The purpose of this notice is to comply with the information requirements of Articles 13 and 14 of the GDPR (General Data Protection Regulation)
to inform you about the personal data processing activities carried out by Hotel EMALI, the purposes for which the data are processed, the measures and safeguards for the protection of the processed data, your rights and how you can exercise them, in accordance with the requirements of EU Regulation (EU) 2016/679 of 27. 04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as “Regulation 2016/679” or “GDPR”) and other applicable acts of the European Union and of the Republic of Bulgaria.
Contact details of the controller.
EMALI Hotel, hereinafter referred to only as the Controller, not belonging to a hotel chain and solely owned by an individual.
You can also send your requests to: firstname.lastname@example.org
Contact details of the Data Protection Officer.
The Data Protection Officer of Hotel EMALI can be contacted at the following e-mail address: email@example.com, in your message you should provide the necessary data for your individualisation and contact details for feedback.
Purposes and grounds for processing personal data, categories of data processed.
No. 4 on the documents required for the conclusion of an employment contract, the Civil Procedure Code, the Personal Income Tax Act, the Ordinance on Cash Benefits and Social Security Benefits, the Ordinance on Medical Expertise, the Accountancy Act and other regulations, whereby it processes personal data in relation to the following main activities:
Registration of accommodated hotel guests according to the requirements of the Law on Social Security and the Law on Social Security;
Registrations and creation of employment records of employees,
Exchange of payment and accounting documents with suppliers of goods and services.
Exchange of payment and accounting documents with hotel clients – private persons and companies.
Execution of other functions defined by laws and regulations.
In exercising its powers, the Controller processes personal data of the above-mentioned main streams and of other persons, mainly in fulfilment of its legal obligations – basis for data processing under Art. 6, par. 1, б. “c” and “e” of the Regulation. In these cases, the data processed relate to the subject’s physical identity, nationality, economic identity and social identity and are used for the purposes provided for in the relevant law or regulation.
For the purposes of personnel administration (human resources management) and financial and accounting reporting, the Controller processes personal data on the basis of Art. 6, par. 1, б. “c” and Art. 9 par. 2 lit. “b” of the Regulation of job applicants, employees and natural persons, contractors and representatives of legal entities – contractors. The categories of data processed are data concerning the physical and social, family and economic identity data on the criminal record and health of the persons.
Where the Data Controller processes data on the basis of the subject’s consent, personal data shall only be processed if the individuals have freely, specifically, informedly and unambiguously consented to the processing, unless such collection is imputed by a contractual relationship or a legal act.
Processing shall be carried out for the specific and precise purposes specified by law, and the data shall be processed lawfully and in good faith and may not be further processed in a manner incompatible with those purposes.
Categories of data recipients outside Hotel EMALI.
The controller does not disclose personal data to third parties and recipients unless there is a lawful basis for obtaining the data or the data is not publicly available due to its inclusion in a public register.
Outside the case of public availability of data included in a public register, recipients of data may be, as the case may be:
Public authorities and bodies entrusted with public functions within the scope of their powers (NRA, NSSI, Ministry of the Interior and other bodies requesting the provision of personal data by law);
Banks for the purposes of making payments;
Courier companies and postal operators – for the purposes of carrying out correspondence with natural and legal persons-data subjects.
Data retention period.
As the data controller, Hotel EMALI processes data for a minimum period of time in accordance with the purposes of processing and as provided for by applicable law in accordance with the principle of storage limitation.
For a period of 50 years, data relating to employment and social security relations are stored. Guest registration cards, primary and secondary accounting documents, invoices and their contracts shall be kept for 5 years and the remaining data shall be kept for a period of between 2 months and 5 years, depending on the type of data determining the legal obligation to process, including its storage.
Rights of data subjects.
The measures taken to protect personal data in accordance with the requirements Regulation 2016/679, are aimed at ensuring the rights of the subjects whose personal data are processed, namely:
Right of access;
Right to rectification of inaccurate or incomplete data;
Right to erasure (right to be forgotten) if the conditions of Article 17 of REGULATION 2016/679 are applicable;
Right to restriction of processing;
Right to data portability if the conditions for portability under Article 20 of REGULATION 2016/679 apply;
Right to object if the conditions of Article 21 of REGULATION 2016/679 are met.
Right not to be subject to a decision based solely on automated processing, including profiling.
The above rights may be exercised by making a request to Hotel EMALI (in writing or electronically) in which you should specify your specific request. The request should be signed and sent to the address of Hotel EMALI or to firstname.lastname@example.org.
Right to complain to the Commission for Personal Data Protection
If you believe that your rights under Regulation 2016/679 have been violated, you may file a complaint with the Commission for Personal Data Protection at. “1595 Prof. No. 2 Tsvetan Lazarov or at email@example.com
Transfer of personal data to third countries or international organisations.
Hotel EMALI does not transfer the personal data processed to third countries or international organizations.
Personal data protection measures implemented by Hotel EMALI.
The Internal Rules of the Hotel “EMALI” on the measures for the protection of personal data, have put in place measures for the effective protection of personal data processed and the possibility to exercise the rights of data subjects provided for in REGULATION 2016/679.
Further information on the data protection measures at Hotel EMALI can be obtained from the Data Protection Officer of the Data Controller: firstname.lastname@example.org.