As a Personal Data Controller, Grand Hotels Management and Marketing Ltd. has an obligation to inform you of what to expect when processing your personal information.
Transparency in information processing.
I. Declaration regarding the Personal Data Protection Policy
- The Management of Grand Hotels Management and Marketing Ltd. hereby ensures compliance with the legislation of the EU and the member states regarding the processing of Personal Data and the protection of the “rights and freedoms” of the persons whose personal data Grand Hotels Management and Marketing Ltd. collects and processes according to the General Data Protection Regulation (Regulation (EU) 2016/679).
- This Policy applies to all Personal Data processing activities, including those carried out regarding Personal Data of customers, employees, suppliers and partners and any other Personal Data that the Company processes from various sources.
- The Controller keeps a Register/s of the processing activities. In cases where the keeping of the Register/s is assigned to a data protection person/Personal Data protection officer, he/she is responsible for entering any changes in the activities of Grand Hotels Management and Marketing Ltd. into this Register/s, as well as all other additional requirements, including data protection impact assessments. This Register shall be available upon request by the Supervisory Authority.
- This Policy applies to all employees/workers (and stakeholders) of Grand Hotels Management and Marketing Ltd., as well as to data processors and their staff members. Any violation of the General Regulation will be considered as a violation of labor discipline, and in case there is an assumption of a crime committed, the matter will be submitted for consideration in the shortest possible time to the relevant state authorities.
- Third parties that work with or for Grand Hotels Management and Marketing Ltd., including partners, external suppliers, customers, etc., as well as those who have or may have access to the Controller’s Personal Data, are required to familiarize themselves and comply with this Policy. The Controller is obliged to conclude a Data Confidentiality Agreement with any third party to which it grants access to the Personal Data processed by it, which gives Grand Hotels Management and Marketing Ltd. the right to carry out checks on compliance with the obligations imposed by the Agreement, unless the processing is not required by EU law or by the law of a member state.
II. Obligations and responsibilities under Regulation (EU) 2016/679
- Grand Hotels Management and Marketing Ltd. is a Personal Data Controller according to Regulation (EU) 2016/679 and bears all responsibility and risks of possible non-compliance with the GDPR requirements, including being responsible for developing and promoting good practices in the field of Personal Data processing in Grand Hotels Management and Marketing Ltd.
- A Personal Data Processor is any person outside the Controller’s organization which directly processes Personal Data on behalf of the Controller and stores, digitizes, catalogs, etc. the whole information.
- The Data Protection Officer, respectively the person who, by job description or assignment, performs tasks related to Personal Data protection (responsible person/Data Protection Officer), takes part in the meetings of the Controller’s management at which issues in the field of Personal Data protection are discussed, and advises the Controller on demonstrating compliance with data protection legislation and good practice.
This reporting by the Data Protection Officer includes:
- developing and implementing the requirements of REGULATION (EU) 2016/679 as required by this Policy;
- security and risk management in relation to Policy compliance.
- The Data Protection Officer, who should be suitable, qualified and experienced, is selected by the Controller’s governing body (depending on its structure and legal organization form). The Data Protection Officer is obliged to advise and inform the Controller about the implementation of the GDPR and other laws of the domestic and European legislation in the field of Personal Data protection, in accordance with his/her obligations under the contract and according to the requirements of the GDPR, including monitoring the implementation of this Policy.
- The Data Protection Officer also has specific obligations under the GDPR: he/she is the addressee of all Data Subject requests under the Subject Request Management Procedure and is the point of contact for the Controller’s employees seeking clarification on any aspect of data protection compliance. The Data Protection Officer is also the contact person for the Supervisory Authority.
- Compliance with data protection legislation is the responsibility of all employees of the Controller who process Personal Data.
- The Training Policy of Grand Hotels Management and Marketing Ltd. (Training Policy) defines the specific requirements for training and awareness in relation to the specific roles of the employees/workers of the company.
III. Data Protection Principles
The processing of Personal Data is carried out in accordance with the Data Protection Principles set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of Grand Hotels Management and Marketing Ltd. are intended to ensure compliance with these Principles.
- Personal Data must be processed lawfully, in good faith and transparently
Lawfully – to identify a lawful basis before processing Personal Data. These are so-called “grounds for processing”, for example “consent”. The subject’s consent is one of the grounds for processing Personal Data. This may also be the performance of a contract or a legitimate interest of the controller, in which cases consent does not need to be given.
