Spring Offers with 25% discount See more

08d36478e2ea7b11740988928bf89171eda9d1b4.jpg

Personal data

At "Sv. Sv. Konstantin I Elena Holding" AD, ensuring the confidentiality of the personal data you provide us for the fulfillment of our obligations to you is a leading priority.

With this policy ("Policy"), we want to transparently inform you how we use your data, what categories of personal information we collect about you, for what purposes and to whom we disclose it when you use our services or when you visit our website.

Specifically, from this document you will learn:

  1. Who is the administrator of your personal data;
  2. What categories of personal data we collect about you;
  3. How and from where we collect your personal data;
  4. For what purposes and on what grounds we collect your personal data;
  5. How and with whom we share your data;
  6. What are your rights;
  7. Other information related to your personal data; and
  8. How to contact us.

In addition, this Policy aims to inform you about the processing of your personal data collected:

  • when making an online reservation through our managed websites, from which you access this Policy, including www.visitstconstantine.bg, www.hotelprimorski.com, and other websites owned or administered by "Sv. Sv. Konstantin I Elena Holding" AD(collectively referred to as "Our Websites");
  • when making a reservation at our hotel through a tour operator or a third-party online booking platform, our partner;
  • through our profiles on various social networks (collectively referred to as "Our Social Networks");
  • for the purpose of sending e-mail, online newsletters, and other communication with you;
  • when using internet systems, including wireless networks on the territory of our hotels, smart or mobile devices, and when interacting with our other security systems and technologies (video surveillance);
  • through third parties, our partners and service providers related to web analytics, email marketing, and retargeting; and
  • when you make your reservation on-site, when visiting or staying as a guest in one of our hotels (facilities) and/or during other offline interactions.

Our websites (web pages), social networks, and internet systems will be referred to collectively as "Online Services" below in this document, and together with visits to facilities and offline interactions -- "Services."

1. WHO IS THE ADMINISTRATOR OF YOUR PERSONAL DATA?

The administrator of your personal data, collected and processed for the purposes described in this Policy, is the company "Sv. Sv. Konstantin I Elena Holding" AD, with UIC 813194292, with registered office and management address in the Republic of Bulgaria, Varna, P.O. Box 9006, Primorski District, St. St. Constantine and Helena Resort -- Administrative Building (hereinafter referred to as the "Company," "we," "our," "us").

The Company is the administrator of your personal data, processed for the purposes of fulfilling our contractual obligations to you, as well as for the purposes of providing hotel accommodation services, including Online Services.

In certain situations, in order to fulfill our contractual obligations to you, as well as to ensure your participation in our loyalty program, your personal data is collected, stored, and processed by the following personal data administrators, with whom an Agreement within the meaning of Art. 26 of the General Data Protection Regulation has been concluded, as follows:

  1. "KARACHI" EAD, with UIC 203295839, with registered office and management address in the Republic of Bulgaria, Varna, P.O. Box 9000, Primorski District, St. St. Constantine and Helena Resort -- Administrative Building;
  2. "Azalia I" EAD, with UIC 201717688, with registered office and management address in the Republic of Bulgaria, Varna, P.O. Box 9000, Primorski District, St. St. Constantine and Helena Resort -- Administrative Building;
  3. "Grafit Galeri" EOOD, with UIC 103812011, with registered office and management address in the Republic of Bulgaria, Varna, P.O. Box 9000, Odessos District, 65 Knyaz Boris I Blvd.;
  4. "Borovete I" AD, with UIC 204605689, with registered office and management address in Varna, P.O. Box 9006, Primorski District, St. St. Constantine and Helena Resort, Administrative Building;
  5. "Astera I" EAD, with UIC 103872649, with registered office and management address in Varna, P.O. Box 9006, Primorski District, St. St. Constantine and Helena Resort, Administrative Building;
  6. "Atlas I" EAD, with UIC 202487733, with registered office and management address in Varna, P.O. Box 9006, Primorski District, Golden Sands Resort, Atlas Hotel;
  7. "Astera Parva Bansko" EAD, with UIC 202558290, with registered office and management address in Varna, P.O. Box 9006, Primorski District, St. St. Constantine and Helena Resort, Administrative Building.

Below in this Policy, you will find comprehensive information regarding the processing of your personal data by our partners -- joint administrators.

