**General Terms and Conditions for Use and Protection of Personal Data**
Information about us:
Positiv IM EOOD
VAT ID: BG204666642
Wishmore Guest House processes your personal data with the aim of providing its guests with better, higher quality, and more diverse services. In this regard, data security is important for the success of our business and our public image. Therefore, we strive to protect your data by applying all appropriate technical and organizational means at our disposal to prevent unauthorized access, unauthorized or malicious use, loss, or premature deletion of information.
This “Personal Data Protection Policy” aims to explain how and why we process your personal data.
**How and Why We Use Your Personal Data**
For compliance with regulatory obligations and contracts
We collect and process your personal data and other personal data to fulfill obligations imposed on us by regulatory acts, such as the Tourism Law.
We collect and process your personal data and other personal data to fully provide the services you have requested and want to use with us, as well as to fulfill our contractual obligations to you.
Personal Identification Number, names, gender, citizenship, permanent address;
email, letters, information about your requests, other feedback we receive from you, preferences for the services we provide;
data provided through our website;
IP address when visiting our website;
The processing is carried out with the aim of:
identifying the client when staying at Wishmore Guest House;
managing and fulfilling your service requests;
preparing and sending an invoice/bill for the services you use with us;
to provide you with the necessary comprehensive service, as well as to collect the amounts due for the services used;
**To Whom We Disclose Your Personal Data:**
We process your identification data and other personal data to comply with obligations provided in regulatory acts, such as:
providing information to the Consumer Protection Commission or third parties, as provided in the Consumer Protection Law;
providing information to the Personal Data Protection Commission in connection with obligations provided in the personal data protection regulatory framework – Personal Data Protection Law, Regulation (EU) 2016/679 of April 27, 2016, and others;
obligations provided in the Accounting Law and the Tax and Social Insurance Procedure Code and other related regulatory acts, in connection with maintaining proper and lawful accounting;
providing information to the court and third parties, within the framework of court proceedings, in accordance with the requirements of the applicable procedural and substantive legal regulatory acts;
**How We Protect Your Personal Data**
To ensure adequate protection of the company’s data and its clients, we apply all necessary organizational and technical measures provided in the Personal Data Protection Law and its implementing regulations.
The company has designated a Data Protection Officer to assist in the processes of preserving and ensuring the security of your data.
To ensure maximum security in the processing, transmission, and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
**When We Delete Your Personal Data**
As a rule, we stop using your personal data for the purposes related to the contractual relationship after the termination of the contract, but we do not delete them before one year from the termination of the contract or until the final settlement of all financial obligations and the expiration of the regulatory obligations for data storage, such as obligations under the Accounting Law for storage and processing of accounting data (5 years), expiration of the limitation periods for claims determined in the Obligations and Contracts Law (5 years), obligations to provide information to the court, competent state authorities, and other grounds provided in the current legislation (5 years). Please note that we will not delete or anonymize your personal data if they are necessary for pending judicial, administrative proceedings, or proceedings for reviewing your complaint with us.
Your data may also be anonymized. Anonymization is an alternative to deleting data. In anonymization, all personally identifiable elements/elements allowing your identification are irreversibly deleted. There is no regulatory obligation to delete anonymized data, as they do not represent personal data.
**Your Rights in Connection with the Processing of Your Personal Data**
Right to Information:
You have the right to request:
information about whether data related to you is being processed, information about the purposes of this processing, about the categories of data, and about the recipients or categories of recipients to whom the data is disclosed;
a message in a comprehensible form containing your personal data being processed, as well as any available information about their source;
information about the logic of any automated processing of personal data related to you, at least in the cases of automated decisions.
Right to Correction:
If we process incomplete or incorrect/wrong data, you have the right at any time to request:
that we delete, correct, or block your personal data, the processing of which does not comply with the law;
to notify third parties to whom your personal data have been disclosed, of any deletion, correction, or blocking, except in cases where this is impossible or involves excessive effort.
Right to Deletion /the right to be forgotten/:
At any time, you have the right to request the deletion of the personal data processed by us if:
the personal data is not necessary for the purposes for which they were collected and processed;
you withdraw your consent and there is no other legal basis for their processing;
the personal data are processed unlawfully.
Right to Object:
At any time, you have the right to:
object to the processing of your personal data if there is a legal basis for this; when the objection is justified, the personal data of the respective individual cannot be processed further;
object to the processing of your personal data for the purposes of direct marketing.
Right to Restrict Processing*:
You may request the restriction of processing of your personalizing data if:
you dispute the accuracy of the data, for the period in which we need to verify their accuracy; or
the processing of the data is without a legal basis, but instead of deleting them, you want their limited processing; or
we no longer need these data (for the specified purpose), but you need them for the establishment, exercise, or defense of legal claims; or
you have filed an objection to the data processing, pending verification of whether the administrator’s grounds are lawful.
Right to Data Portability*:
You can ask us to provide the personal data that you have entrusted to our care in an organized, orderly, structured, commonly accepted electronic format if:
we process the data according to the contract and based on the declaration of consent, which can be withdrawn or a contractual obligation and
the processing is carried out automatically.
Right to Complain:
If you believe that we are violating the applicable regulatory framework, please contact us to clarify the issue. Of course, you have the right to file a complaint with the Personal Data Protection Commission. After May 25, 2018, you will also be able to file a complaint with a regulatory authority within the EU.
Requests for access to information or correction are submitted personally or by a person expressly authorized by you, through a notarially certified power of attorney. A request can also be made electronically, according to the Law on Electronic Document and Electronic Signature.
We will decide on your request within a 14-day period from its submission. If a longer period is objectively necessary – in view of collecting all requested data and this seriously hinders our activity, this period may be extended to 30 days. With our decision, we grant or refuse access and/or the information requested by the applicant, but we always motivate our response.