Below you can find brief information about:
- Competent supervisory authority,
- Legal basis for processing personal data,
- Purposes for which we use personal data,
- Principles for processing personal data,
- What personal data we collect,
- Period for storage of personal data,
- Access to and transfer of personal data, and
- Rights and guarantees, which GDPR provides to data subjects.
II. DETAILS OF PROVIDER
1. Name: KATALINA RESORT LTD, UIC 205728189
2. Registered office and address of management: 4580 Batak, hotel Katalina
3. Tel.: 03542 3366, e-mail: email@example.com
4. Registration in public registers: Commercial Register at the Registry Agency at the Ministry of Justice of the Republic of Bulgaria.
III. DETAILS OF COMPETENT SUPERVISORY AUTHORITY
1. Name: Commission for Personal Data Protection of the Republic of Bulgaria
2. Address: 1592 Sofia, Blvd., 2 Prof. Tsvetan Lazarov Blvd.
3. Telephone: 02 915 3 518
4. E-mail address: firstname.lastname@example.org
5. Website: https://www.cpdp.bg/
IV. GROUNDS FOR THE COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA
We process (including but not limited to: collect and store) your personal data only in connection with our activities and in accordance with the requirements of applicable law, including the Personal Data Protection Act of the Republic of Bulgaria and the General Data Protection Regulation.
We process your personal data on at least one of the following grounds:
- User’s consent to the processing of personal data;
- The processing of personal data is necessary for the fulfillment of contractual obligations of the Provider to the User;
- The processing of personal data is necessary to take steps at the request of the User before concluding a contract;
- The processing of personal data is necessary to comply with the legal obligations of the Provider;
- The processing of personal data is necessary for the purposes of the legitimate interests of the Provider to carry out its activities.
V. PURPOSES FOR THE COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA
We collect, process and store personal data of Users in connection with the implementation of our services and communication in connection with the use of the Website, as well as for the following purposes:
- Communication and identification in the performance of a service contract and a sales contract (including in the performance of a relevant contract);
- Communication, identification, processing and execution of inquiries, orders, requests, reservations, purchases of goods or services (including preparation for the conclusion of a contract, acceptance of orders, dispatch of goods, resolution of issues related to cancellation of orders, reservations, returns of purchased goods, refunds, etc);
- Fulfillment of tax and other legal obligations;
- Accounting purposes in connection with the use of our services;
- Protection of our legitimate interests in connection with the fulfillment of our obligations to state and municipal authorities (for example: National Revenue Agency, Ministry of Interior);
- Protection of our legitimate interests in relation to the storage of information in order to protect against legal or tax claims and to improve the performance of the Website;
- Protection of information security of the Website;
- Statistical information on the use of the Website;
- Providing advertising content in accordance with the interests of the User;
If a data subject refuses to provide us with some or all of the personal data necessary for the relevant purpose mentioned above, we may not be able to provide the relevant service (eg. to perform a contract with the relevant User) or to comply with the relevant legal requirements (for example, to enable the data subject to exercise their rights under the GDPR).
VI. PRINCIPLES OF COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA
We adhere to the following principles when collecting, processing and storing your personal data:
- legitimacy, good faith and transparency;
- limiting the purposes of processing;
- limiting the retention period in order to achieve the purposes for which the data are processed;
- minimizing the data being processed;
- accuracy and timeliness of data;
- integrity and confidentiality in the processing of data and ensuring an appropriate level of security of personal data.
VII. PERSONAL DATA
We collect the following categories of personal data of Users for the following purposes and on the following grounds:
- Your personal data (name and surname, telephone number and e-mail address), as well as other data that you provide to us voluntarily, for the purpose of processing your inquiries, providing service proposals and providing services by us, at a wish expressed by you, including communication with you in this regard, and on the basis of taking steps at your request for the possible conclusion of a contract, performance of a contract to which you are a party or consent to processing provided by you;
- Your personal data (name and surname, telephone number and e-mail address) and information related to payment and selected payment methods for the purpose of issuing and sending accounting / tax documents (invoices) in connection with the services you use, including communication with you in this regard, and on the basis of taking steps at your request for the possible conclusion of a contract, performance of a contract to which you are a party or performance of our legal obligation;
- Your personal data (name and surname, telephone number and e-mail address) and information related to refunds paid for orders, reservations, purchased goods or services, in case of cancellation of orders, reservations, return of products, and on the basis of performance of a contract to which you are a party and / or compliance with legal obligations;
- Your IP address, browser settings and preferred language, pages visited, and actions taken to send Push notifications, if you wish to receive them;
- Your IP address, pages visited, for information security purposes;
- Other data that may be required in certain cases or related to the provision of services to Users by us, including necessary for the performance of contractual obligations (eg date of birth, signature, Personal ID Number) or other data that Users decide to voluntarily share with us, and on the basis of performance of a contract to which you are a party, consent to processing provided by you or compliance with our legal obligation.
We do not process or collect from Users special categories of personal data (for example: data revealing racial or ethnic origin, political views, genetic or biometric data, as well as data on the sexual life and sexual orientation of the data subject).
We do not make decisions based solely on automatic data processing, including profiling.
We usually receive personal data directly from the data subject. However, it is possible to obtain personal data from other persons such as: other employees, in the company where the personal data subject works, as well as from publicly available sources such as the Commercial Register and the Register of Non-Profit Legal Entities at the Agency for the entries to the Ministry of Justice of the Republic of Bulgaria.
