PERSONAL DATA PROTECTION POLICY OF BENEFIT SYSTEMS BULGARIA OOD
1. WHO ARE WE – INFORMATION ABOUT THE PERSONAL DATA CONTROLLER1.1. We are BENEFIT SYSTEMS BULGARIA OOD, registered in the Bulgarian Commercial Register under UIC 203418971, with seat and registered address in Sofia 1612, Krasno Selo District, 11–13 Yunak Street, floor 1 (hereinafter referred to as “Benefit Systems”, “We”, “Us”).
1.2. We take all necessary care and efforts to ensure that your personal data are processed in accordance with the requirements of the applicable legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation” or “GDPR”).
1.3. Benefit Systems considers the security of the data it processes a priority. We have developed the necessary policies and procedures in this regard. We provide training to our staff on personal data protection, confidentiality and data security. In addition, we regularly review the data security models for the data processed by Us.
1.4. In order to provide our services, We process certain personal data. The purpose of this Policy is to inform you about the scope of the data we process, the purposes and legal bases for processing, the retention periods, the persons to whom the data may be disclosed, and other information required by law.
2. CONTACT DETAILS OF BENEFIT SYSTEMS BULGARIA OOD
2.1. The contact details of Benefit Systems Bulgaria OOD are:
address: Bulgaria, Sofia 1612, 11–13 Yunak Street, floor 1;
e-mail: dpo@benefitsystems.bg;
telephone: 0800 123 92
3. What personal data do we process, why and on what legal basis? How do we collect the personal data we process
3.1. Personal data in connection with the issuance and use of MultiSport and MultiSport Kids cards
– this category includes all natural persons who use a MultiSport card, including a regular card, a trial card, as well as persons who use MultiSport Kids cards.
3.1.1. In order to issue a MultiSport card to a specific user, Benefit Systems collects the name and surname of the user, as well as the name of the client company which pays Benefit Systems the price for the use of the card under a contract concluded between Benefit Systems and the client company. We receive these data from the client company and these data are printed on the MultiSport card together with the unique number (barcode) of the MultiSport card. In the event that we have concluded a contract with you as the applicant for issuing a MultiSport card for your accompanying person, we collect these data from you. The data of persons who use a MultiSport card as an accompanying card are collected from the person who pays Us the price of the accompanying MultiSport card, namely the client company with which we have a contract, or from the person–user of a MultiSport card with whom we have a contract.
3.1.2. In order to issue a MultiSport Kids card, Benefit Systems needs to receive the name and surname of the child who will use the MultiSport Kids card, the consent of its parent/legal representative for the issuance of the MultiSport Kids card, and the month and year of birth. These data are necessary for Benefit Systems because different services included in the MultiSport Kids Programme may be used by children of different ages, and also for children’s safety reasons – so that the user of the MultiSport Kids card can be identified when visiting a sports facility. Adult parents who request a MultiSport Kids card for their child must also provide their own e-mail address if they wish to complete an online consent for the processing of the data of the MultiSport Kids card user requested by them.
3.1.3. If the contract for the provision of services under the MultiSport and MultiSport Kids programme between Benefit Systems and a client company/card user (if such a contract exists) provides for a fee for reissuing a card due to loss/theft/breakage/damage, Benefit Systems may store information on the number of cases in which a particular card has been reported lost/stolen/broken/damaged.
3.1.4. In order for a user of a MultiSport/MultiSport Kids card to use sports, recreation and other services included in the MultiSport or MultiSport Kids programme through their issued card, Benefit Systems processes information about the sports facilities visited, the dates of the visits and the services used by the respective user. This information is collected by Us through the staff of the visited sports facilities. This information is necessary for us to fulfil our financial obligations to the persons managing the sports/recreation centres included in the MultiSport/MultiSport Kids Programme and to verify whether the reported sports/recreation services have actually been used by a user of an active MultiSport/MultiSport Kids card.
Important! Benefit Systems does not share with client companies information about the visits to facilities, the dates of visits, or the services used by a specific card user, except in cases of established abuse of a specific card or violation of the Terms of Use of MultiSport or MultiSport Kids cards, and only if Benefit Systems decides to exercise its contractual right to block a specific MultiSport or MultiSport Kids card that has been misused.
