Policy on confidentiality and personal data protection
- Introduction
- This Policy on Confidentiality and Personal Data Protection ("the Policy") governs the manner in which we collect, process and store your personal data in accordance with the requirements of "General Regulation on Data Protection " – Regulation (EU) 2016/ 679, the Personal Data Protection Act of the Republic of Bulgaria and other normative Bulgarian and international acts.
- Confidentiality of information about our users is a top priority for us. The partners in their capacity as Personal Data Controllers and in accordance with the legislation and best practices apply the required technical and organizational measures for personal data protection of natural persons. The Platform www.Questour-Project.eu meets all the requirements of the new regulation, by collecting data on persons, only in so far as it is necessary respectively for the implementation: of the activity of the company; for provision of our services; for the use of our website and for marketing purposes.
- This Policy provides information on how and what types of personal data we collect from and about you, why we need it, whom it may be submitted or disclosed to and how it is protected.
- Definitions:
- "personal data" means any information related to an identified natural person or a natural person who can be identified ("data subject"); a natural person who can be identified, is a person who can be identified, directly or indirectly, in particularly by an identifier such as a name, identification number, location data, online identifier, or by one or more signs, specific for the physical, physiological, genetic, psychological, mental, economic, cultural or social identity of this natural person;
- "We", "us", "Partners" mean the Partners on the project “QuesTour – Valorization and capitalization of unexplored tourism cultural and historical routes in the cross-border region Bulgaria-Serbia”, contract number RD-02-29-59/14.04.2020, ref. number: CB007.2.13.225, funded by the Interreg-IPA CBC Bulgaria-Serbia Programme 2014-2020, namely:
- National Tourism Cluster, "The Bulgarian Guide", a non-profit association, established under the laws of Bulgaria, with head office in the city of Sofia, ("NTC").
- ENECA - Association of Economic Experts, a non-profit association, established under the laws of Serbia, with head office in the city of Nis (“ENECA”).
- Vratsa Municipality, Bulgaria.
which jointly administer the Platform and collect and process personal data in this respect.
- The "Platform" means the site www.Questour-Project.eu
- "processing" means any operation or set of operations, carried out with personal data or set of personal data, by automated or other means, such as collection, recording, organization, structure, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise, in which data becomes available, arrangement or combination, restriction, deletion or destruction;
- "Regulation" means "General Regulation on Data Protection" – Regulation (EU) 2016/679.
Please, read this Policy carefully. By providing your personal data to our Partners, whether electronically or on paper, you accept and agree to the practices described in this Policy on confidentiality and personal data protection.
Please, in case you have any questions about this Policy, contact us – the officer on data protection and, in the case, you do not agree with some of the conditions contained in the Policy on Data Protection, we do not recommend the use of products and services provided by the Platform, which require you to provide your personal data.
- Contacts and links
- Information about Partners in their capacity as Data Controllers.
In connection with the processing of your personal data you can contact us through the following contacts:
Name: National Tourism Cluster, "The Bulgarian Guide"
Address for correspondence: 1404 Sofia, Gotse Delchev, bl. 26, office 2
Telephone: + 359 2 850 50 09
E-mail: questour@bg-guide.org
Website: www.bg-guide.org
- Information on the competent supervisory authority:
Name: Commission for personal data protection
Seat and address of management: Sofia, p.o. box 1592, Blvd. "Prof. Tsvetan Lazarov " No. 2
Address for correspondence: Bulgaria, city of Sofia, p.o. box 1592, Blvd. "Prof. Tsvetan Lazarov " No. 2
Telephone: + 359 2 915 3518
In case you believe that we violate your rights related to processing of your personal data, and in accordance with the requirements of the "General Regulation on Data Protection – Regulation (EU) 2016/679 you have the right to file a complaint to the officer for Data Protection, to file a complaint to a supervising authority or to seek protection through the courts as follows:
Right to appeal to a supervisory authority
In case you wish to file a complaint concerning the processing of personal data carried out by us, or regarding the way in which we handled your complaint, you have the right to lodge a complaint with the Commission for Personal Data Protection and the data protection officer (if such is available).
You can lodge a complaint in one of the following ways:
- Personally, on paper carrier in the records office of KZLD at the address: 1592 Sofia, blvd. "Prof. Tsvetan Lazarov "No 2.
- By letter to the address: 1592 Sofia, blvd. "Prof. Tsvetan Lazarov "No. 2, Commission for Protection of Personal Data.
- By fax at: 029153525.
- Electronically to the e-mail address of the KZLD (kzld@cpdp.bg). In this case, your complaint should be formed as an electronic document signed with an electronic signature (not scanned).
- Through the website of the KZLD at the address https://cpdp.bg/?p=pages&aid=6 as described on that page. In this case your complaint should be formed as an electronic document signed with a digital signature.
