in order to improve the quality of customer service and offer new products and services.
  • Conducting customer satisfaction surveys, marketing and market research for the activities of the Company and the other companies of UniCredit Group, through interviews, questionnaires and other information channels.
  • Selecting outsourcing service providers for the Company. During the selection process for a provider, information, which constitutes personal data, is processed in accordance with Regulation (EU) 2016/679.
  • Managing the Company’s relations with outsourcing service providers. Personal data of the provider’s representative or of the provider itself is processed in negotiating and administrating agreements, in cases of court or tax investigations as well as in commercial and legal disputes.
  • Managing anti-fraud activities. UniCredit Factoring processes personal data when it carries out activities related to fraud prevention, discovery, investigation and management of frauds.
  • Providing security for areas and facilities and ensuring access control. Processing information constituting personal data obtained from surveillance systems; while carrying out operations at offices of the Company as well as while managing and controlling visitor flows at entrances and exits, protected by an electronic control systems.
  • Protecting data, information, applications, systems and network security.

Grounds for Personal Data Processing

UniCredit Factoring EAD processes your personal data pursuant to art. 6, par.1, letter “b” from  Regulation (EU) 2016/679 when processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. In the cases when you take steps to enter into an agreement with UniCredit Factoring EAD and/or sign an agreement with the Company it is necessary to give information which constitutes personal data so that the Company can take the necessary steps to provide you with the product or service that you would like to receive as part of the agreement. If you do not provide your personal data, it would be impossible for the controller to provide you with the requested services, taking steps before entering into an agreement.

Your personal data is processed pursuant to art. 6, par.1, letter “f” of  Regulation (EU) 2016/679 for the purposes of the legitimate interests of UniCredit Factoring EAD in cases when the following is performed:

  • Anti-fraud actions
  • Security and access control
  • Audio and video surveillance, audio and video recording for the purposes of security, access control, anti-fraud actions, documenting communication
  • When providing data to third parties: When legal or contractual obligations of the controller are fulfilled or on the basis of other valid legal grounds
  • Observance and implementation of group policies, reporting, audit activities, credit risk assessment, in which cases the Company provides data to related parties and to the companies of UniCredit Group
  • Assessment and improvement of the customer services provided by Unicredit Factoring and the companies within UniCredit Group
  • And also for the purposes of marketing and market research and analysis

When the processing of your personal data for specific purposes is based on the legitimate interests of UniCredit Factoring EAD, including profiling, you can object to processing for specific purposes at any time.

Categories of personal data recipients

In accordance with the requirements of  Regulation (EU) 2016/679 UniCredit Factoring has the right to disclose personal data which it processes to the following categories of recipients:

  • Public authorities, institutions, establishments and auditors in cases when the Company has a legal obligation to provide the data. Personal data can be provided with the purpose of receiving preliminary information necessary for entering into an agreement and/or its performance.
  • To third parties, individuals, legal entities, public authorities, institutions, establishments, upon fulfillment of legal or contractual obligations or other valid legal grounds.
  • To subcontractors of the Company, in their capacity as processors. Processors carry out processing in accordance with an agreement entered into with the Company or another legal act in accordance with the controller. The Company utilizes only those processors which provide sufficient guarantees for the implementation of appropriate technical and organizational measures in compliance with Regulation (EU) 2016/679.
  • To entities related to the Company, including the companies within UniCredit Group when processing personal data for the purposes of the legitimate interests of UniCredit Factoring; upon implementation of group policies; to improve customer service quality within the companies of UniCredit Group.
  • For making inquiries and receiving information from state authorities, institutions, establishments and registers (for example the National Social Security Institute, Central Credit Register, Civil Registration and Administrative Service, Experian Bulgaria EAD, etc.) in order to evaluate your creditworthiness or for the purpose of receiving other types of preliminary information necessary for entering into an agreement at the request of the individual.

