GDPR

Personal Data Protection Policy

Introduction

Considering that:

  1. On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), became applicable,
  2. Following the GDPR and other applicable European and domestic legislation, including the Personal Data Protection Act (promulgated in the State Gazette, issue 1 of 4 January 2002, as last amended and supplemented as of the date of this document in SG, issue 17 of 26 February 2019) ("the applicable data protection law"), legal entities established on the territory of the Republic of Bulgaria which process personal data must introduce appropriate technical and organizational measures in order to comply with those requirements and to ensure the right of individuals to the protection of their data,
  3. The GDPR encourages the development of data protection policies, binding corporate rules, and codes of conduct intended to contribute to its correct application, taking into account the specific characteristics of the various processing sectors and the specific needs of micro, small and medium-sized enterprises,

in order to ensure an adequate level of data protection when providing tourist, hotel, restaurant and other services directly associated with them at the sites listed in Annex No. 1, "City Hotel Management" EOOD, registered in the Commercial Register kept by the Registry Agency of the Ministry of Justice, with UIC 205411096, with registered office in Sofia, p. k. 1407, 100 James Boucher Blvd., represented by its manager Kaloyan Nikolov (hereinafter "the Hotelier"), adopts and undertakes to comply with this policy for the protection of individuals when processing their data (the "Policy"):

Key concepts

All terms in this Data Protection Policy and their derivatives enjoy the meaning with which they are used in the applicable data protection law unless otherwise provided below:

  1. "Personal Data" or simply "Data" within the meaning of this Policy means any information relating to data subjects and processed by the Hotelier, including name, date of birth, gender, identification number or other personal number; number, country of issue, date of issue and date of validity of a passport, identity card or other identity document; permanent or current address; citizenship; vehicle registration number; image; credit and debit card details; IP address and MAC address of computers, phones and other personal devices; e-mail address; or other physical, physiological, genetic, mental, economic, cultural or social characteristics.
  2. "Processing" means any operation or set of operations performed with personal data by automatic or other means, including the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, distribution or otherwise, by which data is made available, sorted or combined, restricted, deleted or destroyed.
  3. "Data subjects" means individuals who can be identified, directly or indirectly, through the data processed by the Hotelier for them. The main categories of data subjects are the Hotelier employees, hotel guests, visitors to the Hotelier's website, and recipients of the electronic newsletter distributed on behalf of the Hotelier.
  4. "Special categories of personal data" means personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic and biometric data, health status or sexual life, or sexual orientation data of data subjects.
  5. "Data Controller" means "City Hotel Management" EOOD, registered in the Commercial Register kept by the Registry Agency of the Ministry of Justice, with UIC 205411096, having its registered office and registered address in Sofia, p. k. 1407, 100 James Boucher Blvd., represented by Kaloyan Nikolov, on whose behalf personal data are processed for the purposes and by the means determined by him. Unless and to the extent that the applicable data protection law provides otherwise, under this Policy the Hotelier determines the purposes and means of processing, including but not limited to: the provision of hotel and restaurant services; the management of hotel guests' and employees' profiles; recruitment and selection of staff; contracting with a staff-hiring company; contracts for accounting or legal services; video surveillance and security activities at the facilities managed by the hotel; posting and collecting personal information on the Hotelier's website; use of personal data, including for marketing purposes; and transfer of personal data to third parties.
  6. "Data processor" means (1) any person other than the Hotelier and his staff who processes personal data in the activities listed (non-exhaustively) above, the purposes and means of which are determined by the Hotelier, and (2) the Hotelier himself, in the cases in which he does not act as a data controller, for example when performing a contract with an organization conducting an event or recording audiovisual works on the territory of a site operated by the hotel. In all cases in which he processes data jointly with another controller or in the capacity of a processor, the Hotelier concludes a contract or other legal act under Article 28, paragraph 3 of the GDPR.
  7. "Consent" means a freely given, specific, informed and unambiguous indication of the data subject's wishes, expressed by an affirmative action (a click on the Hotelier's website) or by signing a document in writing.
  8. "Child" means any person under the age of 18 unless and until otherwise specified in the applicable data protection law.
  9. "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Hotelier must notify the supervisory authority and the data subjects (when acting as a data controller) or the data controller (when acting as a data processor) of personal data breaches.
  10. "Data subject's rights claim" means any expression of will to exercise the data subject's rights regarding the protection of personal data, made by completing the form provided or by acting in an electronic interface to the Hotelier's systems, if such an option is provided and insofar as the applicant's identity is securely established.
  11. "Third Party" means a natural or legal person, public authority, or other organization located outside the territory of the European Union, the European Economic Area, and the Swiss Confederation to which the Hotelier and/or processors transmit personal data.
  12. "Supervisory Authority" means the Commission for the Protection of Personal Data of the Republic of Bulgaria (CPDP) or another institution acting as a leading supervisory authority within the meaning of the applicable data protection law.
  13. "Profiling" means any form of automated processing of personal data intended to evaluate personal aspects relating to the data subject, or to analyze or predict the performance of professional duties, economic situation, location, health, personal preferences, reliability or behaviour.
  14. "Data Protection Officer" means the natural or legal person to whom the Hotelier entrusts the tasks provided for in the applicable data protection law.
  15. "Personal data register" means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or distributed on a functional or geographical basis.