In each of these cases, the complaint should contain:
- applicant's data – name, address, telephone number, email address (if available)
- nature of the complaint
- other information and documents that you consider relevant to the complaint
- date and signature (for electronic documents – electronic signature, for paper documents – personally signed)
KZLD provides a complaint form to the Commission (for support and facilitation of citizens) in connection with the abuse during personal data processing in the lists of voters, supporting the registration of political entities. The form can be downloaded from the following page: https://cpdp.bg/userfiles/file/Documents_2017/Forma_jalba_politicheski subekti.doc
- Principles and Reasons for collection, processing and storage of personal data
- In order that processing of personal data is in accordance with the legal requirements, personal data is collected and used lawfully, the adequate security of processing operations is provided and we have taken the necessary measures in order that processing of personal data is not to subject to unauthorized disclosure. In accordance with the fundamental principles observed by us, your personal data is:
- processed lawfully, fairly and in a transparent manner in respect of the data subject ("legality, good faith and transparency”);
- collected for specified, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes ("limitation on the purposes");
- appropriate, connected with and limited to what is necessary in relation to the purposes for which it is processed ("reducing data to a minimum");
- accurate and maintained in an up-to-date form; we have taken all reasonable measures to ensure the timely deletion or correction of inaccurate personal data, with regard to the purposes for which it is processed ("precision");
- kept in a form which permits identification of the data subject, for a period not longer than is necessary for the purposes for which personal data is processed; ("limiting storage");
- processed in such a way as to ensure an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures ("integrity and confidentiality");
- Each Partner is responsible and is able to prove that he complies with the General principles related to processing of personal data ("accountability").
- Reasons for personal data collection:
- Partners collect and process your personal data in connection with the use of the company’s site and subsequent provision of information pursuant to art. 6, para. 1 of Regulation (EU) 2016/679 and in particular – on the basis of an explicit consent from you as a customer/potential customer. You are not obliged, and we do not require you to register or provide personal data in order to have a look at our Platforms, or to access the majority of their content. The provision of personal data through our Platforms is made via a request form. By providing your personal data in the request form – you should give your consent to the provision of the data, which automatically means you consent to our processing it in order to respond to your inquiry;
- Partners collect and process your personal data in case you give your consent to receive notifications from us, related to our projects, events, campaigns, offers, suggestions related to our activities and news about the company;
- Partners administer personal data also for the purposes of the legitimate interests of the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject prevail over such interests which require protection of personal data;
- Partners collect and process personal data in connection with the selection of staff for various positions, announced by the company. Vacancies may be advertised in the section "Job exchange" of the Virtual center, with the possibility to apply for a position by using a special contact form or by sending a message, and the necessary documents to the specified e-mail;
and in other legally binding hypotheses.
- Purposes of personal data processing
- In accordance with the requirements of Section I – Transparency and the terms of Regulation (EU) 2016/679 the Partner provide transparent information, communication and conditions for exercising the rights of data subjects in conformity with article 12 of the Regulation.
- Partners collect, process and store personal data for the following purposes:
- The provision of educational services;
- For marketing activities – associated with our projects, events, campaigns, offers, suggestions related to our activities and news (and when explicit desire for receipt of such information is expressed), etc.
- To communicate with you;
- For legal purposes – for resolution of legal disputes and the protection of rights and legitimate interests of the Partners;
- Types of data collected, processed and stored by the Partners
- For carrying out the purposes referred to in paragraph 4 of this Policy, the Partners collect, process and store the following categories of data:
Data for the identification of persons: name, surname, family name;
Contact details: address, phone number, email address, position, etc.;
Details of used IP address (when you sign in to the site);
Data depending on the specifics of the services used, respectively, of the type of relations in which you participate;
- We do not collect: personal data which is related to racial or ethnic origin; which reveal political, religious or philosophical belief; genetic and biometric data;
- Time limit for storing personal data:
Partners store your personal information for the period necessary to carry out the purposes, described in this Policy, unless a longer period of storing is needed, or such is allowed by applicable law. The storing is carried out in compliance with the statutory time limits for the particular category of documents (forms, financial statements, accounting records, etc.), as well as the statutory limitation periods in the Tax Insurance Procedure Code (TIPC), the Accounting Act, the Social Security Code (SSC), the Law on Obligations and Contracts. After the expiry of the period of storage, we take the necessary care to erase and destroy any data, without undue delay, pursuant to the adopted procedure for destruction of personal data.
- Sources of personal data
Personal information collected by us shall be collected by the persons concerned; through the contact forms on the company sites; by third parties – our contractors and/or intermediaries, in compliance with the requirements of the Regulation.