2. WHAT CATEGORIES OF PERSONAL DATA DO WE COLLECT ABOUT YOU?

During your stay in our hotels, we collect personal data about you in accordance with the law and for the purpose of providing you with our Services. Personal data is information that may allow your identification as an individual or be associated with you in a way that allows your indirect identification.

The information we collect about you may vary depending on the Services you use and/or your preferred method of interaction and communication. In this regard, we may receive and process the following categories of personal data about you:

  • Data regarding physical identity: names, gender, nationality, passport data, identity card, visa or other document issued by a public authority, date of birth, signature;
  • Contact data: telephone number, email address, address, postal code;
  • Data for official identity: employer, position (for corporate event reservations);
  • Financial information: bank account number, credit or debit card number or other transaction-related information;
  • Information related to your stay and reservation: hotels where you have stayed or have reserved your stay, arrival and departure dates, Services used during your stay, special requests for amenities, service preferences (room and vacation preferences), feedback and complaints you provide to us regarding the Services;
  • Data about your travel itinerary, the tourist (organized) group you are part of, or other related data;
  • Data regarding your subscription to our loyalty program: electronic card number, level, discount amount you can use;
  • Data for a unique identifier of your social network profile, profile picture, and other publicly available data or information made available when connecting and/or transferring data between your social network profiles and profiles in our loyalty program.
  • Personal data of your family members and information about family relationships (for special requests, event celebrations, birthdays, or other special occasions);
  • Photos and videos collected through video surveillance and security cameras located in the common areas of our facilities, such as corridors and lobbies.

We also collect information about your "stay preferences," which we use to make your current and future stays and experiences with us more enjoyable, including information about your interests and other relevant information we learn about you while you are our guest. This may also include any likes and recommendations for our services that you share with us so that we can improve our service, as well as specific dietary and health restrictions or personal needs to ensure your comfort during your stay. We also collect and process data about your "personal preferences," which may include details of special anniversaries (e.g., birthday or wedding anniversary), preferred sports and recreational activities, and hobbies.

If you provide personal data about other people, for example, when making a reservation for another person, you declare that you have this right and authorize us to use the personal data received in accordance with this Policy.

In some cases, we may receive and retain special categories of personal data about you ("sensitive personal data") such as:

  • Data related to health and other sensitive information: regarding allergies, health complaints, religion, and other information you provide or we receive to fulfill your specific requests regarding the Services, provide medical assistance, etc.

TECHNICAL INFORMATION WE COLLECT

We also collect your personal data when you use our Online Services. We collect so-called "other data," which does not directly identify you but allows your indirect identification. To the extent that other data reveals your specific identity or is related to a third party, we will treat the other data as personal data.

Other data includes:

System data: When you use desktop and mobile devices to access Online Services, we automatically collect certain data through your browser or through your device, such as the type and version of the web browser you are using, screen resolution, operating system name and version, device manufacturer and model, language and interface preferences, and others.

IP address: We also collect your IP address. The IP address is automatically identified and recorded in our server's log files when a user accesses Online Services and contains data about the time of the visit and the pages visited. We use IP addresses to analyze data about the use of Online Services, diagnose server problems, and administer Online Services. By processing your IP address, we can also collect information about your approximate location.

Precise Location-Based Services: With your consent, we collect data about the precise physical location of your terminal device, using satellite data, cellular tower, Wi-Fi signals, or other technologies. We will collect this data if you give your consent through our website or through another application (during initial access to your profile or later) to improve our personalized offers and allow the use of features of your terminal device related to your location. If you have given your consent to share location data, our website or another application will continue to collect location data based on how you have chosen to share the data.

Precision Location Opt-out: You have the option, through the operating system of your terminal device (via the "Settings" menu), to choose whether to share location data always, when using our website, or not to share such data. If you choose to share your location data only when using our website, we will have access to this personal data until you stop using our application/website or change the settings of your terminal device, by prohibiting the sharing of your location data for our application/website.

"Cookies" and other similar tracking technologies:

When you visit Our Websites, whether through a computer or mobile device, we may collect personal information about you through "cookies" and other similar technologies such as tags, pixels, and web beacons. These technologies allow us to track and analyze your user behavior on Our Websites to respond to your preferences (language settings, for example), as well as to provide you with personalized advertising content for Services or third-party products on the internet.

You can learn more about the "cookies" and other technologies used on Our Websites, respectively how to block their use, in our Cookie Policy.

