Privacy Policy - Personal Data Processing Policy

I. SUBJECT, PURPOSE AND SCOPE

BALKAN HOLIDAYS SERVICES LTD conducts activities as a tour operator, travel agency, and auxiliary tourist activities and is an administrator of personal data. The company processes personal data independently or by assigning data processing to ensure compliance with the requirements of the Personal Data Protection Act (PDPA), applicable European legislation (Regulation (EU) 2016/679 of the European Parliament and of the Council and related documents), sub-legislative acts regarding the protection of personal data, certified Information Security Management System (ISO/IEC 27001:2013), and internal rules for the processing and protection of personal data. This Data Protection Policy of BALKAN HOLIDAYS SERVICES EOOD (hereinafter the Policy) defines the basic principles and rules related to the processing of personal data, the rights of data subjects, the obligations and responsibilities of BALKAN HOLIDAYS SERVICES EOOD as a data controller, and the functions of the data protection officer and the registers maintained by BALKAN HOLIDAYS SERVICES EOOD for the processing of personal data. The Policy is part of a comprehensive system of internal regulations, technical and organizational measures that BALKAN HOLIDAYS SERVICES EOOD maintains to ensure that its employees, contractors, and all other natural and legal persons who process personal data on behalf of BALKAN HOLIDAYS SERVICES EOOD strictly comply with the requirements of applicable European and national legislation and internal rules, thereby ensuring the protection and security of personal data of individuals (data subjects). The principle of protection and security of personal data is a fundamental principle in the execution of the business processes of BALKAN HOLIDAYS SERVICES EOOD. Compliance with it is an obligation and responsibility of every employee and is shared by all organizational units in BALKAN HOLIDAYS SERVICES EOOD. 
This Policy develops this principle into specific rules and aims to assist employees in their daily work with personal data to avoid its violation. Violation of the security of personal data may pose a high risk to the rights of the affected individuals and may have significant negative consequences for BALKAN HOLIDAYS SERVICES EOOD and its employees who have violated the requirements of applicable regulatory requirements and the Company’s internal regulations. Therefore, any noncompliance with this Policy is treated as a serious violation. To maintain compliance with European and national legislation in the field of personal data, the management of the Company has approved and maintains a set of documented policies and rules for security and protection of the personal data processed in BALKAN HOLIDAYS SERVICES EOOD. All employees are required to be familiar with and apply the relevant policies and rules of BALKAN HOLIDAYS SERVICES EOOD. The Company requires external parties with whom it establishes commercial relationships to comply with the principles outlined in this policy.

II. RELATED DOCUMENTS

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2. Personal Data Protection Act
3. Labour Code (in force since 01.01.1987, promulgated SG No. 26 of April 1, 1986, amend. and suppl. SG No. 30 of April 3, 2018) – (LC);
4. Social Security Code (promulgated SG No. 110 of December 17, 1999, amend. and suppl. SG No. 30 of April 3, 2018) – (SSC);
5. Health and Safety at Work Act (promulgated SG No. 124 of December 23, 1997, SG No. 97 of December 5, 2017) – (HSWA);
6. Regulation No. 4 of May 11, 1993, on the documents necessary for concluding an employment contract (issued by the Minister of Labour and Social Policy, promulgated SG No. 44 of May 25, 1993, amend. and suppl., SG No. 99 of December 12, 2017)
7. Other laws specific to BALKAN HOLIDAYS SERVICES EOOD
8. Information Security Policies and Procedures of the Information Security System
9. Policies and procedures of the Personal Data Management System:
– POL 02 Policy for Employee Personal Data Protection
– POL 03 Policy for Personal Data Protection Training
– PRO 01 Data Confidentiality Procedure
– PRO 02 Subject Consent Procedure
– PRO 03 Consent Withdrawal Procedure
– PRO 04 Subject Requests Management Procedure
– PRO 05 Data Breach Response and Notification Procedure
– PRO 06 Supplier/Subcontractor Process Management Procedure

