Information about us

“SUNNY HILLS – ELENA SPA” Ltd, (hereinafter referred to as “the Hotel” and/or “the Administrator”), is a company registered in the Commercial Register and the Register of Non-Profit Legal Entities kept at the Registry Agency with UIC (Company number) 204373874, with registered office and registered address: town of Elena, 17 Stara planina Str., SPA Complex Elena, tel. +359 878 911 211

The contact details of our Data Protection Officer are:

• Personal Data Protection Officer: Kristina Koleva
• Tel: 0878 911 211
• Email: Elena_hotel@bg

The hotel as a data administrator collects and processes certain information about individuals.

This information may refer to employees, managers, customers and guests of the hotel, suppliers, contractors, business contacts and other individuals with whom the Administrator has a relationship or wishes to establish business contact.

This privacy policy governs how personal data is collected, processed and stored to meet standards within the Administrator`s organisation and to comply with legal requirements.

This Personal Data Privacy Policy is issued pursuant to the Personal Data Privacy Act and its implementing regulations, as amended, (“Bulgarian Legislation”), and the General Data Protection Regulation (EU) 2016/679 (“GDPR” or GDPR).

What is meant by “personal data” and “processing of personal data”?

“Personal data” is any information by which an individual may be identified, directly or indirectly, by one or more characteristics specific to the individual – such as: name, identification number/Personal ID number, contact details – location/postal address, telephone number, electronic address (email), online identifier/IP address, etc. These attributes may be part of an individual’s physical, physiological, genetic, psychological, mental, economic, cultural or social identity.

‘Processing of personal data’ means the set of operations performed on personal data or a set of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, arrangement or combination, restriction, erasure or destruction.

Our treatment of your personal data

The Hotel attaches great importance to the protection of personal data and collects and processes personal data only in compliance with local and European legislation. The purpose of this “Personal Data Privacy Policy” is to inform you how we process your data and what personal data we would collect about you, for what purpose, for how long and, where applicable, what your rights are.

The security of the data you entrust to us is very important to us. Therefore, we protect your data by implementing all appropriate technical and organisational means that are adequate to the possible risks to the rights and freedoms of individuals to prevent unauthorised access, unauthorised or malicious use, loss or premature deletion of information.

What information do we collect and why?

We may collect personal information about you when you use our Site or select our services. In most cases we require your personal data for the purpose of entering into a contract, to comply with a legal obligation or to protect our legitimate interest. In certain cases, we process data based on your consent.

Depending on the services you use, we may collect and process the following information about you:

• The person’s name, unique civil number (for the purposes of registration with the Hotel and invoicing, if requested), date of birth and gender;
• Contact details – contact address, telephone number and electronic address (email);

Principles that we are guided by and abide by:

We strictly comply with the basic principles established as mandatory in the processing of personal data;

Personal data is processed lawfully, fairly and transparently;

Personal data is collected for specified, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes;

The personal data is appropriate, relevant to and limited to what is necessary in relation to the purposes for which it is processed;

Personal data is accurate and kept up to date where necessary;

The personal data are kept in a form which permits identification of the individuals concerned for no longer than is necessary for the purposes for which the personal data are processed;

Personal data are processed in a manner that ensures an adequate level of security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, implementing appropriate technical and organisational measures;

We process the personal data we collect most often for the following purposes:

When concluding and executing a contract – to register the guest at the Hotel, prepare accounting documents such as a bill or invoice for the services provided to you; for the purpose of notifications related to our services;

In the performance of a legal obligation – for the purpose of obligations under the Tourism Act, the Accounting Act and the Tax and Social Security Procedural Code and other related regulations, in relation to the keeping of proper and lawful accounts; at obligations to provide information to all government commissions and regulatory bodies, as well as a court of law; in the performance of obligations in relation to online bookings (distance selling) and off-site sales at our Hotel;

With your consent- for direct marketing of our products and services.

What are your rights:

When collecting and processing your personal data, you have the right to:

Information about the processing of your personal data and access to the personal data collected about you;

Correction/completion if the data is inaccurate/incomplete – on your initiative or on the initiative of the Hotel;

Erasure of personal data, if there are legal grounds for this;

Restriction of the processing of your personal data by the Hotel, if there are legal grounds for this;

Portability of personal data between individual administrators – this right allows you to obtain your data from the Hotel and transfer it to another controller in a usable format;

Objection to the processing of your personal data, where there are lawful grounds to do so;

The right to a judicial or administrative remedy if your rights have been violated.

