PRIVACY POLICY
of Borovete I AD
WE CARE ABOUT PROTECTING YOUR PRIVACY
Who are we?
Borovete I AD is a trade company, entered in the Commercial Register and the Register of Non-Profit Legal Entities at the Registry Agency under UIC 204605689, with seat and management office at: Varna City, Sv. sv. Konstantin i Elena resort, Administration building, represented by Miglena Yankova Mednikarova, as an Executive Manager ("Controller", "Company", "we", "our", "us"); and is Controller of personal data, according to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR", "Regulation")and under the Personal Data Protection Act ("PDPA").
How to contact us?
Address: Varna City, Sv. sv. Konstantin i Elena resort, Administration building;
Telephone: +359 52 812 100
Email: gdpr@stconstantine.bg
Contact Person for personal data protection: [*]
Borovete I AD highly values your personal data privacy.
The protection of your personal information during the whole period of processing personal data, as well as the security of all business data are our priority. We process personal data which we collect when you visit our website - www.aquahousehotel.com ("Website"), as well as the personal data which you disclose upon undertaking a contractual relationship with us, in privacy and in compliance with the applicable national and European legislation.
Our corporate policy includes data protection and security of information.
What is Privacy Policy and Privacy Declaration?
This Privacy Policy aims at providing you with thorough information, in clear and accessible manner, about what actions are taken regarding the personal data which you disclose to the Company, including:
- What personal data do we collect from you?
- For what purpose do we collect such data?
- For how long do we keep the personal data disclosed by you?
- Who do we share your personal data with?
- How do we inform you about Privacy Policy changes?
- What cookies do we use to improve your experience on our website?
- What rights do you have regarding the disclosed personal data?
By this Privacy Policy the Company declares that it applies all technical and organisational measures to protect personal data of natural persons, prescribed by any law or other national or European regulation.
What is personal data?
According to GDPR and the local PDPA, 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly.
Your mobile phone number, for instance, is an indirect identifier. Direct identification, on the other hand, is made by disclosing a unique identifier, such as your PIN, Personal Number of Foreigner, etc.
What personal data does the Company collect from you?
In order to provide efficient access to our products/services, the Company collects the following information on yourself:
Physical identity data: full name, location, permanent address, etc.;
Contact information: email address, incl. business email, telephone (mobile, home);
Technical data that are automatically sent upon access to our Website -- IP address, GPS coordinates, information about the device that you use to access the Website;
Cookies -- to identify your browser or your device.
On what basis does the Company process your personal data?
Processing of personal data includes collection, storage, destruction, transmitting, rectification, updating, erasure, destruction, or any other operation which is performed on your personal data.
In relation to the specific activity of the Controller, data for hotel registration are collected under Art. 6, Para 1, point (c) of GDPR - for compliance with a legal obligation applicable to the Controller, namely obligations under Art. 116, Para 2 of the Tourism Act -- for keeping a guest book.
The Company collects your personal data for the performance of a contract regarding any contract which you entered into for the delivery of services -- on a contract basis -- Art. 6, Para 1, point (b) of GDPR.
The Company also collects personal data after you have given an explicit, clear, free and unambiguous consent to the purposes of the processing, according to Art. 6, Para 1, point (a) of GDPR. For instance, we can use such data for marketing purposes or for sending you promotional newsletters.
Your consent to personal data processing is given by visiting our office in person or by checking the box on our Website for receiving marketing messages and notifications.
You can withdraw your consent at any time by visiting our office in person or by sending a written request to the following email address: gdpr@stconstantine.bg.
If you have given your consent by checking the box for receiving marketing messages and notifications, you can withdraw your consent at any time by replying to the commercial message that you received by email.
The Company processes personal data to comply with legal obligations, as well as in cases in which it is necessary to protect the life and the health of the physical person to whom the data relates.
The Company may process personal data also in case the Company has legal (legitimate) interest, unless the interests of the physical person to whom the data relates prevail over the Company interests.
What personal data do we collect and for what purposes?
