Birs OOD entered in the Commercial Register at the Registry Agency under UIC 020951471 is a personal data controller (PDC) within the meaning of Regulation (EC) 2016/679 and other applicable acts of the European Union and of the Republic of Bulgaria.
In this capacity, the company is extremely responsible to the privacy of individuals and ensures as far as possible the protection of their personal data in the process of processing in connection with their activities.
This privacy statement aims, in accordance with the information requirements of Article 13 and Article 14 of the GDPR, to inform you about activities performed by Birs OOD as a personal data controller related to data processing, the purposes for which the data is being processed, the measures and guarantees for protection of processed data, your rights and how you can exercise them.
For any questions relating to the processing of your personal data, you may contact the Data Protection Officer at Birs OOD at e-mail: firstname.lastname@example.org, and in your message you should provide the necessary data for your identification and contact details for feedback.
You can also contact us at the address of our registered office: Varna, Golden Sands Resort, Marina Grand Beach Hotel.
What personal data do we collect, for what purposes and on what basis do we process them?
In its capacity as PDC, Birs OOD collects personal data for specific, precisely defined by law purposes and processes them legally and in good faith.
In the course of its activities, the PDC processes personal data of individuals for the following purposes:
- For the purposes of its lawful (legitimate) interest;
- Execution of contractual obligations or taking steps at the request of the client prior to the conclusion of a contract;
- Compliance with a legal obligation that applies to the company;
- Your explicit consent as a client
The grounds that entitle us to process your data are detailed in the Tourism Act, the Civil Registration Act (the mandatory hotel registration at the place where you will be staying), the Electronic Document and Electronic Certification Services Act (upon payment by POS terminals) and other relevant statutory instruments.
In carrying out its activities, the company processes personal data of individuals for the execution of the contracts it concludes. In connection with their implementation, the personal data controller collects and processes personal data of individuals limited to what is necessary, sufficient for the proper performance of the obligations under the relevant contract. Access to this information is provided to third parties only when this is specified in a special law.
In order to fulfill its obligations under a given contract, the company sometimes also processes data of children under the age of 18, provided by their legal representatives – a party to a contract with us. Personal data of children for the purposes of hotel accommodation are required to the extent required by regulatory requirements.
When processing personal data based on the consent of the data subject, the data are processed only if the persons have freely, specifically, informed and unambiguously expressed their consent to the processing.
In order to protect, exercise or preserve the legal rights, privacy, safety or property of the personal data controller, its employees and/or contractors, and to ensure the safety, privacy and security of hotel guests and members of the public, video surveillance is carried out on our sites. Video surveillance records are kept for a period of one month. Certain employees have access to these data within the scope of their official duties. The purpose of collecting personal data is to identify individuals for the purposes of access control.
Birs OOD processes your data only for the purposes for which it was collected and does not use it for any other purposes. These purposes are entirely related to the use of tourist services offered by the company.
In its capacity as PDC, Birs OOD keeps your personal data on paper and technical media and applies the necessary technical and organizational measures to ensure an appropriate level of security, including protection against unauthorized access, accidental loss, destruction or damage.
Different types of personal data are collected according to the purposes:
1. For booking or confirming a reservation, Birs OOD collects the following types of data:
- For booking made via web site – name and surname of the contact person; e-mail address of the contact person;
- For booking made by phone – telephone number and e-mail address for confirmation of reservation; name and surname of the contact person.
This data is stored until the booking is realized. The data is then destroyed and its subsequent processing is impossible.
2. When accommodating guests as a personal data controller, we process and store the following data:
- Personal Identification Number/ Personal Number of Foreign National;
- Name of person (data to be written according to national identification document);
- Date of birth;
- Number of identity card/valid national identification document;
- Country that issued the national identification document.
On the grounds of Article 116, paragraph 2 of the Tourism Act, the data recorded in the register of the accommodated tourists are retained for a period of five calendar years.
3. The following data shall be processed and stored for the realization of corporate or personal events by the PDC:
- Two names of the person organizing the event. For corporate events – a contact person designated by the legal entity organizing the event;
- E-mail address and phone number of the contact person.
This data shall be retained for a period of one up to three calendar years after the occurrence of the event. .
4. For direct marketing purposes, including analyzing and profiling target audiences to track the satisfaction of our clients, we process the following data:
- E-mail address;
- IP address;
- Behavior of the users of the Birs website .
Processing and storage of these data requires the explicit consent of the data subject. Data processed for direct marketing purposes shall be retained for a period of three years or until withdrawal of consent.
The purpose of collecting this data is to provide you with personalized offers and services tailored to your needs and expectations.
Transfer of personal data to a non-EU country or to an international organization?
The Company does not provide personal data to third parties outside the EU or to an international organization without your prior consent.
How long do we retain your personal data?
In its capacity as PDC, Birs OOD shall retain your personal data for a term not longer than the requirements of the applicable legislation for the respective envisaged term.
What are your rights?
In its capacity as PDC, we have taken measures to protect your personal data in accordance with the requirements of Regulation 2016/679, which are aimed at ensuring the rights of the individuals whose personal data are processed, namely:
– Right of access
– Right to rectify inaccurate or incomplete data;
– Right to erasure (the right to be forgotten), if the conditions of Article 17 of REGULATION 2016/679 are applicable;
– Right to restriction of processing;
– Right to data portability if the portability conditions under Article 20 of REGULATION 2016/679 are present;
– Right of objection, if the conditions of Article 21 of REGULATION 2016/679 are present.
– Right for the data subject not to be the subject of a decision based solely on automated processing involving profiling.
How can you exercise your rights?
The above rights may be exercised by submitting a written application (personally or through an expressly authorized person by a notarized power of attorney) to the Personal Data Controller (Birs OOD), in which you should specify your request. The request should be signed and sent to the PDC address. The application may also be submitted electronically in accordance with the Electronic Document and Electronic Signature Act.
You have a right to file a complaint to the supervisory authority
You have the right to file a complaint to the supervisory authority and the relevant competent authority is the Commission for Personal Data Protection, address: 2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia (www.cpdp.bg). In case you wish to file a complaint about the processing of your personal data through the PDC (recipients, including outside the EU and international organizations), you can do so by contacting the company at the details specified above or contacting the Data Protection Officer directly.