III. TERMS, DEFINITIONS AND ABBREVIATIONS

Personal Data: Any information relating to an identified or identifiable natural person (“data subject”). Data Subject: A natural person who has been identified or who can be identified based on specific information, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Processing of Personal Data: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Register of Personal Data: Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed on a functional or geographical basis. Data Subject Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. 
Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. Recipient: A natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. Processing Restriction: The marking of stored personal data with the aim of limiting their processing in the future. Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Third Party: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. 
Rights of the Data Subject: The subjective rights of individuals, whose personal data is being processed, as specified in Articles 12-23 of Regulation 2016/679, including but not limited to: – Right to information and access to personal data (including obtaining a copy); – Right to rectification and erasure (“right to be forgotten”); – Right to restriction of processing; – Right to data portability; – Right to object, including in the context of automated decision-making.

IV. ROLES AND RESPONSIBILITIES

Data Controller Role: Balkan Holidays Services Ltd. acts as the data controller and, in certain cases, processes personal data. Management Responsibility: Management is responsible for developing and promoting compliance with principles and best practices for personal data processing within and on behalf of the Company, in order to comply with European and national legislation. Responsibilities and Duties: Specific responsibilities and duties are outlined in this policy, as well as in all policies and rules within Balkan Holidays Services Ltd. related to the processing, security, and protection of personal data. Responsibility of Departmental Managers: All managers of structural units within the Company are responsible for controlling compliance with the implemented rules for the protection of personal data and report directly to management. Specific responsibilities and duties by functions and levels are outlined in the policies and procedures of the present Data Management System. Responsibilities of the Data Protection Officer (DPO): The responsibilities and duties of the Data Protection Officer are documented in RD 1.1 – Job Description of the Data Protection Officer. The employee is familiar with them and confirms acceptance by signing the job description. Responsibilities of the Data Protection Officer (DPO): – Ensuring compliance of processes and activities of Balkan Holidays Services Ltd. with this policy and all Company policies and rules in the field of personal data protection and security. – As a contact person, the Data Protection Officer has specific responsibilities and makes decisions regarding requests from data subjects, clarifies issues related to personal data to employees, and communicates with the supervisory authority – Commission for Personal Data Protection. Maintaining Compliance: Compliance with data protection legislation is the responsibility of all employees working in the Company and performing personal data processing operations. 
Training Policy: Balkan Holidays Services Ltd. has implemented POL 03 – Training Policy on Personal Data Protection, which sets out specific requirements for training and raising awareness and understanding of data protection among employees.