3.1.5. All MultiSport and MultiSport Kids cards are personal – they are issued to specific natural persons in order to be used personally by them. In order for a card user to use sports, recreation and other services included in the MultiSport or MultiSport Kids program when visiting the respective facility, the user of a MultiSport or MultiSport Kids card must prove their identity by presenting a document issued by the competent state, municipal, educational or other institutions which contains a name, surname and photograph (for example: identity card, driving license, student card, public transport card, etc.). This is necessary in order to verify whether the person actually using the MultiSport/MultiSport Kids card in the respective facility is the person whose name is printed on the presented card.
Important! Benefit Systems does not require and does not need copies of identity documents. Therefore, if users of MultiSport/MultiSport Kids cards are asked to provide such copies of identity documents, they are entitled to refuse to provide them and we encourage them to contact Benefit Systems immediately to report such practices.
3.1.6. For the purposes of preventing, detecting and dealing with cases of abuse of MultiSport/MultiSport Kids cards (for example unauthorized use) or violations of the Terms of Use of MultiSport/MultiSport Kids cards (published on this website or described in the relevant agreements between Benefit Systems and client companies/persons who use cards on the basis of a direct contract with Benefit Systems), Benefit Systems may require card users to confirm their visits to a specific sports facility by signing a form available at that facility, or may internally analyze information on the activity of a specific MultiSport/MultiSport Kids card.
3.1.8. In order to process and respond to requests/enquiries/complaints submitted by users of MultiSport/MultiSport Kids cards, Benefit Systems may process the following personal data, depending on how contact with Benefit Systems has been made:
– name and surname of the MultiSport/MultiSport Kids card user, MultiSport/MultiSport Kids card number, name of the client company;
– their e-mail address (if communication is carried out by e-mail) or telephone number (when communication is carried out by telephone) or address (for requests/enquiries/complaints sent by post);
– the information contained in the request/enquiry/complaint;
– voice recording of incoming and outgoing calls with the call center or our employee.
3.1.9. In order to be able, where necessary, to defend its legal rights against claims by users of MultiSport/MultiSport Kids cards, client companies or facilities included in the MultiSport/MultiSport Kids Programs, Benefit Systems stores the collected personal data of MultiSport card users described above for a certain period, specified below in this Policy, after termination of the service contract between Benefit Systems and the respective client company, or the contract between Benefit Systems and the respective facility, or the contract between Benefit Systems and the respective card user (if such a contract exists).
3.1.10. In order to comply with the requirements of applicable tax, accounting or other legislation regarding the storage of documents for tax and social-security control purposes, Benefit Systems stores the collected personal data of card users described above for a certain period of time specified below in this Policy, after termination of the contract between Benefit Systems and the respective client company or the contract between Benefit Systems and the respective facility included in the MultiSport/MultiSport Kids Program, and/or the contract between Benefit Systems and the respective MultiSport card user (in the event of such a contract). The reason for this is that Benefit Systems collects and uses the personal data described above in order to fulfil its financial obligations to the persons managing the sports/recreation centers included in the MultiSport/MultiSport Kids Program and to settle its financial relations with the persons who pay Benefit Systems the price of the MultiSport/MultiSport Kids cards.
3.1.11. In order to inform users of MultiSport cards about the addition of new services or changes in the network of sports and other facilities included in the MultiSport/MultiSport Kids Program, or in the Terms of Use of MultiSport/MultiSport Kids cards, or other changes related to the MultiSport/MultiSport Kids program, Benefit Systems may process e-mail addresses of the contact persons specified in the contracts with client companies.
For the purpose of expanding the network of partners (i.e. adding more sports facilities), Benefit Systems may process aggregated statistical information regarding the sports facilities visited or the services used by card users.
3.1.13. The purpose of processing personal data by Us is not to create individual profiles, combine databases or carry out any kind of targeted advertising. We do not carry out automated decision-making without human involvement and we do not use automated systems to create individual profiles of persons using a MultiSport/MultiSport Kids card.
