This is the data protection policy of Zornitza Family Estate Relais & Châteaux, which comprises the following companies:
– Borgo la Vigna OOD, 1164 Sofia, 23 James Bourchier blvd , VAT: BG203249902
For the purposes of this document, this group of companies is identified with the name of Zornitza Family Estate Relais & Châteaux . The policy refers to the data that are processed in the performance of its tourism and leisure services, in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016).
Who is the Data Controller
The Data Controller is, in each case, the group company with whom the customer or supplier interacts. Each company is answerable to its customers and suppliers for compliance with the data protection regulations and guarantees their rights.
Who is the Data Protection Officer
The Data Protection Officer (DPO) is the person who supervises enforcement of the Zornitza Family Estate Relais & Châteaux, companies’ data protection policy, ensuring adequate processing of the personal data and protection of data subjects’ rights. This person’s duties include attending to any query, suggestion, complaint or claim made by the people whose data are processed. The Data Protection Officer can be contacted by writing to Borgo la Vigna OOD, 1164 Sofia, 23 James Bourchier blvd, or to the email address firstname.lastname@example.org.
For what purposes do we process data
We process personal data for the following purposes:
Attend to the queries made by the people who contact us via contact forms on our websites. We use the data solely for this purpose.
Attend to the people who contact us by telephone. In order to improve the quality of our service, the conversations may be recorded, notifying this beforehand to the person we are talking with.
Receive the CVs sent by people who are interested in working with us and manage the personal data generated as a result of their participation in staff selection processes, with the goal of analyzing the match of the candidates’ profile with the vacancies available or the new jobs that have been created. As a general procedure, we also keep the data of the people who have not been selected for a maximum period of one year in case a new vacancy or new job should arise during that period. However, in the latter case, we will delete the data immediately if the data subject asks us to.
Register new customers and the additional data that may be generated as a result of the business relationship with customers. As part of the contracting process, the essential data required for this are requested, including bank details (current account or credit card number), which will be notified to the banks that handle customer payments (they can only be used for this purpose). The provision of tourism services entails other processes, such as including the data for accounting or invoicing purposes or for notifying to the Tax Administration.
Information about our services
For so long as customers maintain the business relationship, Zornitza Family Estate Relais & Châteaux, uses their contact details to provide information pertaining to this relationship. This information may circumstantially include references to our services, whether of a general nature or referring more specifically to the customer’s features and needs.
Other information about the services
With the customer’s explicit authorization, upon termination of the contractual relationship, the contact details will be kept in order to send advertising related with our services, information of a general nature or specifically adapted to the customer’s features. This information is also sent to people who, while not being customers, have asked for the information or accept it by filling in our forms.
Advertising about the services offered by our group companies
Always with the explicit prior authorization of the people identified in the previous section, the contact details are used to send advertising, whether of a general nature or adapted to the person’s features, about the services offered by the companies belonging to our group. In addition, with the data subject’s explicit consent, the contact details may be made available to these companies so that they may send advertising about their services directly.
Managing our suppliers’ data
We record and process the data of the suppliers from whom we obtain services or goods. This may include the data of people who work as self-employed professionals and also the data of representatives of legal persons. We obtain the essential data that are necessary for maintaining the business relationship. They are used only for this purpose and in the manner required for this type of relationship.
When accessing our facilities, information is provided, when applicable, about the existence of video surveillance cameras by means of officially approved signs. The cameras record images only in those locations where this is justified to guarantee the security and safety of assets and people, and the images are only used for this purpose.
Users of our website
Other data collection channels
We also obtain data through face-to-face contacts and other channels such as receiving e-mails, through our profiles on the social media and during the registration process for Wi-Fi services. In all cases, the data are used solely for the specific purposes that justify collection and processing
What is the legal basis for processing the data
The data processing we perform has different legal justifications, depending on the nature of each type of processing.
In compliance with a precontractual relationship. This applies to the data of prospective customers or suppliers with whom a relationship is established prior to conclusion of a contractual relationship, such as preparing or studying estimates. It also applies to the processing of data of people who have sent us their CVs or who are taking part in selection processes.
