PRINCIPLES FOR PROCESSING PERSONAL DATA

The policy of DINEVI & SIE SD, UIC: 102046289, with address: 92 Tsar Simeon Str., Sveti Vlas 8229, Bulgaria, aims to ensure compliance with the provisions of the Regulation.

DINEVI & SIE SD collects and processes personal data lawfully, fairly and in accordance with the principles and rights of natural persons in relation to the processing of their personal data.

DINEVI & SIE SD processes personal data of natural persons only in the following cases:

  • processing is necessary for compliance with a legal obligation of DINEVI & SIE SD;
  • processing is necessary for the performance of a contract (incl. an order/engagement) with DINEVI & SIE SD to which the natural person is a party, or in order to take steps at the request of the natural person prior to entering into a contract, where their identification is required;
  • the natural person has given their unambiguous consent for a clear and transparently defined purpose by DINEVI & SIE SD, for which processing of their personal data is required;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the purposes of the legitimate interests pursued by DINEVI & SIE SD or by a third party, in accordance with the provisions of the Regulation;
  • other cases provided for in the Regulation.


DINEVI & SIE SD does not collect or process personal data of natural persons beyond its statutory obligations or its business needs.

In all cases where it is necessary for collected and processed personal data to be used for purposes other than the original ones, DINEVI & SIE SD notifies the relevant natural persons, requests their consent, and processes their personal data for other purposes only after their explicit consent has been obtained.

DINEVI & SIE SD collects and processes only the minimum necessary personal data of natural persons that:

  • are required by law;
  • are necessary for the performance of a contract;
  • are necessary to achieve the purposes for which they are collected.


DINEVI & SIE SD ensures that the processing of personal data is carried out with maximum accuracy and, where possible, always kept up to date.

DINEVI & SIE SD ensures that access to and processing of personal data is performed by the minimum necessary number of persons (operators) who have the required competence to process the data and the necessary commitment to protect it.

RETENTION PERIODS

DINEVI & SIE SD retains personal data within the following periods:

  • Data for the register of accommodated tourists within the meaning of Art. 116 of the Tourism Act, including identification data of accommodated persons and data related to hotel accommodation, in accordance with the procedure and retention period provided in the Tourism Act and the secondary legislation.
  • Information related to requested and used services for hotel accommodation, events, and restaurant services, including cancelled hotel reservations (insofar as related to refunds of prepaid amounts and/or retention of amounts due) – from the respective reservation/request until 5 (five) years after provision of the service/completion of performance of the contract/cancellation of the reservation. Where services are requested and used under a long-term performance contract, the period starts from the final performance and/or termination of the contract.
  • Financial and accounting documents; invoices; authorisation forms; other information related to tax and social security control – up to 10 (ten) years, counted from the beginning of the year following the year in which payment of the liability for the respective year is due.
  • Unstructured communication, correspondence, complaints, signals, and similar – 5 years.
  • Video recordings data – up to 1 week.
  • Data processed on the basis of the data subject’s explicit consent – from the moment consent is given until it is withdrawn by the data subject.
  • Until requested by the natural person for erasure, where there are grounds for such a request.


The personal data specified in this Policy may be processed for a longer period than the terms indicated above if this is necessary to achieve the purposes set out herein or to protect the rights and/or legitimate interests (including through court proceedings) of DINEVI & SIE SD, or if the applicable legislation provides for a longer retention period.

In all cases, DINEVI & SIE SD ensures that at least once per year a review is performed of the collected and processed personal data, and those data that fall within any of the above hypotheses are deleted without undue delay.

RULES FOR PROCESSING PERSONAL DATA

Personal data is processed with the necessary levels and measures of protection

DINEVI & SIE SD ensures the necessary levels of physical, organisational, and technological security, taking into account:

  • the nature, scope, context, and purpose of the processed personal data;
  • the likelihood, impact levels, and severity of the risk to the rights and freedoms of natural persons in the event of a personal data breach;
  • its financial and organisational capabilities.


DINEVI & SIE SD also ensures all necessary measures for the timely recovery of collected and processed personal data in the event of loss due to accidental, malicious, or force majeure events.

Personal data is processed with controlled and traceable access: DINEVI & SIE SD ensures the necessary and appropriate technical, organisational, and technological measures for controlled and traceable access to the personal data of natural persons.

Personal data is processed with the necessary accountability for compliance with the Regulation: DINEVI & SIE SD ensures the necessary accountability and registers in order to be able to demonstrate compliance with the provisions of the Regulation.

