I. Purpose and scope
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) come into effect on 25 May 2018.
Personal data means any information relating to a natural person who can be identified or is identifiable, directly or indirectly, by reference to an identification number or to one or more specific factors.
Processing of personal data means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of such processing.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
III. Processing of personal data
As Controller of personal data, the Regional Development Foundation processes personal data: 1. Autonomously, through its employees, who under its authority perform personal data processing operations within the meaning of Article 29 of Regulation (EU) 2016/679 and in compliance with the need-to-know principle; 2. Through assignment to a processor, in which case the Foundation determines the purposes and means of the processing of personal data, where relevant lawful basis for it exists, in accordance with the provisions of the Personal Data Protection Act and the GDPR.
IV. Principles relating to the processing of personal data
As Controller of personal data, the Regional Development Foundation processes personal data in accordance with the principles of protection of personal data specified in the GDPR, namely:
1. Lawfulness – the collection and processing of personal data is performed only on a lawful basis, as specified in Article 6 (1) of Regulation (EU) 2016/679;
2. Fairness – personal data may only be processed in relation to the purpose for which they have been collected;
3. Transparency – refers to the right of the subject to be informed of the processing of personal data, as well as of the information to be provided within the meaning of Article 13 and Article 14 of Regulation (EU) 2016/679;
4. Storage limitation – includes an assessment, prior to processing, as to whether and to what extent the processing of personal data is necessary to achieve the purposes for which it is performed. Personal data may not be collected in advance; nor may they be stored for potential future purposes;
5. Erasure – means that personal data which are no longer necessary and whose storage is not otherwise lawfully grounded will be erased;
6. Accuracy – means that personal data must be accurate, complete and kept up to date;
7. Integrity and confidentiality – refers to the appropriate organisational and technical measures taken to protect personal data against unauthorised access or dissemination, accidental loss, alteration or destruction;
8. Accountability – refers to the traceability and documentation of any processing of personal data.
As Controller of personal data, the Regional Development Foundation respects the principle of processing special (sensitive) categories of personal data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. This shall not apply if the processing is necessary for the purposes of carrying out obligations and exercising specific rights on behalf of the Controller in the field of employment law and for the purposes of occupational medicine.
V. Processing of personal data over the website holysites.me
The Regional Development Foundation processes personal data for the following purposes:
- When we carry out activities related to contracting, amendment and termination of contractual relationships, preparation of documents and other information for the purposes of the website. In such cases, the following data is processed: full name(s), identity document data, bank account, address, telephone, e-mail etc.
- When you contact us through our website, as well as when you have to complete or take part in one of the following: online questionnaire; request; online form; contact form or registration/reservation form; participation in online chat lines, forums and online discussions; sending in different types of enquiries etc. When contacting us, you provide, partially or in full, the following information: given name and surname, e-mail, telephone or other means of internet connection, as well as other data, where the information already provided is not sufficient to process the service.
- When you purchase services or packages from us, whether in our office or online, using different payment tools, we collect and process data appearing on your identity document (name(s), address, personal identification number, date of birth, place and date of issue, validity), financial information (bank account, credit card or other payment tool), health data (when travelling), additional insurance or visa information (copy of identity document etc.), if necessary.
- When participating in video productions which we promote through the website, you voluntarily agree that the data you disclose will be disseminated through the website, as well as through other media channels, without it having to be explicitly requested from you in advance.
- Technical information collected through cookies, e.g. user activity data; site browsing data; site visit data; information about the type of browser and operating system used; pages visited and ads followed etc.; pixels and codes of various social media, analytics tools and websites allowing platforms like Facebook, Booking.com, Google Adwords, Google Analytics and others to interact with the website and provide feedback on your actions.
- Third party personal data: when making online reservations on platforms like booking.com, Airbnb and others linked to the website, you agree to the terms and privacy policies used on those platforms concerning the protection of your personal data.
- When you visit our website, our web servers store information about the your browsers and operating systems, our webpages you visit, the date of your visit and the IP-address provided by your internet service provider for a period of 7 days for protection purposes, for example for identifying attacks against our website.
