  1. Legal Basis
Art. 1. These regulations are issued on the basis of the Personal Data Protection Act (PDPA) and Regulation (EU) 2016/679. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) defines the rules regarding the protection of natural persons in relation to the processing of personal data, as well as the rules regarding the free movement of personal data. Regulation (EU) 2016/679 protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. The free movement of personal data within the Union shall not be restricted or prohibited for reasons related to the protection of natural persons in connection with the processing of personal data. These Internal Rules govern the organization of personal data protection in accordance with the requirements of the Regulation and apply to the processing of personal data in whole or in part by automatic means, as well as to their processing by other means that are part of a personal data register or which are intended to form part of a register of personal data.
  1. Objectives and Scope of the Regulations
Goals Art. 2. These regulations aim to regulate:
(1) the mechanisms of keeping, maintaining and protecting personal data of employees and customers of “AJM-GRUP” EOOD (hereinafter referred to as the “Company”), as a personal data administrator under the Personal Data Protection Act, as well as the level of technical and organizational measures when processing personal data and the permissible type of protection.
(2) The regulations for the protection of personal data apply to the hotel complex “Oasis” of “AJM-GRUP” EOOD and to its official website;
(3) the obligations of authorized persons processing personal data and their liability in case of failure to fulfill these obligations;
(4) the necessary technical and organizational measures to protect personal data from illegal processing (accidental or illegal destruction, accidental loss or alteration, illegal disclosure or access, unregulated modification or distribution, as well as from all other illegal forms of personal data processing).
Scope Art. 3. The Rules are mandatory for Personal Data Processors designated by the Personal Data Administrator.
  • Technical and organizational measures and purpose of registers
  • The premises where personal data is collected, stored and processed are predetermined and locked.
  • Only duly authorized employees have access to premises where information systems with personal data are located.
  • Registers with personal data on paper are stored in lockers / safes with locking devices.
  • Premises where personal data is collected, stored and processed are maintained in a good fireproof condition. The necessary fire extinguishers determined by the project of the given premises are provided.
  • When the need for access to the relevant database ceases, it is revoked.
  • Granting, changing or terminating authorized access to databases is done only by authorized employees.
  • All employees with access to a personal data base sign a declaration of compliance with the rules for the protection of personal data in the Company and acceptance of the responsibilities related to the work with personal data, as well as an agreement to assume an obligation not to distribute personal data. Declarations are registered and stored in a previously regulated place.
  • Each personal data processor (user) has his own account and password for the directory to which he has access in information systems and software products.
  • When a third-party information system password is reported, it is immediately changed.
  • After finishing work with the corresponding program product, it is closed for use without minimizing to the desktop.
  • The use of portable personal data carriers is not permitted.
  • Backups are created to ensure data recovery.
  • All workstations used to work with automated information systems have anti-virus software and a firewall installed that are updated automatically.
  • In the event of a breach of personal data security, the personal data protection official (if any) is notified within 72 hours of becoming aware of the breach, and accordingly he contacts CPLD.
Collection and storage of personal data Art. 4. (1) The registry collects and stores personal data on paper, electronic video recording device (DVR, NVR) and on a web-based platform with a view to:
  1. Labor relations;
  2. Compliance with labor legislation;
  3. Compliance with the requirements of the Law on Obligations and Contracts;
  4. Compliance with legal requirements for the provision of information to the National Revenue Agency and the Norwegian National Insurance Institute for natural persons working in the Company;
  5. On the basis of control of the work process and observance of working hours and self-protection for continuous video surveillance, prevention of fraud, theft and other violations of and by the staff, counterparties, customers or other persons on the territory of the Company;
  6. Reservations and accommodation in the Hotel Complex;
  7. Contractual and commercial relations with customers;
Forms of keeping the register Art. 5. (1) On paper:
  1. Form of organization and storage of personal data – written (documentary);
  2. Location of the filing cabinet/cash register – Room with limited access by means of a locking mechanism on the entrance door of the room to which only Company Representatives and personal data processing employees designated by the personal data administrators in the case of Company Representatives;
  3. A medium (form) for the provision of data by natural persons – invoices and contracts with and to customers. The personal data of the individuals are submitted to the personal data administrator and the authorized persons appointed to process them – personal data processor, on the basis of a legal obligation in all cases where it is necessary;
  4. Access to the personal data – only the personal data processors designated by the personal data administrator have such access.
