- On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), became applicable,
- in accordance with the GDPR and other relevant acts of European and national legislation, including the Law on Personal Data Protection, promulgated in the State Gazette, issue 1 of 4 January 2002, last amended and supplemented as of the date of this document in the State Gazette, issue 17 of 26 February 2019 (the “applicable data protection law”), legal entities established in the Republic of Bulgaria that process personal data shall introduce appropriate technical and organizational measures in order to comply with its requirements and to ensure the right of individuals to the protection of their data,
- the GDPR encourages the development of data protection policies, binding corporate rules and codes of conduct intended to contribute to its correct application, taking into account the specific characteristics of the various data processing sectors and the specific needs of micro, small and medium-sized enterprises,
in order to ensure an adequate level of data protection in the provision of tourist, hotel, restaurant and other directly related services at the sites listed in Annex No. 1, FIRST LINE HOTELS EOOD, registered in the Commercial Register kept by the Registry Agency of the Ministry of Justice, with UIC 205481600, with registered office in Plovdiv 4000, Central District, Knyaginya Maria Louisa Blvd. No. 8, represented by the Manager Nely Ivanova (hereinafter referred to as the “Hotelier”), accepts and undertakes to comply with this policy for the protection of individuals when processing their personal data (the “Policy”):
All terms used in this Policy, and their derivatives, have the meaning given to them in the applicable data protection law unless otherwise provided below:
- “Personal Data” or just “Data” within the meaning of this Policy means any information relating to data subjects and processed by the Hotelier, including name, date of birth, gender, identification number or other personal number; number, country of issue, date of issue and date of validity of a passport, identity card or other identity document; permanent or current address; citizenship; vehicle registration number; image; credit and debit card details; IP address and MAC address of computers, phones and other personal devices; e-mail address; or other physical, physiological, genetic, mental, economic, cultural or social characteristics.
- “Processing” means any operation or set of operations performed with personal data by automatic or other means, including the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, distribution or otherwise, by which data is made available, sorted or combined, restricted, deleted or destroyed.
- “Data subjects” means individuals who can be identified, directly or indirectly, through the data processed by the Hotelier for them. The main categories of data subjects are the Hotelier employees, hotel guests, visitors to the Hotelier’s website, and recipients of the electronic newsletter distributed on behalf of the Hotelier.
- “Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, and data concerning the health, sex life or sexual orientation of data subjects.
- “Data Controller” means FIRST LINE HOTELS EOOD, registered in the Commercial Register kept by the Registry Agency of the Ministry of Justice, with UIC 205481600, having its registered office and address in Plovdiv 4000, Central District, Knyaginya Maria Louisa Blvd. No. 8, represented by Nely Ivanova, on whose behalf personal data are processed for the purposes and by the means it defines. Unless and to the extent that the applicable data protection law provides otherwise, under this Policy the Hotelier defines the purposes and means of processing, including, but not limited to: the provision of hotel and restaurant services; the management of hotel guests’ and employees’ profiles; recruitment and selection of staff; contracting with a staffing company; contracts for accounting or legal services; video surveillance and security activities in the facilities managed by the Hotelier; posting and collecting personal information on the Hotelier’s website; and using the personal data, including for marketing purposes, as well as transferring it to third parties, etc.
- “Data processor” means (1) any person other than the Hotelier and its staff who processes personal data in the non-exhaustively listed activities described above, the purposes and means of which are determined by the Hotelier, and (2) the Hotelier in the cases in which it does not act as a data controller, for example when executing a contract with an organization conducting an event or recording audiovisual works on the territory of a site operated by the Hotelier. In all cases, when processing data jointly with a processor or in the capacity of a processor, the Hotelier concludes a contract or other legal act under Article 28(3) of the GDPR.
- “Consent” means a freely given, specific, informed and unambiguous indication of the data subject’s wishes, expressed by an affirmative action (a click on the Hotelier’s website) or by signing a document in writing.