In good faith – for the processing to be in good faith, the data controller must provide certain information to the Data Subjects, necessary in each specific case and for each specific purpose, in an understandable, concise and accessible way for the Data Subject. This applies regardless of whether the Personal Data is obtained directly from the Data Subjects or from other sources.
Transparently – Regulation (EU) 2016/679 sets out requirements regarding what information must be made available to Data Subjects, which is covered by the principle of “transparency” regulated in Articles 12, 13 and 14 of the GDPR. According to the cited provisions of the GDPR, the information must be communicated to the Data Subject in an understandable form, using clear and comprehensible language, i.e. privacy statements signed by Data Subjects must be detailed and specific, understandable and accessible. The rules for notification of the Data Subject by Grand Hotels Management and Marketing Ltd. are defined in the relevant transparency procedure, and the communication is carried out through a notification for confidential treatment of Personal Data.
The specific information that the Company provides to the Data Subject includes at a minimum: data that identifies the Controller and the contact details of the Controller and the contacts of the Data Controller, if any; the purposes of the processing for which the Personal Data are intended as well as the legal basis for the processing; the period for which the Personal Data will be stored; the existence of the following rights – to request access to the data, correction, deletion (right to be forgotten), limitation of processing, as well as the right to object to the conditions (or lack thereof) in connection with the exercise of these rights; the categories of Personal Data; the recipients or categories of recipients of Personal Data, where applicable; whether the Controller intends to transfer the Personal Data to a recipient in a third country and the level of data protection; any additional information necessary to ensure fair processing.
- Personal Data may only be collected for specific, explicitly stated and lawful purposes
The data obtained for specific purposes are not used for purposes that differ from those officially announced as part of the Register of data processing activities (Article 30 of the GDPR) of Grand Hotels Management and Marketing Ltd. A procedure for transparency in the processing of Personal Data defines the relevant rules.
- The Personal Data that the Controller collects must be limited to what is necessary for the relevant purpose of processing (principle of minimizing the data that can be processed for the specific subject)
- The person responsible for data protection ensures that only information is collected that is strictly necessary for the purpose of processing.
- All data collection forms (electronic or paper), including data collection requirements in the new information systems, should include a statement of good faith processing or a link to a Privacy Policy (notice of confidential treatment of Personal Data) and be approved by the responsible person, unless they are public on the Company’s websites
- The Data Protection Officer has obligations to carry out periodic checks at least once a year to ensure that the data collected continues to be adequate, relevant and not excessive.
- Personal Data must be accurate and up-to-date at all times, and the necessary efforts have been made to enable immediate (within possible technical solutions) deletion or correction.
- The data held by the Data Controller must be reviewed and updated as necessary. Data should not be stored in cases when it is likely to be inaccurate
- The responsible person / Data Protection Officer must ensure that all staff are trained in the importance of collecting and maintaining accurate data.
- It is also the duty of the Data Subject to declare that the data he/she transmits for storage by Grand Hotels Management and Marketing Ltd. is accurate and up-to-date. Completion of a form by the Data Subject intended for the Controller will include a statement that the data contained therein is accurate as of the date of submission.
- Employees, customers and all others are required to notify Grand Hotels Management and Marketing Ltd. of any changes in circumstances so that Personal Data records can be updated. It is the responsibility of Grand Hotels Management and Marketing Ltd. to ensure that any notice of change of circumstances is recorded and adequate action is taken.
- The responsible person / Data Protection Officer ensures that appropriate procedures and policies are in place to maintain the accuracy and up-to-date state of Personal Data, taking into account the volume of data collected, the rate at which it may change, other relevant factors.
- At least once a year, the responsible person / Data Protection Officer will review the retention periods of all Personal Data processed by Grand Hotels Management and Marketing Ltd., referring to the data inventory and identifying all data that is no longer required in the context of the registered purpose. This data is properly destroyed in accordance with the procedures and policies of the Controller.
- The responsible person / Data Protection Officer ensures that requests for data correction are answered within one month. This deadline can be extended by another two months for complex requests. If Grand Hotels Management and Marketing Ltd. decides not to comply with the request, the responsible person / Data Protection Officer must respond to the Data Subject to explain the reasons for the refusal and inform him/her of his right to file a complaint to the Supervisory Authority, and to seek legal redress.
