Forum Holiday Ltd BG 102871996 with registered seat and management address: Burgas 8000, “Tsar Simeon I” 59 Str. hereinafter referred to as the HOTEL, operates as data controller and processes personal data in accordance with the Personal Data Protection Act and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation, hereinafter referred to as GDPR. The present Personal Data Protection Policy will be applied by the HOTEL and can be found on its official website.
The HOTEL, in its capacity of data controller and as a professional with longstanding experience in the field of tourism, respects the privacy of users. The present Data Protection Policy aims to inform you of the process of collecting, processing, storing, using and transfer of personal data. Please take the time to read and familiarize yourself with its content. If you have any questions, you can raise them through the Contact Form available on the website.
Within the meaning of the present Policy and in accordance with the definitions provided in Article 4 GDPR, the terms below will have the meaning assigned to them as follows:
1. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
2. ‘Data subject’ – is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
3. ‘Controller’ is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
4. ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In order to ensure and improve the services we offer and for the purpose of administrating the relevant resources, we retain, use and process personal data in the manner described in the present Personal Data Protection Policy in compliance with statutory requirements.
The types of personal data collected and processed by the Controller may vary depending on the purposes for which they are collected and the grounds for their processing:
1. In order to process and confirm a booking request, the HOTEL collects and processes the following types of data:
a) Booking via website:
b) Booking by telephone:
2. When welcoming guests at the HOTEL the Controller processes and retains the following types of data:
Data collected for the purpose of registration at the hotel is collected on the basis of Article 116, para 2 of the Tourism Act and is required for the register of accommodated tourists. Such data is retained for a period of 5 (five) calendar years.
3. The following data is processed and retained when corporate or private events are organised at the HOTEL:
This data is retained for a period of up to 5 (five) calendar years following the event with view of exercising legal rights or ensuring protection in the case of legal claims.
4. The following data is processed and retained for the purpose of ensuring safety in HOTEL premises and preventing unlawful action in the HOTEL – video images of individuals visiting the HOTEL. Video surveillance is carried out only in the common areas of the HOTEL. Data from such video surveillance assists the investigation of unlawful actions and antisocial behaviour. Such data is stored on DVR or NVR devices and access to the data is limited only to those individuals who authorised to access and process personal data. Video images of visiting individuals are stored for a period of up to one month from the record date and are destroyed automatically unless data retention for a longer period is required for the performance of a legal obligation to which the HOTEL is subject.
The HOTEL will process your personal data on the basis of Article 6(1), notes a, b, c, f of GDPR, namely:
Article 6(1)(a) GDPR – the data subject has given consent for the processing of his or her personal data for the receipt of commercial communication for marketing purposes.
Article 6(1)(a) GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Article 6(1)(b) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject;
Article 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the HOTEL, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
When processing personal data, we adhere to the following principles:
Please bear in mind that when you send an inquiry to the HOTEL (for rates, reservations, clarifications on a bookings, event organisation and/or other questions related to services offered by the HOTEL) you are providing your consent for the HOTEL to store and process your personal data, provided for the purposes of the relevant inquiry.
In this case, your data will be deleted in accordance with valid legislation and the present privacy policy.
Personal data obtained in connection with an inquiry is processed and retained for a period of 6 (six) months from inquiry processing and is then deleted except in the cases where the Controller is entitled to retain the data on a statutory or contractual basis for a longer period of time.
We employ electronic data protection means to ensure fast and accurate provision of services and assistance to users.
Processing of personal data provided to the HOTEL is carried out in compliance with applicable legislation in the field of personal data protection. The HOTEL will respect your privacy at all times. The HOTEL guarantees that the individuals it has authorised for the purpose of data processing have signed confidentiality agreements or are obliged by law to protect the confidentiality of the personal data entrusted to them.
The HOTEL implements technical and organisational security measures to protect the personal data you have provided against accidental or unlawful destruction, accidental loss, unauthorised access, modification or disclosure and against any other types of unlawful processing on behalf of non-authorised individuals. The applied measures are subject to ongoing control and adaptation to the newest technologies.
