1. General Information

EMAG INTERNATIONAL OOD, with its registered office at Sofia 1750, Mladost I region, 40, Tsarigradsko shose Blvd., Europark, floor 6, registered with the Trade Registry under No. 203187055 (“eMAG” and/or “the Company”) is a personal data controller for the processing of your personal data described below.

This Privacy Policy applies to the processing of personal data of sellers’ representatives (“Seller”) in the context of the sale of products and/or services through the eMAG Marketplace platform (“eMAG Marketplace” and/or “Platform”).

eMAG reserves the right to modify this Privacy Policy, for example, to comply with legal requirements or to meet its business needs. If eMAG decides it is appropriate or required to notify you of these changes, it will inform you via a pop-up notification, email, or a notice of changes on the website. Subsequent access to the Platform after the date indicated as the latest version constitutes the Data Subject’s express acceptance of the latest version.

For the purposes of this Privacy Policy, capitalized terms shall have the meanings assigned to them by the applicable data protection legislation, and related terms shall be interpreted accordingly, particularly the terms “Personal Data,” “Processing,” “Controller,” “Data Processor” and “Data Subject.”

“Data Protection Legislation” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and any data protection laws in Bulgaria, as well as any acts or secondary legislation adopted at the European Union level to supplement or elaborate on the provisions of the GDPR (such as the Guidelines of the European Data Protection Board), applicable to the processing of data by Sellers’ representatives in the context of the sale of products and/or services through the Platform.

We take your privacy rights seriously. Your personal data will be treated securely and confidentially and only as described below.

2. Purposes of Processing Your Personal Data

eMAG will process your personal data for the following purposes:

2.a  To provide eMAG Marketplace services for the benefit of the company you represent

This general purpose includes activities such as:

• Creating and managing your account on the eMAG Marketplace — a process that involves providing your personal data as a representative of the legal entity, a potential Seller; Additionally, this processing activity may also involve verifying compliance with the eligibility criteria to become a Seller on the eMAG Platform, as well as performing cross-checks to verify the information you provide in this process (for example, we may verify whether you are listed as the company’s legal representative, we may verify whether there is another Seller account on the Platform based on the contact information provided, we may verify whether you have been previously suspended or had a restriction measure applied, we may request additional information, etc.). Please note that eMAG has no obligation or responsibility regarding the verification of the information you provide and/or its accuracy. It is your responsibility to provide accurate information and keep it up to date.
• Performing operations related to the processing, validation, and billing of online orders placed by buyers on the Platform.
• Resolving cancellations or issues of any kind related to an order, the goods and/or services sold or offered for sale, and keeping you informed.
• Resolving any tickets, messages, or complaints that you, as a Seller representative, submit regarding the Platform and informing you.
• Sending information regarding the contractual relationship between eMAG and you, as a Seller representative registered on the eMAG Marketplace Platform.
• Making all payments and settlements arising from the use of the Platform and from the contractual framework concluded between the Seller and eMAG; In this context, your personal data may be processed for the purpose of making all payments/collecting commissions and any other financial, accounting, or banking operation arising from the applicable contractual framework (where applicable).

The processing of your personal data for this purpose is, in most cases, necessary for the conclusion and performance of a contract between eMAG and the company you represent and/or to take steps prior to entering into the contract, as well as for eMAG to comply with specific legal obligations. Furthermore, the processing may also be based on our legitimate interest in ensuring that Sellers operating on the Platform meet the eligibility criteria set forth in the eMAG contractual framework, as well as our legitimate interest in defending ourselves in court in the event of any disputes, through actions to establish, exercise, or defend a right (for example, the situation where we wish to prove that we have resolved a request from you or that we have fulfilled our contractual obligations or the legal obligations imposed by regulations governing online intermediation services / marketplaces, such as Regulation 2019/1150 on promoting fairness and transparency for businesses using online intermediation services).

2.b  Verification of the identity of sellers’ representatives

To eliminate any suspicion of fraud and to limit and prevent potential fraud attempts, eMAG may, where necessary, implement a procedure to verify the identity of the beneficial owners / representatives of sellers / potential sellers on the eMAG Marketplace platform, which may involve validating the identity of the person in question via a video call with authorized representatives from eMAG departments. Additionally, eMAG conducts checks regarding the identification of customers and business partners in relation to money laundering.

