🔐 Privacy Declaration

Protection of Your Personal Information
Last updated: 01.03.2026

📑 Table of Contents

1 Introduction

This Privacy Declaration applies to the services provided by "MODUL" EOOD and the use of the website www.toprentacar.bg, as well as all websites, domains, applications and products owned by the company.

As a registered personal data operator with the Commission for Personal Data Protection (CPDP), our main goal is to ensure the protection of information voluntarily provided by you through practices that exceed minimum legal requirements.

2 Information We Collect

Information we collect:

Personal information when renting a car

physical identity (names, ID/Passport number, validity date, issuing country, date of birth, full and exact address, contact phone, email), scanned copy or photo of driver's license and partial information about the credit card data used for the service deposit.

Processing is necessary for the performance of a contract to which the data subject is a party, as well as for actions preceding the conclusion of a contract. The need to collect personal information is also imposed by the fact that, under certain circumstances, state authorities have legal grounds to request personal information for identification.

Information when using website and subscriptions

Personal information provided by you when using our website and subscribing to services – names, date of birth, email. Examples of these services are email campaigns or events. Providing this data is voluntary, but some of our services are not accessible if you do not provide this information.

Aggregated Data

This data is generated by our system while monitoring website traffic. This information does not identify you and is not connected in any way to the personal information you may have provided.

3 Sharing with Third Parties

Sharing information with third parties:

  • Personal data is provided to third parties only after receiving written consent from the person to whom the data relates.
  • Without the person's consent, personal data may be provided to third parties in cases where we are obliged to provide information to state authorities that have legal grounds to request this information.
  • Aggregated data is not shared with third parties such as advertisers and business partners.

4 Use of Information

What is the provided personal information used for:

We collect information that helps us offer you the best possible and personalized service, as well as information we are legally required to collect under Bulgarian legislation.

Your personal information may be stored and processed for the following purposes:

  • To reserve a vehicle – in office, by phone or online.
  • To provide you with the "car rental" service, upon conclusion of a rental agreement.
  • To process transactions you may make in connection with car rental.
  • In cases where we are obliged to provide information to state institutions.
  • To offer you information that best matches you and your interests.
  • For conducting marketing campaigns, promotions and market research.

5 Cookies

Cookies:

The website, online services, interactive applications, electronic messages and advertisements of Modul EOOD may use cookies and other technologies such as pixel tags. These technologies help us better understand user behavior, understand which parts of our website they have visited, and facilitate and measure the effectiveness of advertisements and internet searches.

Information collected from cookies and other technologies is considered non-personal information. However, since local laws consider internet protocol (IP) addresses or other similar identifiers as personal information, we also consider these identifiers as personal information. Similarly, when non-personal information is combined with personal information, for the purposes of this Privacy Policy we treat the combined information as personal.

If you want to disable cookies, ask your provider to find out how to do this. Please note that you will not be able to use certain features of the Modul EOOD website after disabling cookies.

Like most websites, we automatically collect certain information and store it in log files. This information includes internet protocol (IP) addresses, browser type and language, internet service provider (ISP), referring and exit pages, operating system, date/time stamp, and clickstream data.

We use this information to understand and analyze trends, to administer the site, to learn more about user behavior on the site, and to gather demographic information about our user base as a whole. Modul EOOD may use this data in its marketing and advertising services.

6 Data Retention Period

Personal data retention period:

The retention period for provided personal information is 4 years and 6 months, justified by Art. 82, para. 4 of the Administrative Violations and Penalties Act and Art. 80 and 81 of the Criminal Code in connection with Art. 189 of the Road Traffic Act. After this period expires, the information is automatically deleted.

7 Right of Access

Right of access to information:

Every customer has the right at any time during processing to request information about the personal data collected and processed, as well as to request blocking or destruction (deletion) of personal data collected about them.

Deletion of personal data can be done by filling out a form. If deletion contradicts legal or contractual storage obligations or other reasons regulated by law, instead of deletion only blocking of the data will be performed, and the Client will be sent a reasoned refusal.

For more information, you can contact us at customer.service@toprentacar.bg

8 Whistleblowing Reports

Internal reporting under the law on protection of persons reporting or publicly disclosing information about violations

PROCEDURE FOR SUBMITTING REPORTS THROUGH THE INTERNAL CHANNEL

The report is submitted to the employee responsible for reviewing reports, in writing, including by email, or orally. Oral submission of a report can be made by phone, through other voice messaging systems, or at the request of the reporting person - through a personal meeting within a suitable timeframe agreed between the parties.

