POLICY
for
Processing Personal Data of Natural Persons by DIVA TOURS 12 LTD
/Hotel and Restaurant Vitoshko Lale (Vitosha Tulip) and Tavern Rodopchanka/ and the Measures Taken by the Company for Protection of These Data
This document was drawn up in compliance with the requirements of Regulation (EU) 2016/679Рћ of the European Parliament and of the Council of 27 April 2016, hereinafter referred to as GDPR or the Regulation, of the relevant provisions of the Personal Data Protection Act, of the subordinate legislation for its application as well as the Guidelines of the Commission for Personal Data Protection. Its objective is to describe the approach to the processing of your personal data in conformity with the law and their protection within the framework of the activity implemented by DIVA TOURS 12 LTD /hotel and restaurant Vitoshko Lale (Vitosha Tulip) and tavern Rodopchanka/.
The policy includes the following information:
1. DATA ABOUT THE DATA CONTROLLER AND COORDINATES FOR CONNECTION WITH HIM
2. WHAT PERSONAL DATA ARE PROCESSED BY THE COMPANY AND OBJECTIVES OF PROCESSING
3. GROUNDS FOR PROCESSING YOUR PERSONAL DATA
4. THIRD PERSONS WHOM THE DATA ARE PRESENTED TO /RECIPIENTS OF DATA/
5. TERM FOR STORAGE OF YOUR DATA
6. WHAT YOUR RIGHTS AS A DATA SUBJECT ARE
DATA ABOUT THE DATA CONTROLLER AND
COORDINATES FOR CONNECTION WITH HIM
DIVA TOURS 12 LTD /hotel and restaurant Vitoshko Lale and tavern Rodopchanka/, represented by its Manager, with headquarters and management address: 1618, city of Sofia, district of Krasno Selo, 1, Rodopski Izvor Street processes your data in its capacity of a Data Controller within the meaning of the Personal Data Protection Act and the General Data Protection Regulation.
You may contact us on issues concerning your personal data processed by us at the following telephone number: 02 437 38 02, 0882 46 46 44, as well as at correspondence address: 1415, city of Sofia, district of Dragalevtsi, 1, Tsar Ivan Aleksandar Square or electronic address: info@hotel-vitoshatulip.com, Internet site: https://www.hotel-vitoshatulip.com/.
WHAT PERSONAL DATA ARE PROCESSED BY THE COMPANY
AND PURPOSES OF PROCESSING
The personal data processed by the Company aim at cooperating the implementation of the activity implemented by us and in particular:
В· To maintain labor legal relationships with its employees with observation of the relevant legislation;
· To maintain contractual relationships with natural persons – customers/principals and/or natural persons at and on the occasion of the implementation of the main and/or the associated activities of the Company with observation of the relevant legislation;
В· To maintain partnership relationships with third persons for implementation of the main and/or any of the activities associated with it, inclusive of, but not limited to: tax administration, the Registry Agency, the Occupational Medicine Service, the General Labor Inspectorate, the Bulgarian Food Safety Agency, the Ministry of Interior, banks, insurance companies and insurance brokers, Notaries Public and so on in satisfaction of the requirements of the legislation;
В· To establish and maintain bona fide commercial relationships with our customers and to provide servicing of quality following the principle of continuous improvement;
To protect our sites through a video monitoring system;
To satisfy the legal requirements relevant for our activity.
For the attainment of the objectives enumerated hereinabove, DIVA TOURS 12 LTD processes the following categories and specific kinds of data:
PERSONAL DATA MINIMALLY NEEDED FOR COMMENCEMENT OF LABOR LEGAL RELATIONSHIPS WITH EMPLOYEES:
– Names – for Employment /Service/ Contracts, for Powers of Attorney and so on;
– Address – for correspondence for the needs of a specific contract; electronic mail;
– Telephone numbers – personal/office, at which the subject agreed to receive calls;
– PIN (Personal Identification Number) / PFN (Personal Foreigner’s Number);
– Employment record card, certificates from a previous Employer – for information about the length of service, for the used annual leave and for the taxable income for the year of commencement;
– Diplomas, certificates relevant for the position;
– Criminal Record Certificate when required;
– Personal bank accounts – for payment of remunerations;
– Curriculum Vitae (CV) – at applying for and/or commencement of work.
