Политика за защита на личчните данни

[ovahotel_search show_childrens="true" show_rooms="true" show_night="true" show_night_ipad="false" class="white_color" /]

Галерия

DISCOVER NEWS UPDATE

INTERNAL RULES ON THE PROTECTION OF PERSONAL DATA*

SUBJECT

Art. 1. (1) These rules define the procedure by which the company “Frontline Management Ltd.” with UIC 201686287 collects, records, organizes, structures, stores, adapts, or modifies, retrieves, consults, uses, discloses by transmission, dissemination, or any other means by which the data becomes accessible, arranges or combines, restricts, erases, destroys, or otherwise processes personal data for the purposes of its business activities.

(2) Depending on the specific situation, the Company may process data in its capacity as a controller or processor.

(3) These rules have been drafted in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Art. 2. These Rules govern:

(1) The principles, procedures, and mechanisms for the processing of personal data;

(2) The procedures for notifying the supervisory authority in the event of security breaches;

(3) The procedures for handling requests for access to data, rectification of processed data, objections, and withdrawal of consent, as well as handling requests to exercise other rights that data subjects have under the law;

(4) The persons who process personal data and their obligations;

(5) The rules for transferring personal data to third parties in Bulgaria and abroad;

(6) The necessary technical and organizational measures to protect personal data from unlawful processing and in the event of incidents, such as accidental or unlawful destruction, loss, unauthorized access, alteration, or disclosure;

(7) The technical resources used in the processing of personal data.

DEFINITIONS

Art. 3. For the purposes of these Rules, the terms used have the following meanings:

PDPA – Personal Data Protection Act.
CPDP – Commission for Personal Data Protection.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Data Protection Officer – a natural person or organization designated in accordance with the requirements of Article 37 et seq. of the GDPR.

[or – if the appointment of a Data Protection Officer is not mandatory – alternatively, the following may be included:

Person Responsible for Personal Data – a person who is an employee of the company or performs functions on its behalf, to whom the duties related to the protection and processing of personal data, as set forth in these Rules, have been assigned. The core activities of the controller or processor do not consist of processing operations that, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale or the large-scale processing of special categories of data and personal data related to criminal convictions and offenses. In view of this circumstance, the Company is not required to appoint a data protection officer and it should not be considered that the Company has appointed such a person or that the person responsible for personal data has the duties and must meet the requirements of a data protection officer within the meaning of Article 37 et seq. of the GDPR.]
Data Controller – a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. In these Rules, “data controller” refers to the Company.
Processor of personal data – a person or organization that, on the basis of a contract, processes personal data provided by the Company for the agreed purposes.
Data protection notices – individual notices containing information provided to data subjects at the time the Company collects information about them. These notices may be either general (e.g., addressed to employees or notices on the organization’s website) or related to processing for a specific purpose.
Data processing – any activity involving the use of personal data. This includes: receiving, recording, storing, performing an operation or a series of operations on the data, such as organizing, editing, restoring, using, disclosing, deleting, or destroying. Processing also includes the transfer of personal data to third parties.
Pseudonymization – the replacement of information that directly or indirectly identifies a natural person with one or more identifiers (“pseudonyms”) so that the person cannot be identified without access to additional information, which must be stored separately and kept confidential.
Consent – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, which signifies agreement to the processing of personal data relating to him or her.

DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA

Art. 4. (1) The Company collects and processes personal data necessary for the exercise of its rights and obligations as an employer, service provider, and contracting party, in compliance with the requirements of applicable law. The personal data processed by the Company is grouped into processing activity registers containing rules for the processing of personal data relating to:

workers, employees, and contractors under civil contracts;
job applicants;
customers;
service providers.

(2) Regarding persons employed under labor or civil law relationships with the Company, and job applicants, the following personal data is collected:

a) Identification: name; personal identification number (date of birth), permanent and/or current address, telephone number, identity card or passport details;

b) Education and professional qualifications: data related to education, work experience, professional and personal qualifications, and skills;

c) Health data: health status, decisions of the Medical Expert Commission (TELK), medical certificates, sick leave certificates, and any related documentation;

d) Other data: criminal record, when required by law, as well as other data whose processing is necessary for the fulfillment of the Company’s rights and obligations as an employer.

