PERSONAL DATA PROTECTION POLICY

GOLDEN TOURS EOOD

 

We, Golden Tours EOOD are aware of the importance of protecting the personal data of our customers and partners, and strive to maintain good policies and practices that ensure maximum protection of any personal data provided by customers, processed during and/or on the occasion of providing basic and/or additional tourist accommodation and catering services, as well as other services provided on location in the hotel we managed ‒Sofia Hotel.

 

This Privacy Policy is based on the requirements of the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). This Privacy Policy is applied in the hotel and on its official website.

 

All changes and additions to the Privacy Policy will be applied after the publication of its current content, available on our website: www.sofiahotel.net

 

The privacy policy is applicable to personal data of guests if they are a natural person or a representative of a legal entity that uses or wishes to use the services provided in the hotel managed by Golden Tours EOOD ‒ Sofia Hotel, including those offered online through a specialized platform on our website, including through social networks.

 

1. Definitions:

A total of 26 definitions are listed in the GDPR and it is not appropriate to reproduce them here. However, the main definitions of this policy are as follows:

 

'Personal data' means: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is a directly or indirectly identifiable person, in particular by means of an identifier, such as name, identification number, location data, online identifier or one or more features specific to the natural person, the physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;

 

"Processing" means: any operation or set of operations carried out with personal data or a personal data set by automatic or other means, such as collecting, recording, organising, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission , disseminating or otherwise making the data accessible, arranging or combining, restricting, deleting or destroying such data;

 

'Administrator' means: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for its determination may be laid down in EU legislation or in the legislation of a Member State;

 

"Consent of the data subject" means: any freely expressed, specific, informed and unambiguous indication of the data subject's will, by means of a statement or clearly confirmatory action expressing his or her consent to the processing of personal data relating to him or her;

 

2. Principles relating to personal data processing of: There are a number of fundamental principles on which the GDPR is based. They are as follows:

Personal data are:

  • processed lawfully, in good faith and in a transparent manner with regard to the data subject ("lawfulness, good faith and transparency");

  • collected for specific, explicitly stated and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes shall not be considered, in accordance with Article 89 (1), incompatible with the original purposes ("limitation of purposes");

• appropriate, related to and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

  • accurate and, if necessary, kept up to date; all reasonable measures must be taken to ensure the timely erasure or correction of inaccurate personal data, taking into account the purposes for which they are processed ("accuracy");

• stored in a way that allows the identification of the data subject for a period no longer than necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), provided that the appropriate technical and organizational measures provided for in this Regulation in order to guarantee the rights and freedoms of the data subject ("storage restriction");

  • processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures ("integrity and confidentiality"); 

 

3. Who processes and is responsible for personal data provided:

Golden Tours EOOD (we) is the company registered in the Commercial Register and the register of non‒profit legal entities at the Registry Agency with UIC BG813095472, which collects, processes and stores personal data under the terms of this policy and applicable legislation of the European Union and the Republic of Bulgaria.

 

Golden Tours EOOD is a personal data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and the law to protect personal data.

On all issues relating to the processing of personal data, you can contact us at our address of management: Varna 9007, Golden Sands Resort, or the following contact coordinates:

   • Website: www.sofiahotel.net

   • Email: reservation@sofiahotel.net

 

4. What data do we process, for what purposes and on what legal basis:

4.1. Depending on the specific goals and grounds, Golden Tours EOOD processes the only the data appointed below or in combination between them, namely:

  А) Data provided by clients and needed in order to identify and carry out reservations made and confirmed, such as:

     • Three names, telephone and/or e‒mail address, or a specified contact person, date and time of accommodation and departure, children and their age;

    • Data collected upon payment made to us – credit or debit card number, bank account and other information collected at and processed in connection with the payment by bank transfer, through a direct debit or through the POS Golden Tours EOOD;

    • Data on the services used and the information obtained about their preferred services that we offer;

    • Other data you provide to us in connection with the services already used.