- The responsible person / Data Protection Officer should inform all third parties to whom inaccurate or out-of-date Personal Data have been provided that the information is inaccurate or out-of-date and should not be used to make decisions about the Data Subjects, and should forward any correction of Personal Data to those third parties where necessary.
- Personal Data must be stored in such a form that the Data Subject can be identified only for as long as it is necessary for processing.
- When Personal Data is retained after the date of processing, it is stored in an appropriate manner (minimized, encrypted, pseudonymized) to protect the identity of the Data Subject in the event of a data breach.
- Personal Data is kept in accordance with the Data Retention and Destruction Procedure and after its retention period has passed, it must be securely destroyed as directed in this procedure.
- The responsible person / Data Protection Officer must specifically approve any data retention that exceeds the retention period defined in the relevant procedure and must ensure that the rationale is clearly defined and complies with the requirements of the legislation on data protection. This approval must be in writing.
- Personal Data must be processed in a way that guarantees adequate security (Art. 24, Art. 32 of the GDPR)
The Data Protection Officer will carry out an initial impact assessment when necessary, taking into account all circumstances related to the data processing operations of Grand Hotels Management and Marketing Ltd. In each specific case, where there is a Personal Data breach, the Data Protection Officer as responsible person in the Controller’s enterprise should carry out a risk assessment and, in the event of a high risk, notify the Supervisory Authority and/or the Data Subject. In considering the risk on a case-by-case basis, the Data Protection Officer should consider the degree of potential harm or loss that could be caused to individuals (e.g. staff or customers) if a security breach were to occur, any likely reputational damage of the Controller, including possible loss of customer trust, etc. Ensuring the security of Personal Data is also related to the implementation of appropriate technical measures, which the Data Protection Officer monitors and which may include at least:
- Password protection;
- Automatic locking of idle workstations in the network;
- Removal of access rights for USB and other portable storage media (there may be an exception if mandatory virus check and data transfer logging are provided);
- Antivirus software and firewalls;
- Role-based access rights, including those of assigned temporary staff;
- The protection of devices that leave the premises of the organization, such as laptops or others;
- Security of local and wide area networks;
- Privacy-enhancing technologies, such as pseudonymization and anonymization;
- Identification of appropriate international security standards suitable for Grand Hotels Management and Marketing Ltd.
In assessing the appropriate organizational measures, the Data Protection Officer will consider the following:
- The levels of appropriate training in Grand Hotels Management and Marketing LTD.;
- The measures that take into account the reliability of employees (for example, attestation evaluations, recommendations, etc.);
- The inclusion of data protection in employment contracts;
- Identification of disciplinary measures for violations regarding data processing;
- Regular inspection of personnel for compliance with relevant security standards;
- Control of physical access to electronic and paper-based records;
- The adoption of a “clean workplace” policy – upon leaving the workplace, all work documentation should be removed or stored in appropriate places with limited access – special cabinets, locked rooms, destruction of no longer needed documents, etc.;
- Storage of paper database in lockable wall cabinets;
- Limiting the use of portable electronic devices outside the workplace;
- Limiting employees’ use of personal devices in the workplace;
- Accepting clear rules for creating and using passwords;
- Regular creation of backup copies of personal data and physical storage of media with copies outside the office;
- Imposing contractual obligations on counterparty organizations to take appropriate security measures when transferring data outside the EU.
The assessment of appropriate measures takes into account the identified risks to Personal Data, as well as the possibility of harm to the persons whose data is processed.
- Compliance with the principle of accountability
Regulation (EU) 2016/679 includes provisions that promote accountability and governance and complement transparency requirements. The principle of accountability in Art. 5, para. 2 requires the Controller to prove that it complies with the other principles in the GDPR and expressly states that this is its responsibility.
Grand Hotels Management and Marketing Ltd. demonstrates compliance with data protection principles by implementing data protection policies, adhering to codes of conduct, implementing appropriate technical and organizational measures, and adopting techniques for data protection by design and by default, privacy impact assessment, a Personal Data breach notification procedure, etc.
