Privacy Policy

St. Stefan's Villas & Hotel has an obligation to inform you what to expect when processing your personal information.

Cookie Policy

To improve the performance of our website and your user experience, we sometimes use HTTP cookies, or simply cookies. By using the site, you agree to this.

What are cookies?

Cookies are small text files that are stored on your computer or mobile device when you visit our website. They allow the website to store your actions and preferences for a certain period of time so that you do not have to enter them every time you visit the site or go from one page to another, which helps us provide you with content that we think will be useful and interesting to you.

How and what cookies do we use?

Functional cookies

We use cookies that allow the website to store your actions and preferences (such as username, language, age, font size and other display settings) for a certain period of time so that you do not have to enter them every time you visit the site or move from one page to another.

Security cookies

We use security cookies whose purpose is to prevent fraudulent use of login credentials and to protect information from unauthorized parties.

Analytics cookies

We use analytics cookies that help us improve the performance and efficiency of our website by collecting information about the number of unique visits, statistics on the use of the website, and the most viewed and recently viewed pages.

Third-Party Cookies

We use third-party cookies that allow you to like or share content on Social Networks, cookies from Google Analytics that help track website traffic and other cookies related to external systems and sites integrated into the website.

Advertising cookies

We use cookies that, based on your behaviour on our website, may show you advertisements that we assume are relevant to your preferences and interests.

Personal data from cookies

The personal data collected by the cookies is used solely for the implementation of specific functions on the site related to the user himself.

How to manage cookies

Most standard browsers allow you to change your cookie settings. You can usually find these settings in your browser’s “options” or “preferences” menu.

You can easily accept or refuse cookies on our site by clicking on one of the following links: I accept cookies / I refuse cookies.

Please note that limiting and disabling cookies may result in the suspension of functionalities, incorrect operation and limitation of your user experience with our website.

More information

More information about how cookies are used on the Internet can be found here: www.aboutcookies.org.

Transparency in information processing

I. Declaration on Personal Data Protection Policy

  1. With this document, the management of Villas St. Stefan ensures compliance with EU and Member State legislation regarding the processing of personal data and the protection of the “rights and freedoms” of persons whose personal data Villas St. Stefan collects and processes under the General Data Protection Regulation (Regulation (EU) 2016/679).
  2. In accordance with the General Regulation, other relevant documents, as well as related processes and procedures, are set out in relation to this policy.
  3. This policy applies to all activities related to the processing of personal data, including those carried out regarding personal data of customers, employees, suppliers and partners and any other personal data that the organization of Villas St. Stefan processes from various sources.
  4. The Controller keeps a Register of Processing Activities. In cases where the keeping of the register(s) is entrusted to a Data Protection Officer, he/she is responsible for entering into the register(s) any changes in the activities of Villas St. Stefan, as well as any other additional requirements, including data protection impact assessments. This register must be available at the request of the supervisory authority.
  5. This policy applies to all employees/workers (and stakeholders) of Villas St. Stefan, as well as for the processors and their staff members. Any violation of the General Regulation will be considered as a violation of labour discipline and, in case there is a suspicion of a crime, the matter will be submitted to the relevant state authorities for consideration as soon as possible.
  6. Third parties who work with or for Villas St. Stefan, including partners, external suppliers, customers, etc., as well as those who have or may have access to the personal data of the controller, are obliged to familiarize themselves with and comply with this policy. The Controller is obliged to conclude a data confidentiality agreement with any third party to which it provides access to the personal data processed by it, which entitles Villas St. Stefan to carry out checks on compliance with the obligations imposed by the agreement, unless the processing is required by EU law or by the law of a Member State.