Anonymized and segmented data

We may anonymize the personal data we collect, after which anonymization it will no longer be able to identify you or another user personally. We use the method of so-called "segmentation" of personal data and other data to divide our customers into segments or groups, so that we are able to provide them with more relevant and personalized online content, including third-party advertisements.

3. HOW AND FROM WHERE DO WE COLLECT YOUR PERSONAL DATA?

We process your personal data collected through:

  • Companies from the "St. St. Constantine and Helena Holding" AD group, including "Karachi" EAD, with UIC 203295839, "Azalia I" EAD, with UIC 201717688, and "Grafit Galeri" EOOD, with UIC 103812011, for the purposes specified below in this Policy, such as when making an online reservation through Our Websites, when providing the Services, communicating with you, maintaining and developing our loyalty program, and fulfilling our business goals.
  • Tour operators and online hotel booking platforms. We may receive the information described above about you when you make a reservation through our partners -- tour operators and online hotel booking platform providers.
  • Service providers on the territory of hotels. We collect your personal data from companies and organizations that own and/or manage spa and wellness centers, restaurants, health facilities, fitness, concierge, and other facilities located in our hotel, so that they can provide you with their services in connection with your stay or visit to such a facility.
  • Other commercial partners and connected user profiles. We also collect personal data and other data when you use your personal number from our loyalty program or your user profile in Online Services to receive or register for certain third-party services. These third parties include companies and organizations such as airlines, car rental providers, and restaurant reservation partners and other hotel and tour operator services. Additionally, if you connect your social network profile with your profile for using our Online Services, respectively the loyalty program, we receive personal data and other data about you from the respective online platform providers (social networks).
  • Online Services. We collect personal or other data when you use our Online Services and perform actions such as, but not limited to: browsing, making a reservation, communicating with us, or otherwise connecting with us, signing up for an online newsletter.
  • Events, contests, and other events organized in hotels. If you sign up to participate in a hotel event or contest organized by our business partner, we may receive data about you.
  • Customer service centers. We collect your personal data when you make a reservation by phone, communicate with us by email, fax, or through online chat services, or contact our customer service center. Any communication with our customer service centers may be recorded to improve the quality of our Services.
  • Internet-connected devices. We collect your personal and other data from internet-connected devices that you use during your stay in hotels -- e.g., when connecting to the wireless network at the respective facility. Through these devices, we can collect your personal data related to your interests and preferences when browsing the internet to provide you with personalized offers and improve our Services.

4. FOR WHAT PURPOSES AND ON WHAT GROUNDS DO WE COLLECT YOUR PERSONAL DATA?

Below in the table you can find information about all the purposes for which we collect and process your personal data, a description of the processing activities, as well as the specific legal basis under the applicable legislation, in particular Regulation (EU) 2016/679 on the protection of personal data (General Data Protection Regulation or GDPR):

