PERSONAL DATA PROTECTION
This Policy has been prepared in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with reference to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Regulation).
PERSONAL DATA PROTECTION POLICY OF CUSTOMERS OF "MEGA T" LTD.
Art. 1. With respect to the provision of its services and the performance of its activities, MEGA T Ltd., as administrator, processes the personal data of its clients - individuals, as well as the personal data of other individuals, listed below ("Data subjects" / "You"), in accordance with the rules and principles set forth in this Policy.
Art. 2. MEGA T Ltd. is a company with UIC 205855140, with registered office and address of management in the city of Varna, 10 Shipka Str., 2nd floor.
Art. 3. (1) In connection with the provided services Hotel Continental processes information regarding the following Data Subjects:
- individuals visiting the Website (the Website);
- individuals, making reservations on their own or on behalf of another individual or legal entity through the Website;
- individuals using the services provided by Hotel Continental, including, but not limited to - hotel accommodation, restaurant and related services, provision of premises for conferences and other events, etc., as well as individuals representing or acting on behalf of legal entities, using these services;
- individuals who have made inquiries on their own or on behalf of another person they represent (including, but not limited to inquiries made by e-mail, fax, phone, requests, signals, complaints or other correspondence with Hotel Continental);
- individuals, information about whom is contained in inquiries, requests, signals, complaints or other correspondence to Hotel Continental;
- The services of Hotel Continental can be requested only by people who have reached 18 years of age.
Personal data categories
Art. 4. The information about the Data Subjects (categories of personal data), processed by Hotel Continental, in accordance with this Policy may include:
1. Information, related with hotel accommodation services:
(a) Identification data: names of guests; date of birth; gender; nationality; national identification number (such as PIN for Bulgarian citizens) and/or identity document number; date of issuance of an identity document; validity of identity documents; country that issued the identity document; signature.
(b) Contact details: telephone; e-mail address; address.
(c) Information related to the hotel accommodation: room number; floor; dates of stay (check in and check out dates); length of stay (number of nights in the hotel); use of a tourist package; room type preference (smokers / non-smokers); VIP guest status;
(e) Additional information related to hotel accommodation at the explicit request of the user of the services: special requirements and preferences, incl. type of food and beverages; special requirements related to food, beverages and other substances which must be avoided by the guest (regardless of the reason).
2. Data related to payments and issuing of invoices: information about the payment method (in cash, by bank transfer, by credit card, etc.); information about due and made payments; information about payment terms and overdue/unpaid debts; bank information (bank, IBAN, bank account holder); currency of the payment made; credit / debit card number, validity and holder; CVC code; data contained in an authorization form for payment (slip); name of legal entity; address of a legal entity; VAT number and/or other identification, tax or registration number (PIN for individuals); authorization forms (signed).
3. In relation to the provision of restaurant services:
(a) Identification data: names;
(b) Contact details: telephone; e-mail address; address;
(c) Data related to payments and invoicing: number, validity and credit / debit card holder; CVC code; name of legal entity; address of a legal entity; VAT number and / or other tax or registration number (for sole proprietors and individuals); authorization forms (signed);
(d) Information related to preferences (upon explicit request by the user): food and beverage preferences; preferred payment method; special requirements related to food, beverages and other substances with which the guest is prevented from coming into contact (regardless of the reason).
4. In cases where the Data subject represents another person (e.g. company): information about that person (including place of work, position), as well as information about the requested services/orders made. Respectively, in the cases when the services are requested by a person other than the Data subject in favor of the Data Subject - in what capacity the Data subject will use the services, by whom they are requested, who will make the payment etc. (e.g. for placements organized by an employer or business partner of the Data Subject, etc.).
5. In relation to the issuance of customer discount cards:
(a) Identification data: names.
(b) Information about the discount that can be used with that customer card.
6. In relation to the services and functionalities of the Website (if any):
(a) Data processed in relation to the booking of a hotel accommodation: names; e-mail address; telephone; country; credit / debit card number, validity and holder; CVC code; number of rooms; number of guests, including number of adults and number of children; corporate code / access code; code of a participant in event and/or group accommodations; number of reservation; special offers and preferences of the guest (upon explicit indication in the reservation form).
(b) Information about login account details, server logs and Web Application Firewalls, etc.: date and time, IP address, URL, browser and device information.