II. Duties and responsibilities under Regulation (EU) 2016/679

  1. Villas St. Stefan is a data controller under Regulation (EU) 2016/679 and bears all responsibility and the risks of possible non-compliance with the requirements of the GDPR, including being responsible for developing and promoting good practices in the field of personal data processing at Villas St. Stefan.
  2. A personal data processor is any person outside the controller’s organization who processes personal data directly on behalf of the controller – stores, digitizes, catalogs, etc. all information.
  3. The Data Protection Officer, or respectively the person who, by job description or assignment, performs tasks related to personal data protection, participates in the meetings of the Controller’s management at which issues in the field of personal data protection are discussed, and advises the Controller on demonstrating compliance with data protection legislation and good practices.

This accountability of the Data Protection Officer includes:

  • developing and implementing the requirements of Regulation (EU) 2016/679 as required by this policy;
  • security and risk management in terms of policy compliance.
  • The data protection officer, who should be suitable, qualified and experienced, is selected by the controller’s management body (depending on its structure and legal form). The Data Protection Officer is obliged to advise and inform the controller about the application of the GDPR and other acts of domestic and European legislation in the field of personal data protection, in accordance with their contractual obligations and in accordance with the requirements of the GDPR, including monitoring the implementation of this policy.
  • The Data Protection Officer also has specific obligations under the GDPR – all requests of data subjects are addressed to him/her under the Subject Requests Management Procedure, and he/she is the point of contact for the controller’s employees who want clarification on any aspect of data protection compliance. The Data Protection Officer is also the contact person for the supervisory authority.
  • Compliance with data protection legislation is the responsibility of all employees of the controller who process personal data.
  • The training policy of Grand Hotels Management and Marketing Ltd. (Training Policy) defines the specific training and awareness requirements in relation to the specific roles of the company’s employees/workers.

III. Data protection principles

The processing of personal data shall be carried out in accordance with the data protection principles set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of Grand Hotels Management and Marketing Ltd. aim to ensure compliance with these principles.