General Provisions

  1. The manager and management of "City Hotel Management" EOOD, registered in the Commercial Register kept by the Registry Agency of the Ministry of Justice, with UIC 205411096, having its registered office and registered address in Sofia, p. k. 1407, 100 James Boucher Blvd., undertake to comply with EU law and national law regarding the protection of personal data and the protection of the rights and freedoms of the persons whose data the Hotelier collects and processes under the GDPR and the Personal Data Protection Act.
  2. The Hotelier undertakes to introduce appropriate technical and organizational measures to comply with the applicable data protection law, including through the validation and compliance with this Policy concerning:
  • the application of data protection principles;
  • the rules for collecting, storing, and deleting data and implementing security measures;
  • the implementation of access control systems, working hours, and work discipline;
  • the procedure for portability/transmission of data to third parties;
  • the tasks of the data protection officer and the procedure for carrying out the risk impact assessment;
  • the system for reporting data breaches and liability for breaches;
  • the procedure for examining applications of data subjects;
  • conducting personal data protection training;
  • as well as the procedure for approving this Policy.

4. This Policy applies to all activities related to the processing of personal data. Those activities are described in the registers of processing activities kept by the Hotelier pursuant to Article 30, paragraphs 1 and 2 of the GDPR ("Registers of personal data processing activities").

5. The registers of personal data processing activities shall be reviewed at least once a year in light of changes in the processes undertaken by the Hotelier and any additional legislative requirements.

6. The registers of personal data processing activities shall be made available to the supervisory authority or controller for verification or audit.

Principles related to data processing

(1) Any processing of personal data must be carried out in accordance with the principles laid down in Art. 5 of the GDPR. Personal data are processed lawfully, fairly and transparently. Lawfully means on a legal basis determined before the processing begins. Fairly (in good faith) means that the Hotelier makes every effort to facilitate the exercise of the data subjects' rights, and the transparency requirement includes the Hotelier's obligation to provide data subjects with the information under Art. 13-14 of the GDPR in a comprehensible and accessible form, in clear and plain language.

(2) The specific information to be provided to the data subject shall include at least:

  1. the identity and contact details of the Hotelier and of his representatives;
  2. the contact details of the Data Protection Officer;
  3. the purposes of the processing of personal data as well as the legal basis for the processing;
  4. the period for which personal data are processed and stored;
  5. the existence of the right of access, rectification, deletion, withdrawal of consent or objection to the processing, as well as the procedure for examining applications for the exercise of rights of data subjects;
  6. categories of personal data processed;
  7. information on recipients and/or third parties receiving the personal data as well as the level of data protection;
  8. any necessary additional information.

(3) Personal data are collected for specific, explicitly stated, and legitimate purposes. The objectives are described for each activity in the registers maintained by the Hotelier.

(4) The personal data collected must be limited to what is necessary; personal data that is not strictly necessary for the purposes stated above is not collected. The Data Protection Officer must approve all electronic and hard-copy data collection forms, and all data collection methods shall be reviewed at least every two years.

(5) Personal data must be stored no longer than necessary. Personal data shall be stored for a specified period and then securely destroyed. When their storage needs to continue beyond that period, the data shall be anonymized and/or pseudonymized.

(6) Personal data must be processed in a manner that guarantees an adequate level of security.