For registration of reports, forms according to a template approved by the national authority for external reporting are used, which contain at least the following: three names, address and phone of the submitter, as well as an email address, if any;

  • the names of the person against whom the report is filed and their workplace, if the report is filed against specific persons and they are known;
  • specific data about a violation or a real danger of such being committed, place and period of commission of the violation, if such has been committed, description of the act or circumstances and other circumstances, insofar as such are known to the reporting person;
  • date of submission of the report;
  • signature, electronic signature or other identification of the submitter. The written report is submitted by the submitter by filling out a form according to a template, which is stored and provided by the employee responsible for reviewing reports. The oral report is documented by filling out a form by the employee responsible for reviewing reports, who offers the person submitting the report to sign it if they wish. Any kind of sources of information supporting the statements made in the report and/or reference to documents may be attached to the report, including indicating data for persons who could confirm the reported data or provide additional information
  • if the report does not meet the requirements of para. 1, a message is sent to the reporting person to correct the detected irregularities within 7 days of receiving the report. If the irregularities are not corrected within this period, the report together with its attachments is returned to the reporting person
  • each report is checked for its credibility. Reports that do not fall within the scope of the law and whose content does not provide grounds to be considered plausible are not considered. Reports that contain obviously false or misleading statements of fact are returned with an indication to the submitter to correct the statements and for the responsibility they bear for false accusation

A sample Form for registering a report for submitting information about violations under the Law on Protection of Persons Reporting or Publicly Disclosing Information about Violations can be found upon request from the employee responsible for receiving reports, as well as on the website of the Commission for Personal Data Protection: https://www.cpdp.bg

WORKING WITH REPORTS AND INTERNAL INVESTIGATION

Employees responsible for reviewing reports are obliged to:

  1. receive reports and confirm receipt within 7 days of receiving them;
  2. ensure that the identity of the reporting person and any other person mentioned in the report will be duly protected and take necessary measures to limit access to the report by unauthorized persons;
  3. maintain contact with the reporting person, requesting additional information from them and from third parties if necessary;
  4. provide feedback to the report submitter about the actions taken within no more than three months after confirming receipt of the report;
  5. document oral reports;
  6. maintain a register of submitted reports;
  7. hear the person against whom the report was filed, or accept their written explanations and collect and evaluate the evidence they indicate;
  8. provide the affected person with all collected evidence and give them the opportunity to object to them within 7 days, while respecting the protection of the reporting person;
  9. provide the affected person with the opportunity to present and indicate new evidence to be collected during the investigation;
    • organize follow-up actions in connection with the report, for which purpose they may request the assistance of other persons or units within the structure of the respective obliged entity;
    • propose to the management of the enterprise/employer to take specific measures to stop or prevent the violation in cases where such has been detected or there is a real danger of its imminent commission;
    • direct the reporting person to the competent authorities when their rights are affected;
    • forward the report to the external reporting authority when action on their part is necessary, with the reporting person being notified in advance of the forwarding; in case the report is filed against the employer of the reporting person, the employee responsible for reviewing the report directs the person to simultaneously report to the external reporting authority.

In case of a submitted report, the employee responsible for reviewing reports should obtain a Unique Identification Code (UIC), which should be used by them for registering submitted reports to obliged entities.

To obtain the UIC, the employee responsible for reviewing the report will need to provide the following information:

  1. Name and UIC/BULSTAT of the employer where the report was filed;
  2. Identification data of the employee responsible for reviewing the report;
  3. Subject of the report /the relevant areas provided for in Art. 3, para. 1 and para. 2 of the law;
  4. Method of receipt /written or oral/;

FOLLOW-UP ACTIONS

The employer:

  1. based on the received report and the proposals of the employee responsible for reviewing the report, takes actions within their competence to stop the violation or prevent it if it has not started;
  2. prioritizes according to predetermined criteria and rules the review of multiple received reports for more serious violations;
  3. terminates the investigation:
    • when the violation for which the report was filed is a minor case and does not require additional follow-up actions; termination does not affect other obligations or applicable procedures in connection with the violation for which the report was filed, nor the protection under the law regarding internal or external reporting;
    • on a repeated report that does not contain new information of material significance for a violation for which an investigation has already been completed, unless new legal or factual circumstances provide grounds for follow-up actions;
    • when data about a committed crime is established; the report and materials related to it are immediately sent to the prosecutor's office;
  4. prepares an individual report, in which they briefly describe the information from the report, the actions taken, the final results of the investigation of the report, which together with the reasons they communicate to the worker or employee who submitted the report and to the affected person while respecting the obligation for their protection.

In cases where the investigation is terminated under item 3, letters "a" and "b", the reporting person may file a report with the national authority for external reporting.

9 Contact Information

CONTACTS OF THE EMPLOYEE RESPONSIBLE FOR RECEIVING REPORTS UNDER THE WHISTLEBLOWER PROTECTION ACT:

👤 Viktoria Valentinova Yankova

📞 +359 898 696 857

📧 signal@dely-rentacars.com

Approved by:

Viktoria Valentinova Yankova
Manager of Art Deli EOOD

← Back