Policy for Personal Data Protection

We understand that your personal data and the protection of the information that you share with us is extremely important. This is why our Policy for Personal Data Protection describes how we process your data and what are the measures we take to protect this data. It also describes where and how do we collect your personal data and what are your rights concerning all of the stored information about you.

The current Policy for Personal Data Protection is an expression of our readiness to defend your personal information and it applies to you in case you provide your personal data over the phone (by a phone call or SMS), online, by post or through a courier, on social media, on a corporate or promotional website, through a mobile application or otherwise.

          1. Who are we?

When we say ‘we’ or ‘our/ours’ in this Policy for Personal Data Protection, we mean:
Bilta EAD (with headquarters and management address: Gotse Delchev, 12 Tsaritsa Ioanna str., BULSTAT: 203401986) and the touristic sites, managed by the company.
The current list can be completed with new legal entities which could be part of our group in the future.

           2. What type of information about you do we store and process?

• The information that you share with us when requesting information on services/prices, at the following sites:
• www.bilta.bg
• www.ibparkhotels.com
• www.uvanestum.com;
• moments.uvanestum.com;
• Information you share with us, such as your names, data from personal documents, postal address, phone number, email address, bank account or bank card data, information about vehicles, data on invoicing, as well as any feedback that you provide us with personally, by phone, email or via messages on the social networks;
• Profile in the social networks (when you use a social network to get in touch with us);
• Information about the products and services that we provide you with (including what we have provided you with, when and where, what amount you have paid for those, ways in which you use our products and services, participation in a loyalty program, membership, contest, marketing program etc.);
• We collect additional personal data upon registration in our sites, including security-related data that may be required by law. At our sites we use a monitoring system and other security measures which could take or save photos of guests and visitors to public places, as well as information regarding your location during your stay at our sites (via access cards and other technology). We use a monitoring system and other technology for video or sound recording to ensure the protection of our employees, guests and visitors to our sites, when this is allowed by law.
• Information about the device or devices that you use or have used to access our services (for example, make and model of the device, type of operation system, type of browser or IP address) as well as how you use our services. For example, we are trying to identify which of our websites or applications you use, as well as when and how;
• Your contact details and details about the emails and other electronic messages that you receive from us, including whether those messages have been opened and whether you have clicked on any of the links therein. We want to make sure that our messages are useful and important to you. In case that you do not open them and you do not click on the link therein, we know that we should improve the information that we send to you; as well as:
• Information from other sources, such as our partners, specialized companies that provide information about their clients with the consent of the latter, in explicit or anonymized form (eg. marketing research companies, financial institutions, social networks, etc.) including information about you which is publicly available.

          3. What do we use the data you provide us with for and grounds for processing

Being an administrator of personal data and to be able to perform our duties to The General Data Protection Regulation, we could use your personal data for one, several or all purposes listed below:

• To provide you with our products and/or services;
• To process your booking;
• To comply with normative requirements;
• To accept payment from you or to refund payment if necessary;
• То ensure personalized experience during your stay, purchase or during your communication with us;
• To plan meetings and events;
• To make sure that you are a real person as well as to prevent eventual fraud;
• For statistical needs and analysis;
• To help us learn more about you as our client, about the products and/or services that you use, about the way in which you use them and to ensure a better service by our employees;
• To discover ways in which to improve our products, services, applications or website(s);
• To connect with you in relation to products or services, provided by us;
• To send you advertising messages online, by phone or through printed materials;
• To ensure the security of our employees, guests and visitors to our sites, as well as
• To be able to answer your questions in the best possible way and/or to solve any problem that you might have concerning the use of our products and/or services.

The processing of your personal data is based on one of the following conditions:

• The processing is necessary for the compliance with a legal liability applied upon us as an administrator of personal data;
• The processing is necessary for the execution of a contractual liability where you are one of the parties or for taking steps, at your request, before concluding an agreement between us and you;
• You have given your permission for the processing of your personal data for one or more specific purposes;
• Processing is necessary for protecting your or other physical person’s vital interests;
• Processing is necessary for the execution of a task of a public interest or when executing official rights provided to us as a personal data administrator;
• Processing is necessary for the purposes of our or a third party’s legitimate interest, except when your interests or basic rights have an advantage and require a special protection of your personal data.  

          4. With whom can we share your personal data?

                    1. With our partners and/or suppliers

We work with partners and suppliers who can process your data too, on our behalf, but only in the case where their standards correspond to our standards of storage, processing and protection of data. To provide you with the expected level of hospitality and the best service, we can share your personal data with our service providers and other partners.
Such partners are:

• Payment provider companies – when you provide us with data about a payment card in your name, we can exchange this information with our payment provider companies (for example ePay, Borica, Paysera, Visa and/or MasterCard, banks).
• Event organisers or participating members therein, when you take part in a group event or meeting, taking place in our sites.  
• Trade partners and service suppliers with whom we collaborate to provide you with products, services or offers that complement or are based on your experience in our sites.
• Courier or postal companies who should deliver your ordered products, documents or other parcels to you on our behalf.
• Printing houses who can prepare personalized materials for you.
• Mass mailing sending companies when you have to receive an email from us. 
• SMS sending companies when we have to send you an SMS.

We solely provide them with the information that is necessary in order for you to receive the corresponding product and/or service from us, which you have requested or towards which you have shown an interest. For example, if you have indicated that you are interested in receiving marketing information from us and/or our partners, it is possible to see advertising messages of our products and/or services on the websites and social platforms that you visit.

