Privacy Policy

Privacy policy of Hotel Cosmopolitan AD

Adopted on 25/05/2018.

Approved by: Krasimir Angelov Dakov /manager/

Hotel Cosmopolitan AD, EIK: 201344433 with registered office and management address: Ruse, 1 Dobri Nemirov Street is a personal data controller within the meaning of Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act. The privacy policy of Hotel Cosmopolitan AD aims to inform natural persons (data subjects) about the purposes and grounds for processing personal data, the rights and ways of exercising them by the data subjects, the categories of recipients to whom the data may be disclosed , the mandatory or voluntary nature of providing the data.

1. General information:
1.1 The privacy policy of Hotel Cosmopolitan AD has been drawn up and is based on the requirements and principles for the protection of personal data adopted by Regulation (EU) 2016/679 (General Data Protection Regulation-GDPR) regarding the protection of natural persons in relation to processing of personal data and on the free movement of such data.
1.2 In the sense of Regulation (EU) 2016/679, the definitions used in this Policy have the following meaning:
Personal Data means any information relating to an identified natural person or an identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed;
A personal data registry means any structured set of personal data that is accessed according to certain criteria, whether centralized, decentralized or distributed according to a functional or geographical principle.
An administrator is any natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of processing personal data; when the purposes and means of this processing are determined by the law of the EU or the law of the Republic of Bulgaria, the administrator or the special criteria for its determination may be established in the law of the European Union or in the law of the Republic of Bulgaria;
Data subject – is a natural person who is identified or who can be identified based on certain information representing personal data directly or indirectly;

2. Principles of personal data processing
2.1 Hotel Cosmopolitan AD processes personal data in a manner that applies appropriate technical and/or organizational measures. The following principles are followed during processing:
 the data is collected for specific, legitimate purposes and is not processed in a manner incompatible with these purposes (“appropriateness of personal data processing and purpose limitation”)
 lawful, good faith and transparent processing of personal data with respect to the data subject (lawfulness, good faith and transparency)
 proportionality and limitation of personal data processing in relation to the purposes for which the data are processed (“minimizing the data”);
 limitation of storage for a period not longer than necessary for the purposes for which the personal data are processed (“storage limitation”)
 Processing in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures (“integrity and confidentiality”)
 accuracy and timeliness of personal data processing.

3. Basis for processing personal data:
3.1 Hotel Cosmopolitan AD processes personal data on the basis of:
 the processing is necessary for compliance with a legal obligation that applies to Hotel Cosmopolitan AD in its capacity as a personal data administrator.
 the processing is necessary for the performance of a contract with Hotel Cosmopolitan AD, to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract.
 the data subject has consented to the processing of his personal data for one or more specific purposes. In cases where personal data is processed solely on the basis of consent, the data subject has the right to withdraw consent at any time. Withdrawal of consent by the data subject is not applicable in cases where processing

the data collection is based on a legal or contractual basis.
Hotel Cosmopolitan AD processes personal data independently or by assigning data processors in accordance with the law.
4. Hotel Cosmopolitan AD, as an administrator, does not process personal data such as racial or ethnic origin, political views, religious or philosophical beliefs, or membership in trade unions, as well as the processing of genetic data, biometric data for the sole purpose of identifying the individual, health data or data on the sex life or sexual orientation of the natural person, unless the data subject has given his express consent to the processing of such personal data for one or more specific purposes.

