Translation from Bulgarian

Privacy Statement of Grand Hotel Pomorie

Grand Hotel Pomorie strives to offer exceptional products, services and experiences. We highly appreciate our business activity, but above all we appreciate your loyalty. We realize that privacy is important to you, and we have prepared this statement to clarify our practices with regard to personal data we collect from or about you on this website, through oral or written communication with us, during your visits to Grand Hotel Pomorie, or from other sources such as tour operators.

This Statement describes the practices adopted at Grand Hotel Pomorie, which are in full compliance with the requirements of the Data Protection Regulation (EU) 679/2016.

What kind of personal data do we collect?

Each event in which our guests participate, or the preparation of such an event, may require collecting personal data such as names, phone numbers, emails, addresses, etc. This data is always collected for the specific purpose only and represents the smallest set of data needed to achieve that purpose.

Lotteries and marketing surveys of our guests' and clients' reviews of the quality of our products and services are among such events, and are designed to offer only the most suitable products and services for you.

Personal data collected upon guest registration is statutory and regulated. Upon registration at the hotel you will be able to see the information on data protection provided by the receptionists.

Additional information collected at the hotel

  1. Social media. If you are a social media user, you will be aware that we encourage you to share information about your stay with your contacts through text and/or photo material, as well as to participate in photo contests, for example with photos taken during your stay with us. If other people are present in a photo, their consent is required.
  2. Collection of information at the facilities of Grand Hotel Pomorie. The Tourism Act binds us to collect the minimum personal data required by this Act upon guest registration at the hotel. For security reasons, we may make video records of guests and visitors within the public areas of the complex under the terms and conditions stipulated in the Private Security Act.
  3. Car Rental Application requires additional statutory personal data related to this activity such as driving license number and other data related to the rent and the insurance services offered.
  4. Event Arrangement. Technical details of events arranged by you may include data such as date and time, number of guests, information regarding guest rooms and the minimal personal data required for them. Corporate events may require business data and additional information in this regard. When you visit us as part of a group, we will have at our disposal the personal data provided by the group so that you can receive our offers to visit the events arranged by the group, depending on your individual preferences. If you are an event organizer, you may agree to share your event data with third parties, that is, service providers which can provide you with their event services.
  5. Business partnership or career opportunities. Do not hesitate to contact us with more information that would allow us to evaluate your skills for a good partnership or career development with us. In these cases, we may need to compare the information provided with publicly available information.

Personal data received from third parties

It is common practice for third parties to be involved in your relationship with us, such as the tour operator through which you have booked and paid for your stay and extra services, or event organizers. They have contracts with us for the processing of personal data as joint controllers, or as a controller and a processor of personal data, so that the protection of your data is also in accordance with Regulation (EU) 679/2016 as a legal commitment of both parties to you.

Sharing personal data

While we strive to offer the best experience and products and services of the highest quality at Grand Hotel Pomorie, we may need to share information, for overlapping purposes or with your consent, with service providers and our trading partners, with which we have arrangements that are in all cases in accordance with the Data Protection Regulation (EU) 679/2016. For example, when planning a group event or meeting, the information collected may be shared with the organizers and/or our trading partners whose products or services would improve your experience in our complex.

Sharing information with our spa complex, restaurant services or in other cases, such as with the concierge or external service providers, also takes place only for overlapping purposes or with your consent, and is in accordance with the principles of Regulation (EU) 679/2016.

Sharing information in all other cases is legally regulated by the relevant officials, such as under the requirements of the Tourism Act.

Data on health status or medical information

We don’t keep the therapy files and other medical documents. They are in your possession and control only. Therapists will only be informed about the type and duration of the treatment from these documents and will immediately return them. Grand Hotel Pomorie never has any access to these documents beyond the limits of the current therapy session or examination.

Grand Hotel Pomorie does not provide any personal data outside the country.

Protection of Personal Data

Definitions

According to Article 4 of Regulation 679/2016:

(1) “personal data” means any information related to identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more signs specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;

(2) “processing” means any operation or sum of operations executed with personal data or set of personal data through automatic or other means such as collecting, recording, arranging, structuring, keeping, adapting or modifying, extracting, advising, using, disclosing through submitting, distributing or other means by which data becomes available, fixing or combining, limiting, deleting or destroying;

(3) “restriction of processing” means the marking of personal data kept in order to restrict the respective processing in the future;

(4) “profiling” means any form of automated processing of personal data involving the use of personal data for the evaluation of particular individual aspects regarding the natural person and in particular for analysing or forecasting of aspects related to the performance of the occupational duties of this natural person, his/her economic and health status, personal preferences, interests, reliability, behaviour, location or movement;

(5) “pseudonymization” means the processing of personal data in such a way that the personal data can no longer be linked to a particular data subject without using additional information, provided that this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not connected to an identified or identifiable natural person;

(6) “filing system” means any structured set of personal data accessed in accordance with specific criteria, whether centralized, decentralized or distributed according to a functional or geographic basis;

(7) “controller” means a natural person or legal entity, public authority, agency or other entity which separately or jointly with other ones defines the purposes and means of processing of personal data; where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its determination may be laid down in Union law or the law of a Member State;

(8) “data processor” means a natural person or legal entity, public authority, agency or other entity processing personal data on behalf of the controller;

