We value your confidentiallity
Information on data protection for the visitors of the website and the guest houses in “MUSEUM OF THE ARCHITECTURAL HISTORICAL RESERVE” BOZHENTSI “
Third parties working with or for the Administrator, including partners, external suppliers, customers, visitors, etc., as well as those who have or may have access to the personal data of the Administrator, are obliged to familiarize themselves with and comply with this policy.
2. Types of personal data that are processed by the Administrator
The personal data collected and processed by the Administrator are:
– Your first name, last name, surname, gender, email address, telephone number and permanent / current address;
– ID number;
– Data from your identity document (series, number, date and place of issue, validity);
– Information about your credit card (type and number of the card, account number, cardholder’s name, validity date and security code) – if you make payments by credit card;
– Information about the stay of guests, including date of arrival and departure, special requests, purpose of stay, observations of your preferences for services (including preferences for room, amenities or other services used);
– Data you provide us about your marketing preferences or in the process of your participation in surveys, competitions, promotional offers, as well as when subscribing to our e-newsletter;
– Other data, when a normative act requires it.
3. Sensitive personal data
The Administrator does not collect or process any type of sensitive personal data, unless the sensitive data is relevant to the specific purpose for which the personal data is processed; in other cases in which the Administrator is obliged by law; and / or if you have given your express consent.
4. Purpose of processing
The personal data of the subjects are processed in accordance with the GDPR and the Personal Data Protection Act, as well as the by-laws in the field of personal data protection. The Administrator processes your personal data for the following purposes:
• Establishing the identity of the data subjects;
• Keeping a register of accommodated tourists and providing the information maintained in it to the relevant authorities;
• Address registration of foreigners;
• Providing feedback to visitors in order to improve the services offered and to send information to them;
• Withholding and payment of tourist tax;
• Posting, preparing and sending checks/invoices for the services you use with us;
• Activities related to the development and implementation of measures to combat terrorism;
• Ensuring security and protection of data subjects;
• Receiving payments and recovering amounts wrongly paid;
• Exercising and protecting the legal rights and interests of the Administrator (such as sending notices, notarial invitations, filing claims, applications, complaints, signals, etc.);
• Sending marketing and advertising messages related to the services offered by the Administrator – after obtaining explicit consent;
• Providing an individual approach to the provision of services, consistent with the preferences stated by our visitors;
• Processing of applications;
• Fulfillment of the obligations of the Administrator in connection with the provided service;
• Implementation of effective communication;
• Updating the personal data of the data subjects;
• Fulfillment of other legal obligations of the Administrator;
• Other purposes for which the data subject has given explicit consent.
5. Legal basis for processing personal data
The Administrator collects and processes your personal data on one of the following grounds:
• Explicit consent – any freely expressed, specific, informed and unambiguous indication of the data subject’s will, by means of a statement or clearly confirmatory action expressing his or her consent to the processing of personal data relating to him or her. /e.g. for the purposes of direct marketing /;
• Fulfillment of contractual obligations – insofar as the main subject and purpose of the contract objectively cannot be achieved without providing a certain amount of personal data. In these cases, the will of the parties to enter into a contractual or pre-contractual relationship is sufficient and, accordingly, it is not necessary to give separate consent for the processing of personal data.
• Fulfillment of a legal obligation of the Administrator – in cases when personal data are transferred from one Administrator to another because of a transfer of receivables, the legal basis for processing personal data is fulfillment of the legal obligation under Art. 99, para. 3 of the Law on Obligations and Contracts. The law obliges the previous creditor to hand over to the new creditor the documents in his possession, which establish the claim. This circumstance determines the transfer of personal data, insofar as they are contained in the relevant documents;
• Protection of vital interests – such a hypothesis would exist in an emergency and when the consent of the data subject cannot be obtained;
• to protect the legitimate interests of the Administrator – these are the cases in which security and safety measures are taken, including through video surveillance, identity checks and registration of access to buildings, actions to ensure information and network security, etc. There is also a legitimate interest in processing personal data to protect the rights of the administrator in court or non-judicially, for example to file a claim for breach of contract or to seek liability for damages.
6. Personal data of children
The processing of personal data of a child under the age of 14 is carried out based on the explicit consent given by the parent exercising parental rights or by the guardian.
7. Consequences of refusal to provide personal data
The explicit consent of the data subject is not always necessary if the Administrator has another legal basis for the processing of personal data – e.g. statutory obligation. The refusal to provide the personal data required by the Administrator, as well as the provision of incorrect data, may lead to the impossibility of: concluding a contract; fulfillment of contractual and legal obligations, provision of services and others, which releases the Administrator from liability for non-fulfillment.