Personal data that you disclose shall be used for the fulfilment of the obligations towards you, as well as to assist you to exercise your rights, including without limitation:
- For delivering you hotel accommodation services in Aquahouse Hotel & SPA, under the Tourism Act provisions, including:
- For performing, request for and confirmation of a reservation, Borovete I AD collects and processes the following data:
a) For a reservation through our website or through a partner platform (e.g. Booking.com): - Name and surname of the contact person; - Email address and phone number of the contact person;
b) For a phone reservation: - phone number for further contact and an email address for the confirmation of the reservation; - Name and surname of the contact person
For accommodation of guests at Aquahouse Hotel & SPA, the following data are processed and stored by the Controller:
Physical identity data -- full name (in Cyrillic for nationals and in Latin alphabet for foreign or EU citizens, following the data in the particular national ID document), PIN/Personal Number of Foreigner or other ID number, data of the ID document, including gender, nationality, date of birth, ID document number, issuing authority and issuing country;
The data collected for hotel registration are collected according to Art. 6, Para 1, point (c) of GDPR - for compliance with a legal obligation applicable to the Controller under Art. 116, Para 2 of the Tourism Act -- for keeping a guest book.
- For organising corporate or private events at Aquahouse Hotel & SPA, the following data are processed and stored:
Physical identity data: full name of the organiser of the event, email address, telephone number;
Corporate identity data: Position of the organiser of the event, business phone number, business email address.
The personal data collected for the purposes of organisation of corporate or private events are processed according to Art. 6, Para 1, point (b) of GDPR for the performance of a contract to which the data subject is party;
Personal data collected for the purposes of organisation of corporate or private events are to be stored for the duration of 5+1 years (i.e. total of 6 years), according to the statutory limitation period for making legal claim, defined by Bulgarian legislation.
For granting you access to our Website, and therefore showing you relative and personalised content, limited following the criteria set by you;
For replying to your queries, reviews or recommendations, sent by email;
For the purposes of direct marketing, for sending you information about specific campaigns and new services, including analysis and profiling of target groups, and for the feedback on the satisfaction of our customers, we collect the following data about physical identity: name, email address, phone number.
Digital (email) newsletter and direct marketing
Upon sending a query to Aquahouse Hotel & SPA (for prices, new reservation, clarifications of an existing reservation, holding an event, and/or other matters related to the services which our hotel provides), you give your consent to Borovete I AD to store and process the personal data you disclosed for the purposes of replying to your query.
Following your query, you will receive by Borovete I AD a request to consent the processing of your data for the following:
for the purposes of direct marketing, as well as for receiving information newsletters on our current offers, trip ideas, and organised games and events;
for inquiries on your satisfaction with our services.
In our digital newsletter, we shall regularly inform you about offers and services of our hotels, both those which belong to the A Hotels chain and the partner hotels: Graffit Gallery Hotel, Cooks Club Sunny Beach, Sunrise Hotel, Primorski Hotel, Aquahouse Thermal & Beach. By giving your consent for processing your personal data for the purposes of direct marketing, you shall not only receive current information about our best offers, but you shall also help us improve our services. If we receive your consent, we shall provide you information about preferential conditions and special offers, as well as about a wide range of products and services, or we shall bring to your attention what you might find interesting among them. This information may include references to special offers, new products and services.
To subscribe for our digital newsletter, we would ask you for a valid email address. We shall apply the double confirmation procedure on the subscribers of the newsletter. Therefore, after registration, we shall send you an email to the address provided, asking you to confirm your wish to receive our newsletter. In case you do not confirm in two-weeks term, the personal data which you disclosed shall be blocked and shall be automatically erased after one month. However, we shall store the information about the IP addresses from which our Website was accessed, the date and time of the access and the consent for each particular case. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any potential misuse of your personal data. As a subscriber of our newsletter, you are entitled to withdraw your consent for personal data processing at any time, and you may request update or erasure of the email address to which the newsletter is sent. You may withdraw your consent by clicking the link which is included in every newsletter email, or by sending an email to gdpr@stconstantine.bg, using "Unsubscribe" as subject of the letter.
How do we process your personal data?
In order to deliver products and services, the Company processes (collects) the personal data disclosed by you, related to your physical and economical identity, as follows:
by entering into contract relationship with you regarding the delivery of our hotel accommodation services;
by updating your data upon request, by filling in an update form, in paper or digitally;
by processing information about your visits to the Company Website;
by processing information about IP addresses, cookies, OS and browser.
For how long do we store and process your personal data before destroying it?