In this regard, we inform you that eMAG carries out, based on legitimate interest, verification activities regarding the identification of customers and business partners, which involve verifying documents, including the data recorded in the ID card, as well as verifying additional independent information, where applicable. Please note that these activities may also be carried out in conjunction with partners authorized to conduct such activities in the field of anti-money laundering/identity verification, such as MIH PayU B.V.

These processing activities are carried out based on eMAG’s legitimate interest, justified by the need to prevent fraud, to defend eMAG’s rights and interests in court by enabling it to bring legal action against Sellers whose true identity is known, as well as the interest in conducting Marketplace activities alongside legitimate businesses, and in protecting eMAG from potential reputational risks that could arise if goods and/or services were offered on the Platform by non-existent legal entities and/or those with a history of fraud. Last but not least, eMAG’s legitimate interest in complying with applicable legal requirements also applies (whenever legal requirements do not mandate the direct processing of Personal Data, but achieving the objective involves the processing of your Personal Data, for example regarding regulations on know-your-customer, money laundering, and/or cybersecurity).

Additionally, these Processing activities are also carried out based on the legitimate interest of third parties such as end customers, regarding their interest in purchasing goods and/or services from legitimate and bona fide companies, and of legitimate companies that could be victims of fraud, as well as those that are already eMAG Marketplace partners, regarding the potential reputational risks that may arise as a result of customers associating their image with malicious individuals.

In this regard, eMAG informs data subjects through this Privacy Policy, which is made available to you on the Platform, as well as at the beginning and throughout the enrollment process. Furthermore, eMAG processes only those Data that are strictly necessary for the aforementioned purpose (verification and identification of the Potential Seller’s/Seller’s representative, e.g., verification of data from the copy of the ID card, checks on suspicious transactions or operations, matching the image from the ID document with the image of the interlocutor — photo/video call, etc.). Additionally, eMAG has implemented appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of Personal Data.

2.c  To improve our services

We are constantly striving to provide sellers with the best possible experience on the eMAG Marketplace, and we take steps to ensure that the Platform’s features meet your expectations and to improve existing ones. To this end, we may collect and use certain information regarding your behavior on the Platform, invite you to complete satisfaction surveys, or conduct market studies and research, either directly or through partners.

Depending on the type of activity performed, processing may be based on your consent or on our legitimate interest in conducting business activities, always ensuring that your fundamental rights and freedoms are not affected.

2.d  For marketing activities

For this purpose, eMAG may process your Personal Data to send you personalized messages via email, SMS, push notifications, or web push notifications, or to contact you by phone, in order to provide you with information regarding various promotional campaigns in which you can participate as a Seller, potential partnerships, or promotions.

Regarding the legal grounds, as a general rule, we base our marketing communications on your prior consent. In this regard, please note that you can provide your consent by taking unambiguous actions such as signing up for a specific campaign, accepting by checking the relevant box, or performing specific actions clearly identified as such (for example, to sign up, you must add certain products to the indicated campaign).

In most cases, we base our marketing communications on your prior consent. You may change your mind and withdraw your consent at any time by:

• Changing the settings in your Seller account under the “My Subscriptions” section.
• Clicking the unsubscribe link displayed in the messages you receive from us.
• Contacting eMAG using the contact details listed below in the “7” section.

Please note that certain methods of withdrawing consent may not be available for all types of communication; for example, the unsubscribe link will not be included in push notifications.

Furthermore, particularly if you are already a Seller on the Platform, we may also base our marketing-related processing on our legitimate interest in promoting and developing our business, for the purpose of sending commercial communications regarding similar products or services that eMAG offers to Sellers. In this regard, you may object at any time to the processing of your Data for marketing purposes (both at the time of Data collection and subsequently, through the means described above). If you object, eMAG will implement your objection as soon as technically possible and, in any case, within the timeframe established by law, without requesting additional explanations or reasons related to your particular situation.