- Rights of the individuals, whose data is processed
- Right of access: You have the right to request and receive a confirmation from us whether personal data related to you is processed; To get access to the data related to you, as well as information related to collection, processing and storing of your personal data; We provide you on request a copy of the processed personal data related to you in electronic or other appropriate form; Provision of access to the data is free, but we reserve the right to put an administration fee in case a series or excessiveness of requests;
- Right of correction: You can correct or fill out inaccurate or incomplete personal data related to you, directly by sending a request to us.
- The right to delete (the right "to be forgotten"): You have the right to ask us to delete the personal data related to you, and we are obliged to delete it, without undue delay, whenever there are grounds provided for in the law, and if there are no other grounds for legitimate processing or lawful grounds for refusal of the collector to delete the data; The Partners do not delete data, for which there is a legal obligation to keep, including for protection, on the occasion of filed judicial claims against him or proof of his rights.
- Right of limitation: You have the right to request us to limit the processing of personal data related to you when: you contest the accuracy of the personal data, for a period of time that allows us to check the accuracy of the personal data; processing is unlawful, but you do not want your personal data to be deleted, but only its use to be limited; We don't need the personal data any more for the purposes of processing, but you request it for the establishment or defense of your legal claims; You have objected against its processing and await for verification whether the legal bases of the Partners prevail over your interests;
- Right of portability: You may at any time withdraw the data that is stored and processed for you, in connection with your relations with the Partners by sending a written request to the Controllers. When it is technically feasible, you can request a direct transfer of personal data to a Collector specified by you;
- Right to information: You have the right to request to be notified about any action related to correction, deletion or restriction of processing;
- Right to object: You can object at any time against the processing done by us of the personal data related to you when processing is based on: the implementation of a task of public interest, or on the basis of official powers; for the purposes of the legitimate interests of the controller; for the purpose of scientific or historical research or statistical purposes, including for profiling or processing for the purposes of direct marketing;
- You have the right to refuse to be subject of a decision, based solely on automated processing, including profiling, which gives rise to legal consequences for you or concerns you considerably. We do not perform automated decision-making with data.
- Right of complaint: You have the right to lodge a complaint to the Commission for Personal Data Protection in case of violation of Regulation (EC) No. 2016/679 of April 27, 2016 and the right to an effective defense against the KZLD, controller or processor of your personal data;
- Right for compensation: You have the right to compensation for tangible or intangible damages suffered as a result of a breach of Regulation (EU) No. 2016/679.
- For the exercise of the aforementioned rights you should send a request to us, as well as to verify your personality and identity with the person to whom the data is related.
- You have the opportunity to exercise your rights as follows:
- By Internet: E-mail address questour@bg-guide.org
- Withdrawal of consent for processing of your personal data
When you have consented to the processing of your personal data for one or more specific purposes, if you do not want all or part of the data to continue to be processed by us for specific or all purposes of processing, you can at any time withdraw consent for processing by sending a request to the Partners in a free text.
- Transfer of personal data to third parties or international organizations
- Transfer of personal data that is processed or is intended for processing after transfer to a third country or an international organization outside the EU is carried out by us only under the conditions laid down in the General Regulation on Data Protection – Regulation (EC) 2016/679, subject to the conditions set out in chapter V of the regulation. The Partners apply all the provisions of the regulation, so as not to put at risk the necessary level of protection for natural persons, provided by the regulation.
- In the event that the Partners will carry out transfer of personal data to a third country or an international organization outside the EU, this transfer is carried out in accordance with the company's procedure for the transfer of data outside the EU, and the data subjects shall be informed in advance by requiring their consent for the transfer of personal data.
- Persons to whom your personal data is provided
Individuals – employees of the Partners who have access to your personal data are strictly defined in the internal Rules of the company and in the procedures for the processing of personal data, and the level of access to various registers of personal data is also defined.
It is possible for the Partners to transmit your personal data to third parties who are related to processing or are processors of personal data, of administrative structures and authorities of the executive power, etc., or of persons related to the Partners. In all cases, the transfer of personal data is carried out by the Partners in implementation of the purposes of processing and in strict compliance with the requirements of Regulation (EU) 2016/679.
- Breaches and notification of breaches
- "Breaches of security of personal data" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored or otherwise processed by the Partners.
- In the event of a breach of security of personal data, which is likely to present a risk to the rights and freedoms of natural persons, without undue delay and where practicable – not later than 72 hours after they have found out about it, the Partners notify of the breach the Commission for the Protection of Personal Data.
- If the Partners establish a breach of security of your personal data, which may pose high risk for your rights and liberties, we inform you without undue delay for the breach, as well as the measures taken or that would be taken.
The Partners may not notify you if:
- they have undertaken appropriate technical and organizational measures to protect the data affected by the breach of security;
- they eventually took measures to ensure that the violation would not lead to a high risk for your rights;
- The notification would require a disproportionate effort.
- Changes in the policy of confidentiality
The Partners have the right to update, amend and supplement the policy on data protection at any time in the future when circumstances request it.