(2) On a technical medium:
  1. Form of organization and storage of personal data – personal data is stored on a hard disk, on isolated (with limited access) computers;
  2. Location of the computers – A room with limited access, by means of a locking mechanism on the entrance door of the room, to which only the personal data processors in the case of the accountant and the hotel administrators designated by the Administrator have access. The computer in the hotel reception is positioned in the desk in a way that does not allow free access to it;
  3. Access to personal data and protection – access to the operating system containing files for processing personal data is available only to the processors of personal data, through an account and password to open these files;
  4. Periodic archiving – Archiving of personal data on a technical medium is carried out periodically every five days by the personal data processor in order to keep the information about the relevant persons in an up-to-date form.
(3) On a video recording device (DVR,NVR):
  1. Form of organization and storage of personal data: personal data in the form of a video recording of the movement of employees and visitors to the approaches to the adjacent yard, the premises and those used by the Company themselves are stored on a recording device for no more than the 60 days provided for in the Chat Security Act, after which they are automatically deleted from the device;
  2. Location of the recording device – Room with limited access by means of a locking mechanism on the entrance door of the room, to which only the personal data processors in this case, the employees performing security work on the territory of the hotel complex and the representatives of the Company have access;
  3. Access to personal data and protection – access to the recording device containing video recordings is only available to the representatives of the Company and the employees assigned by them, performing round-the-clock security on the territory of the hotel complex “CREDO” through an account and password to access the recordings;
  5. The data in the register are provided voluntarily by the persons upon entering the Company’s building. At the entrances to the building warning signs have been placed that the site is under permanent video surveillance;
Groups of data in the registry Art. 6.
(1) Regarding the physical identity of the persons – names, social security number, address, telephone, passport data;
(3) Education – document of acquired education, qualification, legal capacity, when required;
(4) Employment – according to the attached documents for work experience and professional biography;
(5) Medical data – a preliminary medical examination card when required by law;
(6) Criminal record certificate, when required;
(7) Salaries and fees;
(8) Other personal data, sample forms;
Art. 7. The types of personal data that the administrator collects and processes are different, according to the purposes for which they are collected and the grounds for their processing:
(1) For reservations: in order to request and confirm a reservation, AJM-GRUP EOOD collects and processes the following types of data:
a/ When booking through a website or travel operator:
  • The three names of the contact person;
  • e-mail address and telephone number of the contact person;
b/ When booking by phone:
  • phone number for feedback and e-mail address to confirm the reservation;
  • The three names of the contact person;
These data are stored until the reservation is made. After that, the data is destroyed and their subsequent processing is impossible.
(2) For the purposes of accommodating guests in the Oasis Hotel Complex, the Administrator processes and stores the following data:
  • Name of the person (for Bulgarian citizens – in Cyrillic, for foreigners – in Latin, according to the national document);
  • Date of birth;
  • Gender;
  • Citizenship;
  • Identity card number/ valid national identity document;
  • Country that issued the national document.
The data collected for the purposes of registration at the hotel are collected on the basis of Art. 116, para. 2 of the Law on Tourism and are necessary for keeping a register of accommodated tourists. The data is stored for a period of 5 /five/ calendar years.
(3) For the purposes of holding corporate or personal events in the “Oasis” Hotel Complex, the following data are processed and stored:
  • Name of the person organizing the event. In case of corporate events, a contact person specified by the legal entity, organizer of the event;
  • e-mail address and telephone number of the contact person;
These data are stored for up to 3 /three/ calendar years after the realization of the event.
(4) For the purposes of direct marketing, including analyzing and profiling the target audiences and to track the satisfaction of our customers, the following data is processed:
  • e-mail address
  • IP address
  • Location
  • Language
  • Age
  • Gender
  • Interests
  • Behavior of users of the site
The purpose of collecting this data is to provide personalized offers and services that meet the needs and expectations of customers. Declaration of consent for the use of data provided by the subjects for marketing purposes of the “Oasis” Hotel Complex.