Activity requiring the processing of personal data Purposes of the processing of personal data Legal basis for the processing of personal data
Reservations and registration of guests in our hotels For the purposes of making and administering reservations for hotel accommodation and related Services; carrying out pre-arrival communications (logistics, changes, preferences, etc.); processing payments and security deposits 1. For the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract, including to meet the individual preferences of our guests (Art. 6, paragraph 1, b. "b" of the GDPR).
2. For compliance with a legal obligation to which the controller is subject (Art. 6, paragraph 1, b. "c" of the GDPR).
Reception and services for stay and tourist accommodation For the purposes of facilitating check-in and check-out; processing payments; providing consistent and personalized service and advice regarding our services (including based on previous use of our services or explicit preferences); providing concierge services, luggage storage and parking; negotiating with third parties on behalf of guests (such as arranging taxi services, transfers and chauffeur services); facilitating restaurant and event reservations and bookings; administering and facilitating access to Wi-Fi, television and other connectivity services (including access to business center services such as fax and photocopying services) and entertainment systems (such as PlayStation and music players); facilitating in-room dining (including taking into account any dietary, health restrictions or other personal needs expressed by the guest); housekeeping services (including preferences for special pillows, duvets and other amenities expressed by the guest) and dry cleaning services; handling customer requests, inquiries and complaints; determining the right to use goods and services with age restrictions (such as the sale of alcohol, tobacco products, etc.). 1. For the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract, including to meet the individual preferences of our guests (Art. 6, paragraph 1, b. GDPR).
2. For compliance with a legal obligation to which the controller is subject (Art. 6, paragraph 1, c. GDPR).
3. Where the data subject has consented to the processing of his or her personal data for one or more specific purposes – e.g. for the preparation of an individual diet, in accordance with personal preferences, etc. (Art. 6, paragraph 1, a. GDPR).
Conferences and events To communicate with clients regarding conferences and planning of other events (“Events”); facilitating reservations and registrations for Events; carrying out communications before the Events (logistics, accommodation, changes, etc.); preparing and coordinating the Events in accordance with the instructions, expectations and preferences of the customers; facilitating catering; communicating about invoicing and refunding amounts due; processing payments and security deposits; carrying out credit checks; processing customer requests, inquiries and complaints; communicating with participants during the Events. 1. For the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract, including responding to complaints and recommendations (Art. 6, Paragraph 1, Point "b" of the GDPR).
2. For compliance with a legal obligation to which the controller is subject (Art. 6, Paragraph 1, Point "c" of the GDPR).
Carrying out the Company's usual business activities To administer customer service services to facilitate and address inquiries, comments and complaints about any of our services (for example, in person, via telephone lines, email or on social media); to provide security and fraud prevention services; to administer the Online Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and data hosting); to monitor and analyze the use of the Services and use data analytics to improve services, marketing, programs, the overall customer experience, collect feedback, conduct pilot programs for potential new Services, to improve existing Services; to facilitate mergers, acquisitions and other reorganizations and restructurings of our business (including future transactions). 1. For the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract, including to satisfy an individual the preferences of our guests (Art. 6, paragraph 1, b. GDPR).
2. For compliance with a legal obligation to which the controller is subject (Art. 6, paragraph 1, b. GDPR).
3. When the data subject has consented to the processing of his or her personal data for one or more specific purposes - e.g. for the preparation of an individual diet, according to personal preferences, etc. (Art. 6, paragraph 1, b. GDPR).
4. For the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Art. 6, paragraph 1, b. GDPR).
Emergency and incident response To ensure the safety of our guests and property; responding to, processing and documenting on-site accidents and medical and other emergencies (including facilitating the services of in-house doctors); actively monitoring our sites to ensure adequate prevention, response and documentation of incidents (including video surveillance); requesting assistance from emergency services; sending notifications and alerts in the event of incidents or emergencies (e.g. via SMS, e-mail, call, invitations from audiovisual devices, etc.). 1. For the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract, including to meet the individual preferences of our guests (Art. 6, para. 1, lit. "b" of the GDPR).
2. For compliance with a legal obligation to which the controller is subject (Art. 6, para. 1, lit. "c" of the GDPR).
3. To ensure the protection of the vital interests of the data subject or of another natural person (Art. 6, para. 1, b. "d" of the GDPR).
4. For the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Art. 6, para. 1, b. "f" of the GDPR).
To ensure legal and administrative compliance of our activities with legal requirements To comply with applicable laws and legal procedures; to respond to requests from public and government authorities; to comply with national security or law enforcement requirements; to enforce our Terms and Conditions; to protect our business interests and operations; to protect the rights, privacy, safety or property of the Company, its guests, visitors and other persons; to use available legal protection mechanisms, limit the damages that the Company may incur on the basis of contractual or non-contractual liability. 1. For the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract, including to satisfy the individual preferences of our guests (Art. 6, paragraph 1, b. "b" of the GDPR).
2. For compliance with a legal obligation to which the controller is subject (Art. 6, paragraph 1, b. "c" of the GDPR).
