Personal data protection policy
for company Noya LTD

In connection with the provision of our services and the performance of our activities, we, as a controller, process the personal data of our customers, our employees, as well as the personal data of other individuals listed below, in accordance with the rules and the principles provided in this Policy.

What is personal data?
Personal data is any information to an identified person or information, which identifies an individual.

What is personal data processing
Personal data processing is any operation performed on your personal data whether by automated means or by others such as collection, recoding, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or combination, restriction, erasure or destruction.

Data protection responsible employee
The data protection responsible employee of the Administrator is the single point of contact for all data subjects to exercise their rights while the controller is processing their personal data in accordance with this Policy and the applicable law for personal data protection. You can address all your requests and questions regarding exercising your rights on data protection to the data protection officer.

Contact data protection responsible person at:
Zvezdelina Kioseva – hotel manager –

Data subjects
We, as data controllers, have the right to collect and process information about the following categories of individuals (Data subjects):
• Former, current or prospective clients who have used, use or wish to use any of the services we provide;
• Former, current or potential our employees;
• Persons other than those mentioned above who contact us or bring directly or indirectly a claim against us.

What categories of personal data do we collect from you?
• Identification data;
• Contact data;
• Data collected on payments;
• Information about complaints and other correspondence with us;
• Information regarding the type and parameters of the services that you use;
• Any other information you provide regarding the services that you use;
• We do not collect or store information about your web browsing history through our wireless internet network, nor do we collect or store information about devices that have been connected to the network.

What is our Cookie Policy?
We use cookies when you visit our website to improve the quality of services, statistical purposes, market research, etc. This is done only with your explicit consent. Cookies allow the website to store actions and preferences for a certain period, so that you do not have to enter them each time you visit the page or move from one page to another. Cookie-related information is not used to identify you.

Video surveillance
Within the limits allowed by law, we carry out video surveillance to ensure the safety of our customers and employees, as well as to protect our property. Surveillance is only carried out at public places marked with notice boards. Video surveillance is not carried out in the guest rooms, sanitary facilities or staff rest rooms. We provide videos only to the competent authorities who are legally entitled to request them. Videos are stored for up to two months. They can be stored and used for longer than the specified period in case of legal disputes, inspections by competent authorities, etc. until the final proceedings are completed.

Direct marketing
With your explicit and voluntary consent, we may process personal data for direct marketing purposes such as offering services; conducting surveys in order to improve the quality of the services provided, in accordance with the scope of the specific consent given. You may at any time to object or to withdraw your consent to the processing of personal data. In such cases, the processing of personal data is terminated.

Photo and video capture
We perform photo and video capturing for the purpose of marketing and advertising including on sites, print media, the Internet and social media only with your explicit written consent. We use photo and video images that are not agreed upon only after anonymization of the data subjects.

Objectives for processing personal data
We collect, use and process information for the objectives set out in this Policy, which, depending on the legal basis for the processing may be:
• Objectives related to our legal obligations: keeping records of accommodated clients; activities related to the payment of tourist tax; invoicing, accounting and reporting activities for payments; complaint processing activities and other activities to fulfill our legal obligations;
• Objectives related to and / or necessary for the execution of the contracts: Client bookings; Client registrations, administration and management of services; customer payment processing activities; registration and account maintenance activities on our website and other contract related activities;
• Objectives of our legitimate interest: the exercise and protection of our legal rights and interests; assistance in the exercise and protection of the legal rights and interests of Customers and Employees, data processers on our behalf and of our trading partners; analysis and planning of our customer relations policy and improvement of service quality;
• Objectives for which the data subject has consented to the processing of his / her data: activities for sending marketing messages and advertisements; use of cookies when you visit our site; other activities for which the Client has given his explicit consent.
How long do we store the information?
We process and store information about the Data Subject for up to 5 (five) years after the service has been provided, except in cases where longer retention of relevant information is required in accordance with the requirements of applicable law or this Policy.