The data shall be stored in Register “Personnel”.
PERSONAL DATA MINIMALLY NEEDED FOR PROVISION OF A SERVICE / COMMENCEMENT OF CONTRACTUAL RELATIONSHIPS WITH CUSTOMERS OF THE HOTEL AND THE RESTAURANT:
– Three names;
– PIN/ PFN, number of an identity document, date and place of birth, date and authority of issuance, citizenship;
– Gender;
– Address, electronic mail;
– Telephone numbers – personal/office, at which the natural person agreed to receive calls;
– In connection with the provision of services for hotel accommodation – information about the stay of the guests, including a date of arrival and departure, made special requests, observations for your preferences for services (inclusive of preferences for a room, conveniences and other services used);
– In connection with the provision of restaurant services – information related to preferences (with explicit declaring by the user): preferences for foods and drinks; preferred manner of payment; requirements related to food products, drinks and other substances, with which there is an obstacle for the guest to establish a contact / get in touch (regardless of the reason).
In some events the personal data processed by DIVA TOURS 12 LTD are not collected or received directly from the data subject they refer to but from third persons such as:
1. Organizers of an event – with regard to information about the participants in the event;
2. Trade partners (for instance reservation sites as: Booking com; tourist agents, other persons who provide agency services at making reservations or at declaring other services and others of the kind) of DIVA TOURS 12 LTD / hotel and restaurant Vitoshko Lale and tavern Rodopchanka/.
DATA RELATED TO PAYMENT:
If you have declared your desire to pay for the services used through a bank transfer or by a credit/debit card, you will be requested to provide the following data:
– at payment through a bank transfer: your names, PIN/PFN, address per registration, for natural persons, or title of a Company, address per registration, UIC (Unified Identification Code), IN (Identification Number) under the Value Added Tax Act, name of a property responsible person for legal persons.
– at payment / rРµ-authorization by a credit/debit card: kind and number of the card, date of validity, CVV code (the last three digits on the back of the card), name of the card holder.
Solely the receptionists, the Manager of the hotel and the employees in the Accountancy Department shall have access to these data.
If you paid through a bank transfer and you were issued an invoice, your data were entered into specialized software, and solely the receptionists and the Manager of the hotel have access to it, and each of them shall enter the system with his individual, personal and unique user name and password. The software shall keep your data only up to the expiration of the legally established term after which they shall be erased.
At payment by a credit/debit card we do not retain and do not take data about your card at payment, it is effected through a POS device provided by the Bank. After effecting the payment, the note from the POS device, which contains the kind of the card, the name of the card holder and the last 4 digits of the number are presented in the Accountancy Department and destroyed after the expiration of the legally established term of 5 years.
When the source of the data from your credit card are electronic mail or reservation sites and platforms as booking.com, HRS and so on, we do not print out and do not take your data from your card in any manner whatsoever. The authorization is made at the time of opening the data, the e-mails are erased and the platforms themselves took care of the destruction of this information within a term fixed or a number of shows. Vitoshko Lale Hotel does not bear responsibility for the manner of storage and protection of your data in these sites.
The data are stored in registers “Customers of the Hotel” and “Customers of the Restaurant”.
PERSONAL DATA MINIMALLY NEEDED FOR COMMENCEMENT OF CONTRACTUAL RELATIONSHIPS WITH SUPPLIERS OF THE HOTEL AND THE RESTAURANT:
– Names of the natural person / the representative of the Company
– Address, telephone numbers, electronic mail.
The data are stored in Register “Suppliers and Partners”.
SENSITIVE PERSONAL DATA:
In satisfaction of the requirements of the national legislation DIVA TOURS 12 LTD processes the following sensitive data about the health status of its employees:
– Card for a preliminary medical examination /medical certificate/ – for information at commencement of work;
– A medical certificate – in event of temporary disability due to illness;
– Decisions of the Labor Expert Medical Commission / the National Expert Medical Commission;
– A copy of a health record book.