V. BASIC PRINCIPLES RELATED TO PERSONAL DATA PROCESSING

BALKAN HOLIDAYS SERVICES LTD processes personal data in compliance with the following principles:
1. Lawfulness, Fairness, and Transparency
The company processes personal data lawfully, fairly, and in a transparent manner, regarding the data subjects.
1.1. Lawfulness of Processing
Every processing of personal data by BALKAN HOLIDAYS SERVICES LTD is based on a valid legal basis and is carried out in compliance with external and internal regulatory framework. The principle of alternativity applies concerning legal bases. Processing of data is lawful under the following conditions: – When necessary for compliance with a legal obligation applicable to the activities of BALKAN HOLIDAYS SERVICES LTD; – When the data subject has given consent to the processing of their personal data for one or more specific purposes by providing the Company with relevant written documents and/or through other actions and technical means (including electronically); – When necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract (such as employment contract, client contract, supplier contract, contractor contract, service provision contract, or product delivery contract, etc.); – To protect the vital interests of the data subject or another natural person; – For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (including processing related to providing information to a public authority); – For the purposes of the legitimate interests pursued by BALKAN HOLIDAYS SERVICES LTD or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly where the data subject is a child.
Lawfulness of Processing of Clients’ and Suppliers’ Data
BALKAN HOLIDAYS SERVICES LTD processes personal data of its clients and suppliers in accordance with legal requirements and for the purposes of its legitimate interests, and in connection with the performance of contracts between the parties.
Lawfulness of Processing of Employees’ Data
BALKAN HOLIDAYS SERVICES LTD processes personal data of its employees based on applicable labor, social security, and tax legislation, as an employer (insurer), and in connection with activities related to the conclusion and performance of employment contracts.
Lawfulness of Processing of Non-Employment-related Contractors’ Data
BALKAN HOLIDAYS SERVICES LTD processes personal data of non-employment-related contractors – natural persons, based on applicable social security and tax legislation, as a principal (insurer), and in connection with activities related to the conclusion and performance of contracts with contractors.
1.2. Fairness and Transparency
In compliance with the principle of transparency in the processing of personal data, BALKAN HOLIDAYS SERVICES LTD informs its employees, clients, suppliers, contractors, and partners, in an appropriate, clear, and understandable manner, about the collection and processing of their personal data by BALKAN HOLIDAYS SERVICES LTD and about their rights regarding the protection of their personal data, including through information on its website. BALKAN HOLIDAYS SERVICES LTD assists data subjects in exercising their rights. Employees, suppliers, and partners, acting as data processors, are informed of the rights of clients as data subjects and are obliged to provide them with information and assistance in this regard.
2. Purpose Limitation
BALKAN HOLIDAYS SERVICES LTD collects personal data for specific, explicitly stated purposes in the relevant regulatory acts, contracts, consents, or other documents and forms, for legitimate purposes and does not process them further in a manner incompatible with the initially defined purposes.
3. Data Minimization
BALKAN HOLIDAYS SERVICES LTD processes personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
4. Accuracy
BALKAN HOLIDAYS SERVICES LTD collects and processes personal data and takes all reasonable measures to ensure the timely correction or erasure of inaccurate data, considering the purposes for which they are processed. BALKAN HOLIDAYS SERVICES LTD makes efforts to keep personal data up to date. In compliance with the principle of accuracy of the collected data and in order to fulfill its obligations to the data subjects properly, BALKAN HOLIDAYS SERVICES LTD encourages them to inform about any changes in their personal data and provides assistance for updating their data.
5. Data Storage Limitation
BALKAN HOLIDAYS SERVICES LTD stores personal data in a format that allows the identification of the data subject for a period not exceeding the one specified by a regulatory act. If there is no such act, the data is retained for a period not longer than necessary for the purposes for which the personal data is processed. Upon achieving the processing purpose or upon expiration of a specific retention period set forth in a regulatory act, BALKAN HOLIDAYS SERVICES LTD, as the data controller, is obliged to destroy the personal data. BALKAN HOLIDAYS SERVICES LTD may transfer personal data to another controller after notifying the Commission for Personal Data Protection (CPDP) if the transfer is provided for by law, and there is an identity of the purposes of the processing.
5.1. Storage of Clients’ Personal Data
BALKAN HOLIDAYS SERVICES LTD stores personal data of its clients on paper and/or electronic media for periods aligned with the purposes of their collection. The retention periods are defined in the personal data retention procedures adopted within the Company. The specified periods are lawful and justified by the legitimate interests of both parties.
5.2. Storage of Employees’ Personal Data
In accordance with the requirements of the Labor Code, the Social Security Code, the Accounting Act, and the Regulation on Employment Records and Employment History, BALKAN HOLIDAYS SERVICES LTD stores, for a period not shorter than 50 years from the termination of the relevant employment relationship, on paper and/or electronic media, the employment records and documents certifying the remuneration paid to employees.
5.3. Storage of Personal Data of Civil Contract Counterparties
In accordance with the requirements of the Obligations and Contracts Act, BALKAN HOLIDAYS SERVICES LTD stores, for the entire duration of their validity and 3 years after their termination, the contracts with civil contract counterparties and the documents related to them, on paper and/or electronic media. In accordance with the requirements of the Social Security Code and the Accounting Act, BALKAN HOLIDAYS SERVICES LTD stores, for a period not shorter than 50 years from the termination of the relevant relationship, on paper and/or electronic media, the documents certifying the remuneration paid to civil contract counterparties.
5.4. Storage of Personal Data of Suppliers and Joint Controllers
BALKAN HOLIDAYS SERVICES LTD stores personal data of its suppliers and joint controllers for lawful periods justified by a contract or the legitimate interests of both parties.
6. Integrity and Confidentiality
BALKAN HOLIDAYS SERVICES LTD processes personal data in a manner that ensures an appropriate level of their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical and organizational measures and complying with the standards and requirements for information security of the Integrated Quality and Information Security Management System ISO 9001:2015 and ISO/IEC 27001:2013.
7. Accountability
BALKAN HOLIDAYS SERVICES LTD is responsible for complying with the principles outlined in this policy and requires their compliance by its employees, counterparts, suppliers, and all natural and legal persons processing personal data on behalf of BALKAN HOLIDAYS SERVICES LTD and under its instruction.