  B) Data provided by clients and stored by Golden Tours EOOD in the process of providing the accommodation services at Sofia Hotel, which are collected, processed and stored in accordance with the current regulatory requirements regarding the register of accommodated tourists from the persons operating hotel businesses, namely:

     • Full name of the person; PIN /for Bulgarian citizens/ or LNS /for foreign nationals with a residence permit in BG/ or date of birth /in all other cases/;

     • gender;

     • nationality;

     • ID card number/valid national identity document, country that issued the national identity document.

  C) Other:

    • Digital data ‒ videos. These are the data collected through CCTV systems used by Golden Tours EOOD in all public and accessible places at Sofia Hotel (lobby, reception, restaurant, lobby bar, corridors, stairs, entrances, parking,) for the purpose of security, monitoring, control and protection of public order;

    • IP address when visiting our website/ platform for online reservation,

    • Data regarding a claim filed with respect to the tourist service provided by us and used by the guests;

    • Information on the type and content of the reservation, as well as any other information related to it, including e‒mail, letters, applications, requests, complaints, and other feedback we receive from you;

 

4.2. Objectives and legal grounds for processing personal data:

The leading basis for the processing and storage of personal data is the execution of a contract to which the data subject is a party or for the purpose of taking steps at the request of the data subject before the conclusion of such a contract. At the same time, the processing of certain personal data is necessary for compliance with the legal obligations of the company under the Labor Code, the Tourism Act, the Civil Registration Act, the Accounting Act and other applicable normative documents, as well as for the protection of the legitimate interests of the Administrator or of third parties, such as:

  А) We process and store personal data that are minimally necessary and statutory for the purpose of providing tourist accommodation and catering services, as well as for all other services provided on the spot at Sofia Hotel, such as:

   • Identification of a client when: carrying out, amendment and termination of a reservation, as well as when providing tourist accommodation and catering services, as well as all other services provided on location at the hotel. The identification of a client is carried out through all commercial and communication channels ‒ at the hotel reception by providing an identity document, by telephone, on our online platform through an electronic contact form, by e‒mail, etc.;

   • Servicing and responding to client complaints/inquiries/grievances;

    • Adjustments of amounts due on already realized reservations for accommodation and catering if there are grounds for such an action;

  B)  In fulfillment of their legal obligations, Golden Tours EOOD process personal data for the following purposes:

    • Providing information to the Ministry of Interior, the competent municipality where the hotel is located, the Consumer Protection Commission and the Commission for Personal Data Protection, in connection with the fulfillment of our obligations as a hotelier, arising from the current regulations in this area;

    • Processing of personal data in invoices issued in the name of a client for other purposes compatible with the original purpose of their collection

    • Carrying out tax and social security control by the respective competent state bodies;

    • Providing information to the court and third parties in court proceedings in order to protect their legitimate interests, including the collection of receivables from customers through court proceedings..

  C) Golden Tours EOOD processes personal data also for the purposes of our following legitimate interests:

     • For direct marketing purposes ‒ sending offers containing information about our current offers, promotions and discounts for accommodation at Sofia Hotel and/or changing the conditions of those already used;

    • To include the guest's name, photographs, video and other data in advertising brochures, website etc. publications of Golden Tours EOOD as a result of participation in group events and activities at the hotel organized by us (dances, sports activities and other entertainment).

• To protect, exercise or preserve the legal rights, integrity, safety or property of the administrator, users of the administrator's services and members of the public;

 

 

5. Categories of third parties that gain access and process personal data:

In connection with the implementation of our activities and fulfillment of our contractual commitments with our customers, we provide personal data to the following groups of persons hereunder called recipients, namely:

  • the data subject ‒ whenever they exercise this right;

  • the users/customers to whom the data relates;

  • to business partners – for the purposes of fulfilling the bookings made by the guests: travel agents and representatives in Bulgaria and abroad, transport companies and airlines, suppliers of the respective basic and additional tourist services, and other subcontractors with whom we have signed agreements thereof;

  • credit card payment service providers;

  • insurance companies when ordering an insurance event with a tourist accommodated in our hotel;

  • IT companies supporting information systems, our company website, software and platforms for managing the reservations of our clients, etc.;

• public bodies (Ministry of Interior, municipality, NRA, NSSI, Consumer Protection Commission, Personal Data Protection Commission, judicial and other control bodies);

  • Other administrators of personal data to whom Golden Tours EOOD provides personal data on a legal basis and/or on the basis of a bilaterally signed contract.