The data are stored in Register “Health Status”.
VIDEO MONITORING:
In compliance with the requirements of the applicable legislation DIVA TOURS 12 LTD /hotel and restaurant Vitoshko Lale and tavern Rodopchanka/ applies measures for security which include the following technical and organizational means for the exercise of control over the access and for provision of physical security against encroachments over the buildings and the sites and for protection of the life and the health of the citizens: alarm systems for security and a video control system exercising a 24-hour video monitoring and consisting of recording and memorizing devices.
Video monitoring and video recording are made in the common premises of the hotel, the lobby-bar, the tavern, the garden as well as at the entrance-exit points of the Vitoshko Lale hotel and restaurant. No video monitoring is exercised in the rooms for guests, the sanitary-hygienic premises, rooms for recreation and others of the kind. The data from the activities for video monitoring are stored on a server with limited access. Only the owner and the Manager of the Hotel have access to the frames made.
Through information signboards placed in an eminent place, the data subjects and the other visitors who may be photographed, are notified about the use of technical means for monitoring and control and about any other relevant information in connection with the monitoring exercised.
The data are stored in Register “Video Monitoring”.
USE OF “COOKIES”
The use of “cookies” is necessary for the functioning of our web site. Cookies are small text files which the web site may record on your computer or mobile device when you visit a page or a site. The cookie will help the site or other sites to recognize your device the next time you visit it. Cookies perform a multitude of various functions. For instance, they help us to remember your user name or preferences, to analyze how well our sites are presented or they even let us recommend you contents which we consider will be of interest to you. Some cookies contain personal information – for instance, if you clicked over “Remember Me” when you entered your profile, the cookie will remember your user name. Most cookies do not collect information which may identify you and they rather collect general information about the manner in which the users get to our site and use it or what their location is. All the modern browsers let you change the settings for cookies. You may usually find these settings in menu “options” or “preferences” of your browser. You should have in mind that if you choose “refusal”, you may not obtain access to some sections of our web site.
The cookies we use are anonymous and do not contain personal data.
GROUNDS FOR PROCESSING YOUR PERSONAL DATA
DIVA TOURS 12 LTD /hotel and restaurant Vitoshko Lale and tavern Rodopchanka/ processes the personal data indicated hereinabove in conformity with the law, fully or as separate kinds, on the grounds anticipated in Art. 6 of the Regulation and they are most frequently processed on the following grounds:
Legal obligation
In the events when a number of statutory obligations anticipated in various legislative acts are applied with regard to the Company /both at a national level and in conformity with the legislation of the EU/, with a view to their fulfillment we process your personal data for the observation of the relevant obligation which is applied with regard to us. For instance: supply of information and reports to the National Revenue Agency and other state authorities in accordance with the applicable national legislation, keeping a register for the accommodated customers and supply of information from it to the competent authorities in accordance with the legally established procedure, address registration of foreigners, in compliance with the requirements of the applicable legislation and others of the kind. В
If you do not present your personal data, we will not enter into any legal relationship with you.
Contractual grounds
We process your personal data when this is needed for undertaking steps for conclusion of a Contract with you/the person represented by you or for the execution of an already concluded contract.
If you do not present your personal data, we will not enter into any legal relationship with you.
Legitimate interest
In view of the exercise and protection of the legal rights and interests of DIVA TOURS 12 LTD /hotel and restaurant Vitoshko Lale and tavern Rodopchanka/, cooperation at the exercise and protection of the legal rights and interests of customers, employees as well as of other persons related to DIVA TOURS 12 LTD, video monitoring and control over the access are exercised on the territory of the hotel aimed at protection of the property, proving the satisfaction of the applicable requirements, provision of physical security against encroachments over the buildings and the sites and protection of the life and the health of the citizens.
If you do not present your personal data, we will not enter into any legal relationship with you.