What are the consequences of refusing to provide personal data?
Refusal to provide data and documents or providing incorrect data may result in our inability to provide the relevant services. We do not collect or process any special categories of data within the meaning of Art. 9 and Art. 10 of the Regulation (namely: personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, genetic data, biometric data, health data or sexual life or sexual orientation data; and personal data relating to convictions and violations or related security measures).

Processing of information about the data subject by third parties
For the purposes set out in this Policy, we may outsource personal data processing activities to third parties – processors of personal data, in accordance with and within the requirements of the Regulation and other applicable rules for personal data protection. This will only happen to the extent necessary for the performance of the tasks we have assigned them. Personal data processors act on our behalf and are obliged to process your personal data only and strictly in accordance with our instructions, and will not have the right to use or process in any way the information for purposes other than those stated in this Policy.

Who else can receive your data?
We are obliged not to disclose your personal data and not to provide the collected data to third parties, unless:
• this is necessary for the fulfillment of our legal obligations to competent state and municipal authorities;
• this is explicitly provided for in the Policy;
• this is necessary in order we to be able to provide the service desired by you;
• the data subject has given his explicit consent;
• to protect our rights or our legitimate interests, as well as those of third parties or the data subject;
• in other cases provided for by law.

Regarding the processing of personal data, you have the following rights conferred on you by the Regulation:
• Right of information – you have the right to receive information regarding the processing of your personal data;
• Right of access:
o You have the right to receive confirmation that personal data relating to you is being processed;
o You have the right to access the processed personal data and the detailed information about the processingRight to rectification – you have the right to request your personal data to be corrected or filled in if the data is incorrect or incomplete;
• Right to erasure – you have the right to request the deletion of your personal data if there are grounds for it;
• Right to restriction of processing – you have the right to request a restriction of the processing of your personal data within the limits provided for in the Regulation, if there are grounds for doing so provided for therein;
• Third Party Notification – you have the right to require from us to notify third parties to whom your personal data have been disclosed of any corrections, deletions or restrictions on the processing of your personal data;
• Right to data portability – you have the right to receive your personal data that concerns you and which you have provided to us in a structured, commonly used and machine-readable format and to transfer such data to another controller without our obstruction.
The right of data portability applies when the following two conditions are fulfilled simultaneously:
– processing is based on consent or a contractual obligation; and
– processing is carried out in an automated manner.
• Rights for the automated individual decision – you have the right not to be subject to an automated decision based solely on automated processing (i.e. processing without human intervention), including profiling within the meaning of the Regulation, which has legal consequences for you, unless the grounds provided for in the Regulation are available and appropriate safeguards are in place to protect your rights and freedoms and legitimate interests.
• Right to Withdrawal of the Consent to Processing – when the processing of personal data is based solely on your consent, you may withdraw your consent at any time. Such withdrawal shall not affect the lawfulness of the processing on the basis of the consent given up to the time of its withdrawal;
• Right to object – you have the right at any time object processing of personal data concerning you, including profiling within the meaning of the Regulation based on the public interest, the exercise of official authority or the legitimate interests of the Controller or a third party. In such cases, we terminate the processing of your personal data unless there are compelling legal grounds for processing that take precedence over your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

How can you exercise your rights?
You may exercise your rights related to the protection of personal data by a written request to the Responsible employee of the controller for data protection, either personally or through a notarized request sent by post. The request may also be made electronically, for which purpose it must be signed by you with a qualified electronic signature and sent to the Responsible employee of the controller for data protection at the e-mail address:

Right of complaint to Supervisory authority
Each of you have the right to lodge a complaint to Supervisory authority, in particular in the Member State (EU / EEA) of your habitual residence, place of employment or place of alleged infringement; if you consider that, the processing infringes the provisions of the Regulation or other applicable data protection requirements.

Supervisory authority in Republic of Bulgaria:
Personal Data Protection Commission
Address: 1592 Sofia, Prof. Tsvetan Lazarov bul. № 2