3. To ensure the protection of the vital interests of the data subject or of another natural person (Art. 6, paragraph 1, b. "d" of the GDPR).
4. For the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Art. 6, para. 1, lit. "f" of the GDPR).
Provision of SPA, beauty and fitness services For the administration of hotel accommodation reservations; determining the right to use Services; respecting restrictions related to disabilities or other health problems and ensuring appropriate and safe activities, services and procedures; providing consistent and personalized Services based on previous use of our Services and preferences expressed by our guests; processing payments; providing requested specialists for specific procedures and services; handling customer requests, inquiries and complaints. 1. For the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract, including to meet the individual preferences of our guests (Art. 6, paragraph 1, point "b" of the GDPR).
2. For compliance with a legal obligation to which the controller is subject (Art. 6, paragraph 1, point "c" of the GDPR).
3. To ensure the protection of the vital interests of the data subject or of another natural person (Art. 6, paragraph 1, point "d" of the GDPR).
4. Where the data subject has consented to the processing of his or her personal data for one or more specific purposes – e.g. for preparing an individual diet, according to personal preferences, etc. (Art. 6, paragraph 1, b. "a" of the GDPR).
5. For the purposes of the legitimate interests of the administrator or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Art. 6, paragraph 1, b. "f" of the GDPR).
Providing personalized services To improve the quality and your stay, we provide personalized services in view of your specific reservation and personal preferences: respecting taste preferences, allergies and intolerance to certain foods; respecting your preferences, complaints, requests and inquiries based on previous stays; 1. For the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract, including to meet the individual preferences of our guests (Art. 6, paragraph 1, point "b" of the GDPR).
2. Where the data subject has consented to the processing of his or her personal data for one or more specific purposes - e.g. to accommodate allergies, diets, food preferences when ordering food or intolerances (Art. 6, paragraph 1, point "a" of the GDPR, or Art. 9, paragraph 2, point "a" of the GDPR).
3. For the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) GDPR).
4. For compliance with a legal obligation to which the controller is subject, e.g. relating to payments, keeping accounting records (Article 6(1)(c) GDPR).
5. For the protection of the vital interests of the data subject or another natural person, e.g. to provide medical care to a sick customer in one of the hotels (Article 6(1)(d) GDPR).
Services related to children (for parents and guardians) To provide Services adapted to children: activities and games in a children's club; processing reservations with regard to the needs of children; coordinating hotel accommodation and services in accordance with the preferences, instructions and expectations of guests; taking into account the dietary preferences of children (special menus for children). 1. For the performance of a contract to which the data subject is a party, related to the accommodation of a child of a certain age in the room together with his/her parents, which may result in additional fees or discounts (Art. 6, paragraph 1, letter "b" of the GDPR).
2. For the purposes of the legitimate interests of the controller, for example, to provide a cot or child-sized bathrobes and other amenities for children (Art. 6, paragraph 1, letter "f" of the GDPR).
3. For compliance with the legal obligation applicable to the controller, for example, related to payments, keeping accounting records (Art. 6, paragraph 1, letter "c" of the GDPR).
4. To ensure the protection of the vital interests of the data subject or another natural person, for example to provide medical care to a child during his/her stay in one of the hotels (Art. 6, paragraph 1, b. "d" of the GDPR).
Loyalty program, customer relationship management Various activities are associated with this purpose, such as: registering users in our loyalty program; for administration in the loyalty program and determining the right to a discount on reservations; providing access to the online platform of our loyalty program; processing payments; notifying members of changes in the programs, rules and conditions; processing requests, inquiries and complaints of users of the program. 1. For the performance of a contract to which the data subject is a party, related to participation in the loyalty program, providing a discount on reservation prices (Art. 6, paragraph 1, b. "b" of the GDPR).
2. For the purposes of the legitimate interests of the controller, for example to manage the loyalty program and make changes to it (Article 6, paragraph 1, letter "f" of the GDPR).
3. For compliance with the legal obligation applicable to the controller, for example related to payments, keeping accounting books, etc. (Article 6, paragraph 1, letter "c" of the GDPR).
Marketing, promotional services and products, competitions and events of third parties To provide promotional offers to customers, discounts on reservations that may be of interest to hotel guests; to provide personalized content for our services on selected websites and applications; to send an electronic newsletter through a communication channel selected by the user; to participate in our campaigns, competitions (for example, for the best photo from a stay in our hotel), and other marketing events 1. When the data subject has consented to the processing of his/her personal data for one or more specific purposes - e.g. to send him/her personalized advertising content via the communication channel chosen by him/her - email, web application, social networks, etc. (Art. 6, paragraph 1, b. "a" of the GDPR, respectively Art. 9, paragraph 2, b. "a" of the GDPR);
2. For the purposes of the legitimate interests of the administrator, for example when we send you advertising content regarding similar products and services (Art. 6, paragraph 1, b. "f" of the GDPR in conjunction with Art. 261, para. 2 of the Electronic Communications Act).
3. For compliance with a legal obligation to which the controller is subject, for example obligations regarding the conduct and processing of lotteries organized by us (Art. 6, paragraph 1, point "c" of the GDPR);
4. For the performance of a contract to which the data subject is a party, for example to ensure your participation in ongoing campaigns, competitions and lotteries (Art. 6, paragraph 1, point "b" of the GDPR).

