Privacy Policy
- Home
- Privacy Policy
Effective from: May 25, 2018
Last updated: July 25, 2020 г.
DATA PROTECTION POLICY
This privacy policy is an integral part of the General Terms and Conditions of Business Travel Agency EOOD for use of the website www.reshapebg.com. The following rules are designed to help you understand what information we collect as a Data Controller, how we use it, and what rights you have in this connection.
CONTACT DETAILS OF THE DATA CONTROLLER
Name of the data controller: “Business Travel Agency” EOOD; UIC: 200144329
Registered office and business address: Sofia, 42 Lyubotran Str.
Contact phone: 0887 477 790
E-mail: adelina.kolomanova@businesstravel.bg
CONTACT DETAILS OF THE DATA PROTECTION OFFICER
E-mail: adelina.kolomanova@businesstravel.bg
Contact phone: 0887 477 790
WHAT INFORMATION WE COLLECT ABOUT YOU AND HOW:
- When you provide it to us with your explicit consent or give us permission to receive it.
When you register or use our website, you give us some information voluntarily. This includes:
– PIN, full name, gender, nationality, permanent address, telephone number, e-mail
– e-mail, letters, information on your troubleshooting requests, appeals, requests, complaints
– other feedback we receive from you;
– demographic data, household information when you agree to participate in our surveys, prize draws or other feedback you provide to us in connection with the services used; - When you use the website, we also get technical information. Each time you use any website or other Internet service, certain information is created and saved automatically. The same applies when you use our website. Here are some of the information categories we collect: Data in the log files.
When you use the site, our servers record information (‘log files’) that your browser automatically sends when you visit the website. This log data includes your device’s Internet address (IP), browser type, browser language, date and time of your request, requested resource (URL), and one or more ‘cookies’ that can uniquely identify your browser or profile. Data on ‘cookies’
We also use ‘cookies’ (small text files sent to your computer every time you visit our website, unique to your account or your browser. When we use ‘cookies’ or other similar technologies, we use two types of cookies. To learn more about how we use the ‘cookies’, please see our policy in this regard. Device information.
In addition to log data, we collect information about the device on which you use our website, including device type, operating system, settings, unique device identifiers, and crash data to help us understand when something breaks down. Whether we collect some or all of the information, it often depends on the type of device you are using and its settings. To learn more about what information your device provides, please check also the device manufacturer’s or the software provider’s policies.
WHAT ARE WE DOING WITH THE INFORMATION WE COLLECT – PURPOSES OF PROCESSING:
- We collect and process your personal data and other personal information in order to fulfill obligations assigned to us pursuant to a regulatory act, such as the Tourism Act.
- We collect and process your personal data and other personal information in order to fully provide the services that you have requested and that you want to use with us, as well as to fulfill our contractual obligations to you.
- We use the information we collect to provide you with the services on our website.
- establishing your identity when using the services on our website;
- management and execution of your service requests;
- preparing and sending a bill/ invoice for the services you use with us;
- to provide you with the necessary comprehensive service, as well as to collect the amounts due for the services used;
- analysis of the customer history and development of a user profile in order to make an offer suitable for you;
- we study and analyze customer demand for our services based on anonymous or personalized information in order to identify key trends, to improve our understanding of the behavior of our customers and to cooperate with third parties to develop new services for our customers;
- In addition to the above and for similar reasons, we have a legitimate interest in using your information in this way. This is essential for the nature of the service we provide. Furthermore, if necessary, we work with law enforcement and judicial authorities and institutions to protect and preserve our website as a safe space.
ONLY AFTER YOUR EXPLICIT CONSENT USE YOUR DATA FOR THE FOLLOWING:
In some cases, we process your personal data only with your prior written consent. The consent is separate grounds for personal data processing and the aim of processing is referred to therein and coincides with the purposes listed in this policy. If you give us the relevant consent and until its withdrawal, we:
- Send marketing materials via email, text message, or push notification, depending on your account or operating system settings.
Important: Consents provided may be withdrawn at any time. Every time we send you marketing materials, we give you the opportunity to unsubscribe. - Determine your location and customize the content we show you depending on your account or operating system settings
- We will also rely on your consent when we use cookies to:
– Show you ads that may interest you. We use ‘cookies’ to identify your interests based on your external behavior. We do this both for existing users and new users. To learn more about how we use ‘cookies’ and about your choice how we use them, please see our policy in this regard.