The cases in which information on the use of a specific MultiSport/MultiSport Kids card may be processed, and then only by a human (an employee of Benefit Systems), are: where there is suspicion of unauthorized use of a specific MultiSport/MultiSport Kids card for the purposes of verifying, detecting and dealing with the consequences of unauthorized use of a MultiSport/MultiSport Kids card, or for the purpose of adding new sports facilities to the MultiSport/MultiSport Kids program if Benefit Systems identifies increased interest in a particular service.
3.1.14. For the purpose of ensuring a high quality of service, including clarifying details of requests/enquiries/complaints submitted by users of MultiSport/MultiSport Kids cards, as well as with a view to monitoring and training the employees with whom users communicate, Benefit Systems may process voice calls made through the company’s telephone exchange.
3.1.15. If you have chosen to use a Digital MultiSport Card available through the My Multisport application, your personal data will also be processed. The Digital Card is a functionality representing a digital version of a personal MultiSport Card that allows you to use sports and entertainment services at the Sports Facilities. Specific information about the Digital Card and the data processed is contained in the data protection policy of the application, available there.
3.2. Personal data of representatives of counterparties and contact persons of counterparties
3.2.1. In order for Benefit Systems to conclude a contract with its counterparty – a legal entity, regardless of whether this is a partner (i.e. a person managing a sports, recreation or other centre), a client (employer company) or another counterparty, Benefit Systems processes (verifies and uses) information about the representative of the counterparty who will sign the contract. If the person signing the contract on behalf of the counterparty is an attorney, Benefit Systems will also collect and process the power of attorney as a document containing personal data. This information is necessary for Benefit Systems to verify whether the person signing the contract on behalf of the counterparty has valid representative powers. These data are collected directly from the counterparty or from publicly available sources – the Commercial Register, BULSTAT Register.
3.2.2. For the purpose of communicating with a counterparty of Benefit Systems, which is a legal entity, the contract with the counterparty usually includes contact details of a specific natural person (telephone number and/or e-mail address and/or name and surname). These data are provided or entered into the contract directly by the counterparty. These data are used where it is necessary to communicate with the contact person in connection with the conclusion, performance or termination of the contract with the counterparty, or where it is necessary to sign documents by electronic signature.
3.2.3. For the purpose of providing a high level of service in relation to requests, questions and proposals for amendments or supplements to the contract with the counterparty, resolving issues, obtaining information and assistance in relation to the service used and the MultiSport/MultiSport Kids cards, we may record outgoing and incoming telephone calls between our employees and the contact persons specified by the counterparty. Only calls made through the company’s telephone exchange are recorded.
3.2.4. In compliance with legal requirements regarding the data that must be entered in accounting documents or registers, data about the legal representatives of counterparties may be used and stored by Benefit Systems when issuing accounting documents, when recording accounting documents in accounting registers, when fulfilling obligations to store accounting documentation and information, and for the purposes of exercising the legal protection of Benefit Systems (where necessary).
3.3. Personal data of job applicants
In order to assess to what extent you are suitable for the respective position announced by “Benefit Systems Bulgaria” OOD for which you are applying, we collect certain personal data about you in accordance with our Policy on the processing of personal data of job applicants.
3.4. Personal data of persons who use the contact forms on the website or otherwise communicate with us
3.4.1. You may send us questions, requests and post comments in various ways – for example by filling in a contact form integrated on our website, as well as through our profiles and fan pages on social networks. In order to identify you and process your message and send you our response (if such is necessary), we process your identification data and contact details that are filled in when you send the message to Us.
3.4.2. Our processing of your personal data is separate and different from the processing of your data by the administrators of the respective social networks for the purposes and on the grounds determined by them.
3.4.3. Filling in a contact form, sending us or posting questions, enquiries and comments is entirely voluntary, at your initiative and with your consent. Your personal data, processed for the purposes of reviewing and providing feedback on received questions, enquiries and other statements and for the purposes of publishing your comments on our profiles and fan pages in social networks, will be stored by us for a period of 1 month after we have processed the statement addressed to Us.