IV. Rights of data subjects
- According to the GDPR, the Data Subject has the following rights regarding the processing of his/her personal data:
- To receive information about the Personal Data related to him/her, which are processed by the Controller, and the purpose for which they are processed, including to obtain access to the data, as well as information who are the recipients of this data and the third parties to whom data is transmitted;
- To request a copy of his/her personal data from the Controller;
- To ask the Controller to correct Personal Data when they are inaccurate, as well as when they are no longer up-to-date;
- To demand from the Controller the deletion of Personal Data (right “to be forgotten”);
- To ask the Controller to limit the processing of personal data, as in this case the data will only be stored, but not processed;
- To object to the processing of his/her Personal Data;
- To object to the processing of Personal Data concerning him/her for the purposes of direct marketing;
- To file a complaint with a Supervisory Authority if he/she believes that any of the provisions of the GDPR have been violated;
- To request and be provided with Personal Data in a structured, widely used and machine-readable format;
- To withdraw his/her consent to the processing of Personal Data at any time with a separate request addressed to the Controller;
- Not to be the subject of automated decisions that affect him/her to a significant extent, without the possibility of human intervention;
- To oppose automated profiling that occurs without his/her consent;
- Grand Hotels Management and Marketing Ltd. provides conditions to guarantee the exercise of these rights by the Data Subject:
- Data Subjects may make data access requests as described in the relevant procedure, which procedure also describes how Grand Hotels Management and Marketing Ltd. will ensure that the response to the Data Subject’s request meets the requirements of the General Regulation.
- When the requests of a Data Subject are manifestly unfounded or excessive, in particular due to their repetition, Grand Hotels Management and Marketing Ltd. may either impose a reasonable fee, taking into account the administrative costs of providing the information, communication or taking the requested actions, or refuse to act on the request.
- Data Subjects have the right to submit objections to Grand Hotels Management and Marketing Ltd. related to the processing of their Personal Data. The processing of a request from the Data Subject and the submission of objections by the Data Subject is carried out in accordance with the rules accepted in the Company. The Supervisory Authority in Bulgaria is the Commission for the Protection of Personal Data, address: 1592 Sofia, “Prof. Tsvetan Lazarov” No. 2 (cpdp.bg).
V. Consent
- By “consent” Grand Hotels Management and Marketing Ltd. understands any freely expressed, specific, informed and unequivocal indication of the will of the Data Subject, by means of a statement or a clear affirmative action, which expresses his/her consent for the Personal Data related to him/her to be processed. The Data Subject can withdraw their consent at any time. Consent of the Subject of Personal Data is required whenever there is no alternative legal basis for the processing.
- By “consent”, Grand Hotels Management and Marketing Ltd. understands only the cases in which the Data Subject was fully informed about the planned processing and expressed his consent without any pressure being exerted on him/her. Consent obtained under duress or based on misleading information will not be a valid basis for processing Personal Data.
- Consent cannot be inferred from a lack of response to a message to the Data Subject. For consent to exist there must be active communication between the Controller and the Subject. The Controller requests and obtains consent for processing activities where consent is required for these activities.
- For special categories of data, express written consent must be obtained in accordance with the Procedure for Obtaining Consent for the Processing of Personal Data of Data Subjects, unless there is an alternative lawful basis for processing.
- The Subject’s consent to the processing of Personal or special categories of data is given on the basis of the relevant document of consent provided by the Data Subject to the Controller for each specific purpose of processing. When the Subject signs a contract, consent is not necessary because their data is collected on a different legal basis.
- When Grand Hotels Management and Marketing Ltd. processes personal data of children, it receives permission from those exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16.
VI. Data security
- The employees of the Controller, who, according to their job characteristics, have an obligation to process certain Personal Data on behalf of their employer, are obliged to ensure the security of the processing and storage of the data on their part, including ensuring that they will not disclose the data to third parties, unless Grand Hotels Management and Marketing Ltd. has granted such rights to such third party to access the data.
- Personal Data or part of it must be accessible only to those who have an obligation to process/store it, and access can only be granted in accordance with established access control rules. All Personal Data must be stored, for example:
- in a room with controlled access; and/or in a locked cabinet or filing cabinet; and/or
- if it is computerized, protected by a password in accordance with the internal requirements specified in the organizational and technical measures for controlling access to information (for example, access control rules); and/or
- stored on portable computer media that are protected in accordance with organizational and technical measures for controlling access to information.