- “Child” means any person under the age of 18 unless and until otherwise specified in the applicable data protection law.
- “Personal data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or processed in any other way.
The Hotelier must notify the supervisory authority and the data subjects (when acting as a data controller) or the data controller (when acting as a data processor) of data security breaches.
- “Data subject’s rights claim” means any expression of will to exercise the data subject’s rights regarding the protection of personal data, made by completing the form provided or by acting in an electronic interface to the Hotelier’s systems, where such a possibility is provided and insofar as the applicant’s identity is established in a secure manner.
- “Third Party” means a natural or legal person, public authority or other organization located outside the territory of the European Union, the European Economic Area and the Swiss Confederation to which the Hotelier and/or processors transmit personal data.
- “Supervisory Authority” means the Commission for the Protection of Personal Data of the Republic of Bulgaria (CPDP) or another institution acting as a leading supervisory authority within the meaning of the applicable data protection law.
- “Profiling” means any form of automated processing of personal data intended to evaluate personal aspects relating to data subjects, or to analyze or predict performance at work, economic situation, location, health, personal preferences, reliability or behavior.
- “Data Protection Officer” means the natural or legal person to whom the Hotelier entrusts the tasks provided for in the applicable data protection law.
- “Personal data register” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
- The manager and management of FIRST LINE HOTELS EOOD, registered in the Commercial Register kept by the Registry Agency of the Ministry of Justice, with UIC 205481600, with registered office and headquarters in Plovdiv 4000, Central District, Knyaginya Maria Louisa Blvd. No. 8, undertake to comply with EU law and national law on the protection of personal data and on the protection of the rights and freedoms of the persons whose data the Hotelier collects and processes, in accordance with the GDPR and the LPPD (Law on Personal Data Protection).
- The Hotelier undertakes to introduce appropriate technical and organizational measures to comply with the applicable data protection law, including through the adoption of and compliance with this Policy, which governs:
- the application of data protection principles;
- the rules for collecting, storing and deleting data and implementing security measures;
- the implementation of access control systems, opening hours and work discipline;
- the procedure for portability/transmission of data to third parties;
- the tasks of the data protection officer and the procedure for carrying out a data protection impact assessment;
- the system for reporting data breaches and liability for breaches;
- the procedure for examining applications of data subjects;
- conducting personal data protection training;
- as well as the procedure for approving this Policy.
- This Policy applies to all activities related to the processing of personal data that are described in the Hotelier’s records of processing activities, kept in accordance with Article 30(1) and (2) of the GDPR (the “registers of personal data processing activities”).
- The registers of personal data processing activities shall be reviewed at least once a year in the light of changes in the processes undertaken by the Hotelier and any additional legislative requirements.
- The registers of personal data processing activities shall be made available to the supervisory authority or controller for verification or audit.
Principles related to data processing
(1) Any processing of personal data must be carried out in accordance with the principles laid down in Art. 5 of the GDPR. Personal data are processed lawfully, fairly and in a transparent manner. Lawfully means with a predefined legal basis for the processing. Fairly means that the Hotelier makes every effort to facilitate the exercise of the data subjects’ rights, and the transparency requirement includes the Hotelier’s obligation to provide the data subjects with the information under Art. 13-14 of the GDPR in a comprehensible and accessible form, in clear and plain language.
(2) The specific information to be provided to the data subject shall include at least:
- the identity and contact details of the Hotelier and its representatives;
- contact details of the Data Protection Officer;
- information for the purposes of the processing of personal data as well as the legal basis for the processing;
- the period for which personal data are processed and stored;
- the existence of the right of access, rectification, deletion, withdrawal of consent or objection to the processing, as well as the procedure for examining applications for the exercise of rights of data subjects;
- categories of personal data processed;
- information on recipients and/or third parties receiving the personal data as well as the level of data protection;
- any necessary additional information.
(3) Personal data are collected for specific, explicitly stated and legitimate purposes. The purposes are described for each activity in the registers maintained by the Hotelier.