3.4.4. In order to improve quality and prove the subject of the conversation, we may also record telephone calls initiated by our employee who communicates with potential counterparties using the contact details available in public registers when offering services with a view to concluding a contract with Benefit Systems. Only calls made through the company’s telephone exchange are recorded.
3.4.5. Personal data processed by us in connection with reports submitted under the Act on the Protection of Persons Submitting Reports or Publicly Disclosing Information on Violations
Benefit Systems processes in its whistleblowing channels under Act on the Protection of Persons Submitting Reports or Publicly Disclosing Information on Violations the following types of personal data: information identifying the whistleblower, such as full name, address, telephone number, e-mail address, capacity of the person submitting the report, information about a natural person referred to in the report as the person who committed the violation or with whom that person is associated, such as full name, place of work, position; information about violations that may make it possible to draw conclusions about a particular natural person.
3.4.6. Personal data processed by Cloudflare Turnstile
We use Cloudflare Turnstile, a service provided by Cloudflare, Inc., to protect our website from spam, abuse and malicious automated activity. Turnstile performs a non-interactive check to determine whether a given request is made by a human or an automated system.
To provide this security function, Cloudflare may process limited technical data, such as: IP address, device and browser information, request data (request headers), interaction and behavioral data necessary to distinguish legitimate traffic from automated traffic.
This data is processed solely for the purposes of security, fraud prevention and maintaining the integrity of the service.
Cloudflare acts as our data processor and the processing may involve the transfer of personal data outside the European Economic Area. Where such transfers are carried out, Cloudflare protects them through appropriate GDPR mechanisms, such as Standard Contractual Clauses (SCCs). For more information on how Cloudflare processes data, please refer to Cloudflare’s Privacy Policy.
3.5. Legal bases on which we process personal data
Benefit Systems processes the above data on the following legal bases:
3.5.1. the legitimate interests of Benefit Systems, as described above, namely:
• to provide the services under the contracts concluded with client companies in the manner described in the contracts, including to issue and deliver MultiSport and MultiSport Kids cards;
• to ensure that they can be used in the respective sports facilities;
• to fulfil its financial obligations to the persons managing the sports/recreation facilities;
• to detect, identify and remedy cases of abuse of MultiSport/MultiSport Kids cards (for example unauthorised use) or breaches of the Terms of Use of MultiSport/MultiSport Kids cards;
• to seek and include new sports facilities in the MultiSport or MultiSport Kids programme;
• to provide information about newly added sports facilities to its existing clients;
• to process call recordings of Benefit Systems employees or the call centre;
• when conducting marketing surveys involving our Clients;
• to collect and process contact data provided via a contact form on the Benefit Systems website, via a message on a social network, e-mail or by telephone;
• to process data to verify whether users of the website request legitimate access through the Cloudflare Turnstile solution;
• where necessary, to exercise its legal defense in the event of legal claims against Benefit Systems, as well as the legitimate interests of Benefit Systems when processing information about violations reported through the internal channels under Act on the Protection of Persons Submitting Reports or Publicly Disclosing Information on Violations.
3.5.2. compliance with obligations laid down in law, for example:
• Article 38 of the Tax and Social Insurance Procedure Code, Article 12 of the Accounting Act, etc. (e.g. obligations to store documentation for tax and social-insurance control);
• the Whistleblower Protection Act;
• the Personal Data Protection Act;
3.5.3. consent to the processing of personal data given by the parent of a user of a MultiSport Kids card;
3.5.4. performance of a contract to which the MultiSport card user is a party (if such a contract has been concluded); and for the conclusion of a contract with a counterparty that is a legal entity, regardless of whether it is a partner.