(3) With regard to natural persons who are clients of the Company, personal data necessary for the fulfillment of the Company’s legal obligations as a service provider is collected, as follows:

name; personal identification number (date of birth), permanent and/or current address, telephone number, and data from an identity card or passport.

(4) With regard to natural persons who are service providers to the Company, personal data necessary for the conclusion and performance of contracts for the provision of services to the Company by external providers is stored, as follows:

name, personal identification number (date of birth), permanent and/or current address, telephone number, ID card or passport details; email address.

(5) The Company processes sensitive data only to the extent necessary for the fulfillment of its specific rights and obligations under labor and social security legislation.

PURPOSES AND PRINCIPLES OF PERSONAL DATA PROCESSING

Art. 5. The purposes of personal data processing are:

(1) human resources management, payment of wages, and fulfillment of the employer’s related obligations regarding the withholding and payment of employees’ health and social insurance contributions, taxes, as well as other rights and obligations of the Company in its capacity as an employer;

(2) administration of the Company’s customer relations and provision of services;

(3) conclusion and performance of contracts with suppliers for the provision of services to the Company.

Art. 6. Personal data shall be processed lawfully, in good faith, and transparently, in compliance with the following principles:

(1) The data subject shall be informed in advance of the processing of their personal data;

(2) Personal data shall be collected for specific, clearly defined, and legitimate purposes and shall not be further processed in a manner incompatible with those purposes;

(3) Personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which they are collected;

(4) Personal data must be accurate and, where necessary, kept up to date;

(5) Personal data shall be erased or rectified where it is established that they are inaccurate or no longer serve the purposes for which they are processed;

(6) Personal data shall be kept in a form that allows the identification of the individuals concerned for a period no longer than is necessary for the purposes for which such data are processed.

Art. 7. For the processing of data to be lawful, at least one of the following conditions must be met:

(1) The data subject has given consent;

(2) Processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract;

(3) Processing is necessary for compliance with a legal obligation to which the controller is subject;

(4) Processing is necessary to protect the vital interests of the data subject or of another natural person;

(5) Processing is necessary for the performance of a task carried out in the public interest;

(6) Processing is necessary for the purposes of the controller’s legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The purposes for which personal data are processed on this basis must be described in the applicable data protection notices.

CONSENT

Art. 8. (1) The data subject consents to the processing if he or she expresses this clearly and unambiguously—through a statement or other affirmative act. If consent to the processing of personal data is given through a document that also addresses other matters, it must be requested separately from consent regarding other matters.

(2) Data subjects must be able to easily withdraw their consent to processing at any time, and such withdrawal must be honored promptly. If there is no other legal basis for the lawfulness of the processing, the processing must cease upon withdrawal of consent.

(3) Consent statements shall be retained by the company for as long as data processing activities are carried out on this basis, in order to comply with the principle of accountability.

PROCEDURES FOR THE PROCESSING OF PERSONAL DATA

Procedure for the processing of personal data relating to persons employed under labor or civil law relationships with the company, as well as job applicants

Art. 9. (1) Personal data relating to persons employed under labor or civil law relationships with the Company, as well as job applicants, is collected during and in connection with the recruitment process. The data of each employee of the Company is stored in personal files, and certain data may also be stored or processed on electronic media. Data from conducted competitions and interviews is stored on electronic and/or paper media, as needed.

(2) Personal files are organized in special lockable filing cabinets located in the office of the Person responsible for personal data. Job applicants’ data stored on paper is kept in designated cabinets in the office of the Person responsible for personal data. Access to the office is granted only to persons authorized to process personal data, and for this purpose, a special entry procedure is established using a key, magnetic card, or other appropriate means and/or device.

(3) Persons authorized to process personal data shall take all organizational and technical measures for the storage and protection of personal files and folders containing information, including restricting access to them by external persons and unauthorized employees.