You can protect your rights by writing to us at e-mail: reception@spacomplex.bg or mail/courier at address: town of Elena, 17 “Stara Planina” Str., SPA Complex Elena;

Your personal data is stored with us in accordance with the purpose for which it was collected and for the statutory periods.

When we may disclose your personal data:

We implement a range of measures to protect your personal data from loss, theft and misuse, and from unauthorised access, disclosure, alteration or destruction. The Hotel uses third parties to assist in certain contractual activities or in the performance of a legal obligation. We do not disclose your personal data to third parties until we are satisfied that all technical and organisational measures have been taken to protect that data and we endeavour to implement strict controls to fulfil this purpose.

Some of the recipients of personal data may be: courier companies, hired consultants and specialists, collection companies and law offices, banks, security companies, sales agents and representatives, etc.

Your personal data may be disclosed in circumstances at circumstances provided by law. For example, your personal data may be disclosed to third parties with your explicit consent or with the permission of the Personal Data Protection Commission. The provision of personal data in some cases is mandatory in order to comply with our legal requirements, such as: regulatory authorities, including state commissions, institutions and agencies, NRA, NSSI, courts, prosecutor’s office, and others to whom we are obliged to provide personal data under applicable law. Your personal data may, where necessary or appropriate, be provided for national security purposes or where issues of public importance arise.

“Cookies” and tracking

We use “cookies” to make your visit to our website more enjoyable and to enable us to provide you with the use of certain features on various pages. These are small text files that are stored on the end device from which you visit our site. Some “cookies”- session cookies, are deleted by closing your browser. Other “cookies” remain on your end device and allow us or partner companies to recognise your browser on a subsequent visit (“permanent cookies”). You can set your browser so that you are informed about the setting of “cookies” and decide individually to accept them or to exclude the acceptance of “cookies” for specific cases or in general. Further information can be found in the help section of your internet browser. Rejecting “cookies” may limit the functionality of our website. We distinguish between system “cookies” and promotional “cookies”. System “cookies” are necessary for the proper functioning of our website. Rejecting these “cookies” will change your user experience when browsing our website and certain services on our website will not be usable. Promotional “cookies” are stored as the website loads and help us to analyse aggregate data about our visitors – for example, how they get to our website, how long they spend on it, whether it is their first time visiting us, how they browse our website content, and to make the conclusion about the success of our marketing campaigns.

Links to social media

Our website also contains links to Facebook and Instagram. In this case, the transfer of data to said social media operators only takes place when the corresponding button on the icon illustrating the link is clicked. If such a button is clicked, the page of the respective social network opens. There you can post information about our services according to the rules of the social media operator. You can also use our official contact profiles on the various social networks as well as other official public profiles of the company. Such are our: Facebook page https://www.facebook.com/Elena.hotel.complex/;

Instagram page https://www.instagram.com/spacomplex_elena/. The personal data you send via private message will only be processed for the purpose of responding to your request. We are not responsible for the information and personal data that you share voluntarily on our official profiles without being explicitly requested by you.

Security

The Hotel takes measures to protect your personal data from accidental loss and unauthorized access, use, alteration or disclosure. Policies and procedures are in place designed to protect information from loss, misuse and unauthorized disclosure. In addition, we take additional information security measures, including access controls, strong physical security, and reliable practices for collection, storage, and processing information.

On the other hand, we implement technical measures such as encryption, pseudonymization, and anonymization of collected personal data.

When do we delete your personal data?

We keep all the information we have collected about you and destroy it within the statutory time limits, and if none within the time limits set by us after final settlement of all our financial relationships. We do not keep your data indefinitely.

Destruction

Accounting and business information as well as all other information and documents relevant for taxation and compulsory social security contributions shall be kept by the Hotel for the following periods:

• payrolls – 50 years;
• accounting records and financial statements – 10 years;
• documents for tax and social security control – 5 years after the expiry of the limitation period for repayment of the public debt to which they relate;
• all other media – 5 years, unless a shorter period is prescribed by law;

After the expiry of the retention period, media (paper or technical) which are not subject to submission to the National Archives Fund may be destroyed.

Once the retention period has expired, the data shall be destroyed as soon as possible by destroying the paper media by shredding and the technical media by deleting and erasing the relevant files from the Company’s computers and systems.

Changes to this Personal Data Privacy Policy

This Personal Data Privacy Procedure may be amended from time to time. Such changes will be effective immediately upon their posting. Regularly reviewing this page will ensure that you are always aware of what information we collect, how and for what purposes the Hotel uses it, and in any circumstances (if any) we will share it with other parties.