VIII. PERSONAL DATA RETAINING PERIOD
We retain the personal data of the Users for a period not longer than necessary for the fulfillment of the respective purpose of processing or of the legally established period, where applicable. For example:
- personal data provided by you when filling in the contact form will be retained until the request is fulfilled or the question in connection with which you have contacted us is satisfied, as well as for a maximum of one year thereafter for statistics and marketing analysis;
- personal data of our clients processed in connection with contracts concluded between us and the respective User, will be retained for a period not exceeding ten years, as of January 1 of the year following the year in which the contract is reported for tax purposes;
- personal data of our clients processed in connection with the issuance of tax documents (invoices) will be retained for a period not exceeding ten years, starting from January 1 of the year following the year in which the document is reported for tax purposes;
- personal data of our partners/suppliers processed in connection with contracts concluded between us and the respective partner/supplier will be retained for a period not exceeding ten years, starting from January 1 of the year following this year in which the contract is reported for tax purposes;
- the personal data of participants in recruitment and selection procedures will be retained for a period not exceeding six months from the date of final completion of the recruitment/selection procedure in which the data subject concerned participates, respectively after the expiry of the time limit for appealing the procedure in question, unless the data subject in question has consented to the storage of his/her personal data for a longer period, in which case the data subject is entitled at any time and without giving any reasons to withdraw their consent.
The period of retaining depends, inter alia, on the duration of the legal relationship that has arisen between us and the respective User, as well as on the purposes for which personal data are processed. Where there is an indication of potential legal claim(s) or liability, these time limits will be extended accordingly. When the processing is based on the User’s consent (for example: in the case of personal data provided by third parties for direct marketing), we store this personal data as long as we have valid consent for their processing.
After the expiration of the above deadlines, we take the necessary care to erase and/or destroy your relevant personal data without undue delay.
IX. ACCESS TO PERSONAL DATA AND TRANSFER OF PERSONAL DATA TO THIRD PARTIES
In principle, the personal data of the Users we process are available to our employees, representatives and partners who need them to fulfill legal obligations and/or to fulfill contractual obligations (for example: providing a service under a contract with a User ). In this regard, it is possible, at our discretion and in compliance with the requirements of the GDPR, to transfer all or part of your personal data to third parties such as accountants, professional consultants, including lawyers (for the purposes of financial and accounting and administrative services ), cloud platforms for data processing/storage (for the purposes of organizational services, for example: storage and processing of contracts with users of cloud platforms for greater security), companies providing postal services (for purposes of organizational service of our activity, for example: sending contracts on paper to the Users), IT service providers, system administration, marketing services (for the purpose of providing more reliable and quality work of the Website and more secure data processing), third-party storage service providers (ie hosting co companies) (for the purpose of fulfilling contracts with Users).
Based on applicable law or at the request of public authorities, all or part of your personal data may also be made available to public authorities.
We do not intend to transfer your personal data to countries outside the European Economic Community or to international organizations.
X. RIGHTS OF DATA SUBJECTS
At all times while we process your personal data and subject to the restrictions set out in applicable law, you, the data subject, have the following rights:
- Right of access – you have the right to request information about whether we process your personal data, as well as to access and copy your personal data; in the event that you request more than one copy of such personal data of yours, you may be required to pay a fee for each additional copy;
- Right of rectification – Right to Correct / Correct – You have the right to request that your personal information be rectified if you believe it is inaccurate or incomplete. We will make such rectifications/ corrections without undue delay;
- Right to be deleted/ forgotten – in certain circumstances (for example: the relevant personal data is no longer needed for the purposes for which it was collected; you have withdrawn your consent to the processing of certain personal data of yours for which there is no other legal basis for processing) you can request that your personal data that we process be deleted from our registers/ our database without undue delay. In certain cases, we may refuse to delete such personal data of yours (for example: the processing of personal data is necessary to comply with a certain legal obligation or to establish, exercise or protect legal claims);
- Right to limit processing – when certain conditions are met (for example: the processing of certain personal data is illegal, but you do not want this data to be deleted), you have the right to request a restriction on the way your personal data is processed;
- Right of portability – when your personal data is provided to us by you and processed automatically, you have the right to request that your personal data be transferred to you in a structured, widely used and adapted to machine readable format manner, and to be transferred to another controller of personal data, if technically feasible;
- Right to object – you have the right, at any time, to object to the processing of your personal data for certain purposes, in which case we will stop using your personal data for the specific purpose, unless we have preferential legitimate grounds for this (for example: you have the right, at any time, to object to the processing of your personal data for direct marketing purposes, in which case we will stop processing your personal data for these purposes without undue delay);
- Right to object to automated processing, including profiling – you have the right not to be the subject of a decision based solely on automated processing of your personal data, including profiling, and you also have all rights which arise for you in the event that you are subject to the legal consequences of such processing;
- Right to withdraw your consent to processing – in the event that we process your personal data on the basis of consent, at any time, you have the right to withdraw your consent. Withdrawal will not affect the lawfulness of processing based on consent prior to its withdrawal.
In the event that, at the request of a User, we delete his/her personal data from our database, we will only store the information that may be necessary to protect our legitimate interests or for public authorities.
You have the right to request that we inform you of all recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed. We may refuse to provide this information if this would be impossible or would require a disproportionate effort.
In the event that we are required to transfer personal data to another controller, to rectify or delete personal data, to restrict or terminate the processing of personal data, to provide information about the recipients to whom the personal data has been provided, for which rectification, erasure or restriction of processing has been requested, or to provide access to personal data, and in case of concerns about the identity of the requested User, we may first request additional information to verify the identity of the data subject in question.
In the event that there is a third party in the processing of your personal data to whom all or part of your personal data has been transferred (as set out in Part IX above), all the above requests will be forwarded to this third party.
The exercise of the above rights is free of charge for the Users, except when the requests made are clearly unfounded or excessive. In such a case, we may either impose a reasonable fee on the execution of the request or refuse to take action on the request.
Users can exercise the above rights by contacting us by email at: email@example.com
XI. FILING COMPLAINT TO SUPERVISORY AUTHORITY