(c) In relation to customer complaints, applications, requests, and signals: unstructured information contained in the relevant complaints, applications, requests, and signals.
Video surveillance and security
Art. 5. (1) According to the requirements of the applicable legislation, Hotel Continental applies security measures, which include the following technical and organizational means for controlled access and for ensuring security against encroachments on buildings and sites and for protection of life and health of the citizens: physical security, security alarm systems and video surveillance system, performing 24-hour video surveillance, consisting of recording and storage devices.
(2) Video surveillance and video recording can be carried out in publicly accessible areas and premises in the building of Hotel Continental and in those with specific access regime. There is no video surveillance in the guest rooms, sanitary and hygienic rooms, recreation rooms, etc. Data from video surveillance activities are stored in a monitoring room with limited access and 24-hour security.
(3) The Data subjects and the other visitors, who can be photographed, shall be notified by information signs, placed on visible places, about the use of technical means for monitoring and control and for any other relevant information regarding the performed monitoring.
Art. 6. (1) If the Data Subject has given his/her express consent, Hotel Continental, resp. other companies related to or partners of Hotel Continental, may process the following personal data: names; telephone; address; e-mail address; information about type and numbers of the used and preferred services provided by Hotel Continental and other data explicitly mentioned in the respective consent, for direct marketing purposes such as offering other goods and services, including goods offered by other persons and/or services, conducting consultations, surveys in order to improve the quality of services provided, etc. according to the scope of the specific consent given.
(2) When personal data is processed for direct marketing purposes, the Data subject has the right to object to this processing at any time. In these cases, the processing of personal data shall be terminated.
(3) The Data subject has the right to withdraw at any time, his/her consent given for personal data processing, for direct marketing purposes. In these cases, the processing of personal data based on the given consent shall be terminated.
Purposes of personal data processing
Art. 7. Hotel Continental collects, stores and processes the information described in Art. 4, 5 and 6 above, for the purposes provided in this Policy and in the general conditions (contract) for use of the respective services. Depending on the legal basis for processing, these purposes can be:
(a) purposes related to the compliance with legal obligations of Hotel Continental;
(b) purposes related to and/or necessary for the performance of the contracts concluded with Hotel Continental or for establishing procedures at the request of the Data subject prior to the contract conclusion;
(c) purposes related to the legitimate interest of Hotel Continental or of third parties;
(d) purposes for which the Data subject has agreed with his/her personal data processing.
Art. 8. The purposes for personal data processing by Hotel Continental, related to compliance with legal obligations, include:
1. keeping record of the accommodated tourists and submitting information to the competent bodies according to the statutory order;
2. address registration of foreigners according to the requirements of the applicable legislation;
3. withholding and payment of tourist tax;
4. activities related to the development and implementation of counter-terrorism measures;
5. processing of signals, complaints, requests for the exercise of rights etc., as well as complaints and commercial guarantees (if applicable), including the preparation of answers to them.
6. accounting, invoicing and reporting of incoming and outgoing payments in accordance with the current tax and accounting legislation;
7. other activities in fulfillment of legal obligations (tax, accounting, regulatory, licensing, etc.) of Hotel Continental, related to the provision of information to competent state and judicial authorities and assisting in inspections by competent bodies.
Art. 9. The purposes for processing personal data by Hotel Continental, related to and/or necessary for the implementation of the contracts by Hotel Continental, include:
1. acceptance, administration, processing and cancelling reservations;
2. providing customer service, including the provision of online services through the Website, or other platforms/companies - partners to Hotel Continental.
3. communication related to the provided services;
4. administration and receipt of payments (including those made from distance) for the provided services.