VI. CATEGORY OF PERSONAL DATA AND DATA SUBJECTS

BALKAN HOLIDAYS SERVICES LTD processes personal data provided by the data subject through a contract, consent declaration, or another document initiated by the individual, for the purpose of performing an activity requested by the data subject or in connection with the exercise of rights. BALKAN HOLIDAYS SERVICES LTD processes data of clients and potential clients for the purposes of entering into and performing contracts with them. This category includes data of natural persons representing specific legal entities, clients of the Company, and their contact persons or of natural persons as direct consumers of the products/services provided by the Company. As an employer, BALKAN HOLIDAYS SERVICES LTD processes personal data of its employees in compliance with regulatory requirements and the acts of the National Revenue Agency (NRA) and National Insurance Institute (NII). For additional purposes beyond the regulatory ones, the Company processes personal data of its employees for purposes such as social benefits, organizing team-building activities, consulting and team building, and others; control of activities in accordance with the Video Surveillance Policy; insurance, and others, based on consent from the employees. BALKAN HOLIDAYS SERVICES LTD processes personal data of civil contract counterparties – natural persons with whom it has concluded a contract for the performance of a specific activity. BALKAN HOLIDAYS SERVICES LTD processes personal data of suppliers and joint administrators, specifically of natural persons representing the specific legal entities, suppliers, partners, and joint administrators of the Company and their employees/representatives listed for contact.
BALKAN HOLIDAYS SERVICES LTD does not process special categories of personal data except for: – Data concerning the health status of its employees: – In connection with legal requirements, during the appointment of employees; – For the purposes of occupational medicine and the health and safety conditions of work for employees; – Legal basis: Labor Code, Article 40a; Regulation on cash compensations and aids from the National Social Security Institute (NSSI); Regulation on the procedure for submission to the NSSI of data from issued sick leave certificates and decisions on their appeal. – In connection with the exercise of employees’ rights during temporary incapacity for work; – In connection with the exercise of employees’ rights during permanently reduced working capacity.

VII. EMPLOYEE OBLIGATIONS REGARDING PERSONAL DATA PROTECTION

 All employees of BALKAN HOLIDAYS SERVICES LTD are required to be familiar with and comply with the requirements of this policy, as well as all Company policies and rules regarding the protection and security of processed personal data. All employees processing personal data in the performance of their duties must ensure that: – Information is accurate and up-to-date; – The use of information is necessary for the purpose and is not retained longer than necessary, including not creating unregulated copies; – Information is protected. Employees are not permitted to export personal data in any form off-site, except with explicit permission from their direct supervisor and solely for the purposes of performing job duties. The Company will provide training for all employees regarding the policies, rules, and procedures for the protection of personal data. All employees are required to adhere to the principles of processing and protecting personal data outlined in this policy and its accompanying policies and procedures. Failure to comply with the principles of personal data protection may lead to data security breaches. The employee is responsible for actions performed by them, and in case of breaches, they are subject to administrative and disciplinary measures according to the applicable legislation.