8. Recipients of personal data to whom your personal data are or may be disclosed
The Administrator provides the personal data of the subjects to the competent state, municipal and judicial bodies and institutions, when required by the legislation of the country and in accordance with the provisions thereof (eg. NRA, NSSI, Ministry of Interior, etc.). The Administrator also provides data to: trading partners; processing personal data on assignment by the Administrator; banks; postal and courier service providers; bailiffs; accountants; lawyers; notaries and other bodies, when this is necessary to fulfill a legal obligation of the Administrator, and personal data are not transferred to third countries.
10. Rights of data subjects
According to the GDPR, the data subject has the following rights with regard to the processing of his personal data:
– Right of access to data and information for the purposes of processing – Each person has the right to receive confirmation from the Administrator whether personal data related to him are processed, and if so, to obtain access to data and the following information: purposes of processing; the relevant categories of personal data; the recipients or categories of recipients to whom the personal data are or will be disclosed (including in third countries or international organizations); where possible, the estimated period for which the data will be stored and, if this is not possible, the criteria used to determine this period; the existence of the right to require the Administrator to correct or delete personal data or to restrict the processing of personal data related to the affected persons, or to object to such processing; the right to appeal to the Commission for Personal Data Protection; where personal data are not collected by the persons themselves, any available information about their source; the existence of automated decision making, incl. profiling, and at least in these cases essential information on the logic used, as well as the significance and intended consequences of this treatment for individuals.
The Administrator provides the person with a copy of the personal data that are being processed. For additional copies requested by individuals, the Administrator may charge a reasonable fee based on administrative costs. Where the person submits a request by electronic means, the information shall be provided in a widely used electronic form, unless the person has requested otherwise;
– Right to rectification of personal data – Any person whose data are processed by the Administrator has the right to ask the Administrator to correct inaccurate personal data related to him without undue delay. Given the purposes of processing, the person has the right to supplement incomplete personal data;
– Right of deletion (the right to be “forgotten”) – Any person whose data is processed by the Administrator, has the right to request from the Administrator the deletion of personal data related to him without undue delay, and the Administrator has the obligation to delete them without undue delay when: personal data are no longer needed for the purposes for which they were collected or otherwise processed; the person has withdrawn his or her consent on which the data processing is based and there is no other legal basis for the processing; the person objects to the processing and there are no legal grounds for the processing to take precedence; personal data have been processed illegally; personal data must be deleted in order to comply with a legal obligation that applies to the Administrator; personal data have been collected in connection with the provision of information society services.
Withdrawal of consent shall not affect the lawfulness of the processing based on a consent prior to its withdrawal.
– Right to restrict the processing of personal data – any person whose data is processed by the Administrator has the right to request from the Administrator to restrict the processing when one of the following applies: the person disputes the accuracy of personal data for a period that allows the Administrator to verify the accuracy of personal data. The Administrator no longer needs personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or protection of legal claims; the data subject has objected to the processing pending verification that the legal grounds of the Administrator take precedence over the interests of the data subject.
Where processing is restricted in accordance with the above paragraph, such data shall be processed, except for their storage, only with the consent of the data subject or for the establishment, the exercise or protection of legal claims or for the protection of the rights of another individual or for important reasons of public interest.
– Right to personal data portability – the data subject has the right to receive personal data concerning him and which he has provided to the Administrator, in a structured, widely used and machine-readable format and has the right to transfer this data to another Administrator without obstruction by the Administrator, when the processing is based on consent in connection with certain purposes or on a contractual obligation of the subject or taking steps before concluding a contract and when the processing is performed in an automated manner.
When exercising its right of portability, the data subject may receive a direct transfer of personal data from one Administrator to another, in cases where this is technically feasible;
– Right to object to the processing – The data subject has the right to object to the processing of personal data concerning him (when the processing is necessary for the performance of a task of public interest or in the exercise of official powers of the Administrator, or the processing is for purposes the legitimate interests of the Administrator or a third party), including profiling. The Administrator shall terminate the processing of personal data unless it proves that there are compelling legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or protection of legal claims.
When processing personal data for the purposes of direct marketing, the data subject has the right at any time to object to the processing of personal data relating to him for this type of marketing, which includes profiling insofar as it relates to direct marketing. When the data subject objects to processing for direct marketing purposes, the processing of personal data for these purposes shall be terminated;
– Right to appeal to a supervisory body for personal data protection – According to the Bulgarian legislation, a supervisory body within the meaning of the GDPR is the Commission for Personal Data Protection /CPDP/ with address: Sofia 1592, 2 Tsvetan Lazarov Blvd., e-mail: email@example.com, website: www.cpdp.bg, tel.: 02 / 91-53-555.