5. providing a guarantee for reservations and payment of the hotel accommodation and for additionally requested services;
6. financial-accounting activities and administration, processing and collection of due payments for the provided services;
7. recovery of incorrectly transferred amounts;
8. providing an individual approach while providing services, in compliance with the preferences stated by the user;
Art. 10. The purposes for personal data processing, related with the legitimate interests of Hotel Continental or of third parties include:
1. Legitimate interest - (1.1.) Exercise and protection of legal rights and interests of Hotel Continental; and (1.2.) assistance in exercising and protecting the legal rights and interests of clients; other persons related to Hotel Continental; employees of Hotel Continental; persons processing personal data on behalf of Hotel Continental; and trade partners of Hotel Continental:
(a) establishment, exercise or protection of legal claims of the above-mentioned persons under item (1.1) and item (1.2), including making complaints, sending signals, etc. to the competent state and judicial authorities, including by court order;
(b) video surveillance and access control for protection of the property of Hotel Continental, proving the fulfillment of the applicable requirements, provision of physical security against encroachments on the buildings and sites and protection of the life and health of the citizens;
(c) taking actions to suspend the provision of services in case of refusal for payment, infringements of rules and policies established by Hotel Continental, etc.;
(d) dealing with received complaints, signals, requests, etc.;
(e) collection of receivables due to Hotel Continental, including by legal forces and/or by assignment to third parties, as well as transfer of receivables to third parties (assignments) in accordance with the procedure established by law;
(f) issuing notarial invitations.
2. Legitimate interest - analysis, planning and improving the quality of services provided by Hotel Continental:
(a) keeping a copy of the data from internal information system, related with the current state of the hotel (occupancy, obligations, etc.) in case of failure of the information systems;
(b) receiving, processing and preparing answers to submitted applications, requests, etc., not related to complaints from the used services;
(c) customer satisfaction survey;
(d) control, analysis and optimization of business processes to improve the quality of services.
3. Legitimate interest - ensuring the normal functioning and use of the Website:
(a) maintenance and administration of the Website;
(b) find and resolve technical issues of the functionality of the Website;
(c) take measures for malicious actions against the security and proper functioning of the Website;
4. Legitimate interest - implementation of hotel and restaurant activities and provision of quality hotel and restaurant services:
(a) administration and management of the services provided by Hotel Continental;
(b) management and quality control of the services provided;
(c) receiving feedback on the services provided.
Art. 11. The purposes of personal data processing on the basis of consent given by the Data subject include:
1. Sending marketing messages and advertisements for services, special offers, events etc.;
2. Research and receiving feedback for the quality of the services;
3. Sending factsheets;
4. Other purposes for which a specific consent has been given by the Data subject.
Provision of personal data to Hotel Continental and consequences in case of refusal of such
Art. 12. (1) Hotel Continental shall clearly indicate, where applicable and in an appropriate manner, whether the provision of the relevant data and/or documents is obligatory, or is a requirement necessary for the conclusion or performance of a contract, as well as the consequences of refusal to provide such data;
(2) In case an additional explanation is needed, every Data subject may request such in Hotel Continental or make an inquiry to the contacts indicated at the official website;
(3) The refusal to provide data and documents, indicated as obligatory, may become an insurmountable obstacle to the provision of a service by Hotel Continental, to the execution of the submitted requests, applications, etc., which releases Hotel Continental from liability for non-performance.
(4) The refusal to provide data and documents or the provision of incorrect ones may lead to impossibility to provide the respective services or to suspension of the services provided by Hotel Continental;
(5) The data subjects should not provide any specific categories of data to Hotel Continental within the meaning of Art. 9 and Art. 10 of the Regulation (namely: personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, genetic data, biometric data, health data or data about the sexual life or sexual orientation of the individual and personal data related to convictions and violations).
Other sources of personal data
Art. 13. (1) In some cases the personal data processed by Hotel Continental shall not be collected or received directly from the Data subject to which they refer, but from third parties such as:
1. Individuals representing, working for or cooperating with the Data subject;
2. Event organizers - regarding information about the participants in the event;
3. Trade partners (e.g. reservation sites, travel agents, other persons who provide intermediary services when making reservations or when ordering other services, etc.) of Hotel Continental;
4. Competent state and judicial bodies.
(2) The persons under par. 1, items 1-3 undertake to inform the Data subjects, whose data they collect and provide and to ensure that they provide the data on valid legal basis.
Processing of information by third parties - processors of personal data
Art. 14. (1) Hotel Continental may subcontract personal data processing activities to third parties - processors of personal data, in accordance with the requirements of the Regulation and other applicable rules for personal data protection, for the purposes specified in this Policy.
(2) In case personal data is disclosed to and processed by personal data processors, this shall be done only to the necessary extent for performance of the tasks assigned to them by Hotel Continental.
(3) The processors of personal data act on behalf of Hotel Continental and are obliged to process personal data in strict compliance with the instructions given by Hotel Continental, and do not have the right to use or process information in any other way and for purposes other than those specified in this Policy.