- To create an organization to ensure that computer screens and terminals cannot be viewed by anyone other than the authorized employees / workers of Grand Hotels and Management. All employees / workers are required to be trained and accept the relevant contractual clauses / declaration of compliance with organizational and technical access measures, as well as workstation locking rules, before they are granted access to information of any kind.
- Paper records must not be left where they can be accessed by unauthorized persons and cannot be removed from designated office premises without express permission. As soon as paper documents are no longer required for ongoing customer support work, they must be destroyed in accordance with established procedure/rules and protocol.
- Personal Data may be deleted or destroyed only in accordance with the accepted procedure. Paper records that have expired should be shredded and destroyed as “confidential waste”. Data on the hard drives of redundant personal computers must be erased or the drives destroyed according to established policies/procedures.
- The processing of Personal Data “outside the office” poses a potentially greater risk of loss, theft or breach of personal data. The staff is specifically authorized to process the data outside the Controller’s premises.
VII. Disclosure of data
- Grand Hotels Management and Marketing Ltd. must ensure conditions under which Personal Data is not disclosed to unauthorized third parties, including family members, friends, government authorities, even investigative ones, if there is reasonable doubt that they are not required by the established order. All employees / workers should exercise caution when asked to disclose Personal Data held about another person to a third party. It is important to consider whether or not the disclosure of the information is related to the needs of the activity carried out by the organization. It is necessary to provide employees with special training and periodic briefings in order to avoid the risk of such a violation.
- All requests from third parties to provide data must be supported by appropriate documentation and all such data disclosures must be coordinated with the responsible person / Data Protection Officer to provide an opinion.
- Personal Data will be provided to the competent public authorities during and on the occasion of the exercise of their official powers.
VIII. Storage and destruction of data
- Grand Hotels Management and Marketing Ltd. does not store Personal Data in a form that allows the identification of subjects for a longer period than is necessary, in relation to the purposes for which the data were collected.
- Grand Hotels Management and Marketing Ltd. can store data for longer periods only if the personal data is processed for archiving purposes, for purposes of public interest, scientific or historical research and for statistical purposes, and only when performing appropriate technical and organizational measures to guarantee the rights and freedoms of the Data Subject.
- The storage period for each category of Personal Data is specified in the Data Storage and Destruction Procedure as well as the criteria used to determine this period, including any legal obligations requiring Grand Hotels Management and Marketing Ltd. to retain the data.
- The procedure for storing and destroying data, as well as the rules for destroying information on unused recording media, applies in all cases.
- Personal Data must be destroyed according to the principle of ensuring an appropriate level of security (Article 5, para. 1 b. f) of the General Regulation) – including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures (“integrity and confidentiality”).
IX. Data transfer
Any export of data from within the EU to countries outside the EU (referred to in the General Regulation as “third countries”) is illegal unless there is an appropriate level of protection of the fundamental rights of Data Subjects.
The transfer of Personal Data outside the EU is prohibited unless one or more of the specified safeguards or exceptions apply:
- Adequacy decision
The European Commission may assess third countries, territory and/or specific sectors in third countries to assess whether there is an adequate level of protection of the rights and freedoms of natural persons. In these cases, no authorization is required. Countries that are members of the European Economic Area (EEA) but not the EU are considered eligible for an adequacy decision.
- Mandatory company rules
Grand Hotels Management and Marketing Ltd. may adopt approved mandatory corporate rules for the transfer of data outside the EU where applicable. This requires their submission to the relevant Supervisory Authority for approval.
- Standard contractual clauses
The Controller may adopt established standard contractual data protection clauses when transferring data outside the European Economic Area. If Grand Hotels Management and Marketing Ltd. accepts standard contractual clauses approved by the relevant Supervisory Authority, there is automatic recognition of adequacy.
- Exceptions
In the absence of an adequacy decision, mandatory company rules and/or contractual clauses, a transfer of Personal Data to a third country or international organization shall only take place under one of the following conditions: the Data Subject has expressly consented to the proposed transfer after being informed of the possible risks of such transfers; the transmission is necessary for the performance of a contract between the Data Subject and the Controller or for the performance of pre-contractual measures taken at the request of the data subject; the transmission is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person; the transmission is necessary for important reasons of public interest; the transfer is necessary for the establishment, exercise or defense of legal claims; the transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally unable to give consent; the transmission is made from a register which, under EU law or the law of the Member States, is intended to provide information to the public and is available for reference by the public in principle or by any person who can demonstrate that he/she has a legitimate interest in doing so, but only insofar as the reference conditions laid down in Union law or the law of the Member States are fulfilled in the particular case.