(4) The personal data collected must be limited to what is necessary, without collecting personal data that are not strictly necessary for the purposes stated above. The Data Protection Officer must approve all electronic and hard-copy data collection forms. All data collection methods shall be reviewed at least every two years.
(5) Personal data must be stored for no longer than necessary. Personal data shall be stored for a specified period and then securely destroyed. When their storage needs to continue beyond that period, the data shall be anonymized and/or pseudonymized.
(6) Personal data must be processed in a manner that guarantees an adequate level of security.
(7) The data controller must be able to demonstrate compliance with the other data protection principles (“accountability”). To ensure compliance with the principles, the Hotelier shall document in writing: (1) its data protection policies, rules and procedures, through this Policy; (2) the approval of this Policy and the appointment of a Data Protection Officer, by order of the Company Manager; (3) the receipt and processing of applications for the exercise of data subjects’ rights; (4) the keeping of records of data processing activities; (5) the performance of data protection impact assessments; (6) prior consultation with and notification of the supervisory authority, data controllers and data subjects; and (7) the conduct of data protection training, through appropriate forms, as well as through the publication of the data protection documentation, in whole or in part, on its website.
Collection, storage and destruction of personal data
- When collecting personal data directly from the data subjects or indirectly (e.g. by obtaining them from another organization, collecting them from a public register or applying another method of data collection), the Hotelier provides information in accordance with the requirements of Articles 13-14 of the GDPR and this Policy.
- Any document by which a data subject provides his or her personal data must include a declaration by the subject as to the accuracy and currency of the data.
- The Hotelier undertakes to introduce measures that allow access to the collected personal data only to the persons who need it for the performance of their official or other duties (the need-to-know principle). Employees of the Hotelier are obliged not to disclose personal data to persons other than those referred to in the preceding sentence.
- Guaranteeing the security of personal data also involves taking appropriate technical measures, which include at least:
- Password protection;
- Automatic locking of idle workstations on the network; (there may be an exception when mandatory virus scanning and data transfer registration are provided);
- Anti-virus software and firewalls;
- Role-based access rights, including those of temporary staff;
- Protecting devices leaving the organization’s premises, such as laptops or the like;
- Security of local and wide area networks;
- Privacy-enhancing technologies such as pseudonymization and anonymization;
- Identification of international security standards appropriate for the Hotelier;
- When a workplace is left unattended, care should be taken to ensure that computer screens and terminals are not visible to others, including by activating a screen saver on the device concerned. Remote processing of personal data must be explicitly authorized in writing by a person authorized by the Hotelier.
- All documents containing personal data should be kept under appropriate organizational data protection measures, which will include at least the following:
- The levels of appropriate training of the Hotelier’s staff;
- Measures that take into account the reliability of employees (e.g. attestations, references, etc.);
- Inclusion of data protection in employment contracts;
- Identification of disciplinary measures for breaches of personal data protection;
- Regular checks that staff comply with the relevant security standards;
- Control of physical access to electronic and paper-based records;
- Adopting a “clean workplace” policy;
- Storage of paper records in lockable cabinets;
- Restricting the use of portable electronic devices outside the workplace;
- Restricting the use by employees of personal devices in the workplace;
- Adopting clear rules for creating and using passwords;
- Regular backing up of personal data and physical storage of copy media outside workplaces in locations with an appropriate level of security;
- The imposition of contractual obligations on counterparties to take appropriate security measures when transferring data outside the EU.
- The collection, storage, and destruction of personal data are governed by rules and procedures for the storage of personal data, approved by the Company Manager.
- The Hotelier does not store personal data in a form that allows identification of data subjects for longer than the specified storage periods.
- For purposes of archiving in the public interest, for scientific or historical research, or statistical purposes, the Hotelier may store personal data for a more extended period.
- Upon expiry of the respective periods, by written order of an authorized employee of the Hotelier, personal data shall be anonymized, pseudonymized or destroyed according to a procedure approved by the Company Manager.
