Stella Tours 2001 EOOD’s PRIVACY POLICY FOR CUSTOMERS’ PERSONAL DATA

The management of “STELLA TOURS 2001” EOOD (“STELLA TOURS”, “the company”, “we”, “the administrator”) is committed to ensuring compliance with EU and Bulgarian legislation regarding the processing of personal data and protection of ” the rights and freedoms “of the persons whose personal data the company collects and processes.

Regulation (EU) 2016/679 and this policy apply to all personal data processing functions, including those performed on personal data of customers, employees, suppliers and partners and any other personal data that we process from various sources

This policy applies in all cases in relation to the processing of personal data. Any breach of the General Regulation will be considered a breach of labor discipline, and in the event of a suspected criminal offense, the matter will be referred to the relevant public authorities as soon as possible.

Partners and third parties who work with or for STELA TOURS 2001 EOOD, as well as who have or may have access to personal data, will be expected to know, understand and comply with this policy. No third party may have access to personal data held by the company without first having entered into a data confidentiality agreement, which imposes on the third party obligations no less burdensome than those we have undertaken and which gives us the right to check compliance with the obligations assumed by the agreement.

Obligations and roles under Regulation (EU) 2016/679

STELA TOURS 2001 EOOD is a personal data administrator according to Regulation (EU) 2016/679.

The top management and all members of the management or supervisory bodies of STELLA TOURS are responsible for developing and promoting good practices in the field of information processing.

Compliance with data protection legislation is the responsibility of all employees of STELA TOURS 2001 EOOD who process personal data.

Principles of data protection

All processing of personal data is carried out in accordance with the principles of data protection. The company’s policies and procedures are intended to ensure compliance with these principles.

STELLA TOURS is committed to processing personal data lawfully, in good faith and transparently. The personal data we collect is used solely for specific, explicit and legitimate purposes. We will not sell your personal data in any way and will not pass it on or disclose it to a third party in any way, unless we are legally obliged to do so.

Objectives, legal grounds and deadlines for processing personal data

The company processes your personal data for purposes related to administrative reporting, financial accounting activities, banking and insurance activities and reporting, ensuring the safety of holidaymakers and protecting their legitimate interests.

The complete processing of your personal data is carried out only in connection with legal obligations imposed on the company under Bulgarian law (Social Security Code, Labor Code, Ministry of Interior, Tourism Act, Law on Foreigners in Bulgaria and others).

The personal data of natural persons processed in connection with an employment, civil and / or contractual legal relationship with the company are stored for the terms determined in accordance with the Bulgarian legislation.

The personal data of natural persons clients of the company are stored for a period of eighteen months and then destroyed and / or deleted in accordance with the rules adopted by the company.

Rights of data subjects

Data subjects have the following rights with regard to the processing of data as well as the data recorded for them:

– Make requests to confirm whether personal data relating to you are being processed and, if so, to have access to the data as well as information about the recipients of this data.

– Request a copy of your personal data from the administrator;

– Ask the administrator to correct personal data when it is inaccurate and when it is no longer up to date;

– To ask the administrator to limit the processing of personal data, in which case the data will only be stored, but not processed, and in the event that there is no legal prohibition to do so;

– To object to the processing of personal data concerning you for the purposes of direct marketing.

– Complain to a supervisory authority if you believe that any of the provisions of the ORD have been violated;

– Do not be subject to automated decisions that affect you.

We provide conditions to ensure that you exercise these rights:

– Data subjects may make requests for access to data.

– Data subjects have the right to lodge complaints with the company concerning the processing of their personal data, the processing of a request by the data subject and an appeal by the data subject concerning the way in which complaints are processed.

Consent

By “consent” STELLA TOURS will mean any freely expressed, specific, informed and unambiguous indication of the data subject’s will, by means of a statement or clearly confirmatory action expressing his consent to the processing of personal data relating to him. The data subject may withdraw his consent at any time, provided that it does not conflict with a legal obligation for the company.