MORE INFORMATION ABOUT YOUR PERSONAL PREFERENCES

Our goal is to provide you with the best possible service, in accordance with your expectations and preferences at every stage – from the moment you make your reservation with us until your departure from the hotel. Below, we present more detailed information regarding the processing of your data in special cases.

Personal preferences Purposes Legal grounds
Anniversaries During your stay, we can help you celebrate a special occasion, such as an anniversary and/or birthday. For the performance of a contract to which the data subject is party, related to your request to organize a special event and/or provide a gift (Art. 6, para. 1, letter "b" of the GDPR).
Recreational activities and hobbies (e.g., beach visits, gym, organizing trips, kids' club, theater, restaurant, etc.) To take into account and satisfy your preferences regarding the types of activities you like and want to participate in during your stay in our hotels, including to ensure these personalized services for your future stays. For the performance of a contract to which the data subject is party, related to your preferences and requests for access and participation in specific recreational activities (Art. 6, para. 1, letter "b" of the GDPR).
Family and other relationships (information about spouse, son, daughter, etc.) To plan in advance and provide additional accommodation and stay conditions in our hotels, according to the people you travel and stay with, such as providing a baby cot or an extra, fold-out bed. For the performance of a contract to which the data subject is party, related to your preferences and requests for personalized services during your stay (Art. 6, para. 1, letter "b" of the GDPR).

5. HOW AND WITH WHOM DO WE SHARE YOUR DATA?

To fulfill our obligations and commitments to you during your stay, we need to share your personal data and other information with the following persons:

-   Companies within the "Sv. Sv. Konstantin I Elena Holding" AD hotel group for the purposes described in this Policy, such as for: providing services, part of joint packages with the hotels in the chain, for the management of our loyalty program, providing discounts on reservations in the hotels in the chain, for the purposes of operational management of hotels and business forecasting. These companies are described in item 1 of this Policy and the Company has concluded an explicit agreement with them for the processing of personal data in accordance with Art. 26 of the GDPR.

-   Service providers on the territory of the hotels and/or when traveling. We share your personal information with companies and organizations that provide their own services on the territory of the hotels, including those conducting their own marketing activities. This sharing also allows us to provide you with a single source for purchasing travel packages related to travel -- airline tickets, car rentals, etc.

-   We partner with certain third parties who allow you to create user profiles for the use of their services or to purchase their products. Such as social network providers whose services allow you to connect your account in the respective social network with the one in the Online Services. When you register for the purposes of using the Online Services, we disclose your personal data and other information to these third parties. If you do not wish to share your personal data in this way, please do not link your social network profile for the use of our Online Services.

-   We also share your personal data with insurance companies providing travel insurance, including travel insurance, when you use their products. The data shared in this way is processed in accordance with the privacy policy of the respective insurance company, and not this Policy.

-   We also partner with third parties who may organize promotional activities and events on the territory of the hotels, such as lotteries, contests, and others. If you decide to participate in these advertising events, your data may be transferred to these persons.

-   Corporate partners. If you are an employee of a company that participates in the corporate program of the hotels in the "Sv. Sv. Konstantin I Elena Holding" AD chain, respectively make a reservation in one of our hotels using a corporate discount code or pay your accommodation expenses with a corporate credit card, a statement from your account with detailed information about the services provided to you may be sent to your employer and to the company that issued the credit card. This Policy does not apply to the processing of your data by your employer, the credit and/or payment institution that issued your payment card. We are not responsible for their data processing practices and standards.

-   We also disclose personal data to our other suppliers, including companies that provide hosting and support in connection with our Online Services, web analytics and remarketing, payment and transaction processing, order fulfillment, customer service, marketing, audit, legal advice, and other services.

-   We also share your personal data (contained in video recordings) with the private security company that manages the video surveillance and security system installed on the territory of the hotels, to ensure your safety, health, and property during your stay.

