VAT №: BG148049809
Our main goal in dealing with personal data
APARTMENT GARDEN PALACE processes your personal data in order to provide our guests with better, more qualitative and more varied services. For this reason, data security is important for the success of our business and for our public image as a premium hotel. That is why we strive to protect your data by applying all the appropriate technical and organizational means at our disposal to prevent unauthorized access, unauthorized or malicious use, loss or premature deletion of information.
How and why we use your personal information
To fulfill statutory and contractual obligations
We collect and process your personal data and other personal data in order to perform the duties assigned to us by virtue of a legal act such as the Tourism Act
We collect and process your personal data and other personal data in order to provide the services you have requested and which you wish to use with us as well as to fulfill our contractual obligations to you.
Personal identification number, names, sex, citizenship, permanent address
emails, letters, information about your troubleshooting requests, complaints, petitions, complaints;
another feedback we get from you;
video recordings that are made to improve security
preferences for the services we provide you;
credit card or debit card information, bank account number or other bank and payment information related to payments made to the hotel – payment of a product or service in the reservation system on the hotel site The user does not provide GARDENPALACE.BG with data from the bank / cards. Bank card payments are made via the Bank’s Virtual POS Terminal, where the bank card data is entered directly into the Bank’s Secure Platform. In this way, the data from the User’s bank card is protected to the maximum extent and does not become available to GARDENPALACE.BG. To prevent misuse of payment with your Visa or MasterCard card, we apply the best practices recommended by international card organizations:
The security of card data input and transfer is provided by using SSL protocol to encrypt the connection between our server and the payment page of our serving bank
The authenticity of your card is verified by entering a security code (CVV2)
In addition, for your identification as a cardholder, the payment server for e-commerce of our serving bank supports the authentication schemes of the international card organizations – Verified by VISA and MasterCard SecureCode, in case you are registered to use them.
Other information such as:
data provided through the hotel’s website;
IP address when visiting our website
demographics, household information, when you agree to participate in our surveys, prizes, or other feedback you provide to us about the services we use;
Processing is done to:
identify the customer’s identity at hotel accommodation;
manage and execute your service requests;
prepare and send an account / invoice for the services you use with us;
provide you with the full service required, and to collect the due amounts for the services used;
analyze customer history and create a profile to determine the right offer for you;
research and analyze customer use of our services based on anonymous or personalized information to identify major trends, improve our understanding of customer behavior, and collaborate with third parties to develop new services for our customers;
processing by data processor when entering into a contract, assignment, reporting, acceptance, payment;
Upon your consent
In some cases, we process your personal data only upon your prior written consent. The consent is a separate basis for the processing of your personal data and the purpose of the processing is specified therein and is covered by the objectives listed in this policy. If you give us the appropriate consent and until it is withdrawal:
we prepare suitable proposals for programs and services offered by the hotel;
The submitted consents may be withdrawn at any time. Withdrawal of consent will have an impact on the provision of relevant programs for the provision of the relevant programs.
We have a large portfolio of programs and services. When you give us consent for data processing, this consent applies to all the programs and services you use.
To withdraw your consent, you only need to use our site or simply contact us.
To whom do we provide your personal information:
We process your identification and other personal data in order to comply with obligations that are provided in a legal act, for example:
providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
provision of information to the Commission for the protection of personal data in connection with obligations provided by the legislation on the protection of personal data – Data Protection Act, Regulation (EC) 2016/679 of 27 April 2016, etc .;
obligations provided by the Accountancy Act and the Tax and Social Security Procedure Code and other related statutory instruments in relation to the conduct of correct and lawful accounting;
providing information to the court and third parties, in proceedings before a court, in accordance with the requirements of procedural and substantive legal acts applicable to the proceedings;
payment authentication for online sign-ups.
How we protect your personal information
In order to ensure adequate data protection for the company and its customers, we apply all the necessary organizational and technical measures provided by the Personal Data Protection Act and the regulations for its implementation.
The company has appointed a Data Protection Officer to support the processes of protecting and safeguarding your data.
For the sake of maximum security when processing, transferring and storing your data, we may use additional security mechanisms such as encryption, pseudonymisation, and more.
When do we delete your personal information
As a rule, we terminate the use of your personal data for the purposes of the contractual relationship after termination of the contract but we do not delete them before the expiration of one year from the termination of the contract or until the final settlement of all financial obligations and the expiration of the statutory obligations for keeping the data, such as obligations under the Accountancy Act for the storage and processing of accounting data (5 years), expiry of the limitation periods specified in the Law on Obligations and Contracts (5 years), obligations to provide information to the court, competent state bodies and other grounds provided by current legislation (5 years). Please note that we will not delete or anonymize your personal details if they are necessary for pending court, administrative proceedings or proceedings to examine your complaint before us.
Your data can also be anonymised. Anonymisation is an alternative to data deletion. In the case of anonymization, any personal identifiable elements / elements that allow to identify yourself are irrevocably deleted. Anonymized data is not legally obligatory for deletion because it does not constitute personal data.
Your rights in relation to the processing of your personal data
Right to information:
You have the right to request:
information on whether data relating to you are being processed, information for the purpose of such processing, the categories of data and the recipients or categories of recipients to whom the data are disclosed;
a message in comprehensible form containing your personal data being processed, as well as any available information about their source;
information about the logic of any automated processing of personal data relating to you, at least in the case of automated solutions.
Right of correction:
In the event that we process incomplete or erroneous / erroneous data, you are entitled, at any time, to request from us:
to erase, correct or block your personal data, the processing of which does not meet the requirements of the law;
to notify third parties to whom personal information has been disclosed of any erasure, correction or blocking, except where this is impracticable or involves excessive effort.
Right to delete / right to be forgotten /:
You have the right, at any time, to request the termination of personal data processed by us if:
personal data are not necessary for the purposes for which they were collected and processed;
you withdraw your consent and there is no other legal basis for their processing;
personal data is being processed unlawfully
Right of objection:
You may, at any time:
object to the processing of your personal data, if there is a legitimate reason for doing so; where the objection is justified, the personal data of the individual concerned can no longer be processed;
object to the processing of your personal data for direct marketing purposes.
Right to Restrict Processing *:
You may request the limitation of the processed customizable data if:
you dispute the correctness of the data for the period, in which we have to verify their accuracy; or
the processing of the data is without legal basis, but instead of deleting it, you want their limited processing; or
we no longer need these data (for the intended purpose), but you need them for the establishment, exercise or protection of legal claims; or
you have filed an objection to processing the data, pending verification that the reasons for the administrator are legal.
Data portability right *:
You may ask us to provide the personal data you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if:
process the data under the contract and based on the declaration of consent that may be withdrawn or based on a contractual obligation and
the processing is done automatically
Right to appeal:
If you believe that we are violating the applicable legal framework, please contact us to clarify the matter. Of course, you have the right to file a complaint with the Personal Data Protection Commission. After 25 May 2018, you will also be able to appeal to a regulatory body within the EU.
Requests for access to information or for correction are filed in person or by an explicitly authorized person by a notarized power of attorney. An application may also be made electronically, in accordance with the Electronic Document and Electronic Signature Act.
We give our opinion on your request within 14 days of filing. If a longer period is objectively necessary – in order to collect all the requested data and this seriously impedes our activity, this period can be extended to 30 days. By our decision we give or deny access and / or the information requested by the applicant, but always motivate our response.
Updates and policy changes