The management of STELLA TOURS 2001 EOOD (hereinafter "STELLA TOURS", "the company", "we", "the controller") shall ensure compliance with the legislation of the EU and the Republic of Bulgaria in relation to the processing of personal data and the protection of the "rights and freedoms" of the people whose personal data are collected and processed by the company.
Regulation (EU) 2016/679 and this policy refer to all functions of processing personal data, including those relating to personal data of clients, employees, suppliers and partners and all other personal data, which we process from various sources.
This policy applies to all cases relating to personal data processing. Every breach of the General regulation will be seen as a breach of discipline at work and, in case of a potential criminal offence, the issue will be considered in the shortest appropriate period of time by the relevant state authorities.
Partners and third parties who work with or for STELLA TOURS 2001 EOOD, as well as anyone who has or may have access to the personal data, must be familiar with, understand and comply with this policy. No third party can have access to personal data stored by the company unless they agree in advance to execute a non-disclosure agreement which imposes on such third party obligations that are not less strict than those we have assumed, and which entitles us to make inspections on the compliance with the obligations assumed under the agreement.
Roles and responsibilities according to Regulation (EU) 2016/679
STELLA TOURS 2001 EOOD is a data controller pursuant to Regulation (EU) 2016/679.
The senior management and all members of management or supervisory bodies of STELLA TOURS are responsible for the development and the promotion of good practices in the field of data processing.
Observance of data protection law is the responsibility of all employees of STELLA TOURS 2001 EOOD who process personal data.
Data protection principles
All processing of personal data is carried out in compliance with the principles of data protection. The policies and procedures of the company aim at ensuring strict observance of these principles.
STELLA TOURS will process personal data lawfully, fairly and in a transparent manner. Personal data which we collect are used only for specified, explicit and legitimate purposes. We will never sell your personal data and will never transfer or disclose them to a third party unless we are bound to do that by the law.
Purposes, legal grounds and terms for personal data processing
The company will process your personal data for the purposes of administrative reporting, financial and accounting activities, banking and insurance operations and reporting to ensure security of the tourists and protection of its legitimate interests.
The general processing of your data is carried out only in connection with the statutory obligations imposed on the company by the Bulgarian law (Code of Social Insurance, the Labour Code, the Ministry of the Interior Act, the Tourism Act, the Foreigners in the Republic of Bulgaria Act, etc.).
The personal data of natural persons processed in connection with employment, civil and/or contractual relationship with the company are stored for the time periods prescribed by the Bulgarian law.
Personal data of natural persons who are clients of the company are stored for a period of eighteen months and shall be destroyed and/or erased according to the rules adopted by the company.
Rights of data subjects
The data subjects have the following rights with regard to processing of data which are collected from or recorded about them:
- To request confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information on who the recipients of these data are;
- To request copies of their personal data from the controller;
- To request from the controller rectification of personal data which are incorrect or out-of-date;
- To request from the controller to restrict data processing, in which case data will be only stored and will not be processed, if there is no legal prohibition against that;
- To object to personal data processing referring to your goals for the purpose of direct marketing;
- To lodge a complaint with the supervisory authority if you consider that any provision of the GDPR has been violated;
- Not to be subject to automated decisions which concern you.
We will ensure conditions that guarantee the exercise of these rights by you:
- Data subjects may make requests for access to data.
- Data subjects are entitled to submit complaints to the company relating to personal data processing and to the processing of requests from the data subject, and to submit a complaint concerning the method of processing a complaint.
STELLA TOURS considers that ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject may withdraw his or her consent at any time if it does not contradict any statutory obligation of the company.
When we process personal data of children, first we obtain the permission of the individuals exercising the parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16.
All employees are responsible for guaranteeing the security of data for which they are liable and which the company keeps, and for ensuring that such data are stored securely and are not disclosed under any circumstances to third parties unless the company has granted such rights to such third party based on execution of a non-disclosure agreement/clause.
All data are accessible only to those who need them and the access is granted only in compliance with the established access control rules. All personal data are treated with the highest levels of security.
Organisational arrangements have been made to guarantee that the computer screens and terminals are not seen by any person except the authorized employees of the company. Before access to any kind of data is granted to them, all employees are required to sign a confidentiality declaration and to be trained to observe the organizational and technical access measures as well as the rules for locking the work stations according to the Instructions on personal data protection and processing adopted by the controller.
Records on paper are not accessible to unauthorized persons and may not be taken out of the specially designated offices. As soon as the paper documents are no longer required for the current tasks of customers' support, they shall be destroyed in compliance with the rules adopted by the company.
We guarantee that personal data are not disclosed to any unauthorized third persons, including family members, friends, and state authorities, even investigating authorities, if there is a reasonable doubt that they have not been requested in the statutory manner. Employees shall receive training in order to avoid the risk of such violation.
All requests of third persons for data provision shall be supported with the appropriate documentation and all such data disclosures shall be specially authorized by the management body.
Data storage and destruction
STELLA TOURS will not store personal data in a manner which allows identification of subjects for a longer period than is necessary with regard to the goals for which data have been collected. The company may store data for longer periods only if personal data will be processed for the purpose of archiving, for the public interest and for statistical purposes and only upon implementation of appropriate technical and organizational measures to guarantee the rights and the freedoms of data subjects.
There are video surveillance systems installed in the territory of Elena Hotel, in the freely accessible parts of the building, only for the legitimate interests of the company, which would occur in case of accidental or specific actions or omissions on the part of the hotel guests or staff. Records from the video surveillance system shall be stored automatically for a period of seven days and then they shall be automatically erased. Access to data shall be very limited and shall be carried out in case of identified need and only by employees of the company explicitly authorized for that purpose.
Any export of data from the EU to non-EU countries (specified in the General regulation as "third parties") is unlawful unless there is an appropriate level of protection of the basic rights of the data subjects.
Personal data transfer outside the EU is forbidden unless one or more of the specified guarantees or exceptions apply:
1. Adequacy decision
The European Commission may assess third countries, territories and/or specific sectors in third countries in order to assess whether there is an appropriate level of protection of the rights and freedoms of the natural persons. In such cases authorization is not required.
Countries which are members of the European Economic Area (EEA) but not of the EU are considered as meeting the requirements for an adequacy decision.
2. EU-U.S. Privacy Shield
If the Organization wishes to transfer personal data from the EU to a third country in USA, it shall verify whether the organization has executed the Frame agreement "Privacy Shield" with the US Department of Trade.
3. Standard contractual clauses.
STELLA TOURS may adopt recognized standard contractual clauses for data protection upon data transfer outside the European Economic Area. If the company adopts standard contractual clauses approved by the relevant supervisory authority, adequacy is automatically recognized.
Records for processing activities
STELLA TOURS has developed a process of data inventory as a part of its approach for handling the risks and the opportunities in the process of observance of the policy for compliance with the Regulation (EU) 2016/679.
We are completely aware of the risks connected with processing of specific types of personal data. If any kind of processing may result in high risk for the rights and the freedoms of the natural persons, especially with the use of new technologies and taking into account the nature, the scope, the context and the purpose of processing, then before proceeding to processing the company will make an assessment of the impact of the envisaged processing operations on personal data protection.
When, as a result of the internal assessment, it is established that the company will start personal data processing which due to high risk may cause harm to data subjects, the decision whether processing will continue or not will be delivered for review by the management authorities. If there are serious doubts either concerning the potential harm or danger or concerning the quantity of the relevant data, the issue will be referred to the supervisory authority for consultation.