                    2. Other organizations or physical persons:

In certain cases, we can provide other organizations with your personal data. For example:  

• If required by law, by public or private institution, in compliance with its obligations required by law (for example the Police, the National Revenue Agency, the National Social Security Institute, the Commission for Personal Data Protection, etc.).
• If we discuss a sale of our business or a part of our business, we can share your data with potential customers – but only in summaries, so that the customers could evaluate the potential of the business.
• If we undergo reorganization or our company is sold to another organization, we can transfer your personal data to this organization in order to continue providing you with the relevant products and/or services.
• If we have to share your personal data to defend our legal interest or to exercise our rights, regulated by law, as well as to protect our clients, the users of our products and/or services, systems and servers; or
• As a response to a request from other physical persons (or their representatives) who are trying to protect their legally regulated rights or the rights of other physical persons or organizations, but only when we are obliged by law to do this.

In any case we will inform you before providing third parties with your data. If this is practically impossible, we will inform you as soon as possible after we have provided them with your data.

          5. International transfer of your personal data

At the moment we do not plan to perform international transfer of data, but if we need to make a transfer of your data to a third party for purposes described in this Policy for Personal Data Protection, the third party being another company within our group or our supplier and/or partner, whose headquarters is situated outside of Bulgaria, as well as outside of the EU, you will be informed about this and about the ways in which your personal data will be protected. The transfer of your data can be realized on the basis of a contract between us and the third party in a way approved by the corresponding regulatory body as well as by external agreement, approved by the corresponding regulatory body (for example EU-US Privacy Shield, etc.)

           6. How will you receive information about our products and/or services?

When you have explicitly indicated that you agree with this, we will happily share information with you by email or phone, about our special offers, ideas, products and/or services in the cases when we hаve something to share with you.   
If you disagree with this or you would like to withhold your agreement for receiving mail from us, you could do so in one of the following ways:

• Through the link for signing out included in each email that we send to you;
• By sending us email for opting out at privacy@bilta.bg.

          7. What are your rights in relation to your data and how can you exercise them?

                    1. Access to and correction of your personal data

You have the right to access your personal data which we process for the purposes mentioned above. If we process this data and receive a request from you (or from a third person, authorized by you) we will provide access free of charge. It is your right to require a copy of your personal data which we process.
Before providing access to your personal data to you or to a person authorized by you, we might require a proof of your identity and details about your relationship with us or with our partners, in order to find the data that corresponds to you. 
If any personal data that we store and process for you is imprecise or outdated, you have the right to require a correction, also by adding a declaration.

                    2. Right to delete your personal data

You have the right to request a deletion of your personal data without further delay if:

• The personal data is no longer necessary for the purposes for which it was collected;
• When you have withdrawn your consent;
• When you have objected to the processing if it is illegal;
• When the personal data has to be deleted in order to comply with a legal obligation in the right of the EU or a member state, which is applied on us as a personal data administrator;
• When the personal data has been collected in relation to the offering of services to the information community.

Under certain conditions, we might refuse to delete your personal data in the cases provided by law.

                    3. Right to data portability and right to appeal

You have the right to receive the data that we process for you, in a structured, widely used and machine readable format, in order to transfer your data towards another data administrator.  
You have the right to file a complaint to the local regulatory body, the Commission for Personal Data Protection (CPDP) or to the Court, if you consider your rights to be violated. To learn more, visit the website of CPDP.

                    4. Right to withdrawal of consent

You have the right, at any time, to withdraw your consent for the processing of your personal data by us, by sending us a request about it;
By sending us an email at privacy@bilta.bg;
By sending us a written request at the following address: Gotse Delchev, 12 Tsaritsa Ioanna str.

                    5. Right to objection

You have the right at any given time to object against the processing of your personal data for purposes related to direct marketing, including profiling as far as it is related to direct marketing. The objection can be made by phone or by email at the given in 7.4. contact details.

                    6. Limitation to the personal data processing

You have the right to request limitation to the processing of your personal data when you consider your personal data to be imprecise, its processing is illegal, we don’t need your personal data for the purposes of processing or you have objected against its processing. In this case your personal data will be stored but not processed.

                    7. Right to not be the subject to automated decision, including profiling

You have the right to not be a subject to a fully automated decision, including profiling, when this generates legal consequences for you or when it affects you significantly.  
If you would like to exercise any of your rights, described hereby, please contact us via the provided in 7.4 contact details.

          8. How long do we store your data for?

We keep a record of your personal data in order to ensure a high quality and consistency of our services within the Group. We always store and process your data in compliance with the law and we never keep it longer than it is necessary. Unless otherwise provided by law, your data will be stored for a 2-year period from the date of its last update. 

          9. Data protection

We treat your personal data as strictly confidential. To protect it, we undertake a number of measures, including:

• We limit the access to the premises in which we work. We only let in people who should be there (we use codes and access cards, passwords and other technology, related to limiting the access to certain premises)
• We apply control to the access to our Information Technology systems with the help of firewalls, ID validation, logical segmentation and/or physical separation of our systems and information;  
• We use means such as encryption and pseudonymization of the information;
• We never require you to send us your password;
• We advise you to never enter account number data, password or other sensitive information in an email message or after clicking on a link contained within an email message.

          10. Contact us

If you would like to exercise any of your rights described in the current Policy for Personal Data Protection, or if you have a question or a complaint, related to this policy or the way in which your personal data is processed, please, contact us in one of the ways described in 7.4.

          11. Change in the Policy

The last change in the current Policy for Personal Data Protection was made on 14.05.2018.