In compliance with a contractual relationship. This applies to relationships with our customers and suppliers and all the activities and uses entailed by such relationships.
In compliance with legal obligations. The transfer of data to the Tax Administration is governed by rules that regulate business relationships. It may be necessary to transfer data to judicial authorities or security forces, also in compliance with legal provisions that compel collaboration with these public authorities.
Based on consent. When we send information about our services, we process the addressees’ contact details with their explicit authorization or consent. The browsing data that we may obtain with cookies are obtained with the consent of the person who visits our website. This consent can be revoked at any time by uninstalling these cookies. We also transfer personal data to other companies in our group with the prior consent of each person concerned.
For a legitimate interest. The images obtained with the video surveillance cameras are processed on the basis of our company’s legitimate interest to protect its assets and facilities. Our legitimate interest also justifies processing of the data obtained from the contact forms.
Who are the data disclosed to
As a general rule, we only transfer data to public administrations or authorities and always in compliance with legal obligations. The identifying data of the people who stay at our establishments are notified the Police (concerning the obligation to register and notify to the Police the identity of the people who stay at lodging establishments).
When issuing invoices to customers, the data may be notified to banks. Furthermore, if consent has been given, the data may be made available to other companies belonging to our group for the purposes stated above.
For the performance of certain tasks, we contract the services of companies or people who provide us their experience and expertise. On certain occasions, these companies need to access personal data held by us. This is not a data transfer as such but should be considered a processing assignment. We only contract services from companies that can guarantee compliance with data protection regulations. At the time of contracting the service, such suppliers’ confidentiality obligations are formally stated and their activities are monitored. This may be the case of data hosting services, IT support services or legal, accounting or tax advisors.
For how long do we keep the data
We comply with the legal obligation to limit as much as possible the period during which the data are kept. Consequently, we only keep them for such time as is necessary and justified for the purpose for which they were obtained. In certain cases, such as the data included in accounting documentation and invoices, tax regulations require us to keep them until our liabilities in this matter have lapsed. In the case of data that are processed on the basis of the data subject’s consent, they are kept until the data subject revokes consent. The images obtained by the video surveillance cameras are kept for a maximum period of one month. However, in the case of incidents where it is justified, they will be kept for such time as may be necessary to assist in the investigations carried out by the security forces or judicial authorities.
What rights do people have respect to the data we process
As stated in the General Data Protection Regulation, people whose data we process have the following rights:
To know whether they are processed. First of all, any person has the right to know whether we process their data, irrespective of whether or not there has been a prior relationship.
To be informed at the time of collection. When the personal data are obtained from the data subject, clear information must be provided at the time of collection about the purposes they will be used for, who will be the data controller and the other aspects arising from this processing.
To access. This is a very broad right which includes knowing precisely which personal data are being processed, the purpose they are being processed for, the disclosures that will be made to other people (if applicable) or the right to obtain a copy or know for how long it is planned to keep them.
To ask for rectification. This is the right to obtain rectification of inaccurate data that are being processed by us.
To ask for erasure. In certain circumstances, the data subject has the right to ask for erasure of the data when, among other reasons, they are no longer necessary for the purposes for which they were collected and which justified their processing.
To ask for restriction of processing. Also, in certain circumstances, the right is acknowledged to ask for restriction of processing of the data. In this case, processing will be stopped and they will only be kept for the exercise or defense of legal claims, pursuant to the General Data Protection Regulation.
To data portability. In the cases provided in the regulation, the data subject’s right is acknowledged to obtain his or her personal data in a structured, commonly used and machine-readable format, and to transmit those data to another data controller if the data subject so decides.
To object to processing. A person may invoke grounds relating to his or her particular situation to require that his or her data cease to be processed insofar as they may cause harm, except for compelling legitimate grounds or for the exercise or defense of legal claims.
To not receive marketing information. We will comply immediately with requests to not continue sending marketing information to people who had previously authorized us to send it.
How can the rights be exercised or defended
You can exercise the rights listed above by sending a written request by post to Borgo La Vigna OOD, 1164 Sofia, 23 James Bourchier blvd or by sending an email to email@example.com, stating in all cases “Personal data protection” as subject.