Privacy Policy - Personal Data Processing Policy
I. SUBJECT, PURPOSE AND SCOPE

BALKAN HOLIDAYS SERVICES LTD conducts activities as a tour operator, travel agency and provider of auxiliary tourist services, and is a controller of personal data. The company processes personal data itself or assigns processing to others, in compliance with the Personal Data Protection Act (PDPA), applicable European legislation (Regulation (EU) 2016/679 of the European Parliament and of the Council and related documents), secondary legislation on the protection of personal data, its certified Information Security Management System (ISO/IEC 27001:2013), and its internal rules for the processing and protection of personal data.

This Data Protection Policy of BALKAN HOLIDAYS SERVICES EOOD (hereinafter the Policy) defines the basic principles and rules for the processing of personal data, the rights of data subjects, the obligations and responsibilities of BALKAN HOLIDAYS SERVICES EOOD as a data controller, the functions of the data protection officer, and the registers maintained by BALKAN HOLIDAYS SERVICES EOOD for the processing of personal data.

The Policy is part of a comprehensive system of internal regulations and technical and organizational measures that BALKAN HOLIDAYS SERVICES EOOD maintains to ensure that its employees, contractors, and all other natural and legal persons who process personal data on its behalf strictly comply with applicable European and national legislation and internal rules, thereby ensuring the protection and security of the personal data of individuals (data subjects).

The protection and security of personal data is a fundamental principle in the execution of the business processes of BALKAN HOLIDAYS SERVICES EOOD. Compliance with it is an obligation and responsibility of every employee and is shared by all organizational units of the company. This Policy develops the principle into specific rules and aims to assist employees in their daily work with personal data so that they do not breach it. A breach of the security of personal data may pose a high risk to the rights of the affected individuals and may have significant negative consequences for BALKAN HOLIDAYS SERVICES EOOD and for the employees who have violated applicable regulatory requirements or the Company's internal regulations. Any non-compliance with this Policy is therefore treated as a serious violation.

To maintain compliance with European and national legislation on personal data, the management of the Company has approved and maintains a set of documented policies and rules for the security and protection of the personal data processed in BALKAN HOLIDAYS SERVICES EOOD. All employees are required to be familiar with and apply the relevant policies and rules of BALKAN HOLIDAYS SERVICES EOOD. The Company requires external parties with whom it establishes commercial relationships to comply with the principles set out in this Policy.
II. RELATED DOCUMENTS

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2. Personal Data Protection Act
3. Labour Code (in force since 01.01.1987, promulgated SG No. 26 of April 1, 1986, amend. and suppl. SG No. 30 of April 3, 2018) – (LC)
4. Social Security Code (promulgated SG No. 110 of December 17, 1999, amend. and suppl. SG No. 30 of April 3, 2018) – (SSC)
5. Health and Safety at Work Act (promulgated SG No. 124 of December 23, 1997; SG No. 97 of December 5, 2017) – (HSWA)
6. Regulation No. 4 of May 11, 1993, on the documents necessary for concluding an employment contract (issued by the Minister of Labour and Social Policy, promulgated SG No. 44 of May 25, 1993, amend. and suppl. SG No. 99 of December 12, 2017)
7. Other laws specific to the activities of BALKAN HOLIDAYS SERVICES EOOD
8. Information Security Policies and Procedures of the Information Security Management System
9. Policies and procedures of the Personal Data Management System:
– POL 02 Policy for Employee Personal Data Protection
– POL 03 Policy for Personal Data Protection Training
– PRO 01 Data Confidentiality Procedure
– PRO 02 Subject Consent Procedure
– PRO 03 Consent Withdrawal Procedure
– PRO 04 Subject Requests Management Procedure
– PRO 05 Data Breach Response and Notification Procedure
– PRO 06 Supplier/Subcontractor Process Management Procedure
III. TERMS, DEFINITIONS AND ABBREVIATIONS

Personal Data: Any information relating to an identified or identifiable natural person ("data subject").

Data Subject: A natural person who has been identified or who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing of Personal Data: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Register of Personal Data: Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed on a functional or geographical basis.

Data Subject Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Recipient: A natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of those data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing.

Processing Restriction: The marking of stored personal data with the aim of limiting their processing in the future.

Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.

Third Party: A natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Rights of the Data Subject: The subjective rights of individuals whose personal data are being processed, as specified in Articles 12-23 of Regulation 2016/679, including but not limited to:
– Right to information and access to personal data (including obtaining a copy);
– Right to rectification and erasure ("right to be forgotten");
– Right to restriction of processing;
– Right to data portability;
– Right to object, including in the context of automated decision-making.
IV. ROLES AND RESPONSIBILITIES

Data Controller Role: Balkan Holidays Services Ltd. acts as the data controller and, in certain cases, processes personal data on behalf of others.

Management Responsibility: Management is responsible for developing and promoting compliance with the principles and best practices for personal data processing within and on behalf of the Company, in order to comply with European and national legislation.

Responsibilities and Duties: Specific responsibilities and duties are set out in this policy and in all policies and rules of Balkan Holidays Services Ltd. related to the processing, security, and protection of personal data.

Responsibility of Departmental Managers: All managers of structural units within the Company are responsible for monitoring compliance with the implemented rules for the protection of personal data and report directly to management. Specific responsibilities and duties by function and level are set out in the policies and procedures of the present Data Management System.

Responsibilities of the Data Protection Officer (DPO): The responsibilities and duties of the Data Protection Officer are documented in RD 1.1 – Job Description of the Data Protection Officer. The employee is familiar with them and confirms acceptance by signing the job description. The DPO is responsible for:
– Ensuring that the processes and activities of Balkan Holidays Services Ltd. comply with this policy and with all Company policies and rules in the field of personal data protection and security;
– Acting as contact person: the DPO makes decisions on requests from data subjects, clarifies personal data questions raised by employees, and communicates with the supervisory authority, the Commission for Personal Data Protection.

Maintaining Compliance: Compliance with data protection legislation is the responsibility of every employee of the Company who performs personal data processing operations.

Training Policy: Balkan Holidays Services Ltd. has implemented POL 03 – Training Policy on Personal Data Protection, which sets out specific requirements for training employees and raising their awareness and understanding of data protection.
V. BASIC PRINCIPLES RELATED TO PERSONAL DATA PROCESSING

BALKAN HOLIDAYS SERVICES LTD processes personal data in compliance with the following principles:

1. Lawfulness, Fairness, and Transparency
The company processes personal data lawfully, fairly, and in a transparent manner with regard to the data subjects.

1.1. Lawfulness of Processing
Every processing of personal data by BALKAN HOLIDAYS SERVICES LTD rests on a valid legal basis and is carried out in compliance with the external and internal regulatory framework. The legal bases are alternative: any one of them is sufficient to make the processing lawful. Processing is lawful under the following conditions:
– When necessary for compliance with a legal obligation applicable to the activities of BALKAN HOLIDAYS SERVICES LTD;
– When the data subject has given consent to the processing of their personal data for one or more specific purposes, by providing the Company with the relevant written documents and/or through other actions and technical means (including electronically);
– When necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract (such as an employment contract, client contract, supplier contract, contractor contract, service provision contract, or product delivery contract);
– To protect the vital interests of the data subject or of another natural person;
– For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (including processing related to providing information to a public authority);
– For the purposes of the legitimate interests pursued by BALKAN HOLIDAYS SERVICES LTD or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

Lawfulness of Processing of Clients' and Suppliers' Data
BALKAN HOLIDAYS SERVICES LTD processes personal data of its clients and suppliers in accordance with legal requirements, for the purposes of its legitimate interests, and in connection with the performance of contracts between the parties.

Lawfulness of Processing of Employees' Data
BALKAN HOLIDAYS SERVICES LTD processes personal data of its employees on the basis of applicable labor, social security, and tax legislation, in its capacity as employer (insurer), and in connection with the conclusion and performance of employment contracts.

Lawfulness of Processing of Non-Employment-related Contractors' Data
BALKAN HOLIDAYS SERVICES LTD processes personal data of non-employment-related contractors who are natural persons on the basis of applicable social security and tax legislation, in its capacity as principal (insurer), and in connection with the conclusion and performance of contracts with those contractors.

1.2. Fairness and Transparency
In compliance with the principle of transparency, BALKAN HOLIDAYS SERVICES LTD informs its employees, clients, suppliers, contractors, and partners, in an appropriate, clear, and understandable manner, about the collection and processing of their personal data by BALKAN HOLIDAYS SERVICES LTD and about their rights regarding the protection of their personal data, including through information on its website. BALKAN HOLIDAYS SERVICES LTD assists data subjects in exercising their rights. Employees, and suppliers and partners acting as data processors, are informed of the rights of clients as data subjects and are obliged to provide them with information and assistance in this regard.

2. Purpose Limitation
BALKAN HOLIDAYS SERVICES LTD collects personal data for specific, legitimate purposes explicitly stated in the relevant regulatory acts, contracts, consents, or other documents and forms, and does not process them further in a manner incompatible with the initially defined purposes.

3. Data Minimization
BALKAN HOLIDAYS SERVICES LTD processes personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

4. Accuracy
BALKAN HOLIDAYS SERVICES LTD takes all reasonable measures to ensure the timely correction or erasure of inaccurate data, having regard to the purposes for which they are processed, and makes efforts to keep personal data up to date. In compliance with the principle of accuracy and in order to fulfill its obligations to the data subjects properly, BALKAN HOLIDAYS SERVICES LTD encourages them to report any changes in their personal data and provides assistance for updating their data.

5. Storage Limitation
BALKAN HOLIDAYS SERVICES LTD stores personal data in a form that permits identification of the data subject for no longer than the period specified by a regulatory act. Where no such act applies, the data is retained for no longer than is necessary for the purposes for which the personal data is processed. Once the purpose of processing has been achieved, or once a specific retention period set by a regulatory act has expired, BALKAN HOLIDAYS SERVICES LTD, as the data controller, is obliged to destroy the personal data. BALKAN HOLIDAYS SERVICES LTD may transfer personal data to another controller after notifying the Commission for Personal Data Protection (CPDP), if the transfer is provided for by law and the purposes of the processing are identical.

5.1. Storage of Clients' Personal Data
BALKAN HOLIDAYS SERVICES LTD stores personal data of its clients on paper and/or electronic media for periods aligned with the purposes of their collection. The retention periods are defined in the personal data retention procedures adopted within the Company. The specified periods are lawful and justified by the legitimate interests of both parties.

5.2. Storage of Employees' Personal Data
In accordance with the requirements of the Labour Code, the Social Security Code, the Accounting Act, and the Regulation on Employment Records and Employment History, BALKAN HOLIDAYS SERVICES LTD stores, for a period not shorter than 50 years from the termination of the relevant employment relationship, on paper and/or electronic media, the employment records and the documents certifying the remuneration paid to employees.

5.3. Storage of Personal Data of Civil Contract Counterparties
In accordance with the requirements of the Obligations and Contracts Act, BALKAN HOLIDAYS SERVICES LTD stores the contracts with civil contract counterparties and the documents related to them, on paper and/or electronic media, for the entire duration of their validity and for 3 years after their termination. In accordance with the requirements of the Social Security Code and the Accounting Act, BALKAN HOLIDAYS SERVICES LTD stores the documents certifying the remuneration paid to civil contract counterparties, on paper and/or electronic media, for a period not shorter than 50 years from the termination of the relevant relationship.

5.4. Storage of Personal Data of Suppliers and Joint Controllers
BALKAN HOLIDAYS SERVICES LTD stores personal data of its suppliers and joint controllers for lawful periods justified by a contract or by the legitimate interests of both parties.

6. Integrity and Confidentiality
BALKAN HOLIDAYS SERVICES LTD processes personal data in a manner that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical and organizational measures and by complying with the information security standards and requirements of its Integrated Quality and Information Security Management System (ISO 9001:2015 and ISO/IEC 27001:2013).

7. Accountability
BALKAN HOLIDAYS SERVICES LTD is responsible for complying with the principles set out in this policy and requires compliance with them by its employees, counterparties, suppliers, and all natural and legal persons processing personal data on behalf of BALKAN HOLIDAYS SERVICES LTD and under its instructions.
VI. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS

BALKAN HOLIDAYS SERVICES LTD processes personal data provided by the data subject through a contract, a consent declaration, or another document initiated by the individual, for the purpose of performing an activity requested by the data subject or in connection with the exercise of rights.

BALKAN HOLIDAYS SERVICES LTD processes data of clients and potential clients for the purposes of entering into and performing contracts with them. This category includes data of natural persons who represent legal entities that are clients of the Company and their contact persons, as well as data of natural persons who are direct consumers of the products and services provided by the Company.

As an employer, BALKAN HOLIDAYS SERVICES LTD processes personal data of its employees in compliance with regulatory requirements and the acts of the National Revenue Agency (NRA) and the National Social Security Institute (NSSI). For additional purposes beyond the regulatory ones, the Company processes personal data of its employees, on the basis of their consent, for purposes such as social benefits; organizing team-building activities; consulting and team building; control of activities in accordance with the Video Surveillance Policy; insurance; and others.

BALKAN HOLIDAYS SERVICES LTD processes personal data of civil contract counterparties, that is, natural persons with whom it has concluded a contract for the performance of a specific activity.

BALKAN HOLIDAYS SERVICES LTD processes personal data of suppliers and joint controllers, specifically of the natural persons who represent the legal entities that are suppliers, partners, and joint controllers of the Company, and of their employees and representatives listed for contact.

BALKAN HOLIDAYS SERVICES LTD does not process special categories of personal data, except for data concerning the health status of its employees, which it processes:
– In connection with legal requirements, when appointing employees;
– For the purposes of occupational medicine and the health and safety conditions of work for employees;
– In connection with the exercise of employees' rights during temporary incapacity for work;
– In connection with the exercise of employees' rights during permanently reduced working capacity.
Legal basis: Labour Code, Article 40a; Regulation on cash compensations and aids from the National Social Security Institute (NSSI); Regulation on the procedure for submission to the NSSI of data from issued sick leave certificates and decisions on their appeal.
VII. EMPLOYEE OBLIGATIONS REGARDING PERSONAL DATA PROTECTION

All employees of BALKAN HOLIDAYS SERVICES LTD are required to be familiar with and comply with the requirements of this policy and of all Company policies and rules regarding the protection and security of the personal data processed. All employees who process personal data in the performance of their duties must ensure that:
– The information is accurate and up to date;
– The use of the information is necessary for the purpose, and the information is not retained longer than necessary, which includes not creating unregulated copies;
– The information is protected.

Employees are not permitted to take personal data off-site in any form, except with the explicit permission of their direct supervisor and solely for the purpose of performing their job duties. The Company will provide training for all employees on the policies, rules, and procedures for the protection of personal data. All employees are required to adhere to the principles for processing and protecting personal data set out in this policy and its accompanying policies and procedures. Failure to comply with these principles may lead to personal data breaches. Each employee is responsible for their own actions and, in the event of a breach, is subject to administrative and disciplinary measures in accordance with the applicable legislation.
VIII. INFORMATION PROVIDED BY THE COMPANY WHEN PROCESSING PERSONAL DATA

When BALKAN HOLIDAYS SERVICES LTD receives personal data from a data subject, it provides the data subject with information about:
– The company's details and its representatives;
– The contact details of the data protection officer;
– The purposes of the processing and its legal basis;
– The recipients or categories of recipients to whom the data may be disclosed;
– Whether providing the personal data is a statutory or contractual requirement, or a requirement necessary to enter into or perform a contract, or is requested by the data subject (i.e., voluntary), and the consequences of refusing to provide it;
– The data subject's rights;
– The retention period for the data, or the criteria used to determine that period;
– The right to lodge a complaint with a competent authority.

The same information is provided when the personal data has not been obtained from the data subject (at the latest at the first contact with them), unless the data subject already has this information. When the personal data has not been obtained from the data subject, BALKAN HOLIDAYS SERVICES LTD is obliged to provide the data subject, upon request, with any available information about its source. These requirements do not apply where the personal data has not come from the data subject but its receipt or disclosure is expressly authorized by EU law or national legislation, and appropriate measures are provided to protect the legitimate interests of BALKAN HOLIDAYS SERVICES LTD.
IX. DATA SUBJECT RIGHTS

Under Regulation 2016/679 and applicable Bulgarian legislation, data subjects have the following rights:

1. Right of Access
The data subject has the right to obtain from BALKAN HOLIDAYS SERVICES LTD confirmation as to whether the Company processes their personal data and, if so, the right to access those data and the following information:
– The purposes of the processing;
– The categories of personal data concerned;
– The recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
– The envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
– The existence of the right to request rectification or erasure of the personal data, restriction of processing, or to object to such processing;
– The right to lodge a complaint with the supervisory authority;
– The source of the personal data, where they are not collected directly from the data subject;
– The existence of automated decision-making, including profiling, and the significance and envisaged consequences of such processing for the data subject.

2. Right to Rectification
The data subject has the right to obtain from the Company, without undue delay, the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.

3. Right to Erasure (Right to be Forgotten)
The data subject has the right to request from the Company the erasure of their personal data, and the Company is obliged to erase them without undue delay where one of the following grounds applies:
– The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– The data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
– The data subject objects to the processing pursuant to Article 21(1) of Regulation 2016/679 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of Regulation 2016/679;
– The personal data have been unlawfully processed.

The Company ceases processing personal data in the cases specified in Article 7.3, item "v":
– Whenever it receives an objection under Article 7.7.2 to processing for the purposes of direct marketing;
– Upon receiving an objection under Article 7.7.1, if it does not demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise, or defense of legal claims.

Processing does not cease when:
– A legally prescribed period for mandatory data retention has not expired;
– The processing is based on an obligation under a contract between BALKAN HOLIDAYS SERVICES LTD and the data subject, and the contract has not been terminated;
– The processing is necessary for the establishment, exercise, or defense of legal claims;
– The processing is necessary to comply with a legal obligation to which the Company is subject.

4. Right to Restriction of Processing
The data subject has the right to obtain from BALKAN HOLIDAYS SERVICES LTD restriction of processing where:
– The processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– BALKAN HOLIDAYS SERVICES LTD no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims.

Data whose processing is restricted pursuant to Article 7.4 are processed only with the data subject's consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or the Republic of Bulgaria. Where the data subject has obtained a restriction of processing pursuant to Article 7.4, BALKAN HOLIDAYS SERVICES LTD informs them before the restriction is lifted.

When BALKAN HOLIDAYS SERVICES LTD carries out a rectification, erasure, or restriction of processing of personal data, it communicates that action to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company informs the data subject about these recipients if the data subject requests it.

5. Right to Object
The data subject has the right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in BALKAN HOLIDAYS SERVICES LTD, or which is necessary for the purposes of the legitimate interests pursued by BALKAN HOLIDAYS SERVICES LTD or by a third party. BALKAN HOLIDAYS SERVICES LTD then ceases processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise, or defense of legal claims.

Where BALKAN HOLIDAYS SERVICES LTD processes personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling related to such direct marketing. In the event of an objection, BALKAN HOLIDAYS SERVICES LTD ceases processing the personal data for direct marketing purposes. At the latest at the time of the first communication with the data subject, BALKAN HOLIDAYS SERVICES LTD explicitly brings the right to object to their attention, clearly and separately from any other information.

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

The Company applies internal rules and Procedure PRO 04 – Procedure for Managing Data Subject Requests, which govern the procedure and conditions for accepting, considering, and responding to requests from individuals to exercise their rights as data subjects.
X.
COLLABORATION OF DATA SUBJECTS IN EXERCISING THEIR RIGHTS
BALKAN
HOLIDAYS SERVICES LTD is obliged to provide transparent and accessible
information to the data subjects whose personal data it processes, in writing,
orally, or by other means, upon their request. BALKAN HOLIDAYS SERVICES LTD
assists in the exercise of the rights of the data subject whose personal data
it processes and cannot refuse to take action upon his request to exercise his
rights, unless it is unable to identify him. BALKAN HOLIDAYS SERVICES LTD
provides the data subject with information about the actions taken upon his
request regarding the exercise of his rights without undue delay and in any
case within one month of receiving the request. If necessary, this period may
be extended by a further two months, taking into account the complexity and
number of requests. BALKAN HOLIDAYS SERVICES LTD informs the data subject of
any such extension within one month of receiving the request, stating the
reasons for the delay. When the data subject submits a request electronically,
if possible, the information is provided in the same manner, unless the data
subject has requested otherwise. His right to receive a copy of the information
or access to his personal data must not adversely affect the rights and
freedoms of other data subjects whose data are processed. If BALKAN HOLIDAYS
SERVICES LTD does not take action on the data subject’s request, it notifies
him without delay and no later than one month after receiving the request of
the reasons for not taking action and of the possibility of lodging a complaint
with the Commission for Personal Data Protection (CPDP) and seeking judicial
remedy. Information provided to the data subject upon his request and any
communication and actions related to the exercise of his rights are provided
free of charge. When the data subject's requests are manifestly unfounded or
excessive, especially because of their repetitive nature, BALKAN HOLIDAYS
SERVICES LTD may:
– impose a reasonable fee, taking into account the administrative costs of
providing the information or communication, or of taking the requested action, or
– refuse to take action on the request.
In either case BALKAN HOLIDAYS SERVICES LTD bears the burden of demonstrating
that the request is manifestly unfounded or excessive. When BALKAN
HOLIDAYS SERVICES LTD has reasonable doubts about the identity of the
individual submitting a request to exercise his rights, it may request
additional information and/or documents necessary to confirm the identity of
the data subject.
XI. MANAGEMENT OF THE RELATIONSHIP BETWEEN DATA CONTROLLER AND DATA PROCESSOR
As the data controller, BALKAN HOLIDAYS
SERVICES LTD implements appropriate technical and organizational measures,
including the current Policy, to ensure and be able to demonstrate that it
processes personal data in accordance with Regulation 2016/679 and applicable
national legislation, taking into account the nature, scope, context, and
purposes of processing, as well as the risks, with varying likelihood and
severity, to the rights and freedoms of individuals. These measures are
reviewed and updated as necessary. BALKAN HOLIDAYS SERVICES LTD has implemented
a certified Integrated Management System for Quality and Information Security
ISO 9001:2015 and ISO/IEC 27001:2013, which is a prerequisite for adequate
protection of data and the rights of data subjects.
Data Processors
Data processors acting on behalf of BALKAN HOLIDAYS SERVICES LTD include all
employees and contractors under civil contracts when processing personal data
in connection with the performance of their official or contractual duties. For
the purposes of this Policy, data processors also include all natural and legal
persons who, based on contracts concluded with BALKAN HOLIDAYS SERVICES LTD,
perform data processing operations. When entrusting the processing of personal
data, BALKAN HOLIDAYS SERVICES LTD only uses data processors who provide
sufficient guarantees to apply appropriate technical and organizational
measures in such a way that the processing complies with the requirements of
Regulation 2016/679, applicable national legislation, and ensures the
protection of data and the rights of data subjects. Data processors acting on
behalf of BALKAN HOLIDAYS SERVICES LTD do not involve other data processors
without the prior specific or general written authorisation of BALKAN HOLIDAYS
SERVICES LTD. Where BALKAN HOLIDAYS SERVICES LTD has given general written
authorisation, the data processor must inform BALKAN HOLIDAYS SERVICES LTD in
advance of any intended addition or replacement of other data processors, and
BALKAN HOLIDAYS SERVICES LTD reserves the right to object to such changes.
Processing by data processors is regulated by a
contract or other legal act specifying the nature and purpose of the
processing, the duration of the processing, the types of personal data and
categories of data subjects, and the obligations and rights of the processor
and BALKAN HOLIDAYS SERVICES LTD. The following obligations are mandatory for
the data processor:
– to process personal data solely on the documented instructions of BALKAN
HOLIDAYS SERVICES LTD;
– to ensure that persons authorized to process personal data have committed
themselves to confidentiality or are under a statutory obligation of
confidentiality;
– to assist BALKAN HOLIDAYS SERVICES LTD by all appropriate means in complying
with the provisions regarding the rights of data subjects;
– to take all necessary security measures in processing;
– at the option of BALKAN HOLIDAYS SERVICES LTD, to delete or return to BALKAN
HOLIDAYS SERVICES LTD all personal data upon completion of the data processing
services and to delete existing copies, unless the law of the European Union or
the legislation of the Republic of Bulgaria requires the retention of the
personal data;
– to provide BALKAN HOLIDAYS SERVICES LTD with all information necessary to
demonstrate compliance with the agreed commitments;
– to comply with the conditions set out above for the inclusion of another data
processor;
– to assist BALKAN HOLIDAYS SERVICES LTD in fulfilling its obligations under
Articles 32 to 36 of Regulation 2016/679 (security of processing, breach
notification and communication, data protection impact assessment and prior
consultation), taking into account the nature of the processing entrusted to it
and the information available to it;
– to notify BALKAN HOLIDAYS SERVICES LTD without undue delay of any breach of
the security of personal data processed by it or accessible to it.
When a data processor entrusted
with the processing of personal data on behalf of BALKAN HOLIDAYS SERVICES LTD,
through a contract or other legal act, involves another data processor for
carrying out specific processing activities, the same obligations for data
protection apply to that other data processor as those provided for in the
contract or act between BALKAN HOLIDAYS SERVICES LTD and the data processor.
The other data processor must provide sufficient guarantees for the application
of appropriate technical and organizational measures to ensure that the
processing it performs complies with legal requirements. In all cases, the
initial data processor bears full responsibility to BALKAN HOLIDAYS SERVICES
LTD for the fulfillment of the obligations of the other data processor to whom
it has entrusted specific processing activities.
XII. MAINTENANCE OF REGISTERS FOR PERSONAL DATA PROCESSING
The information systems for processing data of clients, employees, and
contractors are electronic registers owned by BALKAN HOLIDAYS SERVICES LTD. The automated
processing systems maintain records (logs) for at least the following
processing operations: collection, alteration, retrieval, disclosure, and
deletion. Records of performed retrievals allow for establishing the date and
time of such operations and, where possible, the identification of the person
who made the retrieval. These records are used solely for verifying the
legality of processing, for self-monitoring, for ensuring the integrity and
security of personal data, and in criminal proceedings. BALKAN HOLIDAYS
SERVICES LTD establishes rules for the collection and storage of personal data,
as well as for the periods and methods of data destruction from the respective
registers, in accordance with special laws and adopted rules for information
security. As data controller and, where applicable, data processor, in the
course of its activities the Company maintains the following registers
electronically:
– Register of general terms/declarations for the protection of personal data
The registers contain the information required by Article 30 of Regulation
2016/679 and by Article 62, paragraphs 1 and 2 of the Personal Data Protection
Act. They are maintained in writing, including in electronic form, and the
Company makes them available to the Commission for Personal Data Protection on
request.
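The logging requirement of this section (records of collection, alteration, retrieval, disclosure and deletion, with date and time and, where possible, the identity of the person who performed a retrieval, used among other things to ensure the integrity of the data) is illustrated below with an added Python example. It is not code from BALKAN HOLIDAYS SERVICES LTD or from this Policy; the class, the field names, the hash-chaining used to make later tampering with the log detectable, and the sample activity are all assumptions constructed for the illustration.

```python
"""Added example (not part of the Policy): an append-only audit log for the
five processing operations named in Section XII. Each entry carries a UTC
timestamp, the acting user where identifiable, and a reference to the affected
record (never the personal data itself). Entries are hash-chained, so altering,
removing or reordering an entry after the fact is detectable by verify().
All names, fields and sample entries are assumptions for illustration."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Operations the Policy requires to be logged (Section XII).
OPERATIONS = frozenset({"collection", "alteration", "retrieval", "disclosure", "deletion"})
GENESIS = "0" * 64  # link value of the first entry


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._last_hash = GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the entry's own hash; sort_keys gives a
        # canonical serialisation so an unchanged entry always hashes the same.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, operation: str, actor: Optional[str], record_ref: str,
               at: Optional[datetime] = None, detail: str = "") -> str:
        """Append one entry and return its hash. actor=None records that the
        person could not be identified (the "where possible" case)."""
        if operation not in OPERATIONS:
            raise ValueError(f"operation must be one of {sorted(OPERATIONS)}")
        when = at or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        entry = {
            "seq": len(self.entries),
            "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "op": operation,
            "actor": actor,
            "record": record_ref,   # reference only, no personal data in the log
            "detail": detail,
            "prev": self._last_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry["hash"]

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first entry
        whose content, sequence number or link to its predecessor is wrong."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def retrievals(self, actor: Optional[str] = None,
                   since: Optional[datetime] = None) -> list[dict]:
        """Who retrieved which record, and when: the question Section XII says
        the retrieval records must answer. Optional filters by actor and time."""
        out = []
        for e in self.entries:
            if e["op"] != "retrieval":
                continue
            if actor is not None and e["actor"] != actor:
                continue
            if since is not None and datetime.fromisoformat(e["ts"]) < since:
                continue
            out.append(e)
        return out


def sample_log() -> AuditLog:
    """Constructed activity for one client record (not real data)."""
    log = AuditLog()
    t = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("collection", "booking-portal", "client/4711", at=t, detail="online booking form")
    log.record("retrieval", "agent.ivanova", "client/4711", at=t.replace(minute=30))
    log.record("alteration", "agent.ivanova", "client/4711", at=t.replace(minute=35),
               detail="phone number corrected")
    log.record("retrieval", "agent.petrov", "client/4711", at=t.replace(hour=10))
    log.record("retrieval", None, "client/4711", at=t.replace(hour=10, minute=5),
               detail="shared reception terminal, user not identified")
    log.record("disclosure", "agent.petrov", "client/4711", at=t.replace(hour=11),
               detail="passenger list sent to hotel partner")
    log.record("deletion", "retention-job", "client/4711", at=t.replace(day=2),
               detail="retention period expired")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify() == -1)
    for e in log.retrievals():
        print(e["ts"], e["actor"] or "<unidentified>", e["record"])
    log.entries[2]["detail"] = "address changed"   # simulate tampering
    print("first altered entry:", log.verify())
```

The chain only makes tampering detectable, not impossible: whoever can rewrite the whole log can recompute every hash, so in practice the entries (or periodic chain heads) should be written to storage that the application account cannot modify.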
XIII. DATA PROTECTION OFFICER
BALKAN HOLIDAYS SERVICES LTD appoints a Data Protection Officer (DPO) and
publishes their contact details on its public
website. BALKAN HOLIDAYS SERVICES LTD ensures that the DPO participates
appropriately and timely in resolving all matters related to data protection.
BALKAN HOLIDAYS SERVICES LTD and the data processors acting on its behalf
assist the DPO in performing their designated functions by providing the
resources necessary for carrying out these functions, granting access to
relevant registers, personal data, and processing operations. BALKAN HOLIDAYS
SERVICES LTD ensures that the DPO can develop and maintain their expertise.
Data subjects can contact the DPO regarding any issues related to the
processing of their personal data and the exercise of their rights. The DPO is
bound by secrecy or confidentiality concerning the performance of their tasks,
in accordance with national legislation. The Data Protection Officer may also
perform other functions and obligations. BALKAN HOLIDAYS SERVICES LTD
takes necessary measures to ensure that these functions and obligations do not
conflict with the DPO's activities in data protection. Key functions and
obligations of the Data Protection Officer:
– represents the company before the Commission for Personal Data Protection
(CPDP);
– informs and advises BALKAN HOLIDAYS SERVICES LTD and the data processors
acting on its behalf, including the employees involved in processing, of their
obligations under Regulation 2016/679 and other provisions of European and
national legislation relating to data protection;
– monitors compliance with Regulation 2016/679, other provisions of European
and national legislation, and the internal rules of BALKAN HOLIDAYS SERVICES
LTD relating to data protection, including the assignment of responsibilities
for data processing, awareness-raising, and training of the staff involved in
processing operations;
– provides advice, where requested, on the data protection impact assessment
and monitors its performance in accordance with Article 35 of Regulation
2016/679;
– cooperates with the Commission for Personal Data Protection (CPDP);
– acts as the contact point for the CPDP on matters relating to processing,
including the prior consultation under Article 36 of Regulation 2016/679, and
consults with the CPDP on any other matter, where appropriate.
In performing their functions, the DPO
duly assesses the risks associated with processing operations and takes into
account the nature, scope, context, and purposes of the processing.
XIV. DATA SECURITY AND BREACHES OF SECURITY
BALKAN HOLIDAYS SERVICES LTD implements
appropriate technical and organizational measures to ensure a level of security
commensurate with the risks, with varying likelihood and severity for the
rights of individuals. The company requires its employees and third parties
processing personal data on its behalf to adhere to the respective policies and
rules described in the Data Management System (DMS). The implementation of
specific organizational and technical measures is based on the identified risks
to personal data, taking into account and ensuring, among others:
– adequate training by function and level;
– integration of data protection into the duties of employees;
– monitoring of staff and external parties for compliance with the relevant
policies and rules;
– control of physical and logical access to electronic and paper records;
– control over the use of portable electronic devices outside the workplace;
– control over the use of employees' personal devices;
– imposition of contractual obligations on processing organizations to take
appropriate security measures while the data is under their control.
BALKAN HOLIDAYS SERVICES LTD takes steps to ensure that any individual acting
under its authority who has access to personal data processes that data only on
the instructions of BALKAN HOLIDAYS SERVICES LTD, unless required to do so by
law or by a direct contractual relationship with the individual. In the event
of a breach of the security of personal data, BALKAN
HOLIDAYS SERVICES LTD applies the established PRO 05 – Procedure for Response
and Notification in Case of Personal Data Breach.