Categories of recipients of personal data
Art. 15. Hotel Continental does not disclose personal data about the Data subject to third parties, except in the cases when:
1. it is necessary for fulfillment of a legal obligation of Hotel Continental:
(a) competent state, municipal or judicial authorities;
2. this is explicitly provided for in the Policy and/or in the general conditions (contract) for use of the respective services, which Hotel Continental provides:
(a) processors of personal data on assignment by Hotel Continental;
(b) debt collection companies.
3. it is necessary for the provision of the services of Hotel Continental:
(a) banks and payment service providers;
(b) postal and courier service providers;
(c) trade partners of Hotel Continental such as: reservation sites; travel agencies and other providers of travel or other ancillary services such as car rental, taxi and other transport services etc.
4. The Data Subject has given his/her explicit consent - the persons referred to in the respective consent (e.g. related to Hotel Continental, trade partners of Hotel Continental, etc.);
5. It is necessary for protection of the rights or legal interests of Hotel Continental, third parties or of the Data Subject:
(a) state, municipal and judicial authorities;
(b) private and state bailiffs;
6. In other cases, provided by law.
Art. 16. (1) Hotel Continental shall process and store information about the Data subject until the fulfillment of the respective purposes, for which it has been collected and processed.
(2) In accordance with its internal rules and procedures and the applicable legislation, Hotel Continental, shall process and store information about the Data subject, within the following terms:
Time limit for the storage of data
Data about the accommodated tourists in the sense of art. 116 of the Tourism Act, which include identifying information about the accommodated persons and data related to the hotel accommodation
In accordance with the term specified in the Tourism Act and Regulation.
Information related to the requested and used services for hotel accommodation, events and restaurant services, incl. information for canceled hotel reservations (as far as it is related to the refund of prepaid amounts and/or withholding of amounts due);
From the initial booking/reservation to 5 /five/ years from the provision of the service / completion of the contract / cancellation of the reservation.
In cases where the services are requested and used on long-term basis contract, the term begins from the final performance and/or termination of the contract.
Financial and accounting documents; invoices; authorization forms; other information related to tax and social security control;
Unstructured communication, correspondence, complaints, signals;
Up to 10 /ten/ years, from the beginning of the year following the year during which the payment of the obligation for the respective year is due.
In cases where the correspondence relates to a long term contract, the term begins from the final performance and/or termination of the contract
Data related to registration of an account in the e-shop of the Website;
For the entire period of registration and up to 5 years after its termination.
Data related to reservations for restaurant services made by phone
Up to 1 year
System logs, logs related to security, technical support, etc. (may contain information such as: date and time, IP address, URL, browser version and device information)
Log of the actions on requests for registration of an account or purchase of goods with or without a registered account on the Website (information such as: action/content of the request, date and time, IP address, etc.)
For the entire period of maintaining the account on the Website and up to 5 /five/ years after its termination.
Up to 5 /five/ years from purchase (if made without a registered account)
Video recording data
Data contained in feedback cards
The information from the feedback cards is entered in an anonymized form (only the feedback and recommendations) without any information about the person who provides this information in the internal systems of Hotel Continental, after which the feedback cards are destroyed immediately.
Up to 30 days from their completion.
Data processed with the express consent of the Data subject
From the moment the consent is provided until its withdrawal by the Data subject
The personal data specified in this Policy may be processed for a longer period than those mentioned above, if this is necessary to achieve the purposes set out in it or to protect the rights and/or legitimate interests (including in court) of Hotel Continental or if the current legislation requires data processing for a longer period
Rights of Data Subjects, related to their personal data
Art. 17. (1) Every Data subject has the following rights, related with their personal data processing:
1. Right to information - to receive information from Hotel Continental, about the personal data processing;
2. Right of access:
(a) to receive confirmation about the personal data processing relating to him/her;
(b) to have access to the personal data processed and to the detailed information concerning the processing and his/her rights.
3. The right to rectification - to require the correction or completion of his personal data, if it is inaccurate or incomplete;
4. The right to erasure - to request the erasure of his/her personal data, if there are grounds for this, provided for in the Regulation;
5. Right to limit the processing of personal data - to require Hotel Continental to limit the processing of his/her personal data within the limits provided for in the Regulation, if there are grounds for that.