VI. Use of personal data
You personal data is used in the following cases:
- When we provide you with the specific service you have requested;
- When we provide you with the information you need and have expressed interest in through the communication channels you have chosen;
- When we send you information about our products and services, as well as offers from other companies and organisations which we believe might be of interest to you, including online advertisements and commercials, after obtaining your prior consent;
- When you complete feedback forms which help us learn more about you as user and enable us to provide you with personalised offers and services;
- When completing online questionnaires, forms, requests and inquiries, you agree that they may be used by the Regional Development Foundation for reporting purposes with regard to the financing institutions and bodies providing funding to our organisation;
- When we can assist you in any situation which may occur or when we need to notify you of important changes to our terms of service or to our internal policies, including in the event of break of data;
- When voluntarily participating in one of our video productions, you agree to its distribution either through the website or through other media channels;
- When we respond to requests from local or foreign regulatory, government or judicial authorities in connection with legal claims, proceedings initiated by competent authorities etc.
VII. Legal basis for the processing of personal data
The personal data of each natural person are provided voluntarily by the person him/herself. Depending on the purpose for which the data are used, the Regional Development Foundation recognises the following legal bases for processing of personal data: 1. Legal obligation; 2. Conclusion of a contract and/or fulfilment of contractual obligations in accordance with the provisions of national, European and international law; 3. Fulfilment of obligations arising from a normative act, e.g. the Accountancy Act and the Tax and Social Security Procedure Code, when we provide information to judicial and other government bodies in our legitimate interest; 3. In the event of explicit consent – when sending enquiries, you may be asked if you prefer to receive promotional and information messages from us. Should you opt to change your selected preferences, you can do so by e-mail or by using the contact telephone number provided on the webpage.
VIII. Categories of data subjects
As Controller of personal data, the Regional Development Foundation processes personal data of the following categories of subjects: 1. Website users; 2. Counterparties (clients, suppliers, trading partners, subcontractors etc.) – as long as they are natural persons, or their representatives and/or contact persons – as long as they are legal persons; 3. Target groups involved in the projects implemented by the Regional Development Foundation; 4. Participants in audio and video productions of the Regional Development Foundation, such as audio/video clips, announcements, films or any other audio/video production.
IX. Categories of personal data processed
As Controller of personal data, the Regional Development Foundation processes the following categories of personal data for the purposes of the website:
1. Counterparty data (refers to clients, suppliers, trading partners, subcontractors, landlords, tenants etc.): identification data – names, identification number, permanent address, telephone number, e-mail, unique national identification number (EГН for Bulgaria); economic and financial information – bank account, credit and debit card data and data relating to other payment instruments required to process payments and conclude contracts. Such data is processed in connection with fulfilment of regulatory obligations, conclusion of contracts and/or fulfilment of contractual obligations in accordance with the provisions of national, European and international law.
2. Video recordings by technical means – by voluntarily participating in copyright productions (videos, films, video and audio commercials) of the Regional Development Foundation, the participant agrees to their future processing and distribution.
3. Data about clients or users of website services – by completing questionnaires, submission of requests, e-mail or telephone enquiries, online reservations etc., you agree that your identification data (such as names, biographical data, address, е-mail, personal identification number, date of birth, bank account, payment instruments, financial identification or other information relating to the service requested or provided) may be processed for the purposes of the service.
X. Consequences of refusal to provide personal data
The explicit consent of natural persons whose data are processed is not always required when there exists other legal basis allowing the Controller to process personal data, namely: 1. Conclusion or implementation of a contract; 2. Legal obligations of the Controller; 3. Protection of vital interests of the data subject or of another natural person; 4. Carrying out a task of public interest or exercising official powers conferred on the Controller; 5. Legitimate interests of the Controller or of a third party, as long as these interests prevail upon the interests or fundamental rights of the data subject; 6. Mutual agreement between the two parties, arising in the events of submission of a request, e-mail correspondence, participation in a video production. The personal data requested by the staff of the Regional Development Foundation shall be consistent with the purposes with regard to which they are being processed and shall be binding upon the parties. In case of refusal of voluntary provision of requested personal data, the Regional Development Foundation will not be able to fulfil its statutory obligations, including being to deliver its services.