X. Register of data processing (data inventory)
- Grand Hotels Management and Marketing Ltd. has created a data inventory process as part of its approach to address risks and opportunities in the process of complying with Regulation (EU) 2016/679 compliance policy. During the inventory of the data in Grand Hotels Management and Marketing Ltd. and in the work flow of data, the following are established:
- business processes that use Personal Data;
- the sources of Personal Data;
- the number of Data Subjects;
- description of the categories of Personal Data and the elements of each category;
- processing activities;
- the purposes of the processing for which the Personal Data are intended;
- the legal basis for the processing;
- the recipients or categories of recipients of the Personal Data;
- the main systems and places of storage;
- all Personal Data subject to transfers outside the EU;
- storage and deletion periods.
- Grand Hotels Management and Marketing Ltd. is aware of the risks associated with the processing of certain types of Personal Data.
- Grand Hotels Management and Marketing Ltd. assesses the level of risk for individuals related to the processing of their Personal Data. When mandatory, data protection impact assessments are carried out in connection with the processing of Personal Data by Grand Hotels Management and Marketing Ltd. and in connection with the processing undertaken by other organizations on behalf of Grand Hotels Management and Marketing Ltd.
- Grand Hotels Management and Marketing Ltd. manages all risks identified by the impact assessment in order to reduce the likelihood of non-compliance with these rules. When a type of processing may lead to a high risk for the rights and freedoms of natural persons, in particular with the use of new technologies and taking into account the nature, scope, context and purposes of the processing, before proceeding with the processing Grand Hotels Management and Marketing Ltd. also evaluates the impact of the planned processing operations on the protection of Personal Data. A common impact assessment may consider a set of similar processing operations that pose similar high risks.
- When, as a result of the Impact Assessment, it is clear that Grand Hotels Management and Marketing Ltd. will start processing Personal Data that, due to a high risk, could cause harm to the Data Subjects, the decision whether to continue the processing or not will be transmitted for review by the responsible person / Data Protection Officer.
- If the responsible person / Data Protection Officer has serious concerns either about the potential harm or danger, or about the amount of relevant data, he/she should refer the matter to the Supervisory Authority.
- The Data Protection Officer makes a periodic review of the initially inventoried data and revises the information entered in the “Register of processing activities” in the light of any changes in the activities of Grand Hotels Management and Marketing Ltd.
ADDITIONAL INFORMATION TO THE PERSONAL DATA PROTECTION POLICY
- General regulation for the protection of personal data
Regulation (EU) 2016/679 (General Data Protection Regulation) replaces the Data Protection Directive 95/46/EC. It has direct effect and implies a change in the legislation of the member countries in the field of Personal Data protection. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that Personal Data is not processed without their knowledge and, where possible, is processed with their consent.
- Scope outlined by the General Data Protection Regulation
Material scope – this Regulation applies to the processing of Personal Data in whole or in part by automatic means, as well as to the processing by other means of Personal Data that are part of a register of Personal Data or that are intended to form part of a register of Personal Data.
Territorial scope – the Rules of the General Regulation will apply to all data controllers established in the EU who process Personal Data of natural persons in the context of their activity. It will also apply to non-EU controllers who process Personal Data for the purpose of offering goods and services or if they monitor the behavior of Data Subjects who reside in the EU.
- Definitions
‘Personal data’ means any information relating to an identified natural person or an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
“Processing” means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Administrator” – any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law;
“Data Subject” – any living natural person who is the subject of the Personal Data stored by the Controller.
“Consent of the Data Subject” – any freely expressed, specific, informed and unequivocal indication of the will of the Data Subject, by means of a statement or a clear affirmative action, which expresses his/her consent to the Personal Data relating to him/her being processed;
“Child” – The General Regulation defines a child as anyone under the age of 16, and under national law anyone under the age of 18. The processing of a child’s Personal Data is only lawful if a parent, guardian or custodian has given consent. The Controller makes reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give consent.
Contact with the Personal Data Controller:
website: www.grandhotel.bg
E-mail:
Phone: 02 8199 221