6. Notification of third parties - the right to require Hotel Continental to notify third parties to whom his personal data have been disclosed, of any correction, deletion or restriction of processing of his personal data, unless this proves impossible or involves a disproportionate effort;
7. Right to data portability - to receive the personal data concerning him, which he has provided to Hotel Continental, in a structured, widely used and machine-readable format, and to transfer this data to another administrator without hindrances from Hotel Continental.
The right to data portability applies when the following two conditions are met simultaneously:
(a) the processing is based on consent or a contractual obligation; and
(b) the processing is carried out automatically.
If technically feasible, the Data subject has the right to receive a direct transfer of personal data from Hotel Continental to another administrator. The right to data portability shall be exercised in a way that does not adversely affect the rights and freedoms of others.
8. Rights in case of automated individual decision-making, including profiling - not to be the subject of an automated decision based solely on automated processing (i.e. processing without human intervention), including profiling within the meaning of the Regulation, which has legal consequences concerning Data subject or similarly affects him to a significant extent, unless the grounds provided for in the Regulation are met and appropriate guarantees are provided to protect the rights, freedoms and legitimate interests of the Data subject. Such guarantees are at least the right of human intervention by Hotel Continental, the right of the Data subject to express his/her point of view and to challenge the decision.
If such decision, including profiling, is taken in relation with the Data subject, the Data subject has the right and will receive from Hotel Continental essential information about the logic used, the meaning and intended consequences of this processing, as well as the manner of exercising the rights under this point.
9. Right of withdrawal of the consent for processing - when the processing of personal data is based only on the consent given by the Data subject, he/she may withdraw his/her consent at any time. Such withdrawal shall not affect the legality of the processing based on the given consent until the moment of its withdrawal;
Right of objection
Art. 18. The data subject shall have the right at any time and on grounds related with his/her specific situation, to object to the processing of personal data concerning him/her, including profiling, within the meaning of the Regulation, based on the public interest, the exercise of official powers or the legitimate interests of Hotel Continental or a third party. In these cases, Hotel Continental terminates the processing of personal data, unless it is proved that there are compelling legal grounds for processing that take precedence over the interests, rights and freedoms of the Data subject, or for the establishment, exercise or protection of legal claims.
Art. 19. (1) The Data subject may exercise his rights related to the protection of personal data by sending a written request to Hotel Continental personally or by a notarized request sent by mail.
(2) The request under para. 1 may also be exercised electronically, and for this purpose the same must be signed by the Data subject with a qualified electronic signature within the meaning of the Electronic Document and Electronic Certification Services Act and Art. 3, point 12 of Regulation (EU) № 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and certification services in electronic transactions in the internal market and repealing Directive 1999/93/EC, and to be sent to Hotel Continental at the e-mail address indicated on the official website of the hotel.
(3) The data subject may exercise the rights related to his/her personal data, personally or through a person explicitly authorized by him/her (with a notarized power of attorney).
(4) Some of the rights may also be exercised through the functionalities available on the Website.
Right to lodge a complaint with a supervisory authority
Art. 20. Any Data subject shall have the right to lodge a complaint with a Data Protection supervisory authority, in particular in the Member State (EU / EEA) of his/her residence, place of work or place of the alleged infringement, if he/she considers that the processing of his personal data infringes the provisions of the Regulation or other applicable data protection requirements.
Supervisory body in the Republic of Bulgaria
Art. 21. A supervisory body in the Republic of Bulgaria is:
Commission for Personal Data Protection
Address: Sofia 1592, "Prof. Tsvetan Lazarov" blvd. № 2
Restrictions to the rights
Art. 22. The scope of the data subjects' rights and the obligations of Hotel Continental in relation to these rights may be limited by a legislative measure of EU or Member State law applicable to Hotel Continental.
Explanations and additional information
Art. 23. The data subject may receive explanations regarding the content and grounds for data processing, the manner of exercising the rights under this Policy, as well as any additional information from Hotel Continental in connection with his data processing rights.
This Data Protection Policy is compiled by MEGA T EOOD in its capacity of personal data controller in order to fulfill its obligations to provide information to data subjects under Art. 13 and Art. 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on Data Protection).
This Data Protection Policy is effective as of 12.06.2020.