I.”BULGARIAN FAIRY TALE” Ltd., registered in the Commercial Register at the Registry Agency with UIC 205111490, with headquarter and address of management: Sofia – 1606, Krasno Selo district, 20, Ivaylo Str., with license for Tour Operator No. PK-01-7893
1. “BULGARIAN FAIRY TALE” Ltd, according to the subject of its activity, performs the following activities: guiding services for incoming foreign tourists and Bulgarian tourists in Bulgaria and abroad, all kinds of alternative tourism, cultural tourism and historical tourism, transport activity.
2. By the fulfillment of its purposes and legal obligations, “BULGARIAN FAIRY TALE” Ltd is an Administrator and Processor of Personal Data of Personal Data Entities, hereinafter referred to as “Customers”.
3.These Internal Rules govern the organization of the internal order of “BULGARIAN FAIRY TALE” Ltd (hereinafter referred to as the COMPANY) as Administrator and Processor of Personal Data, as well as the level of technical and organizational measures for the processing of personal data and the acceptable type of protection.
The internal rules have been drawn up in accordance with the provisions of Regulation 2016/679 / EC.
II.For the purposes of these Internal Rules, the mentioned below terms have the following meanings:
A. “personal data” means any information relating to a natural person identified or identifiable, directly or indirectly, in particular by name, identification number, location data, online identifier or by one or more signs.
B. “Processing of Personal Data” – is any action or a set of actions that “BULGARIAN FAIRY TALE” Ltd performs with regard to personal data with automatic and non-automatic means as collecting, recording, organizing, storing, adapting or modifying, restoring, consulting, using, revealing by delivering, sharing, distributing, providing, updating or combining, blocking, deleting or destructing of data, etc.
C. “Personal Data Administrator” is “BULGARIAN FAIRY TALE” Ltd, which independently or together with other administrators and third parties, or through an assignment, processes personal data.
D. “Personal data processor” means a person who, under the authority of the Administrator and / or for the purpose of distinguishing specific obligations, processes personal data. A person might be both an Administrator and a Personal Data Processing Person.
E. “Specific data” – this term includes: – genetic data – a person’s definite data, giving unique information for distinguishing traits and physical health, obtained from a person’s biological sample analysis;
– biometric data – these are personal data, obtained as a result of technical processing, related to the physical, physiological or behavioral characteristics of the individual, which confirm the unique identification of the individual;
– health status data – data, related with the physical and mental health of the individual.
F. REGISTER OF PERSONAL DATA ACTIVITIES
– A structured set of personal data, available under certain criteria, in accordance with the Agency’s internal rules and documents, which could be centralized and decentralized and is distributed on a thematic and / or functional basis.
G. “AGREED GOALS” – these are the objectives, agreed between the Agency and the Clients in the contracts for tourist services, concluded between them.
H. “INDIVIDUAL CONSENT” It means any free expressed, specific, concrete, informed will, by which the natural person, to whom the personal data refer, unambiguously agrees the processing of his/her/ personal data
III.1. “BULGARIAN FAIRY TALE“ Ltd. processes only data, gathered in a lawful, conscientious and transparent manner with respect to the LAD. Personal data are collected for specific, explicit and legitimate purposes and are not processed further in a way inconsistent with these purposes. The personal data gathered of this way are necessary for the statutory duty of the controller and for certain legitimate purposes. The data are gathered following explicit, clear and unambiguous consent of the data subject.
A. Personal data are gathered and processed as necessary in connection with the purposes, for which it is being processed.
B. The personal data gathered and processed by “BULGARIAN FAIRY TALE“ Ltd. should be accurate and, if necessary, updated.
C. Personal data could be deleted or corrected when they are found to be inaccurate or inconsistent with the purposes for which they are being processed.
2. “BULGARIAN FAIRY TALE” Ltd. maintains the personal data in the form and format that allow identification of the individuals for a period not longer than necessary for the fulfillment of the purposes for which the personal data are being processed and in accordance with the legally established terms for storage and deletion, mentioned in the regulatory framework regulating the activity of the tourist company – Law for tourism, SOCIAL INSURANCE CODE, INSURANCE CODE,LABOUR CODE, as well as by-laws regulating the tourist activity and the tourist area services.
Some of the following data could be collected: names, date of birth, personal identification number, passport / ID card details: number, date of issue and validity, publisher, citizenship, address, telephone, e-mail, education, other personal data required for the service. For some specific services, it is possible to process special personal data, such as health information. The data gathered and processed in the company is realized both by direct contact, by clients visits in the company’s office and by visiting the web page of ” BULGARIAN FAIRY TALE“ Ltd. using the e-mail link.