ХI. Provision of personal data outside the Regional Development Foundation
The personal data processed by the Controller are provided to: 1. The natural persons to whom the data refer; 2. Public bodies, judicial bodies, regulatory, state and control bodies, local governments etc. to an extent which does not exceed the purposes with regard to which they were requested; 3. Personal data processors (a natural or a legal person processing personal data on behalf of the Controller and acting on an order or assignment issued by the Controller); 4. Business partners – for the purposes of contract implementation etc. – such as your travel provider, including other tour operators, airlines, hotels, insurance and transportation companies etc.; 5. Credit institutions (banks) in connection with receipts of payment, payments and refunds; 6. Courier companies in connection with receiving, transporting and delivering, and addressing parcels to natural persons. When personal data are shared with other companies, we only share the absolute minimum, requiring them to protect the data and not use them for their own marketing purposes.
XII. Protection of your personal data
XIII. Timeframe for the storage of personal data
Personal data are stored depending on the type of information collected and the purpose for its collection. When performing a particular service, we store your data for at least 5 years after the service delivery. In cases of questionnaires, online requests and enquiries of any type, we store the information for as long as necessary, in accordance with the specific purpose, as specified in our internal rules, but for no longer than 5 years of the receipt of the information related to personal data.
ХIV. Links to other websites
The website contains links to other websites, which are operated by other organisations, platforms or social media. All of them have their own privacy policies, which you must study carefully before providing your personal data. The Regional Development Foundation shall assume no responsibility or liability in the event of unauthorised use, loss, alteration or disclosure of your personal data by such parties.
ХV. Rights of the data subject
Natural persons whose data are processed have the following rights: 1. Right to be informed about the data which are identified by the Regional Development Foundation and its representative, the purposes of the processing of persona data, the recipients or categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of data provision, as well as the consequences of refusal to provide data; 2. Right of access to data referring to the subject; 3. Right to rectification or supplementation of inaccurate or incomplete personal data; 4. Right to erasure (right to be forgotten) of personal data which are unlawfully processed or in relation to which there is no legal ground for the processing (expired storage period, withdrawn consent, fulfilment of the original purpose of collection etc.) This is not an absolute right and applies in a limited number of cases; 5. Right to restriction of processing – in the event of a legal claim between the Regional Development Foundation and the natural person pending their resolution and/or for the establishment, exercise or defence of legal claims; 6. Right to data portability – if the processing is carried out by automated means based on consent or on a contract. To this end, the data must be provided in a structured, commonly used and machine-readable format. Where technically feasible, the data will be transmitted directly from one controller to another. The right to data portability applies only to data provided directly by the subject, as well as to personal data generated and collected as a result of his/her activity; 7. Right to object – at any time and on grounds relating to the subject’s particular situation, unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment exercise or defence of legal claims; 8. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for the data subject or similarly significantly affects him or her; 9. Right to withdrawal of consent for the processing of personal data when the processing is based on consent.
ХVI. Procedure for exercising the rights of data subjects
The data subject can exercise his/her right to access, erasure, rectification and restriction of processing by filing a written request to the Regional Development Foundation. We will then, without undue delay and within one month of the receipt, provide you with information about the action we have taken in connection with your request. Should we fail to take any action, we will, without undue delay and within one month, at the latest, of the receipt, notify you of the reasons to do so, as well as of the opportunity to file a complaint to a supervisory body and to seek judicial protection.
NB! In cases requests made to the Regional Development Foundation which are ungrounded, repetitive or excessive, we will be entitled to impose an administrative fee for the processing and provision of information or for the initiation of other action, or to refuse to act on the request. Where reasonable grounds for concern as to the identity of the person filing the request arise, the Regional Development Foundation will be further entitled to request provision of any additional information deemed necessary to confirm the person’s identity. Should this information not be received, we will be entitled to refuse to act on the request made to us.
ХVII. Personal data breach and notification of a personal data breach
A data breach occurs when the data for which the Regional Development Foundation is responsible have been affected by a security incident leading to destruction of its confidentiality, availability or integrity. Hence, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data transmitted, stored or otherwise processed. In the event of a personal data breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons, the Regional Development Foundation (through the relevant employee) will, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Commission for Personal Data Protection. We will document any personal data breach, comprising the facts relating to the personal data breach, its effects and the remedial action taken.