According to the grounds on which we process your personal data, the personal data storage period may differ.
We shall store your personal data for the period of 5 years after our contractual relationship is terminated, if we process personal data for the performance of a contract obligations to you. After the end of this period and in case there is no other legal provision for continuing the storage of your personal data, the information about you shall be destroyed. We shall not destroy or make anonymous any personal data of yours, in case they are requested under judicial or administrative proceedings or proceedings which deal with a complaint of yours against us.
Personal data, collected for reservation, are to be stored for the period of 5 (five) years, according to the requirements under Art. 116, Para 2 of the Tourism Act.
In case your data are collected on the grounds of your explicit consent for the purposes of direct marketing, we shall limit their processing to 2 (two) years from the date of automatic receipt of your consent.
All entries on you shall be permanently erased from our database, as well as all paper records which contain your personal data shall be destroyed.
To whom can we transmit the personal data which you disclose?
The Company is obliged not to provide your personal data to third parties, without your explicit consent, unless it is necessary for the compliance with the contract obligations to you.
The Company may reveal your personal data for the compliance with the obligations under a current contract or prior to entering into a contract to the following entities: delivery companies and other partners, providers, subcontractors which deliver the Company's services, as well as to any state or regional bodies, as requested by law.
The Company shall not reveal or transmit your personal data to entities foreign to the EU and the EEA. Your personal data may be transmitted to other companies of the Sts. Constantine and Helena Holding AD Group.
This transmitting, as well as any other transmitting, shall be performed under the strict compliance with confidentiality and security of your personal data, by applying all the necessary technical and organisational measures for data protection.
The Company ensures that it shall provide an adequate, high-level personal data protection, in compliance with the provisions of the European legislation.
Are there any other cases in which we might share your personal data?
Your personal data shall be provided to third parties in the following cases:
Upon request by the physical person who disclosed the data and who is a subject of personal data protection;
Upon request by competent organs, according to the current provisions of the Bulgarian or the European legislation.
Borovete I AD may reveal and transmit personal information in compliance with applicable legislation, upon order or request by a court or an administration body, or in case the transmitting of personal data is related to the fulfilment of a legal obligation of Borovete I AD.
The data collected for the purposes of accommodation at Aquahouse Hotel & SPA shall be accessible for the third parties designated by the Tourist Act -- the Ministry of Tourism, Varna Municipality, the Minister of Interior, the National Revenue Agency, and the National Statistics Institute.
Which cookies do we use and what data are collected by them?
In order to optimise our website and make it more user-friendly, we use cookies, like many other webpage operators.
The cookies are small text files that are saved in your browser. These files help us understand some of your preferences, set while surfing on our Website and the pages it contains, and allow us to manage our Website in a more effective manner. Although cookies do not represent personal data, some of them, depending on their type, may contain data which may identify you. Cookies are saved locally on the device you use to access our Website, www.aquahousehotel.com, and do not harm your system. By accumulating and analysing this information, we are able to improve our digital services and the overall customer experience, so that it meets your needs to the greatest extent. You may find out more about the cookies we use and other technologies in the Cookies Policy.
Principles of processing
We respect the following principles for processing personal data:
Legality -- upon collecting, processing and storage of personal data, we follow the applicable provisions of Bulgarian and European legislation;
Fairness and transparency -- the processes performed on personal data processing are fully based on this Privacy Policy, which is accessible for every customer;
Purpose limitation of the processing and m******inimising data (de minimis principle) -- data categories that we collect are minimised and are processed only in relation to previously established purposes;
Limited storage -- we process and store collected data only for the period of duration of the established purposes for which we need such data, and after the end of the period the data is destroyed;
Customer consent for data processing -- in order to use your data for marketing purposes and to improve our services, we need your explicit consent.
What are your rights related to provided personal data?
