Privacy Policy

Optimax Tour Ltd, BG 130087089, with registered seat and management address: Burgas, “Tsar Simeon I” 59 Str., hereinafter referred to as the HOTEL, operates as data controller and processes personal data in accordance with the Personal Data Protection Act and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation, hereinafter referred to as GDPR.
The present Personal Data Protection Policy will be applied by the HOTEL and can be found on its official website.

The HOTEL, in its capacity of data controller and as a professional with longstanding experience in the field of tourism, respects the privacy of users. The present Data Protection Policy aims to inform you of the process of collecting, processing, storing, using and transferring personal data. Please take the time to read and familiarize yourself with its content. If you have any questions, you can raise them through the Contact Form available on the website.

I. DEFINITIONS

Within the meaning of the present Policy and in accordance with the definitions provided in Article 4 GDPR, the terms below will have the meaning assigned to them as follows:

1. “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’);

2. “Data subject” – is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

3. “Controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

4. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In order to ensure and improve the services we offer and for the purpose of administrating the relevant resources, we retain, use and process personal data in the manner described in the present Personal Data Protection Policy in compliance with statutory requirements.

II. TYPES OF PERSONAL DATA PROCESSED

The types of personal data collected and processed by the Controller may vary depending on the purposes for which they are collected and the grounds for their processing:

1. In order to process and confirm a booking request, the HOTEL collects and processes the following types of data:

a) Booking via website:

  • name and surname of contact person;
  • e-mail address and telephone of contact person;
  • bank card details for the purpose of guaranteeing the reservation;

b) Booking by telephone:

  • contact telephone and email for booking confirmation;
  • name and surname of contact person.

2. When welcoming guests at the HOTEL the Controller processes and retains the following types of data:

  • personal identification number;
  • name (in Cyrillic characters for Bulgarian nationals, and in Latin characters, as per national identification document, for foreign nationals);
  • date of birth;
  • gender;
  • nationality;
  • ID card/ valid national ID number;
  • country issuing the national identification document.

Data collected for the purpose of registration at the hotel is collected on the basis of Article 116, para 2 of the Tourism Act and is required for the register of accommodated tourists. Such data is retained for a period of 5 (five) calendar years.

3. The following data is processed and retained when corporate or private events are organised at the HOTEL:

  • name and surname of the event organiser. In the case of corporate events name and surname of the contact person appointed by the legal entity organising the event;
  • e-mail and telephone of the contact person.

This data is retained for a period of up to 5 (five) calendar years following the event with a view to exercising legal rights or ensuring protection in the case of legal claims.

4. The following data is processed and retained for the purpose of ensuring safety in HOTEL premises and preventing unlawful action in the HOTEL – video images of individuals visiting the HOTEL. Video surveillance is carried out only in the common areas of the HOTEL. Data from such video surveillance assists the investigation of unlawful actions and antisocial behaviour. Such data is stored on DVR or NVR devices and access to the data is limited only to those individuals who are authorised to access and process personal data. Video images of visiting individuals are stored for a period of up to one month from the record date and are destroyed automatically unless data retention for a longer period is required for the performance of a legal obligation to which the HOTEL is subject.

III. GROUNDS FOR PROCESSING

The HOTEL will process your personal data on the basis of Article 6(1), points (a), (b), (c) and (f) of GDPR, namely:

Article 6(1)(a) GDPR – the data subject has given consent for the processing of his or her personal data for the receipt of commercial communication for marketing purposes.

Article 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject;

Article 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the HOTEL, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

IV. PRINCIPLES OF PROCESSING

When processing personal data, we adhere to the following principles:

  • Lawfulness of the collection, processing and retention of your data – we fully comply with applicable Bulgarian and European legislation;
  • fairness and transparency – data is collected and processed in accordance with our Personal Data Protection Policy, available to all users;
  • relevance of processing to processing purposes and data minimisation – the types of data we collect are minimised in accordance with processing purposes. The purposes for which we process your data are those for which we have a legal obligation, contractual obligation or for which we have obtained your consent;
  • restriction of storage – we process and retain your data for a certain period of time, in accordance with the purposes for which such data is needed and in compliance with your consent;
  • user consent for data processing – in order to use your data for marketing purposes with a view to improving offered services, we need to obtain your express consent.

Please bear in mind that when you send an inquiry to the HOTEL (for rates, reservations, clarifications on bookings, event organisation and/or other questions related to services offered by the HOTEL) you are providing your consent for the HOTEL to store and process your personal data, provided for the purposes of the relevant inquiry.

In this case, your data will be deleted in accordance with valid legislation and the present privacy policy.

Personal data obtained in connection with an inquiry is processed and retained for a period of 6 (six) months from inquiry processing and is then deleted except in the cases where the Controller is entitled to retain the data on a statutory or contractual basis for a longer period of time.

V. PERSONAL DATA PROTECTION MEASURES

We employ electronic data protection means to ensure fast and accurate provision of services and assistance to users.