  1. Personal data must be processed lawfully, in good faith and transparently.
    Lawful – a lawful basis must be identified before personal data is processed. These are the so-called “grounds for processing”, for example “consent”. The consent of the subject is one of the grounds for the processing of personal data. The ground can also be the performance of a contract or a legitimate interest of the controller, in which cases consent does not need to be given.
    Good faith – in order for the processing to be in good faith, the data controller must provide certain information to the data subjects necessary in each specific case and for each specific purpose, in an understandable, concise and accessible manner to the data subject. This applies regardless of whether the personal data is obtained directly from the data subjects or from other sources.
    Transparent – Regulation (EU) 2016/679 sets requirements on what information must be made available to data subjects, which is covered by the principle of ‘transparency’ regulated in Articles 12, 13 and 14 of the GDPR. According to the cited provisions of the GDPR, the information must be communicated to the data subject in an understandable form, using clear and understandable language, i.e. the privacy statements to be signed by the data subjects must be detailed and specific, understandable and accessible. The rules for notifying the data subject by Grand Hotels Management and Marketing Ltd. are set out in the relevant transparency procedure, and the notification is carried out through a notification for confidential treatment of personal data.
    The specific information that the company provides to the data subject includes, as a minimum: data that identifies the controller and the contact details of the controller and the DPO contacts, if any; the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing; the period for which the personal data will be stored; the existence of the following rights – to request access to the data, rectification, erasure (right to be forgotten), restriction of processing, as well as the right to object to the conditions (or lack thereof) in relation to the exercise of these rights; categories of personal data; the recipients or categories of recipients of personal data, where applicable; where applicable, whether the controller intends to transfer the personal data to a recipient in a third country and the level of data protection; any additional information necessary to ensure fair processing.
  2. Personal data may only be collected for specific, explicitly stated and legitimate purposes.
    Data obtained for specific purposes are not used for purposes that differ from those officially announced as part of the Register of Data Processing Activities (Art. 30 GDPR) of Grand Hotels Management and Marketing EOOD. A procedure for transparency in the processing of personal data lays down the relevant rules.
  3. The personal data that the controller collects must be limited to what is necessary for the respective purpose of processing (principle of minimizing the data that can be processed for the specific subject).
    The person responsible for data protection ensures that only information that is strictly necessary for the purpose of processing is collected.
    • All forms for data collection (electronic or on paper), including the requirements for data collection in the new information systems, should include a declaration of fair processing or a link to a Privacy Policy (notification of confidential treatment of personal data) and be approved by the responsible person, unless they are public on the company’s websites.
    • The Data Protection Officer has obligations to carry out periodic checks at least once a year to ensure that the data collected continues to be adequate, relevant and not excessive.
  4. Personal data must be accurate and up-to-date at all times, and necessary efforts must be made to enable immediate (within the scope of possible technical solutions) erasure or rectification.
    • The data stored by the data controller must be reviewed and updated as necessary. No data should be stored in cases where it is likely to be inaccurate.
    • The Data Protection Officer must ensure that all staff are trained in the importance of collecting accurate data and maintaining it.
    • Also, it is the obligation of the data subject to declare that the data transmitted for storage by Grand Hotels Management and Marketing Ltd. are accurate and up-to-date. The completion of a form by the data subject intended for the controller will include a statement that the data contained therein is accurate as of the date of submission.
    • Employees, customers and anyone else are required to notify Grand Hotels Management and Marketing Ltd. of any changes in circumstances so that personal data records can be updated. It is the responsibility of Grand Hotels Management and Marketing Ltd. to ensure that any notification regarding the change of circumstances is recorded and adequate action is taken.
    • The Data Protection Officer shall ensure that appropriate procedures and policies are in place to keep personal data accurate and up-to-date, taking into account the volume of data collected, the speed with which it may change, and other relevant factors.
    • At least once a year, the Data Protection Officer will review the retention periods of all personal data processed by Grand Hotels Management and Marketing Ltd., referring to the data inventory and identifying any data that is no longer required in the context of the registered purpose. This data shall be duly destroyed in accordance with the procedures and rules of the controller.
    • The Data Protection Officer shall ensure that requests for data correction are answered within one month. This period can be extended by a further two months for complex requests. If Grand Hotels Management and Marketing Ltd. decides not to comply with the request, the Data Protection Officer must reply to the data subject to explain the reasons for the refusal and inform him or her of the right to lodge a complaint with the supervisory authority and to seek legal protection.
    • The Data Protection Officer should inform all third parties to whom inaccurate or outdated personal data has been provided that the information is inaccurate or outdated and must not be used to make decisions about data subjects, and should forward any correction of personal data to third parties where necessary.
  5. Personal data must be stored in such a form that the data subject can only be identified for as long as necessary for the processing.
    • Where personal data is retained after the date of processing, it is stored appropriately (minimized, encrypted, pseudonymized) in order to protect the identity of the data subject in the event of a data breach.
    • Personal data are stored in accordance with the Data Storage and Destruction Procedure and after their storage period has passed, they must be securely destroyed in accordance with the procedure specified in this procedure.
    • The Data Protection Officer must specifically approve any data retention that exceeds the retention period defined in the relevant procedure and must ensure that the justification is clearly defined and complies with the requirements of data protection legislation. This approval must be in writing.
  6. Personal data must be processed in a way that ensures appropriate security (Art. 24, Art. 32 GDPR).
    The Data Protection Officer will carry out an initial impact assessment, where necessary, taking into account all circumstances related to the data processing operations of Grand Hotels Management and Marketing Ltd. In each specific case of a personal data breach, the Data Protection Officer, as the responsible person in the controller’s undertaking, should carry out a risk assessment and, where a high risk is identified, notify the supervisory authority and/or the data subject. When assessing the risk in a particular case, the Data Protection Officer must consider the extent of possible damage or loss that may be caused to individuals (e.g. staff or customers) if a security breach occurs, any possible damage to the reputation of the controller, including possible loss of customer trust, etc. Ensuring the security of personal data is also linked to taking appropriate technical measures, which the Data Protection Officer monitors and which may include, at least:
    • Password protection;
    • Automatic locking of idle workstations in the network;
    • Removal of access rights for USB and other portable memory media (there may be an exception when mandatory virus checking and data transfer logging are provided);
    • Antivirus software and firewalls;
    • Role-based access rights, including those of temporarily appointed staff;
    • The protection of devices that leave the organization’s premises, such as laptops or others;
    • Security of local and wide area networks;
    • Privacy-enhancing technologies, such as pseudonymization and anonymization;
    • Identification of appropriate international security standards suitable for Grand Hotels Management and Marketing Ltd.
      When assessing the appropriate organisational measures, the Data Protection Officer will take into account the following:
    • The levels of appropriate training at Grand Hotels Management and Marketing Ltd.;
    • Measures that take into account the reliability of employees (e.g. appraisals, recommendations, etc.);
    • The inclusion of data protection in employment contracts;
    • Identification of disciplinary measures for violations with regard to data processing;
    • Regular inspection of personnel for compliance with relevant security standards;
    • Control of physical access to electronic and paper-based records;
    • Adoption of a “clean workplace” policy – upon leaving the workplace, all work documentation should be removed or put away in appropriate and restricted places – special cabinets, locked rooms, destruction of documents no longer needed, etc.;
    • Storage of paper records in lockable wall cabinets;
    • Limiting the use of portable electronic devices outside the workplace;
    • Limiting employees’ use of personal devices in the workplace;
    • Adoption of clear rules for creating and using passwords;
    • Regular backup of personal data and physical storage of media with copies outside the office;
    • Imposing contractual obligations on counterparty organisations to take appropriate security measures when transferring data outside the EU.
      When assessing appropriate measures, the identified risks to personal data are taken into account, as well as the possibility of harm to the persons whose data are processed.
  7. Compliance with the principle of accountability
    Regulation (EU) 2016/679 includes provisions that promote accountability and governance and complement the transparency requirements. The principle of accountability in Article 5 (2) requires the controller to demonstrate that it complies with the other principles in the GDPR and explicitly states that this is the controller’s responsibility.
    Grand Hotels Management and Marketing Ltd. demonstrates compliance with the principles of data protection by applying data protection policies, by adhering to codes of conduct, implementing appropriate technical and organizational measures, as well as by adopting data protection techniques at the design stage and data protection by default, assessing the impact on personal data protection, procedure for notification of personal data breaches, etc.