You are entitled to the following, as long as in compliance with the Bulgarian and European legislation on personal data protection, incl. GDPR:
The right of access to the personal data which the Company processes, and to request a copy of such data;
The right to request a rectification by the Company, in case there are inaccuracies or in case you need to update your personal data, by sending an email to gdpr@stconstantine.bg;
The right to request that your personal data is blocked, or to request a restriction of the processing, for the cases determined by the applicable law and GDPR;
The right to request an erasure, i.e. deletion, of your personal data by the Company, in case applicable conditions for such a procedure are met;
The right, at your discretion, to withdraw the consent you have given for processing your personal data for the specific purpose, e.g. for marketing purposes, by sending an email to gdpr@stconstantine.bg, or by replying to the commercial message which you received from us by email;
The right to request the portability of your personal data in a structured, machine-readable common format;
The right to submit a complaint or to file a request for protection of your rights before the Commission for Personal Data Protection (CPDP) in case the applicable conditions are met.
You may execute all the above rights at any time of processing of your personal data.
What do the above rights mean?
Right of access to personal data.
This right entitles you to receive information about the data which identifies the Controller and their representative, the purposes of the processing of personal data, the receivers or the categories of receivers to whom the data might be revealed, the data about the mandatory or voluntary nature of disclosing the data, and the consequences of refusing to disclose it, as well as information about the right of access and the right to rectification of collected data.
Data is not provided in case the physical person to whom they relate already has them, or in case there is an explicit ban for providing by law.
Right to erasure, of access, to rectification, and to blocking
The right to request erasure, rectification or block of personal data by the Controller, at any time, when processing does not comply with the requirements of PDPA, as well as the right to request that the Controller informs any third parties to whom your personal data might have been revealed, for each erasure, rectification or block performed, excluding cases in which such actions are impossible or too requiring.
Right to object
The right to object before the Controller to the processing of personal data of a physical person, when such objection is based on legal provisions, as well as to the processing and revealing your personal data to third parties for the purposes of direct marketing. You are entitled to be informed prior to the revealing of your personal data to a third party, or before such data are used on behalf of them for the first time for the purposes of direct marketing, given that you are entitled to objection to such revealing or use.
Right to portability
If data processing is automatic, you are entitled to receive the personal data related to you, those which you have disclosed to the Controller, in a structured, common, machine-readable and OS compatible format, and to transmit them to another controller.
This right is to be applied in case the data subject has provided their personal data on the grounds of their consent or if the processing is required to fulfill contract obligations. This right is not to be applied, if the processing is based on legal grounds different from consent or contract. For its nature this right is not applicable for collectors who process data as part of their public duties. Therefore, this right is not to be applied, if personal data processing is necessary for compliance with a legal obligation of the Controller, or for the completion of a task of public interest, or upon exercising public authority conferred to the Controller. The data subject's right to transmit or receive personal data related to them, does not oblige the Controller to adopt or maintain technically compatible processing systems. If there is a package of personal data that relates to more than one data subject, the right to receive personal data shall not affect the rights and freedoms of other data subjects, according to the applicable legal provisions.
Right to submit a complaint or file a request to the CPDP
In case of violation of your rights, you are entitled to refer the case to the CPDP in 6-months period from coming to knowledge, but not later than 2 (two) years since the violation occurred. In case of violation of your rights, you are entitled to appeal any actions or acts of the Controller before any court, including the Supreme Administrative Court. The latter cannot be seized, if there are ongoing proceedings before CPDP or if a decision of CPDP regarding the same violation has been appealed, but there is no effective court decision.
You may contact CPDP, as follows:
By letter: 1592 Sofia, Stolichna Municipality, 2, Prof. Tsvetan Lazarov Blvd.;
By phone: +359 2 91 53 519; +359 2 91 53 555;
By fax: +35929153525; or
By email: kzld@cpdp.bg.
You may visit the CPDP website here: www.cpdp.bg
Updates to the Privacy Policy
You may always find the latest version of the Privacy Policy on our Website.
Thus, you shall be able to interrupt some or all our services and/or to execute your rights, some of which are explicitly defined above.
In case an update is applied to this Personal Data Protection Policy, Borovete I AD shall communicate the changes by publishing them on our Website www.aquahousehotel.com, and shall give you a reasonable term to read them. After the end of the term, these changes shall apply to the processing of your personal data, without further notification. If you inform us on refusing such changes during this term, we shall consider it as a withdrawal of your consent for processing personal data, and Borovete I AD shall interrupt further processing. This might lead to interrupting your registration for our games, services, digital newsletters, etc., for which purposes you initially provided your personal data.
This Privacy Policy has been accepted by Borovete I and shall come into force on 15.03.2022.