 

It may be necessary –  by law, in litigation and /or at the request of public and governmental authorities in or outside the country of residence, as well as for the purposes of national security, law enforcement or other issues of public importance, that we disclose personal data when such disclosure is necessary or appropriate.

 

We may also disclose guest information if we find that such disclosure is justified and necessary for the application of our company terms and conditions or to protect our activities, legitimate interests and the rights and legitimate interests of other users. In addition, in the event of a reorganization, merger or sale, it is possible to transfer any and all of the collected database to the relevant successor third party.

 

6.  Period of storing personal data. Security:

The duration of storage of personal data depends on the purposes of processing for which they have been collected:

  • Personal data processed for the purpose of providing and performing tourist accommodation and catering services in Sofia Hotel are stored for a period of up to 3 (three) years from the date of leaving the hotel, as well as until the final settlement of all financial issues between the parties, in observance of all normatively determined terms, whenever applicable;

   • Personal data processed for the purpose of issuing accounting/financial documents for tax and social security control, as well as but not only ‒ invoices, debit, credit notices, are stored for at least 3 (three) years, unless a longer term is stipulated by  applicable law;

  • Picture (Video) ‒ up to 30 days from the creation of the recording.

It may be possible to store personal data for longer periods in order to protect the legitimate interests of Golden Tours EOOD, as well as until the expiration of the relevant statute of limitations fоr protection purposes in case of claims from customers in connection with the implementation/termination of travel services, accommodation and meals in our hotels, as well as for a longer period in case of a lawsuit that has already been filed ‒ the documents are stored until its final resolution with a court/arbitration judgement that has entered into force.

 

As personal data administrator Golden Tours EOOD takes due care and the appropriate and required by law administrative, technical and physical measures, as well as those related to staff  /training, awareness, etc./ to protect the information at its disposal, including the protection of personal data of its customers from loss, theft and unauthorized use, disclosure, modification and any other illegal form of processing. We have physical, electronic and procedural safeguards that comply with our legal obligations regarding the protection of personal data, which we maintain in accordance with all contemporary technological means.

We are responsible for the protection of personal data of the client, which have became known to us in connection with our activities as an employer and hotelier, when providing our travel services specified in the subject of the General Terms and Conditions and this Policy, except in cases of force majeure, accidents or malicious actions from third parties, as well as in cases where the client himself has made this information available to third parties.

 

7. Video surveillance:

The common areas of Sofia Hotel are subject to round‒the‒clock video surveillance, which is carried out through stationary security cameras located at the respective places.

The video surveillance is carried out in order to protect, exercise or preserve the legal rights, inviolability, safety or property of the administrator, his employees and/or contractors, as well as to ensure the safety, inviolability and safety of hotel guests and members of society.

The video surveillance is organized and controlled by employees of the administrator, specially trained for data protection.

The recordings are stored on video servers for a period of 30 days, except in case of registered violation of the rights of the administrator, tourists or third parties, in which case the term of keeping the recordings may be extended according to the specific needs.

The guest has the right to request a review of the records if he/she alleges there is a violation of rights relating to third parties or to a supervised person, and the request will be considered within the time limits provided in section 8 of this policy.

The Company may refuse to consider requests that are unreasonably repeated, require disproportionate technical effort or endanger the privacy of other users.