(1) The Hotelier performs video surveillance only under the following conditions:
- the Hotelier has made publicly available on its website information for data subjects about their rights in relation to video surveillance;
- the areas in which the surveillance is carried out are indicated by stickers referencing the above information;
- video surveillance shall be carried out in such a way that the dignity of the data subjects is not affected.
(2) The Hotelier does not carry out video surveillance in toilets, changing rooms, kitchens, or halls for staff rest.
(3) When conducting video surveillance in public places, the Hotelier shall ensure that a data protection impact assessment is carried out in advance.
- The Hotelier processes personal data for marketing purposes (providing information on current promotions, surveys of hotel guests’ satisfaction with their stay, etc.) on the basis of valid consent or, insofar as it is specifically justified, on the basis of its legitimate interest.
- In order to be valid, consent must meet the following conditions:
- it was given by the data subject concerned;
- it was given after the data subject was provided with information about the processing of his or her personal data;
- processing based on consent is always limited in time;
- consent may not be inferred from the absence of objection to general terms and conditions;
- the data subject may withdraw consent at any time;
- the procedure for withdrawing consent shall correspond to the procedure by which it was given.
- When e-mail addresses are not collected directly from the data subjects, the first e-mail sent shall contain the information referred to in Article 14 of the GDPR together with a request for consent.
- The Hotelier collects and processes the personal data of children only with the consent of their parent, guardian or a person authorized to give consent on their behalf.
Applications for the exercise of rights of data subjects
- Applications for the exercise of the data subject’s rights shall be submitted and considered in accordance with the procedure laid down in this Policy and the policies, rules, and procedures for its implementation.
- Data subjects exercise their rights by submitting a written application in the model form to the Hotelier, or by acting in the interface of the electronic systems maintained by the Hotelier, if such a possibility is technically provided and the identity of the person concerned is verified.
- The applications submitted are reviewed by the Data Protection Officer, who provides the data subjects with the necessary information and assistance to exercise their rights.
- The Hotelier shall ensure that the following data subject rights can be exercised:
- the right to be informed whether personal data are being processed and, if so, to access the documents containing the data;
- the right to object to processing based on the legitimate interests of the Hotelier and/or the public interest; upon objection, the Hotelier will cease the processing unless there are legitimate grounds for it or it is necessary for the defence of legal claims;
- the right of portability in the event that personal data are processed on the basis of the subject’s consent or in an automated manner;
- the right to rectification if the data processed by the Hotelier are incorrect, outdated or inaccurate;
- the right to restriction of processing when objecting to the processing or contesting the accuracy of the data;
- the right to withdraw consent to the processing of personal data;
- the right to erasure (the right to be “forgotten”).
Data Protection Officer
- The Data Protection Officer shall ensure compliance with the applicable data protection law by:
- performing the tasks provided for by the applicable law;
- preparing policies, procedures and other documents and templates that enable the Hotelier to demonstrate compliance with the applicable data protection law, and monitoring their implementation;
- reviewing and, where necessary, updating the registers kept by the Hotelier, including the registers of personal data processing activities.
- The Data Protection Officer shall perform the tasks under Art. 39(1)(a) and (b) of the GDPR:
- by giving opinions and recommendations on the implementation of this Policy and the applicable data protection law;
- by organizing training and/or facilitating the awareness of the Hotelier’s employees, regarding the fulfillment of their data protection duties in accordance with this Policy and in the policies, rules and procedures approved for its implementation.
- The Data Protection Officer performs the tasks under Art. 39(1)(c) and (e) of the GDPR by preparing, or monitoring the preparation of, a data protection impact assessment where necessary.
- The Data Protection Officer performs the tasks under Art. 39(1)(d) of the GDPR by reporting to the supervisory authority and providing it with information and clarification regarding compliance with the applicable data protection law.
- The Data Protection Officer shall review the implementation of this Policy at least once a year.