Please note that withdrawing your consent or exercising your right to object to receiving commercial communications does not affect administrative or transactional communications, which you will continue to receive (for example, communications regarding orders, invoices, products you have viewed on the Platform, tickets you have opened, complaints, notifications regarding activities in your account, etc.).

2.e  To resolve any requests or complaints from eMAG Platform customers

We may process your personal data to resolve requests, complaints, inquiries, or any other reports made by Platform customers regarding various aspects such as: products and/or services sold and/or offered for sale by the Seller, Platform features, and eMAG services. In these cases, the processing of your Data will generally be carried out pursuant to the performance of the contract between the Seller and eMAG, but certain processing activities may be based on eMAG’s legitimate interest in fulfilling its obligations as a marketplace and in demonstrating the actions eMAG takes in this capacity, as well as in establishing, exercising, or defending a right.

2.f  To comply with specific legal and regulatory requirements, detect fraud, resolve any disputes or litigation, and protect eMAG’s legitimate interests

We may process your Personal Data to comply with requirements set forth in both national and European legislation, as well as to protect ourselves against fraud, to protect the interests of other Platform users, such as other Sellers, customers, or service providers, as well as our partners; to defend our rights and/or property in the context of potential or existing disputes; to comply with our obligation to provide information and cooperate in the event of investigations, inspections, or audits, and to ensure your compliance with the contractual framework (including the eMAG Marketplace Terms and Conditions), which governs how the Platform may be used by sellers.

Please note that this purpose also involves establishing technical parameters and processing measures to prevent and detect any risks related to unauthorized or improper access to the Platform, as well as any risks related to the security of systems and/or accounts. Additionally, to fulfill this purpose, eMAG may disclose Personal Data to third parties such as courts, debt collection agencies, authorities, or attorneys, or may disclose data to comply with a legal obligation to respond to requests from these third parties.

This purpose may be based on the legal basis of eMAG’s compliance with specific legal and regulatory obligations, as well as eMAG’s legitimate interest in implementing the legal requirements applicable to it, as well as to protect against fraud and resolve any disputes or litigation, and to defend its rights and interests. In this regard, there may be situations in which we will use or disclose information to protect our rights and business operations. These may include:

• Measures to protect the website, network security, software, and users of the eMAG Marketplace platform against cyberattacks.
• Measures to prevent and detect attempted fraud, including the reporting of information to the competent authorities.
• Measures to manage various other risks.

The general basis for these types of processing is our legitimate interest in protecting our business and complying with applicable obligations, ensuring that all measures we take strike a balance between our interests and your fundamental rights and freedoms.

2.g  For the recording of interactions between you as the Seller’s representative and eMAG representatives

Given the existing contractual framework between the Seller and eMAG as well as applicable regulations, eMAG, as a provider of online intermediary services, documents and records interactions with you in order to demonstrate compliance with its own contractual and legal obligations. Thus, based on the legitimate interest regarding the ability to establish, exercise, or defend a right of eMAG related to the fulfillment of its obligations as a marketplace and the ability to prove the actions taken in this capacity, as well as for the purpose of providing evidence of the requests/modifications/agreements/options expressed by you, interactions and telephone conversations, as well as any data you provide in this context, will be documented and recorded by eMAG.

Therefore, please be aware that when you interact by phone with eMAG representatives, these telephone conversations will be recorded to demonstrate eMAG’s fulfillment of its obligation to respond to Sellers under the terms of the contract and to demonstrate your consent regarding various aspects of the contractual relationship (for example, the fact that you requested us to modify certain information regarding the products you offer, that you requested us to cancel an order, to perform certain operations related to an invoice, etc.).

In addition, the interactions documented and/or recorded in this manner may be used to analyze the quality of our services and the level of satisfaction among Sellers, with a view to improving them (for example, if you file a complaint regarding the quality of our call center service, the call may be listened to in order to evaluate how the operator responded to your requests).

