Privacy Policy
Information about us
“SUNNY HILLS – ELENA SPA” Ltd (hereinafter referred to as “the Hotel” and/or “the Administrator”) is a company registered in the Commercial Register and the Register of Non-Profit Legal Entities kept at the Registry Agency with UIC 204373874, with registered office and address of management: town of Elena, 17 Stara Planina Str., SPA Complex Elena. Tel: +359 878 911 211
The contact details of our Data Privacy Officer are:
- Data Privacy Officer: Kristina Koleva
- Tel: 0878 911 211
- Email: Elena_hotel@bg
The hotel as a data administrator collects and processes certain information about individuals.
This information may relate to employees, managers, customers and guests of the Hotel, suppliers, contractors, business contacts and other individuals with whom the Administrator has a relationship or wishes to establish business contact.
This privacy policy governs how personal data is collected, processed and stored to meet standards within the Administrator’s organisation and to comply with legal requirements.
This Personal Data Privacy Policy is issued pursuant to the Personal Data Privacy Act and its implementing regulations, as amended (“Bulgarian Legislation”), and the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
What is meant by “personal data” and “processing of personal data”?
“Personal data” is any information by which an individual may be identified, directly or indirectly, by one or more characteristics specific to the individual – such as: name, identification number/Personal ID number, contact details – location/postal address, telephone number, electronic address (email), online identifier/IP address, etc. These attributes may be part of an individual’s physical, physiological, genetic, psychological, mental, economic, cultural or social identity.
Our attitude to your personal data
The Hotel attaches great importance to personal data privacy and collects and processes personal data only in compliance with local and European legislation. The purpose of this “Personal Data Privacy Policy” is to inform you how we process your data and what personal data we would collect about you, for what purpose, for how long and, where applicable, what your rights are.
The security of the data you entrust to us is very important to us. Therefore, we protect your data by implementing all appropriate technical and organisational means that are adequate to the possible risks to the rights and freedoms of individuals, to prevent unauthorised access, unauthorised or malicious use, loss or premature deletion of information.
What information do we collect and why?
We may collect personal information about you when you use our Site or select our services. In most cases, we require your personal data for the purpose of entering into a contract, to comply with a legal obligation or to protect our legitimate interest. In certain cases, we process data based on your consent.
Depending on the services you use, we may collect and process the following information about you:
- Person’s name, uniform ID number (for the purposes of registration with the Hotel and invoicing, if requested), date of birth and gender;
- Contact details – contact address, telephone number and electronic address (email);
Principles that guide us and that we follow:
We strictly adhere to the basic principles established as mandatory in the processing of personal data:
Personal data are processed lawfully, fairly and transparently;
Personal data are collected for specified, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes;
The personal data are appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Personal data are accurate and kept up to date where necessary;
The personal data are kept in a form which permits identification of the individuals concerned for no longer than is necessary for the purposes for which the personal data are processed;
Personal data are processed in a manner that ensures an adequate level of security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical and organisational measures.
We process the personal data we collect most commonly for the following purposes:
In the conclusion and execution of a contract – for the registration of the guest at the Hotel, the preparation of accounting documents such as a bill or invoice for the services provided to you; for the purpose of notifications related to our services;
In the performance of a legal obligation – for the purpose of obligations under the Tourism Act, the Accounting Act and the Tax and Social Security Procedural Code and other related regulations, in relation to the keeping of proper and lawful accounts; in obligations to provide information to all government commissions and regulatory bodies, as well as a court of law; in the performance of obligations in relation to online bookings (distance selling) and off-site sales at our Hotel;
With your consent, for direct marketing of our products and services.
What are your rights:
When your personal data is collected and processed, you have the right to:
Information about the processing of your personal data and access to the personal data collected about you;
Correction/completion if the data is inaccurate/incomplete – on your initiative or on the initiative of the Hotel;
Erasure of personal data, if there are legal grounds for this;
Restriction of the processing of your personal data by the Hotel, if there are legal grounds for this;
Portability of personal data between administrators – this right allows you to obtain your data from the Hotel and transfer it to another controller in a usable format;
Objection to the processing of your personal data, where there are lawful grounds to do so;
The right to a judicial or administrative remedy if your rights have been violated.
You can protect your rights by writing to us by e-mail at reception@spacomplex.bg or by mail/courier at 17 “Stara Planina” Str., SPA Complex Elena.
Your personal data is stored with us according to the purpose for which it was collected and for the statutory periods.
When we may disclose your personal data:
We implement a range of measures to protect your personal data from loss, theft and misuse, as well as from unauthorised access, disclosure, alteration or destruction. The Hotel uses third parties to assist in certain contractual activities or in the performance of a legal obligation. We do not disclose your personal data to third parties until we are satisfied that all technical and organisational measures have been taken to protect that data and we endeavour to implement strict controls to fulfil this purpose.
Some of the recipients of personal data may be: courier companies, external consultants and specialists, collection companies and law firms, banks, security companies, sales agents and representatives, etc.
Your personal data may be disclosed in circumstances provided by law. For example, your personal data may be disclosed to third parties with your explicit consent or with the permission of the Personal Data Protection Commission. The provision of personal data in some cases is mandatory in order to comply with our legal requirements, such as: regulatory authorities, including state commissions, institutions and agencies, NRA, NSSI, courts, prosecutor’s office, and others to whom we are obliged to provide personal data under applicable law. Your personal data may, where necessary or appropriate, be provided for national security purposes or where issues of public importance arise.
Links to social media
Our website also contains links to Facebook and Instagram. In this case, the transfer of data to said social media operators only takes place when the corresponding button on the icon illustrating the link is clicked. If such a button is clicked, the page of the respective social network opens. There you can post information about our services according to the rules of the social media operator. You can also use our official contact profiles on the various social networks as well as other official public profiles of the company. These are our Facebook page https://www.facebook.com/Elena.hotel.complex/ and our Instagram page https://www.instagram.com/spacomplex_elena/. The personal data you send via private message will only be processed for the purpose of responding to your request. We are not responsible for the information and personal data that you share voluntarily on our official profiles without being explicitly requested by you.
Security
The Hotel takes measures to protect your personal data from accidental loss and unauthorized access, use, alteration or disclosure. Policies and procedures are in place designed to protect information from loss, misuse and unauthorized disclosure. In addition, we take additional information security measures, including access controls, strict physical security, and robust information collection, storage, and processing practices.
We also implement technical measures such as encryption, pseudonymization, and anonymization of collected personal data.
When do we delete your personal data?
We keep all the information we have collected about you and destroy it within the statutory time limits and, if there are none, within the time limits set by us after final settlement of all our financial relationships. We do not keep your data indefinitely.
Destruction
Accounting and business information, as well as all other information and documents relevant for taxation and compulsory social security contributions, are kept by the Hotel for the following periods:
- payrolls – 50 years;
- accounting records and financial statements – 10 years;
- documents for tax and social security control – 5 years after the expiry of the limitation period for repayment of the public debt to which they relate;
- all other media – 5 years, unless a shorter period is prescribed by law.
After the expiry of the retention period, media (paper or technical) which are not subject to transfer to the National Archives Fund may be destroyed.
After the end of the retention period, the data shall be destroyed as soon as possible by destroying the paper media by shredding, and the technical media by deleting and erasing the relevant files from the Company’s computers and systems.
Changes to this Privacy Policy
This procedure for the protection of personal information is subject to change over time. Such changes will be effective immediately upon their disclosure. Regularly reviewing this page will ensure that you are always aware of what information we collect, how and for what purposes the Hotel uses it, and in what circumstances (if any) we will share it with other parties.