Tsarevets 56 Ltd. – a company registered in the Republic of Bulgaria with its head office and address of management: Veliko Tarnovo, 21 Chitalishtna Str., UIC: 202967426, tel.: +359 62 601 885; +359 62 601 886 and email: firstname.lastname@example.org
In connection with its activity – hotel business – the Company processes data, some of which is personal data, according to the Personal Data Protection Act and Regulation (EU) 2016/679, and therefore has the capacity of a personal data controller.
This policy is intended to inform the users of www.spa-hoteltsarevets.com about how their personal data is processed, their rights, the methods of personal data protection used by the controller, to whom the Company is entitled to provide the personal data collected, as well as the methods for exercising the rights of data subjects.
GDPR is the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and the Council). The Regulation significantly enhances the rights of European citizens and accordingly places more obligations on organizations collecting and processing personal data. It entered into force on May 25, 2018 and applies to all Member States of the European Union.
Personal data is collected for specific, explicitly stated and legitimate purposes and is not further processed in a manner incompatible with those purposes. The processing shall be lawful, bona fide and transparent in relation to the data subject.
3. Objectives and scope of Policy:
4. Glossary of terms:
'Personal data' means any information relating to an identified or identifiable person (data subject); identifiable person is an individual who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location, online identifier, or by one or more traits specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
'Genetic data' means personal data relating to the inherited or acquired genetic characteristics of an individual, which give unique information about the characteristics or health of that individual and which are obtained, in particular, from the analysis of a biological sample by the person concerned;
'Biometric data' means personal data obtained as a result of specific technical processing, which are related to the physical, physiological or behavioral characteristics of an individual and which permit or confirm the unique identification of that individual, such as facial images or fingerprints;
'Data subject's consent' means any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clearly affirmative action, expressing his/her consent to processing of personal data related to him/her;
'Processing' means any operation or combination of operations carried out with personal data or a set of personal data by automatic or other means such as the collection, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, distribution or otherwise making the data available, sorting or combining, limiting, deleting or destroying;
'Controller' means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the personal data processing; where the purposes and means of such processing are determined by the Union law or a Member State law, the controller or the specific criteria for its determination may be laid down in the Union law or in a Member State law;
'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
'Representative' means a natural or legal person established within the Union who is appointed by the controller or processor in writing in accordance with Art. 27, and represents the controller or the processor in connection with their respective obligations under Regulation (EU) 2016/679;
'Recipient' means a natural or legal person, public authority, agency or other entity to whom personal data is disclosed, whether third party or not. At the same time, public authorities, which may receive personal data in the context of a specific investigation in accordance with Union or Member State law, are not considered as 'recipients'; the processing of such data by the designated public authorities complies with the applicable data protection rules for the purposes of processing;
'Supervisory authority' means an independent public authority established by a Member State and responsible for monitoring the implementation of Regulation (EU) 2016/679;
'Personal data breach' means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or processed in any other way;
'Profiling' means any form of automated processing of personal data resulting in the use of personal data to evaluate certain personal attributes relating to an individual, and in particular to analyze or forecast aspects relating to the performance of professional duties of that individual, his or her economic status, health, personal preferences, interests, reliability, behavior, location or movement.
5. Basic principles regarding the processing of personal data that we observe:
- lawful, bona fide and transparent processing of personal data
- processing of personal data for specific purposes
- minimizing data
- up-to-date accuracy and maintenance
- storage limit
- integrity and confidentiality
6. Purpose of processing:
Tsarevets 56 Ltd. processes personal data for implementation of its activities - hotel business.
Personal data is collected for specific, legitimate purposes and must be processed lawfully and in good faith. Data is not further processed in a manner incompatible with these purposes. Further processing of personal data for archiving in the public interest, for scientific and historical research, or for statistical purposes, is not considered incompatible with the original purposes.
Beyond the above objectives and in connection with the principles set out in Art. 5 of Regulation (EU) 2016/679, Tsarevets 56 Ltd. does not collect or process other personal data of its employees, partners and clients. The Company does not process personal data for the purpose of automated decision-making, incl. profiling. The Company collects data from the data subject.
7. The Company only processes personal data when:
- it has obtained clear, free, informed and unambiguous consent from data subjects who are notified in advance through this policy about the purpose of their personal data usage;
- there is a contractual obligation for the purpose of executing a contract, one party being the individual (when the Company processes data of its employees) and for the exercise, establishment and protection of rights and legitimate interests;
- processing is necessary for the fulfillment of a task of public interest (according to EU or national law);
8. What data is collected and processed:
Attention: Tsarevets 56 Ltd. does not collect or process sensitive personal information of its clients and users on its website www.spa-hoteltsarevets.com.