3. “BULGARIAN FAIRY TALE” Ltd. complies with the principle of prohibiting the processing of special categories of data pursuant to Article 9, paragraph 1, disclosure of racial or ethnic origin, disclosure of political, religious or philosophical beliefs, membership in trade unions, sexual life or the human genome. Exceptions are only allowed in the following cases: the subject explicitly agrees, the processing is necessary in order to protect the vital interests of the data subject or of another individual or the data subject is physically or legally incapable of being – Article 9, paragraph 2 of the Regulation.
RIGHTS OF PERSONAL DATA SUBJECTS
I. Conditions for giving explicit consent to the collection of personal data and ensuring the rights of personal data subjects
The storage and processing of personal data is necessary to fulfill the claims, declared by the SPD (the subject of personal data) to use any of the tourist services, offered by the company.
The subject has given his or her consent or “BULGARIAN FAIRY TALE” collects personal data in connection with the purposes of performing its duties and exercising its rights and obligations.
The consent of the subject of personal data is obtained both during the visit of the clients in the office of the tourist company as well as by visiting the website of the company through the registration made there.
When the collection and processing is necessary for the purposes of establishing, exercising or protecting legal claims, courts, police and other administrators and third parties outside the scope of the activity of the tourist company, it shall only be carried out under the supervision of the relevant official body.
The consent of the personal data subject, expressed by a written declaration that relates and to other matters, shall be given in an accessible form and manner that clearly distinguishes it from other matters, in an understandable and easily accessible form.
The administrator – “BULGARIAN FAIRY TALE” Ltd., shall create a register for recording of the given information by the SPD/ subject of personal data/ under the conditions of article 5, paragraph 5 of these rules. There shall be stated the grounds for requesting such data, the authority or person requiring them and the details of the person, to whom it concerns and the period when it has happened.
II. The rights of the personal data subjects in ”BULGARIAN FAIRY TALE” Ltd. are secured as follows:
1. Subject of personal data – The client has the right to unrestricted access to his or her own data and at any time to obtain information about whether his or her data, goals, and storage period are being processed. When personal data are not taken directly from the client, any available information about their source. The presence of automatically decision taking , including profiling, as well as additional information about this in the cases provided by law. The data are provided voluntarily by the data subjects, by signing the contracts for tourist services, as well as by the inquiries made by the company through its e-mail address on the company’s web site. Upon multiple requests for information when technical difficulties appear, as well as when much longer time for processing is needed, the request is paid.
2. SPD – The Client has the right to request correction without undue delay of the inaccurate personal data,concerning him/her and the Administrator is obliged without undue delay to correct them.
3. SPD – the client has the right to withdraw his obtained consent at any time. After withdrawal of the consent, “BULGARIAN FAIRY TALE“Ltd. discontinues the processing of personal data of the subject, but the withdrawal of the consent does not affect the conformity with the law of the processed data, performed on the basis of consent given previously.If there is a different reason than the one for which the consent for processing of the data has been given, or there is an exception, related to the ordinary and lawful activity of the company (such as the data is needed for providing another service, that has already been purchased “BULGARIAN FAIRY TALE” Ltd. could continue processing the same data.
4.SPD – The Client has the right to request the deletion of his / her data without undue delay, “BULGARIAN FAIRY TALE“ Ltd. is obliged to erase this personal data without undue delay when any of the following reasons mentioned below has been applied:
– the personal data is no longer needed for the purposes for which it was collected or otherwise processed;- personal data has been processed unlawfully;- client has objected to the processing of his / her personal data;- when the client has already withdrawn the given consent for processing and there is no other ground for their processing;- personal data must be deleted to comply with a legal obligation; Exceptions to this rule could be made and “BULGARIAN FAIRY TALE” Ltd. has no obligation to delete the data if the processing of personal data is necessary:– to comply with a legal obligation that requires treatment, or for the performance of a task of public interest or in the exercising of official authority delegation to “BULGARIAN FAIRY TALE” Ltd; – for purposes of archiving in the name of public interest and for scientific or historical research or statistical purposes, in accordance with Article 89, paragraph 1 of the Data Protection Regulation, in so far as it is likely that the deletion of the data could make it impossible or seriously hindering the achievement of the purposes of such processing – for the establishment, exercise or protection of legal interests.