Transfers of personal data to a third country or an international organization

If a necessity arises for UniCredit Factoring EAD to provide third countries or    international organizations with personal data which it has processed, the provisions of Regulation (EU) 2016/679 shall be complied with, including in the case of any possible transfer of personal data by the third country or international organization to another third country or organization.

Retention Periods

Unicredit Factoring EAD processes personal data under the terms stipulated in the effective legislation in the country and by regulatory supervisory authorities. After the expiry of legal/regulatory terms, the Company will delete your personal data. Personal data with regard to which there is no explicit legislative/supervisory obligation to be stored shall be deleted after the purpose for which it was collected and processed has been achieved.

Exercising rights under Regulation (EU) 2016/679

In addition to the provided information UniCredit Factoring EAD provides the following information regarding your rights as personal data subjects which you can exercise in compliance with the provisions of Regulation (EU) 2016/679:

The right to demand access from the controller to your personal data pursuant to art.15 of the Regulation.

The right to request from the controller rectification of your personal data pursuant to art.16 of the Regulation.

The right to request erasure of your personal data (‘right to be forgotten’) pursuant to art.17 of the Regulation in cases where:

  • There are no legal or contractual grounds for such processing
  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • The data subject withdraws his/her explicit consent in cases where personal data is processed only on the grounds that the data subject has given his/her explicit consent
  • In other cases stipulated in Regulation (EU) 2016/679


The right to ask for restriction of processing pursuant to art. 18 of the Regulation.

The right to object to the processing of personal data pursuant to art. 21 of the Regulation

The right to portability of personal data concerning you, which you have provided to the controller under the provisions of art. 20 of the Regulation.

The right to lodge a complaint with the Commission for Personal Data Protection.

UniCredit Factoring EAD provides you with an opportunity to exercise your rights under the Regulation in a clear and accessible way. For your convenience we provide you with a sample Request for Exercising Rights under Regulation (EU) 2016/679.

In case you would like to submit of your request/application to UniCredit Factoring EAD in free wording, it is necessary to give specific mandatory details in your request/application so that you can be identified in a timely and due fashion. With the purpose of your timely and due identification and in order to prevent any unlawful use of your personal data available in requests submitted by third parties acting in bad faith, we recommend that you use a specific set of details when submitting your request to the Company:

  • Your full name
  • Your Personal Number or Foreigner's Personal Number
  • Date and place of birth (if you are not a citizen of the Republic of Bulgaria)
  • The number of your ID card, date of issue, issuing body, expiry date
  • Permanent address/mailing address if different from the permanent address
  • Email address if you wish reception of response on your email address
  • Phone number if you would like us to contact you
  • In what capacity would you like to exercise your rights under Regulation (EU) 2016/679, for example supplier, employee/former employee, legal representative/beneficiary owner/proxy/ legal entity related to the company, BULSTAT/ UIC/ foreign reg. number; another quality-person, using electronic platform of the Company E-Factoring and others
  • Description of the request/application sent to the controller
  • Preferred manner of receiving a response from the controller: to the email address you have included in your request; at a mailing address; at the Company address

If the details are not complete and/or false, we may be unable to satisfy part of/the whole of your request.

We are constantly striving to improve the way in which you are serviced. In this respect, with the purpose of greater transparency and awareness we provide you with the following options for submitting a request under Regulation (EU) 2016/679:

  • In the office of the Company
  • Electronically to Qfstpobmebub/GbdupsjohAVojDsfejuHspvq/CH  by sending e-mail and letter signed in accordance with the Electronic Document and Electronic Certification Act

When submitting your request we recommend that you specify the means thereby you would like to receive the response to your request:

  • In the office of the Company
  • Electronically- by e-mail
  • At your permanent address or at a mailing address

The country’s Competent Supervisory Authority responsible for any matters relating to personal data you can contact in case of a dispute or disagreement considering the processing of your personal information is the Commission for Personal Data Protection.