VIII. INFORMATION PROVIDED BY THE COMPANY WHEN PROCESSING PERSONAL DATA

In cases where BALKAN HOLIDAYS SERVICES LTD receives personal data from a data subject, it provides them with information about: – The company’s details and its representatives; – Contact details for the data protection officer; – The purposes of processing personal data and the legal basis for processing; – The recipients or categories of recipients to whom the data may be disclosed; – Information on whether providing personal data is mandatory, contractually required, or necessary for entering into or performing a contract, or requested by the data subject (i.e., it is voluntary) and the consequences of refusing to provide it; – Information about the data subject’s rights; – The retention period for the data or the criteria determining the storage period; – The right to lodge a complaint with a competent authority. The above information is provided even when personal data has not been obtained from the data subject (at the first contact with them), unless the data subject already has this information. When personal data has not been obtained from the data subject, BALKAN HOLIDAYS SERVICES LTD is obliged to provide the data subject, upon request, with any available information about its source. The above requirements do not apply in cases where personal data has not come from the data subject, but the receipt or disclosure thereof is expressly authorized by EU law or national legislation, and appropriate measures are provided to protect the legitimate interests of BALKAN HOLIDAYS SERVICES LTD.

IX. DATA SUBJECT RIGHTS

According to Regulation 2016/679 and applicable Bulgarian legislation, data subjects have the following rights:
1. Right of Access
The data subject has the right to obtain from BALKAN HOLIDAYS SERVICES LTD information on whether the Company processes his personal data and, if so, he has the right to access them and information about: – The purposes of processing; – The relevant categories of personal data being processed; – The recipients or categories of recipients to whom his personal data have been or may be disclosed, including recipients in third countries or international organizations; – The envisaged period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; – The existence of the right to request rectification or erasure of his personal data or restriction of processing, or to object to such processing; – The right to lodge a complaint with the supervisory authority; – The source of personal data, when they are not collected directly from the data subject; – The existence of automated decision-making, including profiling, and the significance and envisaged consequences of such processing for the data subject.
2. Right to Rectification
The data subject has the right to request from the Company without undue delay the rectification of inaccurate personal data concerning him and to have incomplete personal data completed.
3. Right to Erasure (Right to be Forgotten)
The data subject has the right to request from the Company the erasure of his personal data, and the Company is obliged to erase them without undue delay when one of the following grounds applies: – The personal data are no longer necessary for the purposes for which they were collected or otherwise processed; – The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing; – The data subject objects to the processing pursuant to Article 21(1) of Regulation 2016/679 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of Regulation 2016/679; – The personal data have been unlawfully processed. The Company ceases processing personal data in cases specified in Article 7.3, item “v”: – Whenever it receives an objection under Article 7.7.2 for the purposes of direct marketing; – Upon receiving an objection under Article 7.7.1, if it does not demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. Cessation of processing does not occur when: – A legally prescribed period for mandatory data retention has not expired; – The processing is based on an obligation under a contract between BALKAN HOLIDAYS SERVICES LTD and the data subject, and the contract has not been terminated; – The processing is necessary for the establishment, exercise, or defense of legal claims; – The processing is necessary to comply with a legal obligation to which the Company is subject.
4. Right to Restriction of Processing
The data subject has the right to request from BALKAN HOLIDAYS SERVICES LTD restriction of processing if: – The processing is unlawful, but he opposes the erasure of the personal data and requests the restriction of their use instead; – BALKAN HOLIDAYS SERVICES LTD no longer needs his personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims. Data whose processing is restricted pursuant to Article 7.4 are processed only with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or the Republic of Bulgaria. When the data subject has requested a restriction of processing pursuant to Article 7.4, BALKAN HOLIDAYS SERVICES LTD informs him before lifting the restriction on processing. Upon carrying out rectification, erasure, or restriction of processing of personal data, BALKAN HOLIDAYS SERVICES LTD informs the data subject about each action taken to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company informs the data subject about these recipients if the data subject requests it.
5. Right to Object
The data subject has the right to object, on grounds relating to his particular situation, at any time to processing of personal data concerning him which is based on the performance of a task carried out in the public interest or the exercise of official authority vested in BALKAN HOLIDAYS SERVICES LTD or the processing is necessary for the purposes of the legitimate interests pursued by BALKAN HOLIDAYS SERVICES LTD or by a third party.
BALKAN HOLIDAYS SERVICES LTD shall cease processing personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. When BALKAN HOLIDAYS SERVICES LTD processes personal data for direct marketing purposes, the data subject has the right to object at any time to processing of his personal data for such marketing, including profiling related to such direct marketing. In case of an objection, BALKAN HOLIDAYS SERVICES LTD ceases processing personal data for direct marketing purposes. At the time of first communication with the data subject, BALKAN HOLIDAYS SERVICES LTD expressly informs him of his right to object in a clear and separate manner from any other information. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him. The Company applies internal rules and Procedure PRO 04 – Procedure for Managing Data Subject Requests, which regulate the procedure and conditions for acceptance, consideration, and response to requests from individuals to exercise their rights as data subjects.