5. SPD – The client has the right to limit the processing, if following prerequisites exist:-the accuracy of personal data is disputed by the subject of personal data for a period that allows the administrator to verify the accuracy of the data;- the processing is illegible, but the SPD does not want his/her data to be erased, but only temporary restricted;-By the time when “BULGARIAN FAIRY TALE” Ltd. does not need any more personal data for the purpose of the processing, but the SPD requires them for the establishment, exercise or protection of legal claims;-in case if the SPD has objected to the processing, pending verification if the legal grounds of the Administrator have an advantage over the interests of the subject;In a situation of processing restriction, “BULGARIAN FAIRY TALE” Ltd. could process the relevant personal data, in different way than its preservation only with the consent of the SPD or for the establishment, exercise or protection of legal claims or for the protection of the rights of another individual or upon important grounds of public interest for Republic of Bulgaria or the European Union.
6. SPD – The client has the right for data portability, which is expressed in his / her right to receive data that concerns him / her , which data is been provided to the administrator in a structured, widely used and machine readable format, and is entitled to transfer such data to another administrator without obstruction by “BULGARIAN FAIRY TALE” Ltd., in case the company processes the data according of a consent or when the processing of the data is necessary for the fulfillment of a contractual obligation between the subject and “BULGARIAN FAIRY TALE” Ltd;
-in case the processing is being done in an automated manner;
The right for direct transferring of personal data could only be realized if it is technically possible.
7. SPD – the client has the right not to be a subject of a decision, based solely on automated processing, including profiling, which produces legal consequences for the data subject or in a similar manner affects him/her significantly.An exception to this rule could be made if:- this action is necessary for the conclusion or performance of a contract between the data subject and the administrator;- based on the explicit consent of the subject;- or there is a legitimate permission for that, applicable in the activity of the administrator, and in which appropriate measures for protection the rights and freedoms and the legitimate interests of the data subject are foreseen;
8. SPD – The Client has the right at any time to object to the processing of personal data, if they are processed for direct marketing purposes against this type of marketing, including also profiling, as far as it is connected to the direct marketing.When the SPD makes objections against processing for the purposes of direct marketing , the processing of personal data has to be terminated.
9. SPD – The Client has the right to appeal to a Supervisory Authority, if he/she considers that “BULGARIAN FAIRY TALE” Ltd. processes his or her personal data in violation of the provisions of the applicable law, including but not limited to the General Data Protection Act and the Law for the protection of personal data, the subject has the right to make a complaint by the supervisory authority in the Member State of the European Union in his/her habitual residence, working place or place of supposed violation. In Republic of Bulgaria the competent supervisory authority is the Commission for Protection of Personal Data.
RELATIONSHIPS OF “BULGARIAN FAIRY TALE” Ltd WITH OTHER ADMINISTRATORS OF PERSONAL DATA AND PROCESSING PERSONAL DATA THIRD PARTIES
I. “BULGARIAN FAIRY TALE” Ltd. develops activity of common processing of personal data with other Data Administrators in accordance with the requirements of Regulation 2006/679 / EC
1. Personal data administrators, with whom “BULGARIAN FAIRY TALE” Ltd. collects and exchanges data of SPD, are: Insurance Company GROUPAMA INSURANCE AD, D COMMERCE BANK, accounting company M & M CONSULTING, Ministry of Tourism ,Ministry of Interior, Ministry of Foreign Affairs, National Health Insurance Fund, National Insurance Institute, Revenue Agency and other tourist, insurance and transport companies.
2. The exchange of personal data of natural persons – clients should be carried out only for strictly defined purposes, in fulfillment of the tasks of the administrators themselves and in protection of the interests of the SUBJECTS OF PERSONAL DATA. / pursuant to Article 25, Section 2 of Regulation 2006/679 / EC /.
3. The relations between the Administrators are settled by the legislation regulating their activities, the Personal Data Protection Act and the Regulation 2006/679 / EC, approved mechanisms, specialized forms and certified software products, specialized web portals, which ensures the protection of the exchangeable data between the Administrators.
4. In connection with the fulfillment of its goals, the travel agency also transfers personal data to third countries and international organizations. The transmission of these data is realized in accordance with Articles 45 and 49 of the Regulation for protection of the personal data.
II. 1. The personnel, occupied with data processing at “BULGARIAN FAIRY TALE” Ltd are the employees of the company and specially authorized representatives, if any.
2. The personnel, occupied with data processing collect and process personal data on behalf of and with the explicit consent of the Administrator.