Given that your interactions with eMAG are in your capacity as a representative of a legal entity, a contractual partner of eMAG, your acknowledgment of this processing activity is deemed sufficient through this Privacy Policy, together with the applicable Terms and Conditions, which mention the possibility of fulfilling contractual obligations via tickets, chatbots, calls, etc. Regarding eMAG contacting you via telephone call and recording it, given that this activity involves the processing of your voice, you may object to this processing, and eMAG will comply with your objection without requesting the reason related to your particular situation on which you are basing your objection. In this regard, you may exercise your right to object at any time, upon the conclusion of the contractual relationship, during the call, as well as subsequently by submitting a request to the contact details listed in the “7” section of this Privacy Policy. In this case, the effective resolution of your requests, inquiries, and complaints will not be affected in any way, but the resolution time may be longer.

3. Categories of Personal Data Processed by eMAG

To fulfill the purposes mentioned in the “2” section above, eMAG processes your Personal Data as a representative of the Seller, which directly identifies you or makes you identifiable. However, please note that the data listed below constitutes Personal Data, processed in accordance with this Privacy Policy and governed by Data Protection Law, exclusively when such data relates to you, the Seller’s representative, as a natural person; whereas, when the data pertains to a legal entity, it does not constitute Personal Data and is not subject to this Privacy Policy (for example, the company’s phone number, tax identification number, company IBAN, billing information, etc.). Thus, eMAG processes:

3.1 Identification data — such as first name, last name, and the information listed on the identity document. Please note that the processing of Personal Data contained in your ID card is carried out for the purpose of verifying your identity as well as for the purpose of preventing and addressing identity fraud by eMAG, in line with the purposes described in sections 2.a, 2.b, and 2.f. Additionally, this category includes Personal Data provided during the representative’s identity verification process, such as an image, voice, or other Personal Data voluntarily provided during this process.

3.2 Contact information — such as phone number and email address. This information may be processed for any of the purposes mentioned above. In particular, this Data will be used to contact you, to communicate eMAG’s solution or decision regarding any of your requests, to resolve any issues related to the products and/or services offered on the Platform, as well as to allow the Platform’s customers to contact you when necessary (for example, regarding an order).

3.3 Account data — such as username, email address, phone number, and password, which are required to create your account and allow you to access it.

3.4 Technical Data — When you access the eMAG Marketplace, our servers automatically create records of your visit. These records typically include your IP address, the number of visits, the type of browser you are using, the date and time of your activity, your selected preferences, the operating system you are using, your cookie settings, location data, and logs. This Data is processed primarily to provide you with access to the Platform but may also be used by eMAG for purposes such as generating management and statistical reports, detecting and preventing fraud attempts, and improving the quality of the services offered.

3.5 Financial data — such as debit/credit card information, billing, and payment data.

3.6 Data regarding the contractual relationship, interactions, and phone calls — such as notes or recordings of a phone call with eMAG representatives, your voice (without performing any identification-related processing in connection with this), live chat/email correspondence, details regarding requests, complaints, questions, and reports related to the contractual relationship between you and eMAG, your requests to exercise your rights, and any other records or data you choose to provide in your interactions with us, regardless of the medium (notes, recordings, etc.).

3.7 Other Personal Data processed occasionally — to resolve or prevent various situations related to the provision of the service (for example, your position within the company, other Personal Data you provide during the registration process on the Platform or during phone calls with eMAG operators, any photos uploaded to the Platform by you, details of interactions with the dedicated call center, etc.).

Please note that providing certain Personal Data may be required for your registration on the Platform and for the conclusion and/or performance of the contract between eMAG and the Seller. eMAG will notify you of such situations (including through the use of symbols/warnings in the interfaces regarding the requirement to provide certain data), and your refusal to provide us with this data will result in the inability to create or maintain a Seller account on the eMAG Marketplace Platform.

4. Access to Your Personal Data, Recipients of Your Personal Data and General Rules Regarding Retention Periods

Within eMAG, your Personal Data may be accessed by eMAG employees involved in activities related to the contract concluded between eMAG and the company of which you are an employee or representative.

Additionally, to provide services through the eMAG Marketplace, we share your Personal Data with Recipients such as those listed below:

eMAG platform customers

Given the specific nature of eMAG Marketplace, namely the provision of an online intermediation service, certain Personal Data may be made available to customers for the purpose of executing contracts (for example, between the Seller and eMAG, between the Seller and the customer, between the customer and eMAG) and all operations related to these contracts.