– Analyze how visitors use our site and to monitor the performance of our site. This allows us to offer you customized content and to identify quickly and troubleshoot various issues.
STORAGE AND TRANSMISSION OF PERSONAL DATA:
- All data collected and stored by our website are stored in our own server located on the territory of the Republic of Bulgaria.
- To ensure adequate data protection of the company and our customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and in the regulations on its implementation.
- The Company has appointed a Data Protection Officer to assist in the processes of protecting and securing your data.
- For maximum security in the processing, transmission and storage of your data, we may use additional security mechanisms such as encryption, pseudonymisation, etc.
WITH WHOM DO WE SHARE INFORMATION ON YOUR PERSONAL DATA:
- Your personal data is shared with hotels in Bulgaria and abroad, as well as with other partners of ours when booking your vacations and trips.
- We process your identification data and other personal data in order to comply with obligations stipulated in a regulatory act, for example:
- providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
- providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation on personal data protection – Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.;
- obligations provided for in the Accounting Act and the Tax and Social Security Procedure Code and other related regulations in connection with the maintenance of proper and lawful accounting;
- providing information to the court and third parties, in the framework of proceedings before the Court, in accordance with the requirements of the procedural and substantive legal regulations applicable to the proceedings;
- Your personal data is shared with our wholly owned subsidiaries, branches and divisions. In the event that we decide to perform a transformation, to proceed to dissolution and winding up, declare bankruptcy, reorganization or similar activity or procedure that involves transfer of the information described in this Policy, we will share your information with a party involved in such a process. (E.g. potential buyer, successor).
HOW LONG DO WE STORE YOUR PERSONAL DATA:
- We store your information only for as long as we need it, for the purposes of the contractual relationship,
- As a rule, we stop using your personal data for the purposes of the contractual relationship after the termination of the contract, but we do not delete it before the expiration of one year from the termination of the contract or until the final settlement of all financial obligations and the expiration of the statutory obligations on data storage, such as obligations under the Accounting Act for storage and processing of accounting data (5 years), expiration of the limitation periods for bringing claims specified in the Obligations and Contracts Act (5 years), obligations to provide information to the Court, to the competent state authorities, etc. grounds provided for in the current legislation (5 years).
- Please note that we will not delete or anonymise your personal data if it is necessary for pending judicial proceedings, administrative proceedings or pending proceedings before us.
- Your data can also be anonymised. Anonymization is an alternative to deleting data. Upon anonymization, all identifiable personal particulars/ particulars that allow your identification/ are permanently deleted. There is no legal obligation for anonymised data to be deleted, as they do not constitute personal data.
RIGHTS YOU ARE ENTITLED TO EXERCISE, REGARDING THE PROCESSING OF YOUR PERSONAL DATA:
RIGHT OF ACCESS TO INFORMATION
You have the right to access your personal data collected that affect you, and to exercise this right easily and at reasonable intervals in order to be informed of the processing and to verify its legality. At any time, while we store or process your personal data, you have the following rights:
- As a personal data subject, you have the right to request confirmation from the controller whether your personal data is processed and, if so, to access your data and the following information: for what purpose the data is processed, what personal data, data recipients, processing period.
- Requests for access must be made in writing /electronically and addressed to the controller or directly to the Data Protection Officer /at the above contact details/.
- The controller has the right to deny access to your personal data in the following cases: where the exercise of your right adversely affects the rights or freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting the software. However, these considerations do not constitute grounds for refusing to provide all the information to the data subject concerned, but only an option for restriction.
ENTITLEMENT TO CORRECTION
As a personal data subject, you have the right to request the correction of your personal data that is inaccurate /out of date. To do this, you must submit a separate request as follows:
- Requests are made by a data subject using a Sample Request Form. When making a request, the following rules shall be followed:
The data subject shall indicate the specific type of request contained in the sample form;
The data subject may request all his/her personal data stored by the controller without indicating a specific type;
The data subject provides the controller with his /her credentials that identify him /her securely and unambiguously (data from personal documents, customer number, electronic identification card, etc.). - Your request will be answered by the controller as follows:
Upon receipt of the request, the controller must verify the credentials to ensure that the request has been submitted by the subject that the data identify;
The controller shall document the date of receipt of the request;
Once the request is received, it is immediately forwarded to the Data Protection Officer, who initiates the process of processing the request and sending a response to the data subject;
The Data Protection Officer keeps a Register of requests by data subjects;
The Data Protection Officer enters in the Register of Requests by data subjects the date, the identifying information and all other data relevant to the examination of the request;
The controller should answer your request in writing or electronically, according to the manner of its submission, within one month of receiving it. If you have not explicitly stated an order for responding to the requests, for reasons of personal data security, the controller will send the data only to the e-mail address that was specified at the time of registration.