The personal data we collect may be forwarded to HOTEL partners who act as processors on behalf of the HOTEL and have undertaken to meet all applicable requirements for the protection of personal data. We comply with the requirement that the respective data may only be used within the restrictions of the legal basis for which it is collected or your personal consent for processing carried out on behalf of the HOTEL and that such data must be treated as confidential.
The HOTEL may disclose and make available personal information in accordance with applicable law, where a court or administrative body orders or requires such disclosure or where the disclosure of personal data is related to the performance of a legal obligation to which the HOTEL is subject.
The data collected with the purpose of HOTEL accommodation will also be available to the third parties defined in the Tourism Act – the Ministry of Tourism, Municipalities, the Ministry of Interior, the National Revenue Agency and the National Statistical Institute.
The data concerning you which we collect is retained within the European Economic Area (EEA) in observation of national and European legislation and more particularly the GDPR.
Users of services provided by the HOTEL have the following rights in their capacity of data subjects:
1. Right to access and right to rectification: in accordance with valid legislation, you have the right of access to the data you have provided for processing. By sending a written application through the website’s Contact Form, you can obtain information on the type of personal data you have provided and the relevant processing purposes. Once you have obtained access to your data, you may request rectification of the data if any errors or discrepancies are identified.
2. Right to object against processing on the basis of legitimate interest: Users may object against processing of their personal data. This objection must be addressed to the HOTEL through the Contact Form in this section of the website. The HOTEL undertakes to review your objection and to notify you of the result of its internal check within 30 calendar days.
3, Users are entitled to file complaints with the competent supervisory body. According to valid legislation the competent supervisory authority in the Republic of Bulgaria is the Personal Data Protection Commission.
4. Right to data portability: Where the HOTEL processes your personal data in an automated manner on the basis of your consent or a contract, you will be entitled to receive your personal data in a structured, commonly used and machine-readable format. Users have the right to transmit such data to another controller without hindrance from the HOTEL with regards to data provided under consent, data provided for the performance of a contract to which the user is party or in order to take steps at the request of the user prior to entering into a contract.
5. Right to erasure (‘right to be forgotten’): You have the right to obtain erasure of all personal data concerning you and processed by the HOTEL at any time, unless where processing is required for at least one of the following purposes, namely:
6. Right to restriction: You have the right to obtain from the HOTEL restriction of processing where one of the following applies:
7. Right to be informed of a data breach pursuant to Article 34 GDPR:
When the personal data breach is likely to result in a high risk to your rights and freedoms, the HOTEL will communicate the personal data breach to you without undue delay; the communication will describe the nature of the personal data breach and will contain at least:
The communication above will not be sent personally to each data subject in the event of security breaches if the HOTEL has met any of the following conditions:
In such a case the HOTEL will publish a notification on its site so that data subjects are informed in an equally effective manner.
The HOTEL’s Personal Data Protection Policy may be amended unilaterally by the HOTEL with view of improving its provisions, offering new services, changes to the manner of service provision and communication with our clients and amendments required by legislative changes.
When introducing changes to the present Personal Data Protection Policy, the HOTEL will communicate to you such changes by publishing them on the HOTEL website, providing a reasonable period in which you can become familiar with the changes and, following expiry of this period, the changes will apply to the processing of your personal data without further notification.
If, within this time period you state that you object to the changes, it will be deemed that you have withdrawn your consent for the processing of your personal data and the HOTEL will terminate processing, provided that the grounds for the collection and processing of your personal data is consent. Such termination may result in termination of your registration for games, services, electronic bulletins, etc., which we offer, for the purposes of which you have initially provided your personal data.
If you have any questions regarding our personal data protection rules and measures, send us a message using the site’s contact form.
Exercise of the above rights does not constitute waiver of the right to appeal. You can lodge an appeal with the relevant Bulgarian supervisory body – the Personal Data Protection Commission. Further information can be found at: www.cpdp.bg