(4) Employee files, as well as job applicant data, shall not be removed from the company’s premises.

Procedure for Processing Personal Data Relating to Customers and Service Providers

Art. 10. (1) Personal data relating to customers is collected upon submission of a request for the provision of a service or upon conclusion of a contract with a customer of the Company.

(2) Personal data relating to service providers is collected upon the conclusion of a contract with a service provider, and such personal data is typically contained in the text of the contracts themselves.

(3) Personal data is stored on electronic and paper media (signed copies of the concluded contracts), which are filed in separate folders. The folders are stored in lockable cabinets in the office of the Person responsible for personal data. Electronic data is stored in databases.

DOCUMENTATION OF PERSONAL DATA PROCESSING

Art. 11. (1) The Company documents personal data processing activities in compliance with the principle of accountability.

(2) The documentation must be sufficient to demonstrate compliance with the principles of lawful processing of personal data.

(3) Data processing related to the transfer of data to processors established in the country or abroad; storage of data on servers owned by third parties; archiving or erasure of data; implementation of pseudonymization, as well as any other processing whose parameters differ from those described in these rules, shall be documented by creating logs containing the following information:

(a) the purposes of the processing;

(b) the categories of personal data and the categories of data subjects;

(c) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries;

(d) the transfer of personal data to a third country;

(e) where possible, the envisaged time limits for erasure of the various categories of data;

(f) a general description of the technical and organizational security measures.

(4) The records shall be prepared by the persons performing the relevant data processing in accordance with the instructions of the Data Controller.

(5) The collection of all records containing the information described above constitutes the record of processing activities pursuant to Article 30 of the GDPR.

MEASURES FOR THE PROTECTION OF PERSONAL DATA

Technical Measures

Art. 12. (1) All premises where personal data is stored and processed are subject to access control. Possible technical means of access control include:

– security personnel;

– devices for identification via magnetic card and/or key;

– video surveillance in the hallways;

– a policy allowing external persons access to the company’s premises only when accompanied by a member of the company’s staff.

(2) The company’s premises are reliably secured through fire safety measures in accordance with Bulgarian legislation.

Documentary Protection Measures

Art. 13. (1) The company establishes procedures for processing personal data, regulating access to data, procedures for destruction, and retention periods, as detailed in these Rules. For certain categories of data, pseudonymization may be provided for at the suggestion of the Data Protection Officer.

(2) The reproduction and distribution of documents or files containing personal data shall be carried out solely by authorized employees when necessary.

Personal Security Measures

Art. 14. (1) Before assuming their respective positions, persons responsible for the protection and processing of personal data:

– undertake an obligation not to disclose the personal data to which they have access;

– familiarize themselves with the legal framework, internal rules, and company policies regarding the protection of personal data;

– undergo training on how to respond to incidents threatening data security;

– are instructed on the risks to the personal data processed by the company;

– undertake not to share critical information with one another or with external parties, except as provided for in these Rules.

(2) Upon joining the company, all employees undergo training on how to respond to incidents threatening data security, as well as training on the company’s obligations regarding the processing of personal data and the data protection measures they must implement in the course of their work. Subsequent training and drills for staff are conducted periodically to ensure familiarity with the regulatory framework, potential risks to data security, and measures to mitigate them.

Measures for the Protection of Automated Information Systems and Cryptographic Protection

Art. 15. (1) Access to the operating system containing files with personal data is restricted to individuals whose job duties or a specifically assigned task require such access. Access is granted via a password.

(2) Electronic databases are protected by logical security measures, such as an antivirus program that updates automatically, firewalls, and others.

(3) Personal data is periodically backed up to a physical storage medium for the purpose of preserving the information.

Art. 16. (1) The protection of electronic data against unauthorized access, damage, loss, or destruction, whether committed intentionally by a person or in the event of technical malfunctions, accidents, incidents, disasters, etc., is ensured by:

– setting passwords for computers through which access to personal data is provided, and for files containing personal data;

– antivirus programs and checks for illegally installed software;

– periodic checks of the integrity of the database and updating of system information, maintenance of the data access system;

– periodic archiving of data on technical media, maintaining information on paper (archival copies).