X. COLLABORATION OF DATA SUBJECTS IN EXERCISING THEIR RIGHTS

BALKAN HOLIDAYS SERVICES LTD is obliged to provide transparent and accessible information to the data subjects whose personal data it processes, in writing, orally, or by other means, upon their request. BALKAN HOLIDAYS SERVICES LTD assists in the exercise of the rights of the data subject whose personal data it processes and cannot refuse to take action upon his request to exercise his rights, unless it is unable to identify him. BALKAN HOLIDAYS SERVICES LTD provides the data subject with information about the actions taken upon his request regarding the exercise of his rights without undue delay and in any case within one month of receiving the request. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. BALKAN HOLIDAYS SERVICES LTD informs the data subject of any such extension within one month of receiving the request, stating the reasons for the delay. When the data subject submits a request electronically, if possible, the information is provided in the same manner, unless the data subject has requested otherwise. His right to receive a copy of the information or access to his personal data must not adversely affect the rights and freedoms of other data subjects whose data are processed. If BALKAN HOLIDAYS SERVICES LTD does not take action on the data subject’s request, it notifies him without delay and no later than one month after receiving the request of the reasons for not taking action and of the possibility of lodging a complaint with the Commission for Personal Data Protection (CPDP) and seeking judicial remedy. Information provided to the data subject upon his request and any communication and actions related to the exercise of his rights are provided free of charge. 
When the data subject’s requests are manifestly unfounded or excessive, especially because of their repetitive nature, BALKAN HOLIDAYS SERVICES LTD may:
– impose a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the requested action, or
– refuse to take action on the request.
When BALKAN HOLIDAYS SERVICES LTD has reasonable doubts about the identity of the individual submitting a request to exercise his rights, it may request additional information and/or documents necessary to confirm the identity of the data subject.

