PREAMBLE
“Interhotel – Sandanski - Bulgaria” AD, UIC 101511550, having its seat and registered address at: 19, Karnigradska Street, Sofia 1000, hereinafter referred to as the “Company”, is a controller of personal data and is responsible for compliance with the provisions of the General Data Protection Regulation 2016/679.
The purpose of this Privacy Policy is to inform you of what personal data the Company processes and for what purposes, to whom it provides them, what your rights are regarding the processing of your personal data and how you can exercise them.
PRINCIPLES OF PERSONAL DATA PROCESSING
Compliance with the provisions of the Regulation
The Company policy aims to ensure compliance with the provisions of the Regulation.
Personal data are collected and processed lawfully and fairly
The Company collects and processes personal data lawfully, fairly and in compliance with the principles and rights of the natural persons concerning their personal data processing.
Personal data are processed transparently
The Company ensures transparency in the communication for the collected and processed personal data, such information being in a short, transparent, comprehensible and easily accessible form and using clear and unambiguous formulations.
Personal data is collected and processed only for certain purposes
The Company processes personal data of natural persons only in the following cases:
- processing is necessary to comply with a legal obligation of the Company;
- processing is necessary for the performance of a contract (including an order) with the Company to which a natural person is a party or for taking steps at the request of a natural person prior to the conclusion of a contract where its identification is required;
- a natural person has given his unequivocal consent for a comprehensible and transparently defined purpose on behalf of the Company for which the processing of his/her personal data is necessary;
- processing is necessary in order to protect the vital interests of the natural person whose personal data are being processed or of another natural person;
- processing is necessary for the legitimate interests of the Company or a third party, in compliance with the provisions of the Regulation;
- other cases provided for in the Regulation.
Personal data unnecessary for the Company activity shall not be collected and processed
The Company does not collect or process personal data of natural persons that exceed its statutory obligations or business needs.
Collected personal data are processed for other purposes only having the consent of the persons
In all cases where it is necessary to collect and process personal data of natural persons for purposes other than the original, the Company shall notify the natural persons concerned, seek their consent and proceed to process their personal data for other purposes only after their explicit consent.
The minimum necessary personal data are collected for processing
The Company collects and processes only the minimum required personal data of natural persons that:
- are provided for by law;
- are necessary for the performance of a contract;
- are necessary to meet the purposes for which they are collected.
The processed personal data are accurate and up to date
The Company ensures that the processing of the personal data of natural persons is based on maximum accuracy and, if possible, they shall be always up to date.
Personal data are processed by the minimum number of people required
The Company ensures that the access to and the processing of personal data of natural persons is performed by the minimum number of persons (operators) who have the necessary competence for their processing and the necessary commitment to their secrecy.
Personal data are stored for the minimum required time
The Company keeps personal data for the minimum required time, which is:
- required by law;
- necessary to perform the contract (including the order) and its responsibility under it;
- necessary to meet the purposes for which the data are collected and processed; or
- upon request by a natural person for their erasure when there is reason for such a request.
Upon expiry of the minimum time required under items 1 to 4 of the preceding paragraph, personal data shall be destroyed without undue delay.
In any case, the Company reviews the collected and processed personal data at least once a year, and the data that fall under any of the above hypotheses are erased without undue delay.
RULES FOR PERSONAL DATA PROCESSING
Personal data are processed with the necessary levels and measures of protection
The Company provides the necessary levels of physical, organizational and technological protection in view of:
- the nature, scope, context and purpose of the processed personal data;
- the probability, levels of impact and severity of risk for the rights and freedoms of the natural persons in case of breach of the security of the personal data processed;
- its financial and organizational capabilities.
The Company also provides all necessary measures for the timely recovery of collected and processed personal data in the case of their loss as a result of accidental, malicious or force majeure events.
Personal data are processed with controlled and traceable access
The Company provides the necessary and appropriate technical, organizational and technological measures for controlled and traceable access to the personal data of the natural persons.
Personal data are processed with the required accountability to comply with the Regulation
The Company provides for the necessary accountability and records to be able to demonstrate that the provisions of the Regulation have been complied with.
Respecting the rights of natural persons whose personal data are being processed
The Company ensures protection of the rights of the natural persons whose personal data are collected and processed, including:
- the right to awareness about the personal data processing;
- the right to access to personal data - what data are available;
- the right to correct inaccurate personal data;
- the right to erasure of personal data - the right to be forgotten;
- the right to restriction of the processed personal data;
- the right to awareness about actions as a result of a request for correction, erasure or restriction of the processing of personal data;
- the right to data portability;
- the right to object against processing of personal data;
- the right not to be an object of automated individual decision-making.
PROCESSED PERSONAL DATA
Processed personal data in its capacity of Controller:
- of employees;
- of clients natural persons;
- of suppliers natural persons;
- of shareholders natural persons.
OBJECTIVES OF THE PERSONAL DATA PROCESSING
The Company as Controller performs the following operations and processes only the required personal data for the following purposes:
- for conclusion, performance and termination of employment contracts and calculation of employee wages and salaries;
- for provision of services to the clients;
- for conclusion and performance of contracts with suppliers natural persons;
- for direct marketing for the purposes of sales;
- for providing medical services to clients natural persons using the services of "Medical Center Interhotel Sandanski" EOOD;
- for processing of requests of shareholders.
RECIPIENTS AND CATEGORIES OF RECIPIENTS
In connection with the fulfilment of the above objectives, the Company provides personal data to the following recipients:
- National revenue agency concerning the calculation of the salaries of the staff;
- NSSI concerning the calculation of staff benefits;
- An insurance company for the purpose of concluding compulsory Occupational accident insurance for certain categories of employees;
- Occupational Medicine Company in relation to an obligation to maintain an updated health status of the staff and to carry out periodic medical examinations;
- General Labour Inspectorate, NSSI and MoI - concerning accidents at work;
- MoI - concerning provision of information for hotel guests;
- Other state and municipal authorities and/or institutions – concerning the statutory obligations to them or in connection with legitimate requests from them for information that contains personal data;
- Subcontractors for performance of contractual obligations.
CONTACT DETAILS WITH THE COMPANY
If you have questions or ambiguities regarding the processing of your personal data or wish to exercise any of your rights, you can contact:
- Email:
- Telephone: 02/ 932 00 66
- Address: 19, Karnigradska Street, Sofia 1000
COMPETENT SUPERVISORY AUTHORITY
The competent supervisory body on the territory of the Republic of Bulgaria is the Commission for Personal Data Protection.
In case of doubt that your privacy rights have been violated, you can report to:
- Address: 2, Tsvetan Lazarov Str., Sofia 1592
- E-mail:
- Web site:
- Phone: 02 / 91-53-518