(2) The person responsible for personal data shall periodically report to the company’s management on the measures taken to ensure the level of security in the processing of personal data.

SECURITY BREACHES

Art. 17. (1) Persons who identify signs of a data security breach are required to report immediately to the person responsible for personal data, providing them with all available information.

(2) The person responsible for personal data shall immediately investigate the reported incident, attempting to determine whether a security breach has occurred and which data has been affected.

(3) The Data Protection Officer shall immediately report to the Company’s partners the available information regarding the security breach, including information on the nature of the incident, the time of its detection, the type of damage, the measures taken to date, and the measures the Data Protection Officer deems necessary to take.

(4) After consulting with the Company’s management, the Data Protection Officer shall take measures to prevent or mitigate the consequences of the breach and to restore the data.

(5) In urgent situations where consultation with management would delay the response and cause significant damage, the Data Protection Officer may, at their discretion, take measures to prevent or mitigate the consequences of the security breach. In this case, the Data Protection Officer shall immediately notify management of the measures taken and align subsequent actions with the instructions received.

Art. 18. (1) If the security breach creates a likelihood of risk to the rights and freedoms of the individuals whose data is affected, and following approval by the company’s management, the Data Protection Officer shall arrange for notification of the CPDP.

(2) Notification to the CPDP shall be made without undue delay and, where feasible, no later than 72 hours after the breach is first detected.

(3) The notification to the CPDP shall contain the following information:

(a) a description of the security breach; the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;

(b) the name and contact details of the Data Protection Officer;

(d) a description of the measures taken or proposed to address the security breach, including measures to mitigate any adverse consequences.

(4) Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall, without undue delay and in accordance with applicable law, notify the affected natural persons.

Art. 19. (1) The Company shall maintain a record of security breaches containing the following information:

(a) date of detection of the breach;

(b) description of the breach—source, nature, and scope of the affected data, cause of the breach (if applicable);

(d) measures taken to prevent and mitigate negative consequences for data subjects and for the Company;

(e) measures taken to limit the possibility of subsequent security breaches.

(2) The register shall be maintained in electronic format by the Data Protection Officer.

DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

Art. 20. (1) The Company may, if necessary, disclose personal data to third parties acting as processors, based on an explicit contract.

(2) In cases where data is provided to employees, customers, or service providers of a processor, the Company:

(a) requires sufficient guarantees from the processor regarding compliance with legal requirements and best practices for the processing and protection of personal data;

(b) enters into a written agreement or other legal instrument with equivalent effect that governs the obligations of the processor and meets the requirements of Article 28 of Regulation (EU) 2016/679;

(3) The processing of personal data by processors outside the EU/EEA is permissible only when:

(a) the European Commission has adopted a decision confirming that the country to which the transfer is made ensures an adequate level of protection of the rights and freedoms of data subjects;

(b) Appropriate safeguards are in place—such as Binding Corporate Rules (BCRs), standard contractual clauses approved by the European Commission, an approved code of conduct, or a certification mechanism;

(d) The transfer is necessary for one of the purposes listed in the GDPR, including the performance of a contract with the data subject, the protection of the public interest, the establishment and defense of legal claims, or the protection of the vital interests of the data subject where the data subject is physically or legally incapable of giving consent.

DATA PROTECTION IMPACT ASSESSMENT

Art. 21. (1) An impact assessment shall be conducted when required by applicable law and in light of the risk to individuals and the nature of the personal data processing carried out by the Company. An impact assessment shall be conducted for high-risk processing activities.

(2) An impact assessment is required whenever a key system is implemented or a business program is changed that involves the processing of personal data, including:

– the initial implementation of new technologies or the transition to new technologies;

– automated processing, including profiling or automated decision-making;

– large-scale processing of sensitive personal data;

– large-scale, systematic monitoring of a public area.