Attention: Tsarevets 56 EOOD does not store bank card data of its customers and users on the website www.spa-hoteltsarevets.com.
The collected and processed data is:
- User name and surname - to identify the subject upon request;
- Email - for quick and easy communication;
- Telephone - for contact if necessary;
- Other data admissible under the Regulation if needed to fulfill an obligation of the Company or related to a specific service.
9. Recipients of personal data to which the Company has the right to disclose data:
The Company provides personal data to competent state authorities and institutions when required by the national legislation and in accordance with the rules set out therein (for example: the National Revenue Agency, the National Social Security Institute, the Employment Agency, judicial and investigative authorities, health authorities, etc.). It also provides personal data of individuals to accounting firms, banks, HR agencies and mobile operators for statutory purposes or those specified in a contract concluded with the individuals.
The personal data of www.spa-hoteltsarevets.com users is not disclosed to third parties beyond the legal requirements. The Company does not provide personal data to countries outside the European Union.
10. Rights of individuals - data subjects:
Measures taken to protect personal data in accordance with Regulation (EU) 2016/679 are designed to ensure protection of data subjects' rights, namely:
- Right of access;
- Right to correct inaccurate or incomplete data;
- Right of erasure (right to be forgotten), where the conditions of Art. 17 of Regulation (EU) 2016/679 apply;
- Right to restrict processing;
- Right of data portability, where the conditions for portability under Art. 20 of Regulation (EU) 2016/679 apply;
- Right of objection, where the conditions of Art. 21 of Regulation (EU) 2016/679 apply;
- Right to complain to the Data Protection Commission or the District Court;
- Right not to be subject to a decision based solely on automated processing involving profiling.
11. Data storage period:
As a data controller, Tsarevets 56 Ltd. processes data for a period as provided in applicable law and in accordance with the principle of storage limitation.
The remaining data is stored for different periods, depending on the data type that determines the legal obligation for its processing, including storage.
Storage criteria are:
- when submitting booking data – the data is kept for 5 years after the corresponding booking is made.
- data on the register of the accommodated tourists within the meaning of Article 116 of the Tourism Act – the data is kept according to the term stipulated in the Tourism Act and the secondary legislation.
- when submitting contact form data – the data is kept for 2 years or until the sender receives a service that satisfies his requirements.
- Financial accounting documents and invoices – data is kept for up to 10 years.
- the personal data of the employees of Tsarevets 56 Ltd. are stored and processed for a longer period in accordance with the requirement of the Accounting Act.
- video surveillance of the site – data is kept for 2 months.
When, in connection with the activity of the Company, it is necessary to process or store data of persons under the age of 18 years, this is done with the explicit consent of the parent/guardian.
12. Responsibility of the Company for personal data protection:
In connection with the personal data controller responsibility introduced by Regulation (EU) 2016/679 and the Personal Data Protection Act, and to ensure adequate data protection, the Company applies all necessary organizational and technical measures to protect personal data of individuals. For maximum security in the processing, transmission and storage of personal data, the Company uses protection mechanisms for data stored both electronically and on paper.
Computer access via a local network to files containing personal data is carried out only by employees of Tsarevets 56 Ltd. or by a data protection officer authorized with statutory rights, solely from their physical workplace, from a specially designated computer and after identification by login and password to the system. At the end of the working day, employees turn off their local computer.
In order to increase the security of access to information, employees must change their passwords at intervals not exceeding 2 months, as determined by Tsarevets 56 Ltd. The Company uses a fully licensed operating system to perform its data protection functions. The use of any other software of unlicensed origin is prohibited.
Installation of software products on office computers is done only by a designated person, an IT specialist.
13. Policy changes:
14. Contact details of the personal data controller:
Address: 21, Chitalishtna Str., Veliko Tarnovo, Bulgaria
Telephone: +359 62 601 885
15. Data protection supervisor:
Data protection supervisor at national level is the Personal Data Protection Commission. It monitors the correct application of Regulation (EU) 2016/679, and any natural person who considers that his or her rights regarding the processing of his/her personal data have been infringed may submit a complaint to the Commission at the following address:
Address: 2, Prof. Tsvetan Lazarov Str., Sofia, Bulgaria
Telephone: +359 2 91-53-555