XI. MANAGEMENT OF THE RELATIONSHIP BETWEEN DATA CONTROLLER AND DATA PROCESSOR

As the data controller, BALKAN HOLIDAYS SERVICES LTD implements appropriate technical and organizational measures, including the current Policy, to ensure and be able to demonstrate that it processes personal data in accordance with Regulation 2016/679 and applicable national legislation, taking into account the nature, scope, context, and purposes of processing, as well as the risks, with varying likelihood and severity, to the rights and freedoms of individuals. These measures are reviewed and updated as necessary. BALKAN HOLIDAYS SERVICES LTD has implemented a certified Integrated Management System for Quality and Information Security ISO 9001:2015 and ISO/IEC 27001:2013, which is a prerequisite for adequate protection of data and the rights of data subjects.
Data Processors
Data processors acting on behalf of BALKAN HOLIDAYS SERVICES LTD include all employees and contractors under civil contracts when processing personal data in connection with the performance of their official or contractual duties. For the purposes of this Policy, data processors also include all natural and legal persons who, based on contracts concluded with BALKAN HOLIDAYS SERVICES LTD, perform data processing operations. When entrusting the processing of personal data, BALKAN HOLIDAYS SERVICES LTD only uses data processors who provide sufficient guarantees to apply appropriate technical and organizational measures in such a way that the processing complies with the requirements of Regulation 2016/679 and applicable national legislation, and ensures the protection of data and the rights of data subjects. Data processors acting on behalf of BALKAN HOLIDAYS SERVICES LTD do not involve other data processors without the prior specific or general written permission of BALKAN HOLIDAYS SERVICES LTD.
In the event that BALKAN HOLIDAYS SERVICES LTD provides the data processor with general written permission, the data processor must inform BALKAN HOLIDAYS SERVICES LTD in advance of any planned changes to include or replace data processors, with BALKAN HOLIDAYS SERVICES LTD reserving the right to challenge these changes. Processing by data processors is regulated by a contract or other legal act specifying the nature and purpose of the processing, the duration of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the processor and BALKAN HOLIDAYS SERVICES LTD. For the data processor, the following obligations are mandatory:
– to act solely on the instructions of BALKAN HOLIDAYS SERVICES LTD;
– to ensure that persons authorized to process personal data have committed to confidentiality or are under a legal obligation to maintain confidentiality;
– to assist BALKAN HOLIDAYS SERVICES LTD with all appropriate means to ensure compliance with the provisions regarding the rights of data subjects;
– to take all necessary security measures in processing;
– at the option of BALKAN HOLIDAYS SERVICES LTD, to delete or return to BALKAN HOLIDAYS SERVICES LTD all personal data upon completion of the data processing services and to delete existing copies, unless the law of the European Union or the legislation of the Republic of Bulgaria requires the retention of personal data;
– to provide BALKAN HOLIDAYS SERVICES LTD with all information necessary to demonstrate compliance with the agreed commitments;
– to comply with the conditions mentioned above for the inclusion of another data processor;
– to assist BALKAN HOLIDAYS SERVICES LTD in fulfilling its obligations under Articles 32-36 of Regulation 2016/679, taking into account the nature of the processing entrusted to it and the information to which it has access;
– to promptly notify BALKAN HOLIDAYS SERVICES LTD of any breaches related to personal data processed or accessible by it.
When a data processor entrusted with the processing of personal data on behalf of BALKAN HOLIDAYS SERVICES LTD, through a contract or other legal act, involves another data processor for carrying out specific processing activities, the same obligations for data protection apply to that other data processor as those provided for in the contract or act between BALKAN HOLIDAYS SERVICES LTD and the data processor. The other data processor must provide sufficient guarantees for the application of appropriate technical and organizational measures to ensure that the processing it performs complies with legal requirements. In all cases, the initial data processor bears full responsibility to BALKAN HOLIDAYS SERVICES LTD for the fulfillment of the obligations of the other data processor to whom it has entrusted specific processing activities.

XII. MAINTENANCE OF REGISTERS FOR PERSONAL DATA PROCESSING

The information systems for processing data of clients, employees, and contractors are electronic registers owned by BALKAN HOLIDAYS SERVICES LTD. The automated processing systems maintain records (logs) for at least the following processing operations: collection, alteration, retrieval, disclosure, and deletion. Records of performed retrievals allow for establishing the date and time of such operations and, where possible, the identification of the person who made the retrieval. These records are used solely for verifying the legality of processing, for self-monitoring, for ensuring the integrity and security of personal data, and in criminal proceedings. BALKAN HOLIDAYS SERVICES LTD establishes rules for the collection and storage of personal data, as well as for the periods and methods of data destruction from the respective registers, in accordance with special laws and adopted rules for information security. As the data controller and data processor, in the course of its activities, the Company maintains the following registers electronically:
– Register of general terms/declarations for the protection of personal data
The information in the registers contains the requirements of Article 30 of Regulation 2016/679, as well as Article 62, paragraph 1 and paragraph 2 of the Personal Data Protection Act. The mentioned registers are maintained in written form, and upon request, the Company provides access to them to the Commission for Personal Data Protection.