RIGHT TO RESTRICT THE PROCESSING OF YOUR PERSONAL DATA
As a personal data subject, you have the right to ask the data controller to restrict the processing of your personal data. Restriction is allowed in the following cases:
- When you believe that your personal data is inaccurate, in which case the restriction is for the period necessary for the controller to verify the accuracy;
- When the processing of your personal data is unlawful, but you do not want it to be deleted, but only want to restrict its use;
- When the controller no longer needs your personal data for the purposes of processing, but you, as the data subject, require it for the establishment, exercise or defence of legal claims;
- When you have objected to the processing pending the verification whether the legitimate grounds of the controller take precedence over your interests.
For this purpose, in the presence of any of the above conditions, you should submit a request or an application in the manner described above.
The controller should answer your request in writing or electronically, according to the manner of its submission, within one month of receiving it. If you have not explicitly stated an order for responding to the requests, for reasons of personal data security, the controller will send the data only to the e-mail address that was specified at the time of registration.
RIGHT TO ERASURE
As a personal data subject, you have the right to request that your personal data be deleted without undue delay, i.e. the controller will delete your personal data from all systems and records where they are stored, including to notify all third parties /processors of personal data to whom the data has been provided.
A request for erasure may be made in the presence of any of the following grounds:
– personal data are no longer necessary in relation to the purposes for which they were collected;
– when you have withdrawn your consent;
– when you have objected to the processing,
– when the processing is unlawful;
– where personal data must be erased in order to comply with a legal obligation under the EU law or the law of a Member State applicable to the controller;
– when personal data have been collected in connection with the provision of information society services.
For this purpose, in the presence of any of the above conditions, you should submit a request or an application in the manner described above.
The controller may refuse to erase personal data for the following reasons:
– Exercising the right of freedom of expression and information;
– For compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller;
– For reasons of public interest in the area of public health;
– For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the erasure is likely to make it impossible or seriously impede the achievement of the purposes of such processing; or for the establishment, exercise or defense of legal claims;
RIGHT TO OBJECT
As a data subject, you have the right to object to the processing of your personal data at any time.
- You have the right to object to certain types of processing, such as direct marketing (unsolicited advertising messages);
- You have the right to object to automated processing, including profiling;
- You have the right not to be subject to a decision based solely on automated processing, including profiling;
For this purpose, you should submit a request or an application in the manner described above.
The data controller should give a reason why he accepts the objection, resp. why he continues to process personal data if he rejects the objection.
RIGHT TO APPEAL
In case you believe that we are violating the applicable regulations, please contact us to clarify the issue.
You have the right to file a complaint to the Commission for Personal Data Protection – address: Sofia 1592, 2, Blvd. “Prof. Tsvetan Lazarov” (www.cpdp.bg.
After May 25, 2018 you can also submit a complaint to a regulatory authority within the EU.
RIGHT TO DATA PORTABILITY:
You can ask us to provide your personal data that you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if:
- we process the data according to the contract and based on the declaration of consent, which may be withdrawn or on a contractual obligation, and
- the processing is carried out by automated means
GENERAL POLICY
- When there is a risk of your personal data breach, the controller is obliged to inform you about the nature of the breach and what measures have been taken to eliminate it, as well as whether the supervisory authority has been notified of the breach.
- You have the right to judicial or administrative redress if your personal data rights have been violated.
- When processing your personal data, all of the above requests will be forwarded if there is a third party (recipients, including outside the EU and international organizations).
OUR POLICY REGARDING THE USE OF PERSONAL DATA OF CHILDREN
Children under the age of 16 cannot use our site.
TIMELINESS AND POLICY CHANGES
In order to implement the most up-to-date protection measures and in order to comply with the current legislation, we will regularly update this personal data protection policy. We invite you to regularly review the current version of this Privacy Policy, to be constantly informed about how we take care of the protection of personal data that we collect.