IV. Rights of data subjects

  1. Under the GDPR, the data subject has the following rights with regard to the processing of their personal data:
    • to receive information about the personal data related to him/her that are processed by the controller, and about the purpose for which they are processed, including to gain access to the data, as well as information about the recipients of such data and the third parties to whom the data is transferred;
    • to request a copy of their personal data from the controller;
    • to ask the controller to rectify personal data when they are inaccurate or no longer up-to-date;
    • to request from the controller the erasure of personal data (right to be forgotten);
    • to request from the controller the restriction of processing, in which case the data will only be stored but not otherwise processed;
    • to object to the processing of his/her personal data;
    • to object to the processing of personal data relating to him/her for the purposes of direct marketing;
    • to lodge a complaint with a supervisory authority if he/she considers that any of the provisions of the GDPR have been violated;
    • to request and be provided with personal data in a structured, widely used and machine-readable format;
    • to withdraw his/her consent to the processing of personal data at any time by a separate request addressed to the controller;
    • not to be subject to automated decisions that affect him/her to a significant extent without the possibility of human intervention;
    • to oppose automated profiling that occurs without their consent.
  2. Grand Hotels Management and Marketing Ltd. provides conditions to ensure the exercise of these rights by the data subject:
    • Data subjects may make requests for access to data as described in the relevant procedure, and this procedure also describes how Grand Hotels Management and Marketing Ltd. will ensure that the response to the data subject’s request complies with the requirements of the General Regulation.
    • Where the requests of a data subject are manifestly unfounded or excessive, in particular because of their repetitiveness, Grand Hotels Management and Marketing Ltd. may either impose a reasonable fee, taking into account the administrative costs of providing the information, communication or taking the requested action, or refuse to act on the request.
    • Data subjects have the right to file objections with Grand Hotels Management and Marketing Ltd. related to the processing of their personal data. The processing of a request by the data subject and the submission of objections by the data subject are carried out in accordance with the rules adopted by the company. The supervisory authority in Bulgaria is the Commission for Personal Data Protection, address: Sofia 1592, blvd. “Prof. Tsvetan Lazarov” No 2 (cpdp.bg).