(7) The data controller must be able to demonstrate compliance with the other data protection principles ("accountability"). To ensure compliance with the principles, the Hotelier shall document in writing: (1) its data protection policies, rules and procedures, through this Policy; (2) the approval of this Policy and the appointment of a Data Protection Officer, by order of the Hotel Manager; (3) the receipt and processing of applications for the exercise of data subjects' rights; (4) the keeping of records of data processing activities; (5) the performance of risk impact assessments; (6) prior consultation of, and notifications to, the supervisory authority, data controllers and data subjects; and (7) the conduct of data protection training, through appropriate forms and through publication of the data protection documentation, in whole or in part, on its website.

Collection, storage, and destruction of personal data

8. When collecting personal data directly from the data subjects or indirectly (e.g., by obtaining them from another organization, collecting them from a public register, or by any other method), the Hotelier provides information in accordance with the requirements of Articles 13-14 of the GDPR and this Policy.

9. Any documents with which a subject provides his data must include a statement on behalf of the subject for the accuracy and timeliness of the data.

10. The Hotelier undertakes to introduce measures that allow access to the collected personal data only to persons who need it for the performance of their official or other duties (the need-to-know principle). Employees of the Hotelier are obliged not to disclose personal data to persons other than those referred to in the preceding sentence.

11. Guaranteeing the security of personal data also requires appropriate technical measures, which shall include at least:

  1. Password protection;
  2. Automatic locking of idle workstations on the network (an exception may be made where mandatory virus scanning and logging of data transfers are provided);
  3. Anti-virus software and firewalls;
  4. Role-based access rights, including those of temporary staff;
  5. Protection of devices leaving the organization's premises, such as laptops and similar equipment;
  6. Security of local and wide area networks;
  7. Privacy-enhancing technologies such as pseudonymization and anonymization;
  8. Identification of international security standards appropriate for the Hotelier;
  9. When a workplace is left unattended, care shall be taken to ensure that computer screens and terminals are not visible to others, including by activating a locking screen saver on the device concerned. Remote processing of personal data must be explicitly authorized in writing by a person empowered by the Hotelier.

12. All documents containing personal data shall be kept under appropriate organizational data protection measures, which shall include at least the following:

  1. Appropriate levels of training for the Hotelier's staff;
  2. Measures that take into account the reliability of employees (e.g., attestations, references, etc.);
  3. Inclusion of data protection obligations in employment contracts;
  4. Definition of disciplinary measures for breaches of personal data protection;
  5. Regular checks that staff comply with the relevant security standards;
  6. Control of physical access to electronic and paper-based records;
  7. Adoption of a "clean desk" policy;
  8. Storage of paper records in lockable cabinets;
  9. Restriction of the use of portable electronic devices outside the workplace;
  10. Restriction of the use of employees' personal devices in the workplace, and adoption of clear rules for creating and using passwords;
  11. Regular backup of personal data and storage of the backup media outside the workplace at locations with an appropriate level of security;
  12. Imposition of contractual obligations on counterparties to take appropriate security measures when transferring data outside the EU.

13. The collection, storage and destruction of personal data are governed by rules and procedures for the storage of personal data, approved by the Company Manager.

14. The Hotelier does not store personal data in a form that allows the identification of data subjects for longer than the specified storage periods.

15. For purposes of archiving in the public interest, scientific or historical research, or statistical purposes, the Hotelier may store personal data for a longer period.

16. Upon expiry of the respective periods, by written order of an authorized employee of the Hotelier, personal data shall be anonymized, pseudonymized or destroyed according to a procedure approved by the Manager of the Company.

CCTV

(1) The Hotelier performs video surveillance only under the following conditions:

  1. the Hotelier has made publicly available on his website information for data subjects about their rights in relation to video surveillance;
  2. the areas under surveillance are marked with stickers referring to the above information;
  3. video surveillance is carried out in a way that does not affect the dignity of the data subjects.

(2) The Hotelier does not conduct video surveillance in toilets, changing rooms, kitchens, or halls for staff rest.

(3) When conducting video surveillance in public places, the Hotelier shall ensure that a data protection impact assessment is carried out in advance.

Consent

17. The Hotelier processes personal data for marketing purposes (providing information on current promotions, surveys of hotel guests' satisfaction with their stay, etc.) on the basis of valid consent or on the basis of his legitimate interest, insofar as the latter is specifically justified.

