
Privacy Statement of park-hotel Sankt Peterburg Plovdiv
park-hotel Sankt Peterburg Plovdiv strives to offer exceptional products, services and experiences. We highly appreciate our business activity but above all we appreciate your loyalty. We realize that privacy is important to You and we prepared this statement to clarify our practices with regard to personal data we collect from or about You on this website, through oral or written messages with us, upon your visits at Grand Hotel Pomorie, or through other sources such as tour operators. This Statement describes the practices adopted at Grand Hotel Pomorie in full compliance with the requirements of Data Protection Regulation (EU) 679/2016.
What kind of personal data do we collect?
Each event with the participation of our guests, or the preparation of such an event, may require collecting personal data such as names, phone numbers, emails, addresses, etc. Such data is always collected for the specific purpose only and represents the smallest set of data needed to achieve the goal.
Lotteries or marketing surveys of our guest and client reviews on the quality of our products and services are among the events designed to offer only the most suitable products and services for You.
Personal data collected upon guest registration is statutory and regulated. Upon registration at the hotel you will be able to see the information provided by receptionists regarding data protection.
Additional information collected at the hotel
Social media. If you are a social media user you will be aware that we encourage you to share information on your stay with your contacts through text and/or photo material, as well as to take part in photo contests, such as with photos taken during your stay with us. If other people are present in the photo, their consent is required in this regard.
Collection of information at the facilities of park-hotel Sankt Peterburg Plovdiv. The Tourism Act binds us to collect the minimum personal data required by this Act upon guest registration at the hotel. For security reasons, we may make video records of guests and visitors within the public areas of the complex under the terms and conditions stipulated in the Private Security Act.
Car Rental Application requires additional statutory personal data related to this activity such as driving license number and other data related to the rent and the insurance services offered.
Event Arrangement. Technical details of events arranged by you may include data such as date and time, number of guests, information regarding guest rooms and the minimal personal data required for them. Corporate events may require business data and additional information in this regard. When you visit us as part of a group, we will have at our disposal the personal data provided by the group so that you can receive our offers to visit the events arranged by the group, depending on your individual preferences. If you are an event organizer, you may agree to share your event data with third parties – service providers which can provide you with their event services.
Business partnership or career opportunities. Do not hesitate to contact us regarding more information that would allow us to evaluate your skills for a good partnership or career development with us. In these cases, we may need to compare the information provided with publicly available information.
Personal data received from third parties
It is common practice for third parties to be involved in your relationship with us, such as the tour operator through which you have booked and paid for your stay and extra services, or event organizers. They have contracts with us for processing of personal data as joint controllers or as a controller and processor of personal data so that your data protection is also in accordance with Regulation (EU) 679/2016 as a legal commitment of both parties to you.
Sharing personal data
While we strive to offer the best experience, and products and services of the highest quality at Grand Hotel Pomorie, we may need to share information, upon overlapping objectives or with your consent, with service providers, our trading partners, with which we have arrangements, in all cases in accordance with Data Protection Regulation (EU) 679/2016. For example, when planning a group event or meeting, the information collected may be shared with the organizers and/or our trading partners whose products or services would improve your experience in our complex. Sharing information with our spa complex, restaurant services or in other cases such as concierge or external service providers is also only upon overlapping purposes or with your consent and is in accordance with the principles of Regulation (EU) 679/2016. Sharing information in all other cases is legally regulated by the relevant officials, such as under the requirements of the Tourism Act.
Data on health status or medical information
We don’t keep the therapy files and other medical documents. They are in your possession and
control only. Therapists will only be informed about the type and duration of the treatment
from these documents and will immediately return them. Grand Hotel Pomorie never has any
access to these documents beyond the limits of the current therapy session or examination.
park-hotel Sankt Peterburg Plovdiv does not provide any personal data outside the country.
Protection of Personal Data
Definitions
According to Article 4 of Regulation 679/2016:
(1) “personal data”
means any information related to an identified or identifiable natural person (“data subject”);
an identifiable natural person is a person who can be identified, directly or indirectly, in
particular by an identifier such as name, identification number, location data, online
identifier or one or more signs specific to the physical, physiological, genetic, mental,
intellectual, economic, cultural or social identity of that individual;
(2) “processing”
means any operation or sum of operations executed with personal data or set of personal data
through automatic or other means such as collecting, recording, arranging, structuring,
keeping, adapting or modifying, extracting, advising, using, disclosing through submitting,
distributing or other means by which data becomes available, fixing or combining, limiting,
deleting or destroying;
(3) “restriction of processing” means the marking of personal
data kept in order to restrict the respective processing in the future;
(4) “profiling”
means any form of automated processing of personal data involving the use of personal data
for the evaluation of particular individual aspects regarding the natural person and in
particular for analysing or forecasting of aspects related to the performance of the
occupational duties of this natural person, his/her economic and health status, personal
preferences, interests, reliability, behaviour, location or movement;
(5) “pseudonymization” means the processing of personal data in a way that personal data can
no longer be linked to a particular data subject without using additional information, provided
that it is kept separately and is subject to technical and organizational measures to ensure
that personal data is not connected to an identified or identifiable natural person;
(6) “filing system” means any structured set of personal data accessed in accordance with
specific criteria, whether centralized, decentralized or distributed according to a
functional or geographic basis;
(7) “controller” means a natural person or legal entity,
public authority, agency or other entity which separately or jointly with other ones defines
the purposes and means of processing of personal data; where the purposes and means of such
processing are determined by Union or national law, the controller or the specific criteria
for its determination may be laid down in Union law or the law of a Member State;
(8) “data processor” means a natural person or legal entity, public authority, agency or other
entity processing personal data on behalf of the controller;
(9) “recipient” means a
natural person or legal entity, public authority, agency or other entity which personal data
is disclosed to, whether or not a third party. At the same time public authorities which may
receive personal data in a specific investigation in accordance with Union law or the law of
a Member State are not considered as “recipients”; processing of such data by the said
public authorities complies with the applicable data protection rules according to the
purposes of the processing;
(10) “third party” means a natural person or legal entity,
public authority, agency or other authority other than the data subject, controller, data
processor and the entities entitled to process personal data under the direct
supervision of the controller or data processor;
(11) “data subject’s consent” means any
free, specific, informed and unambiguous indication of the data subject’s will by means of a
statement or a clear and confirmatory act expressing consent for his/her personal data to be
processed;
(12) “personal data breach” means a breach of security resulting in the
accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to
personal data which is otherwise submitted, kept or processed;
(13) “genetic data” means
personal data related to inherited or acquired genetic traits of a natural person giving
exceptional information on the characteristics or health of that natural person and
acquired, in particular, from a biological assay of the natural person concerned;
(14) “biometric data” means personal data acquired as a result of a specific technical processing
which are related to the physical, physiological or behavioural characteristics of a natural
person and which allow or confirm the exceptional identification of that natural person,
such as facial images or dactyloscopic data;
(15) “health status” means personal data
related to the physical or mental health of a natural person, including the provision of
health services which give information on his/her health status;
Principles
According to Article 5 of Regulation 679/2016, the principles are met
when:
Paragraph 1.