5. Purpose of personal data processing.
5.1 Hotel Cosmopolitan AD, as a company operating in the field of hotels, restaurants and tourism, processes personal data for the following purposes:
 hotel accommodation
 organization of meals in its restaurants
 use of spa, wellness and fitness services
 additional tourist services (transportation, excursions and others)
If you refuse to provide personal data, Hotel Cosmopolitan AD will not be able to provide the requested hotel and tourist services or carry out the relevant commercial transaction, insofar as the processing of personal data is largely in fulfillment of the company’s legally and normatively established obligations (except in the cases , for which personal data is processed on a basis other than the legal one).
6. The personal data that individuals provide to Hotel Cosmopolitan AD when submitting a request for the provision of hotel and tourist services and/or carrying out other commercial transactions are processed for the purpose of analyzing whether these services can be provided to individuals for the relevant period, for the purpose of protecting their health, as well as for the purpose of proper identification of the parties to the commercial transactions carried out in fulfillment of the hotel’s legally and normatively established obligations.
7. The processing of personal data is most often in fulfillment of statutory obligations of Hotel Cosmopolitan AD, resulting from legal requirements regulating the hotel and other accompanying commercial activities, financial and accounting activities, money laundering prevention activities, for the purposes the automatic exchange of financial information in the sense of the Tax and Insurance Procedural Code, pension, health and social security activity, human resources management activity, etc.
8. Except in cases where it is necessary to fulfill a legally established obligation of the personal data administrator, processing of personal data is permissible and when it is necessary to fulfill obligations under a contract with Hotel Cosmopolitan AD, according to which the natural person for whom is a party to which the data refer, as well as for actions preceding the conclusion of a contract with Hotel Cosmopolitan AD, undertaken at the request of the person or when the natural person to whom the data refer has expressly given his consent to the processing.
Apart from the described cases, processing of personal data of data subjects is permissible in the presence of a legitimate interest of Hotel Cosmopolitan AD or of a third party, when the same have priority over the interests or fundamental rights and freedoms of the data subject /customer/, for example for the purpose crime prevention including fraud, money laundering and terrorist financing prevention, other legitimate purposes.
9. The personal data of the subjects are stored within the statutory periods according to the requirements of the applicable special laws.
10. Persons under the age of 18 (eighteen) are data subjects with the right to a higher level of protection of their personal data. In connection with the direct offering of information society services to children, the processing of a child’s data is lawful if the child is at least 16 years old. If the child is under 16 years of age, this processing is lawful only if and to the extent that such consent is given or authorized by the holder of parental responsibility for the child.
11. Rights of data subjects (customers, individuals to whom the data relates)

11.1 Information – the data subject has the right to information including: identification data of Hotel Cosmopolitan AD, contact details for the hotel and the data protection officer; The purposes and legal basis for the processing; The recipients or categories of recipients of the personal data, if any; The controller’s intention to transfer the personal data to a third party/third country (when applicable); The period of storage of personal data; The existence of automated decision-making, including profiling (if any); Information about any rights that the data subject has; The right to appeal to the supervisory authority.

11.2 Access to his own personal data – the data subject has the right to receive from Hotel Cosmopolitan AD confirmation whether personal data related to him is being processed and, if so, to

get access to the data and the following information: Purpose of processing; The relevant categories of personal data; The recipients or categories of recipients of the personal data, if any; The controller’s intention to transfer the personal data to a third party (where applicable); The period of storage of personal data; Existence of the right to correct personal data, as well as the right to object to the processing of personal data; The existence of automated decision-making, including profiling (if any); Information about any rights that the data subject has; The right to appeal to the supervisory authority.

11.3 Correction (if the data is inaccurate) – the data subject has the right to ask Hotel Cosmopolitan AD to correct the inaccurate personal data related to him without undue delay.

11.4 Deletion (right “to be forgotten”) – The data subject may request from Hotel Cosmopolitan AD deletion if one of the following conditions is present:
 The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
 The data subject withdraws his consent, on which the data processing is solely based, and there is no other legal basis for the processing / processing pursuant to a legal obligation of Hotel Cosmopolitan AD, a contract concluded with the company/;
 The data subject objects to the processing and there are no overriding legal grounds for the processing;
 Personal data were processed illegally;
 Personal data must be deleted in order to comply with a legal obligation under the law of the European Union or the law of the Republic of Bulgaria, which applies to Hotel Cosmopolitan AD in its capacity as an administrator;
 The personal data was collected in connection with the provision of information society services to children and the consent was given by the holder of parental responsibility for the child.

11.5 Restriction by Hotel Cosmopolitan AD or the personal data processor – for the possibility of using this right, specific conditions are necessary, such as:
 The accuracy/timeliness of the personal data is contested by the data subject. In this case, the restriction of processing is for a period that allows Hotel Cosmopolitan AD to check the accuracy of the personal data;
 The processing is unlawful, but the data subject does not wish the personal data to be deleted, but instead requests the restriction of its use;
 Hotel Cosmopolitan AD no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defense of legal claims;
 The data subject has objected to the processing pending verification of whether the legal grounds of Hotel Cosmopolitan AD take precedence over the interests of the data subject.