(9) “recipient” means a natural person or legal entity, public authority, agency or other entity to which personal data is disclosed, whether or not a third party. At the same time, public authorities which may receive personal data in a specific investigation in accordance with Union law or the law of a Member State are not considered “recipients”; processing of such data by the said public authorities complies with the applicable data protection rules according to the purposes of the processing;

(10) “third party” means a natural person or legal entity, public authority, agency or other authority other than the data subject, controller, data processor and the entities that are entitled to process personal data under the direct supervision of the controller or data processor;

(11) “data subject’s consent” means any free, specific, informed and unambiguous indication of the data subject’s will by means of a statement or a clear and confirmatory act expressing consent of his/her personal data to be processed;

(12) “personal data breach” means a breach of security resulting in the accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to personal data which is otherwise submitted, kept or processed;

(13) “genetic data” means personal data related to inherited or acquired genetic traits of a natural person giving exceptional information on the characteristics or health of that natural person and acquired, in particular, from a biological assay of the natural person concerned;

(14) “biometric data” means personal data acquired as a result of a specific technical processing which are related to the physical, physiological or behavioural characteristics of a natural person and which allow or confirm the exceptional identification of that natural person, such as facial images or dactyloscopic data;

(15) “health status” means personal data related to the physical or mental health of a natural person, including the provision of health services which give information on his/her health status;

Principles

According to Article 5 of Regulation 679/2016, the principles are met when:

Paragraph 1.

Personal data is:

(a) processed lawfully, in good faith and in a transparent way with regard to the data subject (“lawfulness, good faith and transparency”);

(b) collected for specific, explicit and legitimate purposes and is not further processed in a way incompatible with these purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes is not considered to be incompatible with the original purposes (“purpose limitation”) in accordance with Article 89 (1);

(c) relevant, related and limited to what is needed in relation to the purposes which they are being processed for (“data minimization”);

(d) accurate and, if needed, up-to-date; all reasonable measures should be taken to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes which they are processed for (“accuracy”);

(e) kept in form allowing the data subject to be identified for a period no longer than is needed for the purposes which the personal data is processed for; personal data may be kept for longer periods as far as they are processed only for archiving purposes in the public interest, scientific or historical research or statistical purposes in accordance with Article 89 (1), on the understanding that relevant technical and organizational measures are properly applied and stipulated in this Regulation in order to guarantee the rights and freedoms of the data subject (“restriction on keeping”);

(f) processed in a way that provides an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying proper technical or organizational measures (“integrity and confidentiality”).

Paragraph 2.

The controller is responsible and may demonstrate the compliance with paragraph 1 (“accountability”).

Rights of the subjects

  1. Data subjects shall have the following rights in respect of the data processing and the data recorded for them:

Request confirmation of whether their personal data is being processed and, if so, receive access to the data and information on who the recipients of that data are;

Request a copy of their personal data from the CONTROLLER;

Require the CONTROLLER to correct personal data when it is inaccurate and out-of-date;

Require the CONTROLLER to delete personal data collected on the basis of consent (right to be forgotten);

Require the ADMINISTRATOR to restrict the processing of personal data where this is reasonably motivated; in this case the data will only be kept but not processed;

Make a reasonable objection to the processing of relevant personal data;

Send a complaint to the Supervisory Authority (Personal Data Protection Commission) if they believe that any of the provisions of Regulation (EU) 679/2016 has been violated;

Request personal data to be provided in a structured, widely used and machine readable format when the way and formats are regulated in our internal legal basis;

Withdraw the consent to the processing of personal data at any time by a separate request sent to the controller upon processing personal data on the basis of consent;

Not to be a subject of automated decisions affecting them to a significant extent without the possibility of human intervention;

Oppose automated profiling done without relevant consent.

  2. THE CONTROLLER provides conditions to ensure that these rights can be exercised by the data subject:

Data subjects may request access to data, and the Controller ensures that the response to the data subject’s request meets the requirements of the General Regulation.

Data subjects are enabled to submit complaints to the Controller related to the processing of their personal data.

Responsibility

According to Article 24 of Regulation 679/2016

Responsibility of the Controller of Grand Hotel Pomorie

Paragraph 1.

Taking into account the nature, scope, context and purposes of the processing as well as the risks of different probability and burden on the rights and freedoms of natural persons, the controller shall put in place proper technical and organizational measures to ensure and be able to demonstrate that the processing is performed in accordance with this Regulation. These measures shall be reviewed and updated if needed.

Paragraph 2.

The measures referred to in paragraph 1 shall include the use of proper data protection policies by the controller where this is proportionate to the processing activities.

Paragraph 3.

Adherence to approved codes of conduct or approved certification mechanisms may be used as evidence to demonstrate that the controller’s obligations have been observed.

This paragraph shall be applied by Grand Hotel Pomorie as soon as sectoral policies and/or certification in the hotel and restaurant industry are approved!

Joint processing

Grand Hotel Pomorie always concludes data processing contracts/agreements in accordance with Regulation 679/2016 in order to provide our guests with maximum security and comfort when working with tour operators and/or other partners with regard to the service and provision of their information and/or services.

Contact details

Grand Hotel Pomorie (POMORIE TURINVEST EAD)

reservation@grandhotelpomorie.com

+359885882010

office@gdprconsulting-bg.com

+359888206819