XIII. DATA PROTECTION OFFICER

 BALKAN HOLIDAYS SERVICES LTD appoints a Data Protection Officer (DPO) and publishes their contact details on its public website. BALKAN HOLIDAYS SERVICES LTD ensures that the DPO participates appropriately and timely in resolving all matters related to data protection. BALKAN HOLIDAYS SERVICES LTD and the data processors acting on its behalf assist the DPO in performing their designated functions by providing the resources necessary for carrying out these functions, granting access to relevant registers, personal data, and processing operations. BALKAN HOLIDAYS SERVICES LTD ensures that the DPO can develop and maintain their expertise. Data subjects can contact the DPO regarding any issues related to the processing of their personal data and the exercise of their rights. The DPO is obligated to maintain the confidentiality or secrecy of the functions performed by them in accordance with national legislation. The Data Protection Officer may also perform other functions and obligations. BALKAN HOLIDAYS SERVICES LTD takes necessary measures to ensure that these functions and obligations do not conflict with the DPO’s activities in data protection. 
Key functions and obligations of the Data Protection Officer:
– Represents the company to the Commission for Personal Data Protection (CPDP);
– Informs and advises BALKAN HOLIDAYS SERVICES LTD or data processors acting on its behalf, including employees involved in processing, about their obligations under Regulation 2016/679 and other provisions of European and national legislation related to data protection;
– Ensures compliance with Regulation 2016/679, other provisions of European and national legislation, and internal rules of BALKAN HOLIDAYS SERVICES LTD regarding data protection, including overseeing the assignment of responsibilities related to data processing, raising awareness, and training of staff involved in processing operations;
– Provides consultations regarding the data protection impact assessment upon request and ensures its conduct in accordance with Article 35 of Regulation 2016/679;
– Collaborates with the Commission for Personal Data Protection (CPDP);
– Acts as a contact point for the CPDP on matters related to processing, including during prior consultation as per Article 36 of Regulation 2016/679, and consults with the CPDP on any other relevant matters.
In performing their functions, the DPO duly assesses the risks associated with processing operations and takes into account the nature, scope, context, and purposes of the processing.

XIV. DATA SECURITY AND BREACHES OF SECURITY

BALKAN HOLIDAYS SERVICES LTD implements appropriate technical and organizational measures to ensure a level of security commensurate with the risks, with varying likelihood and severity for the rights of individuals. The company requires its employees and third parties processing personal data on its behalf to adhere to the respective policies and rules described in the Data Management System (DMS). The implementation of specific organizational and technical measures is based on identified risks to personal data, taking into account and ensuring:
– Adequate training by function and level;
– Integration of data protection into the duties of employees;
– Monitoring of staff and external parties for compliance with relevant policies and rules;
– Control of physical and logical access to electronic and paper records;
– Control over the use of portable electronic devices outside the workplace;
– Control over the use of employees’ personal devices;
– Imposition of contractual obligations on processing organizations to take appropriate security measures when the data is under their control and others.
BALKAN HOLIDAYS SERVICES LTD takes actions to ensure that any individual acting under its direction who has access to personal data processes that data only on the instructions of BALKAN HOLIDAYS SERVICES LTD, unless required to do so by law or direct contractual relationships with the individual. In the event of a breach of the security of personal data, BALKAN HOLIDAYS SERVICES LTD applies the established PRO 05 – Procedure for Response and Notification in Case of Personal Data Breach.