Tourist Management Ltd.
VAT ID: BG202369208
Our main aspiration when working with personal data
Lejanki.bg processes your personal data in order to provide its guests with better, higher quality and more diverse services. In view of this, data security is important for the success of our business and for our public image as a first-class hotel. That is why we try to protect your data by applying all appropriate technical and organizational means at our disposal to prevent unauthorized access, unauthorized or malicious use, loss, or premature deletion of information.
How and why we use your personal data
For fulfillment of normative obligations and under contract
We collect and process your personal data and other personal information in order to fulfill obligations assigned to us under a normative act, such as the Tourism Act.
We collect and process your personal data and other personal information in order to fully provide the services that you have requested and that you want to use with us, as well as to fulfill our contractual obligations to you.
- PIN, names, gender, citizenship, permanent address
- e-mail, letters, information about your requests for troubleshooting, complaints, requests, grievances;
- other feedback we receive from you;
- video recordings that are made to improve security
- preferences for the services we provide you;
- information about credit or debit card, bank account number or other bank and payment information in connection with payments made to the hotel – when paying for a product or service in the reservation system on the hotel website, the User does not provide Tourist Management Ltd. with bank details or credit card data. Payment by bank card is made through a Virtual POS terminal of the Bank, where the bank card data is entered directly into the secure platform of the bank. Thus, the User's bank card data is maximally protected and does not become available to Tourist Management EOOD. To prevent abuse when paying with your Visa or MasterCard, we apply the best practices recommended by international card organizations:
- Security when entering and transferring card data is ensured by using SSL protocol to encrypt the connection between our server and the payment page of our servicing bank
- The authenticity of your card is verified by entering a security code (CVV2)
- In addition, to identify you as a cardholder, the payment server for e-commerce of our servicing bank supports the authentication schemes of international card organizations – Verified by VISA and MasterCard SecureCode, in case you are registered to use them.
Other information such as:
- data provided through the hotel’s website;
- IP address when visiting our website;
- demographic data, household information when you agree to participate in our surveys, prize draws or other feedback you provide to us in connection with the services used;
The processing is performed in order to:
- establish the identity of the client upon check-in at the hotel;
- manage and execute your service requests;
- prepare and send an invoice for the services you use with us;
- provide you with the necessary comprehensive service, as well as to collect the amounts due for the services used;
- analyze customer history and prepare a user profile in order to determine a suitable offer for you;
- research and analyze customer consumption of our services, based on anonymous or personalized information, to identify key trends, improve our understanding of our customers’ behavior and work with third parties to develop new services for our customers;
- processing by the data processor at the conclusion of a contract, assignment, reporting, acceptance, payment;
After your consent
In some cases, we process your personal data only with your prior written consent. Consent is a separate basis for the processing of your personal data; the purpose of the processing is stated in it and is covered by the purposes listed in this policy. If you give us the relevant consent, then until its withdrawal:
- we prepare proposals for programs and services that are offered by the hotel and suitable for you;
Consent granted may be withdrawn at any time. Withdrawal of consent will affect the provision of the relevant services and programs.
We have a large portfolio of programs and services. When you give us consent to data processing, that consent applies to all programs and services you use.
To withdraw your consent, you only need to use our site or just our contact information.
To whom do we provide your personal data:
We process your identification data and other personal data in order to comply with the obligations set out in a regulatory act, such as:
- providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
- providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation on personal data protection – Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.;
- obligations provided for in the Accounting Act and the Tax and Social Security Procedure Code and other related normative acts, in connection with the maintenance of correct and lawful accounting;
- providing information to the court and third parties, within the proceedings before a court, in accordance with the requirements of the procedural and substantive legal regulations applicable to the proceedings;
- verification of payment for online registrations.
How we protect your personal data
To ensure adequate data protection of the company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and regulations on its implementation.
The company has appointed a Data Protection Officer to support the processes of protecting and securing your data.
For maximum security in the processing, transmission and storage of your data, we may use additional security mechanisms such as encryption, pseudonymization and more.
When we delete your personal data
As a rule, we terminate the use of your personal data for the purposes of the contractual relationship after the termination of the contract, but we do not delete them before the expiration of one year from the termination of the contract or until the final settlement of all financial obligations and the expiration of statutory obligations for data storage, such as obligations under the Accounting Act for storage and processing of accounting data (5 years), expiration of the statute of limitations for filing claims (5 years) specified in the Obligations and Contracts Act, and obligations for providing information to the court, competent state authorities and on other grounds provided for in the current legislation (5 years). Please note that we will not delete or anonymize your personal data if it is necessary for pending court or administrative proceedings, or for proceedings pending before us.
Your data can also be anonymized. Anonymization is an alternative to deleting data. Upon anonymization, all personally identifiable items that allow you to be identified are irrevocably deleted. There are no legal obligations for anonymized data, as they do not constitute personal data.
Your rights in connection with the processing of your personal data
Right to information:
You have the right to request:
- information on whether data relating to you are processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients to whom the data are disclosed;
- a message in an understandable form containing your personal data that is being processed, as well as any available information about their source;
- information on the logic of any automated processing of personal data concerning you, at least in the case of automated decisions.
Right of correction:
In the event that we process incomplete or erroneous data, you have the right, at any time, to request:
- to delete, correct or block your personal data, the processing of which does not meet the requirements of the law;
- to notify third parties to whom this personal data has been disclosed of any deletion, correction or blocking, except where this is not possible or involves excessive effort.
Right to erasure (the right to be forgotten):
You have the right to request the deletion of the personal data we process at any time if:
- the personal data are not necessary for the purposes for which they were collected and processed;
- you withdraw your consent and there is no other legal basis for their processing;
- the personal data have been processed illegally.
Right of objection:
At any time you have the right to:
- object to the processing of your personal data if there is a legal basis for it; where the objection is justified, the personal data of the natural person concerned may no longer be processed;
- object to the processing of your personal data for direct marketing purposes.
Right to limit processing *:
You can request a restriction on the personalized data being processed if:
- you dispute the accuracy of the data, for the period in which we have to check their accuracy; or
- the processing of the data has no legal basis, but instead of deleting it, you want its limited processing; or
- we no longer need this data (for the specified purpose), but you need it to establish, exercise or defend legal claims; or
- you have objected to the processing of the data, pending verification that the controller’s grounds are lawful.
Right to data portability *:
You can ask us to provide the personal data that you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if:
- we process the data according to the contract and based on the declaration of consent, which can be withdrawn, or on a contractual obligation, and
- processing is performed automatically.
Right of appeal:
In case you believe that we are violating the applicable regulations, please contact us to clarify the issue. Of course, you have the right to lodge a complaint with the Data Protection Commission. After 25 May 2018, you will also be able to lodge a complaint with a regulatory body within the EU.
Applications for access to information or for correction are submitted personally or by a person expressly authorized by you, through a notarized power of attorney. An application may also be submitted electronically, in accordance with the Electronic Document and Electronic Signature Act.
We will rule on your request within 14 days of its submission. If a longer term is objectively necessary in order to collect all the requested data, and this seriously complicates our activity, this term can be extended up to 30 days. With our decision we give or deny access and / or the information requested by the applicant, but we always give reasons for our answer.
Relevance and policy changes