11.6 Portability of personal data between individual administrators – the data subject has the right to receive the personal data concerning him and which he has provided to Hotel Cosmopolitan AD in a structured, widely used and machine-readable format and has the right to transfer this data to another administrator without hindrance from the company to which the personal data has been provided, when the processing is based on consent or a contractual obligation and the processing is carried out in an automated manner. When exercising the right to data portability, the data subject has the right to obtain a direct transfer of the personal data from Hotel Cosmopolitan AD to another administrator, when this is technically feasible.

11.7 Objection to the processing of their personal data – data subjects have the right to object to Hotel Cosmopolitan AD against the processing of their personal data, and the hotel will terminate the processing, unless it proves that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

In case of objection to the processing of personal data for the purposes of direct marketing, Hotel Cosmopolitan AD will terminate the processing immediately.

11.8 The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which gives rise to legal consequences for the data subject or similarly significantly affects him;

11.9 Judicial or administrative protection in the event that the rights of the data subject have been violated – if the data subject considers that his right to the protection of personal data and privacy has been violated, he can lodge a complaint with the relevant supervisory authority -Commission for the protection of personal data or to seek his rights in court.

12. Disclosure of Personal Data
12.1. Hotel Cosmopolitan AD may disclose personal data to the following categories of persons:
 The persons to whom the data refer, namely: persons using tourist services or products or who have submitted a request to use the tourist services, as well as persons

parties who are parties to tourist and/or other commercial transactions and contractual relations with the hotel;
 Persons who have the right to access personal data by virtue of a law or other regulatory act;
 Persons for whom the right arises by virtue of a contract concluded with Hotel Cosmopolitan AD.
13. Process for exercising the rights of data subjects:
13.1 Natural persons (data subjects) have the right at any time to request from Hotel Cosmopolitan AD:
 confirmation of whether data relating to them is processed by the hotel, what are the purposes of the processing, the categories of data and the recipients of this data or the categories of recipients to whom the data is disclosed;
 the hotel sends a message to them in an understandable form, containing the personal data being processed and any available information about the source of this data;
 information on the logic of any automated processing of personal data (if available) relating to natural persons, at least in the case of automated decisions pursuant to the General Regulation on the Protection of Personal Data and the Law on the Protection of Personal Data;

13.2 Upon request, Hotel Cosmopolitan AD provides the information described above free of charge.

13.3 Individuals have the right at any time to request Hotel Cosmopolitan AD to:
 delete, correct or block their personal data, the processing of which does not meet the requirements of current legislation
 notify the third parties to whom the personal data of the natural persons have been disclosed of any deletion, correction or blocking carried out in compliance (except for cases where this is impossible or related to excessive efforts for the company).

13.4 Individuals (data subjects) exercise their rights by submitting a written application to Hotel Cosmopolitan AD, containing: name, social security number, address and other identification data of the relevant individual; description of the request; preferred form of providing the information signature, date, mailing address and telephone number.

13.5 Submission of the application is free of charge.

13.6 When submitting an application by an authorized person, an express notarized power of attorney shall be attached to the application.

13.7 In case of death of the natural person, his rights are exercised by his heirs, and a certificate of heirs is attached to the application.

14. The application is considered and Hotel Cosmopolitan AD responds within 1 month from receipt of the request. If necessary, this period can be extended by another two months. The company informs the data subject of any such extension within 1 month of receiving the request, indicating the reasons for the delay.

15. Hotel Cosmopolitan AD provides an answer to the applicant taking into account the applicant’s preferred form of providing the information.
16. When the data do not exist or their provision is prohibited by law, the applicant is denied access to them.

17. In the event that the applicant is not satisfied with the answer received and/or considers that his rights related to the protection of personal data have been violated, the applicant has the right to exercise his right of protection.

18. Contact details of the administrator:
Administrator: Hotel Cosmopolitan AD,
EIK: 201344433
Address: Ruse, 1 Dobri Nemirov St
E-mail: reception@cosmopolitanhotelbg.com
Phone: 082805050
Website: www.cosmopolitanhotelbg.com
19. Contact details of the supervisory authority:
Supervisory authority: Commission for the protection of personal data
Address: Sofia 1592, Prof. Blvd. Tsvetan Lazarov” No. 2
Email: kzld@cpdp.bg
Website: www.cpdp.bg

Last updated: May 25, 2018.