V. Consent

  1. By “consent” Grand Hotels Management and Marketing Ltd. means any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or a clear confirmation action that expresses his consent to the processing of the personal data related to him. The data subject may withdraw their consent at any time. Consent of the subject of personal data is required whenever there is no alternative legal basis for the processing.
  2. Grand Hotels Management and Marketing Ltd. understands by “consent” only the cases in which the data subject has been fully informed of the planned processing and has expressed his consent without being pressured to do so. Consent obtained under pressure or on the basis of misleading information will not be a valid basis for processing personal data.
  3. Consent cannot be inferred from the failure to respond to a message to the data subject. In order for there to be consent, there should be active communication between the controller and the subject. The controller requires and obtains consent for processing activities where consent is required for these activities.
  4. For special categories of data, explicit written consent must be obtained under the Consent Procedure for the processing of personal data of data subjects, unless there is an alternative legal basis for processing.
  5. The consent of the data subject for the processing of personal or special categories of data is given on the basis of the relevant consent document provided by the data subject to the controller for each specific purpose of processing. When a data subject signs a contract, consent is not necessary because their data is collected on another legal basis.
  6. When Grand Hotels Management and Marketing Ltd. processes personal data of children, it receives permission from the persons exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16.

VI. Data security

  1. The employees of the controller who, according to their job descriptions, have an obligation to process certain personal data on behalf of the controller are obliged to ensure the security of the processing and storage of the data on their part, including to ensure that they will not disclose the data to third parties, unless Grand Hotels Management and Marketing Ltd. has granted such rights to that third party to access the data.
  2. Personal data or part of it should be accessible only to those who have an obligation to process/store it, and access can only be granted in accordance with the established access control rules. All personal data must be stored, for example:
    • in a room with controlled access; and/or
    • in a locked cabinet or in a file cabinet; and/or
    • if computerised, password-protected in accordance with the internal requirements set out in the organisational and technical measures for controlling access to information (e.g. access control rules); and/or
    • on portable computer media that are protected in accordance with the organizational and technical measures for controlling access to information.
  3. Arrangements must be in place to ensure that computer screens and terminals cannot be viewed by anyone other than the authorized employees/workers of Grand Hotels Management and Marketing Ltd. All employees/workers are required to be trained and to accept the relevant contractual clauses/declaration of compliance with the organizational and technical access measures, as well as the workstation locking rules, before being granted access to information of any kind.
  4. Paper records should not be left where they can be accessed by unauthorized persons and may not be removed from the designated office premises without express permission. As soon as paper documents are no longer needed for ongoing customer support work, they must be destroyed in accordance with a procedure/rules established for this purpose and an appropriate protocol.
  5. Personal data may only be erased or destroyed in accordance with the accepted procedure. Paper records for which the storage (archiving) period has expired should be shredded and destroyed as “confidential waste”. The data on the hard drives of decommissioned personal computers must be deleted or the disks destroyed, according to the established rules/procedures.
  6. Processing personal data “outside the office” poses a potentially greater risk of loss, theft or breach of personal data. Staff must be specifically authorized to process data outside the sites of the controller.