(3) A report on the assessment shall be drawn up and provided upon request by the CPDP.

DATA DESTRUCTION

Art. 22. (1) The destruction of personal data shall be carried out by the Company or an expressly authorized person, without infringing upon the rights of the data subjects whose data is subject to destruction, and in compliance with the provisions of the relevant legislation.

(2) The information in the registers shall be destroyed after the purposes of the processing have been achieved and there is no longer a need for storage.

(3) The destruction of data on paper shall be carried out by shredding with a shredder. Electronic data shall be deleted from the electronic database in a manner that prevents the recovery of the information.

PERSONS RESPONSIBLE FOR THE COLLECTION, PROCESSING, AND STORAGE OF PERSONAL DATA AND ACCESS TO PERSONAL DATA

Art. 23. The person responsible for personal data and the persons processing personal data on behalf of the company are natural or legal persons possessing the necessary competence and appointed and/or authorized by a relevant written document, including through these Rules.

Art. 24. The person responsible for personal data:

– assists the Company and the persons processing personal data in fulfilling their obligations regarding the protection of personal data by ensuring the implementation and maintenance of the necessary technical and organizational measures and means for the protection of data;

– ensures the normal functioning of the aforementioned protection systems;

– exercises control throughout the entire process of data collection and processing;

– fulfills all obligations regarding the reporting and management of data security breaches;

– periodically requests information from persons processing personal data regarding its collection, access, and processing;

– notifies the Company in a timely manner of any irregularities identified in connection with the fulfillment of its obligations;

– destroys data from paper and technical media in accordance with the law and the timeframes established in these Rules;

– authorizes natural or legal persons by written act to carry out the protection of personal data.

Art. 25. (1) The collection, processing, storage, and protection of personal data shall be carried out only by persons to whom this is expressly assigned and whose official duties or specifically assigned tasks require it.

(2) When performing activities that require the processing of personal data from the company’s records, service providers must comply with the applicable regulatory requirements regarding the processing of personal data and the procedures set forth in Article 19 of these Rules.

(3) Access to personal data may also be granted to the relevant state authorities—courts, investigative bodies, the prosecutor’s office, auditing authorities, and others. The aforementioned entities may request the data through proper channels in connection with the exercise of their powers.

RIGHTS OF DATA SUBJECTS

Art. 26. (1) Every person has the right to request access to their personal data, including the right to request confirmation as to whether data relating to them is being processed, to be informed of the purposes of such processing, the categories of data, and the recipients of the data, as well as the purposes of any processing of personal data relating to them.

(2) The right of access is exercised by a request from the data subject, received at the Company’s registered office address or official email address.

(3) Any individual has the right to request the erasure, rectification, or blocking of their personal data, the processing of which does not comply with the requirements of the law.

(4) Any individual has the right to object in writing to the processing and/or disclosure to third parties of their personal data without the necessary legal basis.

(5) The Company is required, within two weeks of receiving a request under the preceding paragraphs, to notify the applicant whether there are legal grounds for granting the request. If the Company determines that there are legal grounds to grant the request, it shall also notify the individual of the procedure by which they may exercise their right.

(6) Data subjects also have the right to:

– withdraw their consent to processing at any time;

– object to the use of their personal data for direct marketing purposes;

– request information regarding the basis on which their personal data has been transferred for processing to a processor outside the EU/EEA;

– object to a decision made solely on the basis of automated processing, including profiling;

– be notified of a data breach that is likely to result in a high risk to their rights and freedoms;

– lodge complaints with the supervisory authority;

– in certain cases, receive or request that their personal data be transferred to a third party in a structured, commonly used, machine-readable format (right to data portability).

AMENDMENTS TO THE INTERNAL RULES

Art. 27. The Company may amend these Rules at any time. All amendments shall be brought to the attention of the persons concerned without delay.

These Rules are adopted and enter into force on the date of their signing.

For and on behalf of “FRONTLINE MANAGEMENT” EOOD

/ /

Krasimira Yordanova – Manager

November 1, 2021