We use and disclose your personal data only when we believe it is necessary or appropriate: (a) to comply with the applicable legislation to which we are subject; (b) to fulfill our contractual obligation to you as a user under a contract, terms and conditions, etc.; (c) to respond to requests from public authorities, including bodies and institutions outside your country of residence, so as to comply with national security or law enforcement regulations; (d) to protect and ensure the continuity of our business operations, including in cases of transformation and reorganization, merger, sale, establishment of a joint venture, or other disposition of all or part of the Company's assets (including personal data); (e) to protect your rights, privacy, and health, the employees of the Company, and all persons on the territory of the hotels, to secure the property of the Company or the guests of the hotels; and (e) to use the legal remedies guaranteed to us by law to protect our legitimate interests.

We may use and share other data for any purpose, except where prohibited by applicable law. When sharing your personal data, we apply all appropriate organizational and technical measures to ensure confidentiality, including when transmitting information, by requiring our partners and suppliers to whom we transmit the data to take at least the same level of care and security measures to protect your personal information.

Transfer of personal data outside the European Union and the European Economic Area

Some of our suppliers and partners to whom we transfer your personal data are located in countries outside the EU and the EEA. For these countries, there may not be an adequacy decision from the European Commission, respectively, the level of personal data protection may be lower than that in the EU and the EEA. In any case, however, when transferring data, we provide and guarantee the existence of appropriate safeguards to ensure the secure processing of your data in the third country for the EU. For example, we conclude standard contractual clauses approved by the EC with our suppliers or partners, obliging them to apply at least the same level of technical and organizational security measures to your personal information as we do.

The suppliers to whom we transfer personal data about you are two groups: (a) suppliers providing hosting services for us, whose servers are located outside the EU and the EEA; or (b) suppliers of web analytics, remarketing, and email marketing services. The latter are located in the USA, for which the European Commission has declared that there is an adequate level of protection under the EU-US Data Privacy Framework of July 11, 2023.

6. WHAT ARE YOUR RIGHTS?

In accordance with the applicable legislation -- the GDPR and the Bulgarian Personal Data Protection Act (PDPA), as data subjects, you can exercise the following rights:

-   The right to access the personal data that the Company processes about you, as well as to receive a "copy" of them;

-   The right to request the Company to correct if you find inaccuracies or the need to update your personal data;

-   The right to request the blocking of your personal data or the restriction of processing, in the cases specified by the GDPR;

-   The right to request deletion, i.e., deletion of your personal data from the Company, if there are legal conditions for this;

-   The right, whenever you wish, to withdraw your consent to your personal data being processed for the purposes for which you have given consent, for example for marketing, by sending an email in free text to gdpr@stconstantine.bg, or by unsubscribing from receiving such messages through the corresponding button in the last email you received;

-   The right to request the portability of your personal data in a structured, machine-readable, and commonly used format;

-   The right to object to the processing of your personal data, which is based on our legitimate interest or that of a third party, including profiling based on the legitimate interest.

You can exercise all rights during the processing of your personal data by sending an email in free text to gdpr@stconstantine.bg, or by sending a letter to the address: Varna, P.O. Box 9006, Primorski District, St. St. Constantine and Helena Resort -- Administrative Building.

What does each of the above rights mean?

Right of access to personal data

This right allows you to obtain information about the data that identifies the Company as the administrator of your data, the purposes of their processing, the recipients or categories of recipients to whom the data may be disclosed, data on the mandatory or voluntary nature of providing the data and the consequences of refusing to provide them, as well as information on the right of access and the right to correct the collected data.

The data is not provided when the individual to whom it relates already has it or there is an explicit prohibition in the law for their provision.

In case of doubts about the identity of the data subject who has made a request for access, the Company reserves the right to request additional information in accordance with the applicable legislation.

Right to deletion, correction, blocking

You can at any time request the Company to delete, correct, or block personal data, the processing of which does not meet the requirements of the GDPR, as well as the right to request that third parties to whom the personal data has been disclosed be notified of any deletion, correction, or blocking, except in cases where this is impossible or involves excessive effort.

Right to restriction

You can send a request for restriction against the processing of your personal information if:

a) you have disputed the accuracy of the personal data, for the period in which we perform a check; b) the processing is unlawful, but you require restriction of their use instead of their deletion; c) we no longer need the personal data for the purposes described in this Policy, but you have requested them for the establishment, exercise, or protection of legal claims; d) you have objected to the processing pending verification of whether the Company's legitimate interests override yours; You have the right to be notified before your personal data is disclosed for the first time to third parties or used on their behalf for direct marketing purposes, and you have the right to object to such disclosure or use.