VII. Data disclosure

  1. Grand Hotels Management and Marketing Ltd. must provide conditions under which personal data is not disclosed to unauthorized third parties, including family members, friends and government authorities, even investigating ones, where there is reasonable doubt that the request is not made in accordance with the established procedure. All employees/workers should exercise caution when asked to disclose stored personal data about another third party. It is important to consider whether or not the disclosure is related to the needs of the activity carried out by the organization. Special training and periodic briefings for employees are necessary in order to avoid the risk of such a violation.
  2. All requests from third parties for the provision of data must be supported by appropriate documentation, and all such data disclosures must be coordinated with the Data Protection Officer, who gives an opinion.
  3. Personal data will be provided to the competent public authorities during and on the occasion of the exercise of their public powers.

VIII. Storage and destruction of data

  1. Grand Hotels Management and Marketing Ltd. does not store personal data in a form that allows the identification of the subjects for a longer period than necessary in relation to the purposes for which the data were collected.
  2. Grand Hotels Management and Marketing Ltd. may store data for longer periods only if personal data are processed for archiving purposes, for purposes in the public interest, for scientific or historical research and for statistical purposes, and only if appropriate technical and organizational measures are implemented to guarantee the rights and freedoms of the data subject.
  3. The retention period for each category of personal data is specified in the Data Retention and Destruction Procedure and the criteria used to determine this period, including any legal obligations requiring Grand Hotels Management and Marketing Ltd. to retain the data.
  4. The procedure for storing and destroying data, as well as the rules for the destruction of information on unused recording media, shall apply in all cases.
  5. Personal data must be destroyed in accordance with the principle of ensuring an appropriate level of security (Art. 5 para. 1 letter (f) of the General Regulation), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organisational measures (“integrity and confidentiality”).

IX. Data transfer

Any export of data from within the EU to non-EU countries (referred to in the General Regulation as ‘third countries’) is illegal unless there is an appropriate ‘level of protection of the fundamental rights of data subjects’.

The transfer of personal data outside the EU is prohibited unless one or more of the specified safeguards or exclusions apply:

  1. Adequacy Decision
    The European Commission may assess third countries, territory and/or specific sectors in third countries in order to assess whether there is an appropriate level of protection of the rights and freedoms of individuals. In these cases, no authorisation is required. Countries that are members of the European Economic Area (EEA) but not the EU are considered eligible for an adequacy decision.
  2. Binding corporate rules
    Grand Hotels Management and Marketing Ltd. may adopt approved binding corporate rules for data transfers outside the EU, where applicable. This requires their submission for approval to the relevant supervisory authority.
  3. Standard contractual clauses
    The controller may adopt established standard contractual clauses for data protection when transferring data outside the European Economic Area. If Grand Hotels Management and Marketing Ltd. accepts standard contractual clauses approved by the relevant supervisory authority, there is an automatic recognition of adequacy.
  4. Exclusions
    In the absence of an adequacy decision, binding corporate rules and/or standard contractual clauses, the transfer of personal data to a third country or international organization is carried out only under one of the following conditions:
    • the data subject has explicitly agreed to the proposed transfer after being informed of the possible risks of such transfers;
    • the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject;
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    • the transfer is necessary for important reasons of public interest;
    • the transfer is necessary for the establishment, exercise or defence of legal claims;
    • the transfer is necessary to protect the vital interests of the data subject or of others where the data subject is physically or legally unable to give their consent;
    • the transfer is made from a register which, under EU law or the law of the Member States, is intended to provide information to the public and is accessible for consultation by the public in general or by any person who can demonstrate a legitimate interest in doing so, but only to the extent that the conditions for consultation laid down in Union law or the law of the Member States have been fulfilled in the specific case.