18. In order to be valid, consent is subject to the following conditions:

  1. it was given by the person concerned;
  2. it was given after the person concerned had been provided with information about the processing of his data;
  3. processing based on consent is always limited in time;
  4. consent may not be inferred from the absence of objection to general terms and conditions;
  5. the data subject may withdraw his consent at any time;
  6. consent can be withdrawn in the same manner in which it was given.
  7. When e-mail addresses are not collected directly from the data subjects, the first e-mail sent shall contain the information referred to in Article 14 of the GDPR, together with a request for consent.
  8. The Hotelier collects and processes the personal data of children only with the consent of a parent, guardian, or person authorized to give consent on their behalf.

Applications for the exercise of rights of data subjects

22. Applications for the exercise of the data subject's rights shall be submitted and considered following the procedure laid down in this Policy and the policies, rules, and procedures for its implementation.

23. Data subjects exercise their rights by submitting a written application in the standard form to the Hotelier, or by acting in the interface of the electronic systems maintained by the Hotelier, if such a possibility is technically provided and the identity of the person concerned is verified.

24. The applications submitted are reviewed by the Data Protection Officer, who provides the data subjects with the necessary information and assistance to exercise their rights.

25. The Hotelier shall ensure that the following data subject rights are applied:

  1. the right to be informed whether personal data are being processed and, if so, to access the documents containing the data;
  2. the right to object to processing based on the legitimate interests of the Hotelier and/or the public interest; upon objection the Hotelier will cease the processing unless there are compelling legitimate grounds for it or the processing is necessary for the establishment, exercise or defence of legal claims;
  3. the right to portability where the processing is carried out by automated means on the basis of the subject's consent or a contract;
  4. the right to rectification where the data processed by the Hotelier are incorrect, outdated or inaccurate;
  5. the right to restriction of processing when objecting to the processing or contesting the accuracy of the data;
  6. the right to withdraw consent to the processing of personal data;
  7. the right to erasure (right to be "forgotten").

Data Protection Officer

26. The Data Protection Officer ensures compliance with the applicable data protection law by:

  1. performing the tasks provided for by the applicable law;
  2. preparing policies, procedures and other documents and templates that enable the Hotelier to demonstrate accountability for compliance with the applicable data protection law, and monitoring their implementation;
  3. reviewing and, if necessary, updating the registers kept by the Hotelier, including the registers of personal data processing activities.

27. The Data Protection Officer performs the tasks under Art. 39, para. 1 (a) and (b) of the GDPR:

  1. by giving opinions and recommendations on the implementation of this Policy and the applicable data protection law;
  2. by organizing training and/or facilitating the awareness of the Hotelier's employees regarding the fulfillment of their data protection duties following this Policy and in the policies, rules, and procedures approved for its implementation.

28. The Data Protection Officer performs the tasks under Art. 39, para. 1 (c) and (e) of the GDPR by preparing, or monitoring the preparation of, an impact assessment where one is required.

29. The Data Protection Officer performs the tasks under Art. 39, para. 1 (d) of the GDPR by reporting to the supervisory authority and providing it with information and clarification regarding compliance with the applicable data protection law.

30. The Data Protection Officer shall review the implementation of this Policy at least once a year.

31. The Data Protection Officer shall review the registers of personal data processing activities at least once a year.

Disclosure of data

32. The Hotelier does not disclose data to unauthorized persons.

33. Upon receipt of a request for data disclosure, the Hotelier shall immediately notify the data protection officer.

34. Requests must be accompanied by documents certifying the person's right to access the data.

35. Where the Hotelier discloses data to third parties in connection with applications for the exercise of the right to portability, the Hotelier discloses the data in the manner determined and approved in this Policy and in the policies, rules and procedures approved for its implementation.

36. In all cases under this section, the Hotelier shall not disclose personal data to persons outside the territory of the European Union, the European Economic Area, and the Swiss Confederation, unless:

  1. there is a European Commission decision finding an adequate level of data protection in the country concerned;
  2. in the absence of a decision under item 1, the Hotelier takes appropriate safeguards to compensate for the lack of an adequate level of data protection in the country concerned, in accordance with the applicable law.

Registers of data processing activities

37. The registers of processing activities include:

  1. business processes related to the processing of personal data;
  2. sources of personal data;
  3. the categories of data subjects;
  4. the categories of personal data processed;
  5. the purposes for which each category of personal data is used;
  6. recipients and potential recipients of personal data;
  7. the role of the organization in data processing (data controller or processor).