4. To whom can the personal data we process be disclosed and who processes personal data on our behalf
4.1. Provided that the disclosure of personal data is in accordance with the applicable data protection legislation, Benefit Systems discloses or may disclose, where necessary, the following personal data to the following persons:
– printing houses printing the cards – we usually use an external service provider to print MultiSport or MultiSport Kids cards, to whom we disclose only the data that need to be printed on the card – name and surname, name of the client company with which we have a contract for the provision of services under the MultiSport/MultiSport Kids programme, possibly the validity period of the card (if applicable) and the unique barcode printed on the card. The printing houses may also be provided with information about the office address to which the printed cards are to be delivered;
– our partners (sports and recreation facilities) – when registering a visit of a user of a MultiSport/MultiSport Kids card for using services in their facility, they record data in our system and in forms whose templates are provided by us. The data our partners are instructed to collect are only those described in the Terms of Use of MultiSport/MultiSport Kids cards. If partners wish to collect personal data other than those described in the Terms of Use of the card, they act as independent data controllers and must inform you about the processing of personal data by them as independent controllers;
– clients (employers that have concluded an agreement with Benefit Systems) – in the event of established abuse of MultiSport/MultiSport Kids cards or violation of the Terms of Use, breach of contract followed by blocking of a specific MultiSport/MultiSport Kids card, we will inform the client who pays us the price of the respective card. When exercising any of the rights described below as data subjects, it may be necessary to disclose to the client information about the exercise of those rights, if in order to comply with your rights we need to inform the client who pays us the price of the respective MultiSport/MultiSport Kids card. Where it is necessary to pay a fee for issuing a duplicate of a damaged/lost/stolen MultiSport/MultiSport Kids card, information about the number of losses/damages/reported thefts may be disclosed to the client company that pays Us the price of the card and the issuance of duplicates (if this is foreseen in the contract);
– providers of additional services offered within the MultiSport/MultiSport Kids program (for example, but not limited to, organizers of sports competitions or other events in which card users have expressed a wish to participate; in such cases only the data necessary for participation in the respective event are disclosed);
– companies that provide the information systems we use and their maintenance, including the terminals – barcode readers in the sports facilities included in the MultiSport and MultiSport Kids program;
– companies providing payment services – where payment needs to be made under a contract or by law;
– persons providing services related to the servicing of users of MultiSport/MultiSport Kids cards – for example, persons who answer questions from card users on the telephone line (call center). These persons do not have access to data related to the use of your card and can only check whether it is valid for the respective month or other basic information. If, in order to process your enquiry, We need to review your data related to the use of the MultiSport/MultiSport Kids card, the call center sends the enquiry to us and we process it internally, within our organization;
– companies providing Benefit Systems with legal, accounting, consultancy and audit services – where necessary, part of your data may be disclosed to our providers of accounting services for the purposes of recording the necessary information in our accounting registers or issuing accounting documents, or for the purposes of conducting a financial or other audit. Where Benefit Systems needs legal services, we may disclose your personal data to our providers of legal services;
– marketing research agencies – in order to improve our services and customer care, we sometimes seek feedback from our Clients by conducting satisfaction surveys or other questionnaires which we carry out no more than a few times per year by telephone calls or by e-mail to the contact persons indicated by the Client. When processing the results of these surveys, Benefit Systems processes the following personal data of the contact persons: basic data – name, business e-mail, data about the employer. Benefit Systems may assign the satisfaction survey or the conduct of the questionnaire to a marketing research agency;
– as Benefit Systems is part of the international Benefit Systems Group, your personal data may be disclosed to: Benefit Systems International S.A., with address: ul. Młynarska 8/12, 01–194 Warsaw, Poland, and Benefit Systems S.A., with address: Pl. Europejski 2, 00–844 Warsaw, Poland. The reasons for this may be: the provision of administrative, management or other services by a company within our group (for example, IT support for some of the software systems we use);
– where necessary – to competent state authorities when fulfilling legal obligations of Benefit Systems, for example to the National Revenue Agency for tax reporting purposes.
4.2. Benefit Systems does not transfer or otherwise process personal data outside the European Economic Area.
5. How long do we process personal data and why
5.1. All personal data are processed by Benefit Systems for a limited period of time. Depending on the purpose, Benefit Systems processes personal data as follows:
5.1.1. Personal data related to a specific MultiSport/MultiSport Kids card, including (first name, surname, e-mail, telephone number, year and month of birth for MultiSport Kids users), are stored for a period of 18 months after deactivation of the MultiSport/MultiSport Kids card.