3. There are contractual relations between the occupied in the Data Processing and the Administrator.
4. Everyone occupied with data processing uses certified electronic products, personal electronic signature, personal codes, which is a guarantee for the protection of personal data.
5. The provision of data to third parties takes place and is related to the execution of the service in accordance with a contract between the Client and “BULGARIAN FAIRY TALE” Ltd.- companies for flight tickets, cruises, transport services, hotels or booking operators, insurance companies, guides and drivers, hired by the COMPANY for the purposes of communicating with the participants in the concrete voyage and contacting with other service providers, that are implemented as part of a package or a separate tourist service.
6. “BULGARIAN FAIRY TALE” Ltd. provides personal data to third parties only if it is necessary for the execution of the contracts for tourist services and does not provide personal data to persons who are not related to the respective service.
7. “BULGARIAN FAIRY TALE” Ltd. does not provide personal data to third parties for marketing purposes.
8. Paper copies of the electronic forms shall be stored by the Administrator personell in specialized and locked index – cases. The key shall be kept by the manager of the Administrator of or by a person specialy authorized for that purpose.
9. The part of the information, that has legally defined storage periods, will be deleted after the expiration of the deadlines.
TECHNICAL AND PHYSICAL FACILITIES FORPROTECTION OF PERSONAL DATA
I. Gathering, processing and storing of Client’s personal data in “BULGARIAN FAIRY TALE” Ltd. is carried out by technical and physical ways and means. All customer’s data are stored in folders. This data are preserved in electronic version and on paper in folders.
1. The main formats, which contain Client’s data, are the contracts, concluded between the Clients and the travel agency, classified in the folder of the respective tourist service.
2. The main data, reported in the documentation are:
A. The full name of the person;
B. identity card details, including Unified Civil Number and permanent address;C. sex and age of the person;
D. special requirements, related to the health condition of the Client.
3. The contracts concluded between the Clients and the travel agency in connection with the relevant service comply with the requirements of the Tourism Act and have to be signed bilaterally by both sides – by the Client as a subject of personal data and by the Administrator. There could be also bilaterally signed additional agreement with some special Client’s requirements.
4. The contracts, completed with the additional agreements, if any, have to be kept in paper form. A copy of the contract and the additional agreement shall also be provided to the Client.
A. Data protection in the electronic form is secured by a personal password and a personal electronic signature of the data administrator.
B. The paper versions of the contracts and the additional agreements are kept in folders. The folders are kept in special locked index – cases. The key of these records is stored only by the data Administrator. The Administrator has an obligation and responsibility as a job description to prevent that these keys fall into other hands.
DEADLINES FOR THE STORAGE, DELETION AND ARCHIVING OF PERSONAL DATA FROM MEDICAL ACTIVITIES.
I. The terms for storing and deleting of personal data of the activities of “BULGARIAN FAIRY TALE” Ltd. comply with the terms established by the Bulgarian legislation, regulating its activities.Personal data is stored for a different period of time, depending on the purposes for which it were collected and the requirements of the current legislation:
Clients data provided for communication and pre-reservation purposes and for a travel request – 30 days by explicit declared consent, unless the data subject requests “to be forgotten” before expiration of that period;
Client’s data for the execution of specific travel and reservation contracts – 2 years and 6 months from the date of completion of the concrete specific service;
• for concluding a contract for a tourist package, cruise, hotel booking, transfer and other land transport, visa and other tourist services – 2 years from the date of finishing of the service;
• for reservation and issuance of flight tickets – 5 years from the date of finishing of the service;
• for issuing medical insurance for traveling abroad and cancellation of travel – 2 years from the date of termination of the service;• To conclude a contract for organizing of events, meetings, teambuilding, etc. – 2 years from the date of termination of the service;
• Client’s and partner’s data provided for storage by explicitly declared consent beyond the implementation of a specific contract – 5 years, unless the data subject requests “to be forgotten” before the expiration of that period;
• Client’s data for marketing and statistical purposes – 5 years, after an explicit consent, unless the data subject requests “to be forgotten” before the expiration of that period;• Client’s data for accounting purposes – 10 years + 1 year from the date of signing the contract;• employee data – 50 years + 1 year from the date of signing the contract;
• data of other persons – for a period of time until the relevant objective is met, in exception of cases if such persons request “to be forgotten” in accordance with the Regulation.At any time within these time limits, the SPD /subject of personal data/ should have the right to request the administrator to correct inaccurate personal data relating to him/her without undue delay. In accordance with the declared purpose for processing, the data subject has the right his/her incomplete personal data to be filled in, including by adding of a declaration.