Impact assessment on data protection

38. Where an activity involving the processing of personal data, including one using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects, an impact assessment shall be carried out in accordance with this Policy and the policies, rules and procedures approved for its implementation.

39. In case of failure to perform the impact assessment, or failure to implement or incorrect application of the prescribed risk management measures, the Data Protection Officer shall object in writing to the Company's Manager against the respective activity.

40. The objection shall suspend the execution of the planned activity until it is considered by the Company Manager, who shall issue a written decision.

41. The retention periods are determined for each type of personal data, respectively for each category of data subjects, as follows (each row lists: subjects; term; start of the term; legal basis; type of documents):

  1. Hotelier employees; term: for the duration of the relevant contract and 5 years after that; start of the term: date of termination of the employment relationship with the employee; legal basis: performance of the employment or civil contract, legitimate interest of the employer; documents: all data and records from the employee's work file for which no statutory retention period applies.
  2. Job applicants; term: 6 months; start of the term: end date of the recruitment campaign; legal basis: legitimate interest; documents: all documents provided to the Company in connection with the recruitment campaign.
  3. Job applicants; term: 1 year; start of the term: 6 months after the end of the recruitment campaign, or upon receipt of the data from another controller; legal basis: consent of the data subjects; documents: all documents provided to the Company in connection with the recruitment campaign.
  4. Former employees / employees; term: 50 years; start of the term: January of the reporting period following the accounting period to which the documents relate; legal basis: not stated; documents: salary data, payroll data.
  5. Guests accommodated at the Hotelier's hotels; term: 5 years; start of the term: January of the reporting period following the accounting period to which the documents relate; legal basis: not stated; documents: accounting records and financial statements, including tax control documents, audits and ex-post financial inspections.
  6. Employees and representatives of suppliers, tour operators, agents, event organizers and other contractors; term: 5 years; start of the term: January of the reporting period following the accounting period to which the documents relate; legal basis: not stated; documents: accounting records and financial statements, including tax control documents, audits and ex-post financial inspections.
  7. Persons whose data have been obtained in connection with promotional campaigns, etc.; term: 1 year; start of the term: date of receipt of the data, end date of the promotional campaign, or date of the contract for hotel services; legal basis: not stated; documents: electronic registers of personal data, correspondence, documents related to the activities.
  8. Staff and guests of hotels, bars, restaurants, beaches and other sites for the provision of tourist and related services; term: 30 days; start of the term: date of the video recording; legal basis: legitimate interest; documents: CCTV recordings.
  9. Employees and representatives of contractors; term: 5 years; start of the term: the beginning of the year following the conclusion of a transaction or the termination of the relationship; legal basis: not stated; documents: all documents and information regarding the obligations arising from the LMIP.
  10. Persons who have filed applications, complaints and alerts with the CPDP; term: 2 years; start of the term: receipt of the document; legal basis: not stated; documents: requests from data subjects and any other requests, complaints and alerts.
  11. Data subjects who have submitted applications, and employees of the Hotelier; term: 2 years; start of the term: sending of the resolution on the data subject's request; legal basis: not stated; documents: the Data Protection Officer's resolution and related correspondence.
  12. All data subjects; term: 2 years; start of the term: date of the data security breach, or of the breach notification by the data processor; legal basis: not stated; documents: documents relating to personal data breaches; notifications.
  13. Employees and guests visiting the hotels' premises with vehicles; term: 30 days; start of the term: date of the site visit with the vehicle; legal basis: not stated; documents: vehicle registration number.

Final provisions

42. This Policy applies to the processing of personal data by the Hotelier in all his activities, as from the date of its approval by order of his manager.

43. For the implementation of this Policy the Hotelier introduces policies, rules and procedures; matters not settled by those policies, rules and procedures are governed by this Policy and the applicable law.

44. The manager of each Hotelier designates the data protection officer, who may be responsible for data protection at more than one of the Hotelier's sites.

45. (1) The data protection officer is appointed by the manager of each Hotelier and may be responsible for data protection at more than one hotel site.

(2) This policy is approved for implementation based on Art. 126, item 10 of the Labor Code by order of the manager of the Company. Failure to comply with this policy constitutes a violation of labor discipline within the meaning of Art. 37 of the Internal Labor Rules in connection with Art. 187, para. 1, item 3 and item 7 of the Labor Code.

(3) Failure to comply with this policy by the Company's external suppliers constitutes a material breach of the relevant contract with that provider.