Personal data is:
(a) processed lawfully, in good faith and in a transparent way with
regard to the data subject (“LAWFULNESS, GOOD FAITH AND TRANSPARENCY”);
(b) collected for
specific, explicit and legitimate purposes and is not further processed in a way
incompatible with these purposes; further processing for archiving purposes in the public
interest, for scientific or historical research or for statistical purposes is not
considered to be incompatible with the original purposes (“PURPOSE LIMITATION”) in
accordance with Article 89 (1);
(c) relevant, related and limited to what is needed in
relation to the purposes which they are being processed for (“DATA MINIMIZATION”);
(d) accurate and, if needed, up-to-date; all reasonable measures should be taken to ensure the
timely deletion or correction of inaccurate personal data, taking into account the purposes
which they are processed for (“ACCURACY”);
(e) kept in form allowing the data subject to
be identified for a period no longer than is needed for the purposes which the personal data
is processed for; personal data may be kept for longer periods as far as they are processed
only for archiving purposes in the public interest, scientific or historical research or
statistical purposes in accordance with Article 89 (1), on the understanding that relevant
technical and organizational measures are properly applied and stipulated in this Regulation
in order to guarantee the rights and freedoms of the data subject (“RESTRICTION ON
KEEPING”);
(f) processed in a way providing with an adequate level of security of
personal data, including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage by applying proper technical or organizational
measures (“INTEGRITY AND CONFIDENTIALITY”).
Paragraph 2.
The controller is responsible
and may demonstrate the compliance with paragraph 1 (“ACCOUNTABILITY”).
Rights of the subjects
Data subjects shall have the following rights in respect of
the data processing and the data recorded for them:
Make confirmation requests if their
personal data is being processed and, if so, receive access to the data and information on
which the recipients of that data are.
Request a copy of their personal data from the
CONTROLLER;
Require the CONTROLLER to correct personal data when it is inaccurate and
out-of-date;
Require the CONTROLLER to delete personal data collected on the basis of
consent (right to be forgotten);
Require the ADMINISTRATOR to restrict the processing
of personal data where it is reasonably motivated and the data will only be kept but not
processed in this case;
Make a reasonable objection to the processing of relevant
personal data;
Send a complaint to the Supervisory Authority (Personal Data Protection
Commission) if they believe that any of the provisions of Regulation (EU) 679/2016 has been
violated;
Request personal data to be provided in a structured, widely used and machine
readable format when the way and formats are regulated in our internal legal basis;
Withdraw the consent to the processing of personal data at any time by a separate request
sent to the controller upon processing personal data on the basis of consent;
Not to be a subject of automated decisions affecting them to a significant extent without
the possibility of human intervention;
Oppose automated profiling done without relevant consent.
THE CONTROLLER provides conditions to ensure that these rights are exercised by the data
subject:
Data subjects may request access to data and the Controller ensures that the response to the
data subject’s request meets the requirements of the General Regulation.
Data subjects are enabled to submit complaints to the Controller related to the processing
of their personal data.
Responsibility
According to Article 24 of Regulation 679/2016
Responsibility of the Controller of Grand Hotel Pomorie
Paragraph 1.
Taking into account the nature,
scope, context and purposes of the processing as well as the risks of different probability
and burden on the rights and freedoms of natural persons, the controller shall put in place
proper technical and organizational measures to ensure and be able to demonstrate that the
processing shall be performed in accordance with this Regulation. These measures shall be
reviewed and updated if needed.
Paragraph 2.
The measures referred to in
paragraph 1 shall include the use of proper data protection policies by the controller where
this is proportionate to the processing activities.
Paragraph 3.
Adherence to
approved codes of conduct or approved certification mechanisms may be used as evidence to
demonstrate that the controller’s obligations have been observed.
This paragraph shall be applied by park-hotel Sankt Peterburg Plovdiv as soon as sectoral
policies and/or certification in the hotel and restaurant industry are approved!
Joint processing
park-hotel Sankt Peterburg Plovdiv always concludes data processing
contracts/agreements in accordance with Regulation 679/2016 in order to provide our guests
with maximum security and comfort when working with tour operators and/or other partners
with regard to the service and provision of their information and/or services.
Contact details
park-hotel Sankt Peterburg Plovdiv
marketing@sphotel.net