5.1.2. Personal data processed for the purposes of issuing invoices and fulfilling our other legal obligations under tax, accounting and other legislation may be stored for the maximum statutory period of 10 years (or another period provided for by law) (Article 38 of the Tax and Social Insurance Procedure Code, Article 121 of the VAT Act, Article 12 of the Accounting Act).
5.1.3. Personal data contained in accounting documents or registers, as well as personal data related to payments from or to Benefit Systems, are stored for the period specified in the preceding point.
5.1.4. In the event of claims/allegations of breaches by card users, client companies and partners, personal data related to a specific MultiSport/MultiSport Kids card of the respective user are also stored until the expiry of the limitation period for those claims/allegations. In general, the maximum period is 5 years, which period is included in the period for storing tax or accounting information indicated in the preceding points.
5.1.5. Processing of contact details of contact persons specified in contracts with client companies of Benefit Systems for the purpose of sending current information on the facilities where MultiSport or MultiSport Kids cards can be used, changes to the Terms of Use of MultiSport or MultiSport Kids cards or other relevant information is discontinued upon termination of the service contract with the client company, when the client company changes its contact person, or when the data subject objects to the processing of personal data for these purposes.
5.1.6. Voice recordings of telephone calls are stored for up to 3 (three) months from their occurrence, and in the event of a complaint or dispute the recording of the call will be stored for the period necessary to finally resolve the dispute.
5.1.7. Data obtained in connection with a report received under Act on the Protection of Persons Submitting Reports or Publicly Disclosing Information on Violations are generally kept until the follow-up measures are completed. As a rule, data from the report are deleted 6 months after the proceedings have been finally closed, unless the initiation of further legal action requires them to be stored for a longer period (e.g. initiation of administrative, criminal or disciplinary proceedings). Personal data in connection with the report will be deleted by us immediately if we consider them unfounded. Reports concerning violations committed more than 2 (two) years ago will be deleted immediately.
6. What rights do the persons whose personal data we process (data subjects) have and how can these rights be exercised
6.1. Under the General Data Protection Regulation, the data subject has the following rights in relation to the processing of his/her personal data:
6.1.1. the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, where the processing of personal data is based on consent – this right may be exercised by contacting Benefit Systems using the contact details indicated above;
6.1.2. the right of access to personal data (i.e. to request information as to whether their personal data are being processed and to receive a copy of the data being processed, as well as information on the purpose of the processing, to whom they have been or will be disclosed – Article 15 of the General Data Protection Regulation);
6.1.3. the right to rectification of personal data (i.e. to request rectification of inaccurate personal data or completion of incomplete personal data – Article 16 of the General Data Protection Regulation);
6.1.4. the right to erase personal data (i.e. to request that personal data be erased under the conditions of Article 17 of the General Data Protection Regulation, including data for which there is no legal basis for processing or which have been unlawfully processed);
6.1.5. the right to restrict processing (i.e. to request that the personal data continue to be stored but not otherwise processed under the conditions of Article 18 of the General Data Protection Regulation);
6.1.6. the right to data portability (i.e. under the conditions of Article 20 of the General Data Protection Regulation to receive the personal data in a structured, commonly used and machine-readable format and to request that We transfer the personal data to another controller, where technically feasible and the other controller agrees to receive them);
6.1.7. the right to object to the processing of personal data for direct marketing purposes and the right to object to the processing of personal data for the purposes of the controller’s legitimate interests under the conditions of Article 21 of the General Data Protection Regulation;
6.1.8. the right to lodge a complaint with the Commission for Personal Data Protection (address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.) in case of violation of applicable personal data protection legislation.
The above rights may be exercised by means of a written request that complies with the requirements of the Personal Data Protection Act, sent to the contact details indicated above, and the right to lodge a complaint – by submitting it to the Commission for Personal Data Protection.
7. Changes to this Policy
7.1. We will review and update this Policy regularly in line with legislative changes and our efforts to improve the level of security of the personal data we process.
The latest version of this Policy is dated 21.11.2025.