(5) Personalization and cookies. New technologies allow us to customize the website for each individual client. Cookies are text files containing information that allows the identification of returning users. Cookies are stored locally on the device used by customers to access the Company’s website and do not cause damage to their system. Cookies eliminate the need to enter data more than once, facilitate the delivery of specific content and help identify customer preferences. The accumulation and analysis of this information enables and improves electronic services and the overall user experience so that they meet customer needs as closely as possible.
Obligations of the persons responsible for keeping and storing the data in the register Art. 8. The duties of the persons responsible for keeping and storing the data in the register (the authorized persons) include collecting, processing, updating, storing and deleting personal data.
Personal Data Update Art. 9.
(1) An update of personal data is an addition or amendment to existing information in the company. Update of personal data is carried out:
  • at the request of the person to whom the personal data refer, when he has established that there is an error or incompleteness in them, and certifies this with a document;
  • at the initiative of the personal data processor – in the presence of a document giving grounds for updating;
  • if an error is detected in the processing of personal data by the personal data processor;
(2) When updating personal data, the registration number of the document, the source of the data for the update, and the date of the update shall be reflected in the relevant person’s file. The update is carried out by the person processing the personal data.
Protection measures when processing personal data Art. 10. (1) The rules for protection in the processing of personal data regulate technical measures which:
  • reject access of unauthorized persons to the data processing equipment – equipment access control;
  • prevent the unauthorized reading, copying, modification or destruction of information media – control of information media;
  • prevent the unauthorized addition, entry, viewing, modification or deletion of stored personal data – storage control;
  • prevent its use by unauthorized persons using data communication equipment – user control;
  • guarantee that the persons who are authorized to use a system for automated data processing have access only to the data included in the scope of their access – data access control;
  • ensure the possibility of checking and establishing to which authorities the personal data have been or can be sent or provided by using data communication equipment – control of communications;
  • provide the possibility of subsequent verification and establishment of what personal data was entered into automated data processing systems, when and by whom the data was entered – input control;
  • prevent unauthorized reading, copying, modification or deletion of personal data when transferring personal data or transporting data carriers – transport control;
  • ensure the possibility that the installed systems can be restored in case of interruption of functioning – recovery;
  • ensure the proper functioning of the system, reporting the occurrence of errors in functions (reliability) and ensure that stored data cannot be damaged by system malfunction – integrity.
Employees processing personal data take measures to ensure reliability in processing by implementing technical and organizational measures to protect personal data.
(2) During the automatic processing of personal data, technical protection measures are implemented against:
  • unauthorized reading, reproduction, modification or removal of the data carrier;
  • unauthorized entry, change or deletion of stored personal data;
  • unauthorized use of personal data systems by means of data transmission;
  • unauthorized access to personal data.
Providing individuals with access to their personal data Art. 11. (1) Employees under employment and civil legal relations, as well as customers, have the right to access their personal data, for which they submit a written application to the administrator and personal data processor, including electronically in person or through an authorized person.
(2) The application contains the name of the person and other data that identify him – social security number, position, place of work, description of the request, preferred form for granting access to personal data, signature, date and address of correspondence; power of attorney – when the application is submitted by an authorized person. The application is filed in the administrator’s general incoming register.
(3) Access to the person’s data is provided in the form of:
  1. verbal reference;
  2. written reference;
  3. review of the data by the person himself or one authorized by him;
  4. provision of a copy of the requested information.
(4) Upon submission of a request for providing access, the representative of the administrator examines the application for access or orders the processor of personal data to provide the access requested by the person in the form preferred by the applicant. The term for considering the application and ruling on it is 14 days from the day of submission of the request, respectively 30 days when more time is needed to collect the personal data of the person in view of possible difficulties in the activity of the administrator. The decision is communicated in writing to the applicant in person against a signature or by mail with return receipt. When the data do not exist or cannot be provided on a certain legal basis, the applicant is denied access to them with a reasoned decision. The refusal to grant access can be appealed by the person to the authority and deadline specified in the letter.