Consent
In other events, the Company processes your personal data solely on the grounds and after having obtained your explicit consent for the purpose.В
THIRD PERSONS WHOM THE DATA ARE PRESENTED TO
/RECIPIENTS OF DATA/
With regard to the data which are stored in Register “Personnel”
The data from the Register are not presented to third persons, with the exception of the hand-over of references and lists in the National Social Security Institute, the National Revenue Agency and the Labor Inspectorate in compliance with the requirements of the relevant legislative acts as well as the Occupational Medicine Service /OMS/ and an insurance company.
· With regard to the data which are stored in Register “Health Status”
The data from the Register are not presented to third persons, with the exception of a reference in the National Social Security Institute, the Bulgarian Food Safety Agency /BFSA/, the Regional Health Inspectorate and the Occupational Medicine Service /OMS/ in compliance with the requirements of the relevant legislative acts. The data are also presented to the insurance company which services the Company.
· With regard to the data which are stored in Registers “Customers of the Hotel”, “Customers of the Restaurant” and “Suppliers and Partners”
The data from the Register are not presented to third persons, with the exception of competent authorities, when this is required by the law.
With regard to the data related to payment: in individual events when the matter is about remote payment, the authorization note is sent to the bank servicing us, with the request that the Bank should make remittance of the retained amount into our account, and the grounds for the request are also sent simultaneously with the
note. After the processing of the authorization, the authorization note is destroyed by the Manager /on a monthly basis/.
· With regard to the data which are stored in Register “Video Monitoring”
The data from the Register are not presented to third persons, with the exception of competent authorities, when this is required by the law.
TERM FOR STORAGE OF YOUR DATA
DIVA TOURS 12 LTD /hotel and restaurant Vitoshko Lale and tavern Rodopchanka/ stores your personal data for the following terms:
Register “Personnel”
All the files of the personnel in hard copy and a technical carrier are stored for a term of 50 /fifty/ years from the termination of the Employment Contract with the Company.
All the documents proving length of service are stored for 50 /fifty/ years in conformity with Art. 12, Para. 1 of the Accountancy Act;
Register “Health Status”
The medical certificates presented by the data subjects are stored for 10 years, counted from 1 January of the year following the year of issuance of the medical certificate.
Decisions of the Labor Expert Medical Commission / the National Expert Medical Commission – they are stored in files of the personnel in hard copy and a technical carrier for a term of 50 /fifty/ years.
Card for a preliminary medical examination – they are stored in files of the personnel in hard copy and a technical carrier for a term of 50 /fifty/ years.
Health record book – a copy of it is stored for the period, during which the person works in the Company.
Registers “Customers of the Hotel” and “Suppliers and Partners”
The data in the Register are stored for a term of 5 /five/ years, counted from 1 January of the year following the year of provision of the service / termination of the Contract.
Register “Customers of the Restaurant”
The data in the Register are stored for a term of 2 years, counted from 1 January of the year following the year of termination of the Contract / provision of the service. At issuance of an invoice, the data are stored for a term of 5 years.
Register “Video Monitoring”
The data are stored for a term of up to 30 /thirty/ days counted from the date of the video recording, after which, if there is no reason for their being taken down, they are self-destroyed.
WHAT YOUR RIGHTS AS A DATA SUBJECT ARE
You have the following rights with regard to your personal data processed by DIVA TOURS 12 LTD:
В· Right to information;
В· Right to access to your personal data;
В· Right to rectification;
В· Right to erasure;
В· Right to restriction of the processing;
В· Right to data portability;
· Right to objection to processing one’s personal data.
You may exercise the rights indicated hereinabove through submission of a request in a free form to the electronic address of DIVA TOURS 12 LTD: info@hotel-vitoshatulip.com. We will answer each your request without needless delay within a 14-day term from its receipt.
You have also the right to submit a complaint to the Commission for Personal Data Protection in its capacity of a national supervisory authority when you consider that there is violation in connection with the processing of your personal data by the Company.
23.05.2018 City of Sofia
Manager: /Zahari Haytov/