11. Rights of the Personal Data Administrator
– To refuse to delete personal data under the conditions and grounds provided for in the General Regulation on Data Protection, the Personal Data Protection Act and other normative acts in this field, stating the reasons for the refusal;
– To refuse to grant access to the data of the subject of data if the request for granting the right of access is unclear, vague or otherwise, and in each case the Administrator is obliged to state reasons;
– To refuse to correct personal data or restrict the processing of personal data related to the data subject, explaining the reasons for this;
– To impose a reasonable fee when requests are manifestly unfounded or excessive, especially due to their recurring nature.
12. Protection of personal data
To ensure adequate data protection, the Administrator applies all necessary organizational and technical measures provided for in the GDPR, the Personal Data Protection Act, by-laws in the field of personal data protection, as well as best practices of international standards. In order to ensure maximum security in the processing, transfer and storage of personal data, the Administrator uses additional security mechanisms, such as firewalls, access control procedures, security passwords, locking devices and video surveillance system.
13. Rules for video surveillance
On the territory of the “MUSEUM OF THE ARCHITECTURAL HISTORICAL RESERVE” BOZHENTSI” video surveillance is carried out in order to ensure the safety of employees and visitors and protection of property, and is used as a means of controlling the work discipline of employees. Live webcams are also used and the image is available online.
The records are stored for a period of 2 months, after which they are destroyed and outsiders do not have access to them. The records shall be kept outside the above-mentioned period in the cases when necessary for the purposes of investigation of crimes or violations, for which the Administrator notifies the investigating body – police, prosecutor’s office, Commission for Personal Data Protection, etc., and in these cases, the records may be provided to the competent authorities.
Every individual has the right to access the videos relating to him. In the cases when personal data for a third party may be disclosed during the exercise of the natural person’s right of access, the Administrator shall be obliged to provide the respective natural person with access to the part of them relating only to him. To this end, he must take appropriate technical measures to erase/mask the images of other persons subject to video surveillance. In the absence of such a technical possibility, access to video recordings may be granted only with the consent of all persons subject to video surveillance.
14. Violations. Notification of violations
A breach of data security occurs when the personal data for which the Administrator is responsible is affected by a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or processed in other way. Once the employee has received information about a breach, he must determine whether the event in question constitutes a breach of personal data and notify the organization’s management of the event (if it is not known).
In case of violation of the security of personal data, which is likely to pose a risk to the rights and freedoms of individuals, the Administrator, without undue delay and when feasible – no later than 72 hours after learning of it, notify for the violation the Commission for Personal Data Protection.
Where and to the extent that it is not possible to submit the information at the same time, the information may be submitted in stages without further undue delay.
When the breach of personal data security is likely to pose a high risk to the rights and freedoms of individuals, the Administrator shall, without undue delay, notify the subject of the breach.
The Administrator shall document any breach of personal data security, including the facts related to the breach, its consequences and the actions taken to address it.
15. Contact information
“MUSEUM OF THE ARCHITECTURAL HISTORICAL RESERVE” BOZHENTSI” with code BULSTAT 000210372, with registered office and address: BULGARIA, 5349, Bozhentsite village, represented by Director Miroslav Hristov Yordanov.
Data protection officer:
Albena Georgieva Georgieva
5349 Bozhentsite village, Gabrovo municipality
tel .: +359 66 990950
Approved by: …………………………………………………………
/Miroslav Yordanov – Director/
II. COOKIES POLICY
1. General information
This policy is part of the General policy of the Administrator for personal data protection, according to the requirements of the General regulation on data protection.
2. Purpose of using cookies
The collection of information and data from users through the cookie system is used in order to improve the service of the Administrator regarding the usability of the website and to display the most relevant information on this website.
3. What are cookies?
Cookies are small text files that are stored on your computer or mobile device when you visit a website. They allow the website to store your actions and preferences (such as username, language, font size and other display settings) for a certain period so that you do not have to enter them every time you visit the site or go from one page to another.
The function of cookies is to distinguish you from other users of the same website or to keep certain information related to your preferences.
Each cookie is unique to your browser and contains anonymous information.
4. Types of cookies used by the administrator
Mandatory cookies – These cookies are necessary for the website to perform its functions. For example: to fulfill the General Terms and Conditions proposed by the Administrator, to display the website in the correct language, etc.
Cookies for efficiency and functionality – These cookies allow you to customize the website traffic by a particular user to remember his preferences; in this way the Administrator conducts market research (for example: collects information about favorite pages, number of shares, likes for an article, etc.). IP anonymization is used for these cookies.
5. Consumer rights
The user can choose whether to accept cookies or not. The browser can be set to notify the user each time a cookie is received on his computer – so the user has the opportunity to accept or reject a cookie.
Some cookies can be turned off using the browser’s general settings, or the browser can be set to automatically reject all cookies.
You can contact us on all matters related to the protection and processing of your personal data at:
Data protection officer:
Albena Georgieva Georgieva
Bozhentsite village, Gabrovo municipality
tel .: +359 66 990950