X. Register of data processing (data inventory)

  1. Grand Hotels Management and Marketing Ltd. has established a data inventory process as part of its approach to addressing the risks and opportunities involved in complying with Regulation (EU) 2016/679. The inventory of the data held by Grand Hotels Management and Marketing Ltd. and of the data workflow identifies:
    • business processes that use personal data;
    • sources of personal data;
    • the number of data subjects;
    • a description of the categories of personal data and the data elements in each category;
    • processing activities;
    • the purposes of the processing for which the personal data are intended;
    • the legal basis for the processing;
    • the recipients or categories of recipients of the personal data;
    • basic systems and storage facilities;
    • any personal data that is subject to transfers outside the EU;
    • the terms for storage and deletion.
  2. Grand Hotels Management and Marketing Ltd. is aware of the risks associated with the processing of certain types of personal data.
  3. Grand Hotels Management and Marketing Ltd. assesses the level of risk for persons related to the processing of their personal data. Where mandatory, data protection impact assessments are carried out in connection with the processing of personal data by Grand Hotels Management and Marketing Ltd. and in connection with the processing undertaken by other organizations on behalf of Grand Hotels Management and Marketing Ltd.
  4. Grand Hotels Management and Marketing Ltd. manages all risks identified by the impact assessment in order to reduce the likelihood of non-compliance with these rules. Where a type of processing may lead to a high risk to the rights and freedoms of individuals, in particular with the use of new technologies and taking into account the nature, scope, context and purposes of the processing, Grand Hotels Management and Marketing Ltd. also carries out an assessment of the impact of the envisaged processing operations on the protection of personal data. A general impact assessment may consider a set of similar processing operations that pose similarly high risks.
  5. When, as a result of the impact assessment, it is clear that Grand Hotels Management and Marketing Ltd. will start processing personal data that, due to a high risk, could cause harm to data subjects, the decision whether or not to continue the processing will be submitted for review by the Data Protection Officer.
  6. If the Data Protection Officer has serious concerns either about the potential harm or danger or about the quantity of the data concerned, they should refer the matter to the supervisory authority.
  7. The Data Protection Officer periodically reviews the initially inventoried data and updates the information entered in the “Register of Processing Activities” in the light of any changes in the activities of Grand Hotels Management and Marketing Ltd.

    Additional information to the privacy policy

    1. General Data Protection Regulation
      Regulation (EU) 2016/679 (General Data Protection Regulation) replaces Directive 95/46/EC on data protection. It has direct effect and entails amendment of the legislation of the Member States in the field of personal data protection. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that personal data are not processed without their knowledge and, where possible, that they are processed with their consent.
    2. Scope outlined by the General Data Protection Regulation
      Material scope – this Regulation applies to the processing of personal data in whole or in part by automated means, as well as to the processing by other means of personal data that form part of a filing system or are intended to form part of a filing system.
      Territorial scope – the rules of the General Regulation will apply to all data controllers established in the EU who process personal data of individuals in the context of their activities. It will also apply to non-EU controllers who process personal data for the purpose of offering goods and services or if they monitor the behaviour of data subjects residing in the EU.
    3. Terms
      “Personal Data” – any information relating to an identified natural person or an identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
      “Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for unique identification of a natural person, data relating to health or data regarding the sex life of an individual or sexual orientation.
      “Processing” means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collection, recording, organizing, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or otherwise making the data available, arranging or combining, restricting, deleting or destroying it;
      “Controller” – any natural or legal person, public authority, agency or other structure that, alone or jointly with others, determines the purposes and means for the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for its determination may be established in Union law or in the law of a Member State;
      “Data Subject” – any living natural person who is the subject of the personal data stored by the Controller.
      “Consent of the data subject” – any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or a clear affirmative action, which expresses his/her consent to the processing of personal data related to him/her;
      “Child” – The General Regulation defines a child as anyone under the age of 16, and under national law anyone under the age of 18. The processing of personal data of a child is lawful only if a parent, guardian or custodian has given consent. The controller shall make reasonable efforts to verify, in such cases, that consent has been given or authorised by the holder of parental responsibility for the child.

    Contact the data controller:

    Website: www.ststefanvillas.com
    E-mail: office@ststefanvillas.com
    Phone: +359 88 949 2616