 

8. What are the rights of the guests relating to the processing of personal data by Golden Tours EOOD and what actions should be taken in order to exercise those:

   • right of access to the data relating to them ‒ the client has the right at all times to request confirmation of whether the data relating to them are processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients , to which the data are disclosed;

   • the right to correct and update their personal data when they are inaccurate or incomplete in view of the purposes of their processing;

  • right to deletion (the right to be forgotten) when the subject's data are processed unlawfully or for no reason (the original purpose for which they were collected and processed has been fulfilled, the storage period has expired (including statute of limitations), consent for processing has been withdrawn, you have objected to their processing, etc.), there is no other reason for their processing or the national or  European legislation requires it;

   • right to restrict processing – in the event of a legal dispute between Golden Tours EOOD and the individual until its resolution, and/or for the establishment, exercise or defense of legal claims; where the processing is unlawful, but the data subject does not wish the personal data to be deleted, but instead requests the restriction of its use; in the event of an objection raised by the guest against the processing of personal data for the period of the verification of its validity;

   • right to data portability ‒ the data subject has the right to request us to transfer his personal data in a machine‒readable format to another controller explicitly indicated by him without hindrance;

  • notification obligation to in case of correction or deletion of personal data or restriction of processing ‒ the customer has the right to require us to notify the third parties to whom his personal data has been disclosed of any deletion, correction or blocking of this data, with the exception of the cases when this is impossible if it would require a disproportionate effort of Golden Tours EOOD

  • the right to be notified of a breach of personal data security ‒ in cases where there is a possibility that the breach of data security will create a high risk to the rights and freedoms of natural persons. We are not obliged to notify individuals if: we have taken appropriate technical and organizational protection measures with respect to the data affected by the security breach, and if we have subsequently taken measures that ensure the breach will not result in a high risk to guests' rights and if notification would require a disproportionate effort.

  • right to object to the processing of personal data – at any time and on grounds related to the specific situation of the person, provided that there are no convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject or a lawsuit.

  • When personal data is processed for the purposes of direct marketing, the user has the right at any time to object to the processing of personal data concerning them for this type of marketing, which includes profiling, as far as it is related to direct marketing. At the time of the first contact with the user at the latest, he is expressly informed of the existence of the right of objection described above, which is provided to him by notification in a clear way and separately from any other information.

  • right to legal and administrative protection – right to file a complaint with a supervisory authority, right to effective legal protection against a supervisory authority, right to effective legal protection against an administrator or processor of personal data; right to compensation for damages sincured.

 

Details of the supervisory authority:

COMMISSION FOR PERSONAL DATA PROTECTION

Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

phone: 02/91‒53‒518, fax: 02/91‒53‒525,

e‒mail: kzld@cpdp.bg

www.cpp.bg

 

9. Can a data subject refuse to provide personal data to Golden Tours EOOD and what are the consequences of such reusal?

In order to fulfill the reservation made and to provide the accommodation services requested by the guests at Sofia hotel, we need certain data, which are normatively determined by the legislation in force in the Republic of Bulgaria.

Failure to provide the personal data specified in item 4 prevents the possibility of Golden Tours EOOD to accept the reservation and, accordingly, to provide the requested services on location at Sofia hotel.

 

10. Our Cookie Policy:

Golden Tours EOOD uses so‒called "cookies" on its website: www.sofiahotel.net, which are important for its correct operation. By visiting our site, visitors accept the use of cookies.

Types of cookies we use:

  • Mandatory cookies – these cookies are necessary for the correct operation of the website. For example, with these cookies we display the information on our site, photos, videos, etc., as well as help the search engine to function correctly so that you do not have to enter the same information on different pages. These cookies are temporary and are deleted when you close the browser.

   • Analytical cookies – thanks to these cookies we monitor the traffic of our site and can analyze how easily our users work with it (Google Analytics cookies). These cookies do not give us any personal data information. They show us which pages of our site have been viewed, whether our site has been accessed via a mobile or desktop device, and other anonymous data.

The cookie settings you receive from our site can be made in the browser you use. The restriction of certain types of cookies may prevent our site from working properly and you may not be able to use its full functionality.

 

 

11. Privacy Policy Changes:

 

Golden Tours EOOD has the right, when the circumstances require it, to unilaterally update, amend and supplement the personal data protection policy at any time in the future. Any addition or change to this Policy will be published on the hotel website: www.sofiahotel.net and/or will be provided upon the client's request.