When we process children’s personal data, permission must be obtained from those exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16.

Data security

All employees are responsible for ensuring the security of the storage of the data for which they are responsible and which the company holds, and that the data is stored securely and not disclosed in any circumstances to third parties, unless the company has provided such rights of that third party by concluding a contract / confidentiality clause.

All personal data are available only to those who need them, and access is provided only in accordance with the established rules for access control. All personal data is treated with the utmost security.

An organization has been set up to ensure that computer screens and terminals cannot be viewed by anyone other than the company’s authorized employees. All employees are required to sign a privacy statement and be trained in compliance with organizational and technical measures for access, as well as the rules for locking workstations, according to the Instruction adopted by the administrator for processing and protection of personal data before provided access to information of all kinds.

Paper records are not accessible to unauthorized persons and cannot be removed from designated offices. As soon as the paper documents are no longer needed for the current work of customer support, they are destroyed in accordance with the rules adopted by the company.

Data disclosure

We provide conditions in which personal data is not disclosed to unauthorized third parties, which includes family members, friends, government agencies, even investigators, if there is a reasonable suspicion that they are not required in the prescribed manner. Employees are trained in order to avoid the risk of such a violation.

All requests from third parties for data must be supported by appropriate documentation and all such disclosures must be specifically authorized by the Management Authority.

Data storage and destruction

STELLA TOURS does not store personal data in a form that allows the identification of subjects for a longer period than necessary in relation to the purposes for which the data were collected. The Company may store data for longer periods only if the personal data will be processed for archiving, public interest and statistical purposes, and only in the implementation of appropriate technical and organizational measures to guarantee the rights and freedoms of the subject. of data.

On the territory of Hotel Elena, in the freely accessible parts of the building, video surveillance is carried out only for the purposes of the legitimate interests of the company, which would arise in case of accidental or deliberate actions or inaction by holidaymakers or employees of the hotel Camcorder recordings are automatically saved for seven days, after which they are automatically deleted again. Access to the data is very limited, it is done only when the need is identified and only by explicitly authorized employees of the company.

Data transfer

Any export of data from within the EU to non-EU countries (referred to in the General Regulation as “third countries”) is illegal, unless there is an appropriate level of protection of the fundamental rights of data subjects.

The transfer of personal data outside the EU is prohibited unless one or more of the following guarantees or exceptions apply:

1. Adequacy decision

The European Commission may assess third countries, territories and / or specific sectors in third countries to assess whether there is an appropriate level of protection of the rights and freedoms of individuals. No permit is required in these cases.

Countries that are members of the European Economic Area (EEA) but not the EU are considered eligible for an adequacy decision.

2. EU-US Privacy Shield

If the Organization wishes to transfer personal data from the EU to a third country in the United States, it must verify that the organization has signed the Privacy Shield Framework Agreement with the US Department of Commerce.

3. Standard contractual clauses.

STELLA TOURS may adopt approved standard data protection contractual clauses for data transfers outside the European Economic Area. If the company accepts standard contractual clauses approved by the relevant supervisory authority, it has automatic recognition of adequacy.

Registers of processing activities.

At STELA TOURS we have created a data inventory process as part of our approach to dealing with risks and opportunities in the process of complying with the policy of compliance with Regulation (EU) 2016/679.

We are aware of the risks associated with the processing of certain types of personal data. Where the type of processing may pose a high risk to the rights and freedoms of individuals, in particular through the use of new technologies and taking into account the nature, scope, context and objectives of the processing, the company will assess the impact of the envisaged processing operations on the protection of personal data.

When, as a result of an internal assessment, it is established that the company will start processing personal data that could cause harm to data subjects due to high risk, the decision whether to continue processing or not will be submitted for review by the management authorities. If there are serious concerns either about the potential harm or danger or about the amount of relevant data, the matter will be referred to the supervisory authority for consultation.