DATA SUBJECTS

In connection with the services provided, DINEVI & SIE SD processes information regarding the following data subjects:

  • natural persons visiting the hotel’s website;
  • natural persons who make reservations in their own name or on behalf of another natural or legal person via the Website;
  • natural persons using the services provided by DINEVI & SIE SD, including, but not limited to, hotel accommodation services, restaurant services and related servicing, provision of premises for organising other events, as well as natural persons representing or otherwise acting on behalf of legal persons using these services;
  • the services of DINEVI & SIE SD may be requested only by legally capable persons who have reached the age of 18.

RIGHTS OF NATURAL PERSONS WHOSE DATA ARE PROCESSED

DINEVI & SIE SD ensures respect for the rights of natural persons whose personal data are collected and processed, including:

  • right to be informed about the processing of personal data;
  • right of access to personal data – what data are held;
  • right to rectification of inaccurate personal data;
  • right to erasure of personal data – the “right to be forgotten”;
  • right to restriction of processing;
  • right to be informed of actions taken following a request for rectification, erasure, or restriction of processing;
  • right to data portability;
  • right to object to the processing of personal data;
  • right not to be subject to automated decision-making, including profiling.

PERSONAL DATA PROCESSED

Personal data processed in the capacity of Controller:

  • of employees;
  • of individual customers;
  • of individual suppliers.

PURPOSES OF PERSONAL DATA PROCESSING

As a Controller, DINEVI & SIE SD performs the following operations and processes only the necessary personal data for the following purposes:

  • conclusion, performance, and termination of employment contracts and calculation of employees’ salaries and compensations/benefits;
  • acceptance, administration, and processing of reservations and their cancellation;
  • administration, performance, and delivery of purchases made through the Website;
  • administration and receipt of payments for the provided services, including remotely;
  • provision of services to customers;
  • ensuring an individual approach when providing services, aligned with the users’ stated preferences;
  • conclusion and performance of contracts with individual suppliers;
  • direct marketing for sales purposes.

RECIPIENTS AND CATEGORIES OF RECIPIENTS

In connection with the achievement of the purposes set out above, DINEVI & SIE SD provides personal data of natural persons to the following recipients:

  • NRA (National Revenue Agency) in relation to the calculation of staff salaries;
  • NSSI (National Social Security Institute) in relation to the calculation of staff compensations/benefits;
  • an occupational health service provider in relation to the obligation to maintain an up-to-date health status of staff and to perform periodic medical examinations;
  • the General Labour Inspectorate, NSSI, and the Ministry of Interior (MoI) – in relation to occupational accidents;
  • the Ministry of Interior (MoI) – in relation to providing information about hotel guests;
  • other state and municipal authorities and/or institutions – in relation to legal obligations towards them or legal requests from them for information containing personal data;
  • subcontractors for the performance of contractual obligations.

VIDEO SURVEILLANCE AND SECURITY

In accordance with the requirements of applicable legislation, DINEVI & SIE SD applies security measures, including the following technical and organisational means for access control and physical security against unlawful interference with buildings and premises, and for protection of the life and health of citizens: a video control system performing 24-hour video surveillance and consisting of recording and storage devices.

Video surveillance and video recording may be carried out in publicly accessible areas and premises within the buildings of DINEVI & SIE SD, as well as in areas subject to a special access regime. No video surveillance is carried out in guest rooms, sanitary and hygiene premises, rest areas, etc. Data from video surveillance activities are stored for a period of seven days.

Through information boards placed in a visible location, data subjects and other visitors who may be recorded are informed about the use of technical means for surveillance and control, and any other relevant information related to the surveillance carried out.

Processing of Personal Data for Marketing Purposes

We collect and process personal data for marketing purposes in order to provide personalised offers, news, and promotions that may be of interest to you. This includes sending marketing messages via email, SMS, phone calls, or other communication channels.

Categories of personal data: The processed personal data may include:

  • First and last name
  • Email address
  • Phone number


Legal basis for processing

The processing of personal data for marketing purposes is carried out on the basis of your explicit consent. You have the right to withdraw your consent at any time by contacting us or by using the unsubscribe option provided in each marketing message.

Retention period

Personal data will be stored until you withdraw your consent or until the expiry of the legally prescribed period.

Your rights You have the right of access, rectification, erasure, restriction of processing, and objection to the processing of your personal data, as well as the right to data portability. For more information, please contact us.

COMPANY CONTACT DETAILS

If you have questions or concerns regarding the processing of your personal data or wish to exercise any of your rights, you may contact us at:

COMPETENT SUPERVISORY AUTHORITY

In the territory of the Republic of Bulgaria, the competent supervisory authority is the Commission for Personal Data Protection.

If you suspect that your rights related to the protection of your personal data have been violated, you may submit a complaint to:

  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
  • Email: kzld@cpdp.bg
  • Phone: 02 / 91-53-518