- The Data Protection Officer shall review the registers of personal data processing activities at least once a year.
Disclosure of data
- The Hotelier does not disclose data to unauthorized persons.
- Upon receipt of a request for data disclosure, the Hotelier shall immediately notify the Data Protection Officer.
- Requests must be accompanied by documents certifying the person’s right to access the data.
- Where the Hotelier discloses data to third parties in connection with applications for the exercise of the right to portability, the Hotelier shall disclose the data in the manner determined and approved in this Policy and in the policies, rules and procedures approved for its implementation.
- In all cases under this section, the Hotelier shall not disclose personal data to persons outside the territory of the European Union, the European Economic Area and the Swiss Confederation, unless:
- (a) there is a European Commission decision establishing an adequate level of data protection in the country concerned; or
- (b) in the absence of a decision under (a), the Hotelier takes appropriate measures to compensate for the lack of an adequate level of data protection in the country concerned, in accordance with the applicable law.
Registers of data processing activities
- The registers of processing activities include:
- business processes related to the processing of personal data;
- sources of personal data;
- the categories of data subjects;
- the categories of personal data processed;
- the purposes for which each category of personal data is used;
- recipients and potential recipients of personal data;
- the role of the organization in data processing (data controller or processor).
Impact assessment on data protection
- Where an activity related to the processing of personal data, including an activity using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects, an impact assessment shall be carried out in accordance with this Policy and the policies, rules and procedures approved for its implementation.
- In the event of failure to perform the impact assessment, or of non-implementation or incorrect application of the prescribed risk management measures, the Data Protection Officer shall object in writing to the Company Manager against the respective activity.
- The objection shall suspend the execution of the planned activity until it is considered by the Company Manager, who shall issue a written decision.
- The retention periods are determined for each type of personal data, respectively for each category of data subjects, as follows:
- This Policy applies to the processing of personal data by the Hotelier in all of its activities as from the date of its approval by order of its manager.
- For the implementation of this Policy, the Hotelier introduces policies, rules and procedures; matters not settled in those policies, rules and procedures are governed by this Policy and the applicable law.
- (1) The Data Protection Officer is appointed by the manager of each hotelier and may be responsible for data protection at more than one hotel site.
(2) This Policy is approved for implementation on the basis of Art. 126, item 10 of the Labor Code, by order of the Company Manager. Failure to comply with this Policy constitutes a violation of labor discipline within the meaning of Art. 37 of the Internal Labor Rules in conjunction with Art. 187, para. 1, items 3 and 7 of the Labor Code.
(3) Failure to comply with this Policy by the Company’s external suppliers constitutes a material breach of the relevant contract with that supplier.
List of Hotels and Resorts managed by the Hotelier
- Hacienda Beach Hotel, located in Gereni locality, Sozopol municipality 8130 Burgas District;
- Atrium Beach Hotel, located in Royal Club Victoria Complex in Elenite Resort. 8259, Nessebar municipality, Bourgas district;
- Royal Castle Design & SPA Hotel, located in Royal Club Victoria Complex in Elenite Resort. 8259, Nessebar municipality, Bourgas district;
- Royal Bay Hotel, located in Royal Club Victoria Complex in Elenite Resort. 8259, Nessebar municipality, Bourgas district;
- Royal Park Hotel, located in Royal Club Victoria Complex in Elenite Resort 8259, Nessebar municipality, Bourgas district;
- Andalucia Beach Hotel, located in Royal Club Victoria Complex in Elenite Resort 8259, Nessebar municipality, Bourgas district;
- Villas Elenite, located in Royal Club Victoria Complex in Elenite Resort 8259, Nessebar municipality, Bourgas district;
- Chaika Beach Resort Hotel, located in Royal Club Victoria Complex in Elenite Resort 8259, Nessebar municipality, Bourgas district;
- Pamporovo Hotel, Pamporovo Resort, Chepelare Municipality, Smolyan District;
and all food-service facilities and facilities providing tourist services other than accommodation.