Right to portability

When the processing of personal data is done automatically, you have the right to receive the personal data relating to you in a structured, widely used, machine-readable, and interoperable format, as well as to request that they be transferred to another data controller.

Right to file a complaint with the Commission for Personal Data Protection

You can file a complaint with the Commission for Personal Data Protection ("CPDP") if there is a violation of your rights as a data subject, in the following ways:

-   In writing at the address: Sofia, P.O. Box 1592, 2 Prof. Tsvetan Lazarov Blvd.;

-   Phone: 02/91-53-519; 02/91-53-555;

-   Fax: 029153525; or

-   Email: kzld@cpdp.bg

You can find the CPDP website at: www.cpdp.bg

Alternatively, you can seek protection of your rights from the relevant administrative court in accordance with the general rules of jurisdiction in the Administrative Procedure Code.

"Cookies" and other technologies on Our Websites

For information about your choices regarding individual "cookies," respectively how you can withdraw your consent or block "cookies" and other similar technologies, please review our Cookie Policy.

7. OTHER INFORMATION RELATED TO YOUR PERSONAL DATA

Links to other websites

Our websites contain links to other internet pages. This Policy and our responsibility regarding the processing of personal data are limited only to our own information collection and storage practices, respectively, we are not responsible and cannot guarantee the legality of personal data processing activities by third-party websites. We encourage you to review the privacy and security policies of all external websites before providing any personal information when accessing their services.

Security

The security of your personal information is a top priority for us, and in this regard, we apply the highest level of technical and organizational measures to protect your data. For example, Our Websites use the SSL encryption protocol to protect the transmission of your personal information and other data when you use the Online Services (when making online reservations).

The personal information we collect from you online is stored by us and/or our service providers on servers, combining physical and informational access control measures, firewalls, and other reasonable security measures.

Storage periods

In principle, we store your personal data for the period necessary to fulfill the purposes described in this Policy, unless the law requires or allows a longer storage period. The criteria used to determine retention periods include:

-   The duration of our relationship with you and the provision of services (e.g., as long as you have an account with us or continue to use the services, and as long as necessary to fulfill the terms of the loyalty program);

-   If there is a legal obligation under which we are required to store your data for a certain period of time; and

-   If the storage of your data is necessary to protect our legitimate interests (e.g., within the statute of limitations for filing legal claims; until pending litigation, proceedings before public authorities, and/or regulator checks are completed).

In view of the described criteria, your personal data is stored by us for a period of 5 years from the termination of our contractual basis, if we process personal data for the performance of contractual obligations to you. After the expiration of this period and if there is no legal basis to continue the storage of your personal data, the information about you is destroyed. We will not delete or anonymize your personal data if they are necessary for pending legal or administrative proceedings or proceedings for considering your complaint against us or a complaint/claim of the Company against you.

Personal data collected for the purposes of managing reservations are stored for a period of 5 years, in accordance with the requirements of the applicable legislation in the Republic of Bulgaria, Art. 116, para. 2 of the Tourism Act.

Personal data contained in documents drawn up for accounting or tax purposes are stored for a period of 10 years in accordance with the applicable accounting, respectively tax and social security legislation in the Republic of Bulgaria.

If we have collected your personal data based on your explicit consent for direct marketing purposes, we limit their processing to 2 years from the moment of automatic receipt of consent or until you withdraw it, if you do so earlier.

Personal data contained in video recordings, drawn up for the purposes of property protection and the protection of public order, are stored for a period of 2 months in accordance with the applicable legislation in the Republic of Bulgaria.

Changes to the Policy

In response to technological developments and changes in legislation, this Policy may be amended at some point. When the Policy is amended, we will take appropriate measures to notify you.

This Policy has an effective date indicated at the end of the document.

8. HOW TO CONTACT US?

If you have any questions related to this Policy, please contact the relevant coordinates:

"Sv. Sv. Konstantin I Elena Holding" AD, with UIC 813194292

Mailing address: Republic of Bulgaria, Varna, P.O. Box 9006, Primorski District, St. St. Constantine and Helena Resort - Administrative Building

Executive Directors - Elena Koseva Koseva and Ivelina Kyncheva Shaban

Email address: gdpr@stconstantine.bg

Effective date: April 1, 2025

Още полезна информация