(5) Only the personal data processor has access to the personal data of the persons contained on a technical medium, and in his absence and when these data relate to the remuneration of the persons, access to them is temporarily authorized by the person processing the personal data, to whom the password to access the files is known.
Legitimate access of authorized persons to personnel and customer files Art. 12. In addition to the personal data processor, access is also lawful for the Company’s Personal Data Protection Officer, designated by the Company Representatives. The processor of personal data provides access to them upon their request.
Legitimate third-party access to staff and customer files Art. 13. (1) No authorized person or third party has the right to access the register with the personal data of the persons, unless it is required in a proper way by the bodies of the supervision or the judicial authority (Commission for Financial Supervision, court, prosecutor’s office, investigative bodies, etc.). The access of these bodies to the personal data of individuals is lawful.
(2) The consent of the person is not required if the processing of his personal data is carried out only by or under the control of a competent state body for personal data related to the commission of crimes, administrative violations and unauthorized disabilities. Such persons are provided with access to personal data and, if necessary, with appropriate conditions for work in the company’s premises.
(3) The access of the revising state bodies is also lawful, duly legitimized with relevant documents – written orders of the relevant body, in which the reason, the names of the persons are indicated, and for the purposes of their activity it is necessary to provide them with access to the personnel or customer files.
(4) In case of changes in the status of the company (transformation, liquidation, etc.), requiring the transfer of the personal data registers from the company to another personal data administrator, the transfer of the register is carried out after the permission of the Commission for Personal Data Protection.
(5) The administrator communicates his decision to grant or deny access to personal data for the relevant person to third parties within 30 days of submitting the request, resp. the request.
(6) When implementing a new software product for the processing of personal data, a preliminary check of the product’s capabilities is carried out with a view to complying with the requirements of the GDPR and Regulation (EU) 2016/679 and ensuring their maximum protection against unlawful access, loss, damage or destruction.
Art. 13. The address where requests for access and provision of personal data are accepted from the registers of “AJM-GROUP” EOOD, EIK: 106621253, represented by ANGEL GEORGIEV PETROV is: reg. Vratsa, Mezdra, Zverino village, hotel complex “Oasis”.
Destruction of Personal Data Art. 14.
The administrator periodically, but not less than once a year, makes an inventory of the personal data stored by him in order to establish the presence of personal data subject to destruction/deletion. Upon establishing the existence of such data, the administrator destroys/deletes them. Actions are recorded.
  1. Concepts
For the purposes of these regulations, the terms below have the following meanings:
  • “Personal Data” means any information relating to an identified natural person or an identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;
  • “Specific signs” – signs related to physical, physiological, genetic, mental, psychological, economic, cultural, social or other identity of the person.
  • “Register with personal data” – any structured set of personal data, accessible according to certain criteria, according to internal documents of the Company, which can be centralized, decentralized or distributed on a functional or geographical basis.
  • “Processing of personal data” means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other means by which the data is made available, arranged or combined, restricted, deleted or destroyed;
  • “Processor of personal data” – natural or legal person, state authority or local self-government body that processes personal data on behalf of the controller of personal data.
  • “Provision of personal data” – means actions of total or partial transfer of personal data from one controller to another or to a third party within the territory of the country or outside it.
  • “Third party” – natural or legal person, body of state power or local self-government, other than the natural person to whom the data refer, the personal data administrator, the personal data processor and the persons who under the direct management of the administrator or processor have the right to process personal data.
  • “Recipient” – a natural or legal person, state authority or local self-government body to whom personal data is disclosed, regardless of whether it is a third party or not. Authorities that may receive data within the framework of a specific study are not considered recipients.
  • “Consent of the data subject” means any freely expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses his consent to the personal data relating to him being processed;
  • “Pseudonymisation” – processing of personal data in such a way that they can no longer be associated with a specific data subject without the use of additional information, on condition that it is stored separately and is subject to technical and organizational measures to ensure that personal data is not linked to an identifiable natural person.