Third-party providers of support and/or auxiliary services, such as:

• Electronic communication services (e.g., email, SMS, etc.).
• IT services (e.g., maintenance, support, development, cloud).
• Audit services.
• Legal, notary, debt collection agency, or other consulting services.
• Physical and/or electronic archiving services.
• Courier services.
• Customer support services such as CRM software or call center service providers.
• Identity verification and payment processing services.

Marketing and/or communication service providers, such as:

• Marketing agencies.
• Market research, survey, and market analysis agencies.
• Communication and PR agencies.
• Partners specializing in organizing lotteries and contests.

Law enforcement, regulatory, and other authorities

We may disclose your personal data to law enforcement, regulatory, government agencies, and other relevant third parties to comply with any legal or regulatory requirements.

Affiliates

eMAG may disclose your Personal Data to its affiliates if necessary for investment-related operations, due diligence, changes in ownership, changes in corporate structure, and similar matters. Additionally, if you choose to benefit from or participate in certain services, campaigns, or partnerships involving multiple companies within the eMAG group, your Personal Data may be disclosed to them for the purposes communicated to you at the time of such actions.

Mergers and Acquisitions

If our business or assets (or a portion thereof) are reorganized, sold, transferred, or merged with another business, your personal data will be disclosed and transferred to the new owners of the business. In such situations, we will take all measures required by law (including notifying you, where applicable and in accordance with the law).

Retention Period for Your Personal Data

eMAG will retain your Personal Data for as long as is reasonably necessary for the purpose stated in this Privacy Policy or pursuant to applicable legal obligations.

As a general rule, we will store your Personal Data for as long as you have an account on the eMAG Marketplace Platform. If you request the deletion of your Seller account on the eMAG Marketplace, eMAG may continue to process certain Personal Data about you pursuant to its legal obligations as well as pursuant to its legitimate interest in defending against fraud or in the event of disputes. Thus, eMAG may retain certain personal data even after the account is closed or the contractual relationship is terminated, when required by applicable law (for tax and accounting purposes, for example) or by our legitimate interests or those of our customers/partners. Subsequently, we will remove/delete your personal data from our systems and records and/or take measures to anonymize it, so that you, as a Seller representative, can no longer be identified.

If you would like additional information regarding the applicable retention periods, please contact us using any of the contact details listed in the section 7.

5. Your Rights as a Data Subject

You have several rights regarding your Personal Data. You may request access to your Data, request the correction of any errors on the eMAG Marketplace Platform, and/or object to the Processing of your Personal Data. You may also exercise your right to file a complaint with the competent supervisory authority or to seek legal recourse. More information about each of these rights can be found in the table below.

To exercise your rights, you may contact us at the address listed below in the “7” section. Please note the following preliminary points:

Identity. To verify the ownership of the data, account ownership, the legitimacy of the request, etc., we reserve the right to verify your identity when you submit a request regarding your Personal Data.

Fees. We will not charge a fee for you to exercise any right regarding your Personal Data, unless your request is unfounded, repetitive, or excessive, in which case we will charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the requested action. We will inform you of any applicable fees before processing your request.

Timeframes and Additional Details. We aim to respond to any valid requests without undue delay and in all cases within one month of receiving your request. However, given the complexity of the request and/or the large number of requests during a certain period, we may extend the response period up to 3 (three) months from receipt of your request(s), and we will notify you accordingly of such an extension. Additionally, there may be situations in which, to ensure we interpret your request correctly or to expedite the processing of your request, we will ask you for details regarding your request (for example, what data or information you wish to receive or what specifically concerns you).

Third-party rights. We are not required to comply with a request if it would adversely affect the rights and freedoms of other data subjects.

Possible “Self-service” mechanisms. The exercise of certain rights may be facilitated by eMAG through the implementation of self-service mechanisms, i.e., mechanisms that allow you to exercise these rights by using existing features on the Platform. In such cases, eMAG will inform you of these mechanisms and provide details regarding how they work and the effects of using them.