Processing of personal data provided to the HOTEL is carried out in compliance with applicable legislation in the field of personal data protection. The HOTEL will respect your privacy at all times. The HOTEL guarantees that the individuals it has authorised for the purpose of data processing have signed confidentiality agreements or are obliged by law to protect the confidentiality of the personal data entrusted to them.

The HOTEL implements technical and organisational security measures to protect the personal data you have provided against accidental or unlawful destruction, accidental loss, unauthorised access, modification or disclosure and against any other types of unlawful processing by unauthorised individuals. The applied measures are subject to ongoing control and adaptation to the newest technologies.

The personal data we collect may be forwarded to HOTEL partners who act as processors on behalf of the HOTEL and have undertaken to meet all applicable requirements for the protection of personal data. We comply with the requirement that the respective data may only be used within the restrictions of the legal basis for which it is collected or your personal consent for processing carried out on behalf of the HOTEL and that such data must be treated as confidential.

The HOTEL may disclose and make available personal information in accordance with applicable law, where a court or administrative body orders or requires such disclosure or where the disclosure of personal data is related to the performance of a legal obligation to which the HOTEL is subject.

The data collected with the purpose of HOTEL accommodation will also be available to the third parties defined in the Tourism Act – the Ministry of Tourism, Municipalities, the Ministry of Interior, the National Revenue Agency and the National Statistical Institute.

VI. PERSONAL DATA RETENTION

The data concerning you which we collect is retained within the European Economic Area (EEA) in compliance with national and European legislation and more particularly the GDPR.

VII. DATA SUBJECT RIGHTS

Users of services provided by the HOTEL have the following rights in their capacity of data subjects:

1. Right to access and right to rectification: in accordance with valid legislation, you have the right of access to the data you have provided for processing. By sending a written application through the website’s Contact Form, you can obtain information on the type of personal data you have provided and the relevant processing purposes. Once you have obtained access to your data, you may request rectification of the data if any errors or discrepancies are identified.

2. Right to object against processing on the basis of legitimate interest: Users may object against processing of their personal data. This objection must be addressed to the HOTEL through the Contact Form in this section of the website. The HOTEL undertakes to review your objection and to notify you of the result of its internal check within 30 calendar days.

3. Users are entitled to file complaints with the competent supervisory body. According to valid legislation the competent supervisory authority in the Republic of Bulgaria is the Personal Data Protection Commission.

4. Right to data portability: Where the HOTEL processes your personal data in an automated manner on the basis of your consent or a contract, you will be entitled to receive your personal data in a structured, commonly used and machine-readable format. Users have the right to transmit such data to another controller without hindrance from the HOTEL with regards to data provided under consent, data provided for the performance of a contract to which the user is party or in order to take steps at the request of the user prior to entering into a contract.

5. Right to erasure (‘right to be forgotten’): You have the right to obtain erasure of all personal data concerning you and processed by the HOTEL at any time, unless processing is required for at least one of the following purposes, namely:

  • a) for exercising the right of freedom of expression and information;
  • b) for compliance with a legal obligation which requires processing by a Union or Member State law to which the HOTEL is subject;
  • c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • d) for the establishment, exercise or defence of legal claims.

Right to restriction: You have the right to obtain from the HOTEL restriction of processing where one of the following applies:

  • a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Right to be informed of a data breach pursuant to Article 34 GDPR:

When the personal data breach is likely to result in a high risk to your rights and freedoms, the HOTEL will communicate the personal data breach to you without undue delay; the communication will describe the nature of the personal data breach and will contain at least:

  • name and contact details of the contact person in the HOTEL team, from whom more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication above will not be sent personally to each data subject in the event of security breaches if the HOTEL has met any of the following conditions:

  • a) has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption, or
  • b) has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to above is no longer likely to materialise;
  • c) the notification would involve a disproportionate effort.

In such a case the HOTEL will publish a notification on its site so that data subjects are informed in an equally effective manner.

VIII. CHANGES IN THE PERSONAL DATA PROTECTION POLICY

The HOTEL’s Personal Data Protection Policy may be amended unilaterally by the HOTEL with a view to improving its provisions, offering new services, changes to the manner of service provision and communication with our clients and amendments required by legislative changes.

When introducing changes to the present Personal Data Protection Policy, the HOTEL will communicate to you such changes by publishing them on the HOTEL website, providing a reasonable period in which you can become familiar with the changes and, following expiry of this period, the changes will apply to the processing of your personal data without further notification.

If, within this time period, you state that you object to the changes, it will be deemed that you have withdrawn your consent for the processing of your personal data and the HOTEL will terminate processing, provided that the ground for the collection and processing of your personal data is consent. Such termination may result in termination of your registration for games, services, electronic bulletins, etc., which we offer, for the purposes of which you have initially provided your personal data.

IX. CONTACT WITH THE HOTEL TEAM

If you have any questions regarding our personal data protection rules and measures, send us a message using the site’s contact form.

Exercise of the above rights does not constitute waiver of the right to appeal. You can lodge an appeal with the relevant Bulgarian supervisory body – the Personal Data Protection Commission. Further information can be found at: www.cpdp.bg
