The policy of KOKO HILLS EOOD aims to ensure compliance with the provisions of the Regulation.
KOKO HILLS EOOD collects and processes personal data lawfully, fairly, and in accordance with the principles and rights of individuals regarding the processing of their personal data.
KOKO HILLS EOOD processes personal data of individuals only in the following cases:
The processing is necessary to comply with a legal obligation of KOKO HILLS EOOD;
The processing is necessary for the performance of a contract (including an order) with KOKO HILLS EOOD, in which the individual is a party, or to take steps at the request of the individual before entering into a contract, where identification is required;
The individual has given their explicit consent for a clear and transparently defined purpose by KOKO HILLS EOOD, for which processing of their personal data is required;
The processing is necessary to protect the vital interests of the individual whose personal data is being processed or those of another individual;
The processing is necessary for the purposes of the legitimate interests of KOKO HILLS EOOD or a third party, in accordance with the provisions of the Regulation;
Other cases as provided in the Regulation.
KOKO HILLS EOOD does not collect or process personal data of individuals beyond its legal obligations or its business needs.
In all cases where collected and processed personal data needs to be used for purposes other than the original ones, KOKO HILLS EOOD informs the respective individuals, seeks their consent, and processes their data for other purposes only after obtaining their explicit consent.
KOKO HILLS EOOD collects and processes only the minimum necessary personal data of individuals, which:
Are provided for by law;
Are necessary for the performance of a contract;
Are necessary for the fulfillment of the purposes for which they are collected.
KOKO HILLS EOOD ensures that the processing of individuals' personal data is conducted with maximum accuracy and is updated whenever possible.
KOKO HILLS EOOD ensures that access to and processing of personal data is carried out by the minimum number of individuals (operators) with the required competence and commitment to protect the data.
DATA RETENTION PERIODS
KOKO HILLS EOOD retains personal data for the following periods:
Data for the tourist register under Article 116 of the Tourism Act, including identification data of accommodated persons and data related to hotel accommodation - According to the provisions of the Tourism Act and applicable subordinate legislation.
Information related to requested and used hotel accommodation services, events, and restaurant services, including canceled reservations (insofar as they relate to refunds or withholding of due amounts) - From the time of the reservation/request until 5 years from the provision of the service/completion of the contract/ cancellation of the reservation.
Financial and accounting documents, invoices, authorization forms, and other information related to tax and social security control - Up to 10 years, counted from the beginning of the year following the year in which the obligation for the respective year arises.
Unstructured communication, correspondence, complaints, signals, etc. - 5 years.
Video recordings - Up to 1 week.
Data processed based on explicit consent - From the moment consent is given until its withdrawal by the data subject.
Until a request for deletion from the individual, provided there is a basis for such a request.
The personal data outlined in this policy may be processed for longer periods if required to achieve the purposes set forth in it or to protect the rights and/or legitimate interests (including judicially) of KOKO HILLS EOOD, or if applicable legislation provides for a longer processing period.
KOKO HILLS EOOD ensures that at least once a year, the collected and processed personal data is reviewed, and any data falling under the above hypotheses is deleted without undue delay.
RULES FOR PROCESSING PERSONAL DATA
Personal data is processed with necessary levels and measures of protection.
KOKO HILLS EOOD ensures the necessary levels of physical, organizational, and technological protection regarding:
The nature, scope, context, and purpose of the processed personal data;
The likelihood, impact levels, and severity of the risk to the rights and freedoms of individuals in case of a breach of the security of personal data;
Its financial and organizational capabilities.
KOKO HILLS EOOD provides all necessary measures for the timely recovery of collected and processed personal data in the event of loss due to accidental, malicious, or force majeure events.
Personal data is processed with controlled and traceable access.
KOKO HILLS EOOD ensures the necessary and appropriate technical, organizational, and technological measures for controlled and traceable access to personal data.
Personal data is processed with the required accountability to comply with the Regulation.
KOKO HILLS EOOD ensures the necessary accountability and registers to demonstrate compliance with the Regulation's provisions.
DATA SUBJECTS
In connection with the services provided, KOKO HILLS EOOD processes information about the following data subjects:
Individuals visiting the hotel’s website;
Individuals making reservations on their own behalf or on behalf of other individuals or legal entities via the website;
Individuals using the services provided by KOKO HILLS EOOD, including but not limited to hotel accommodation, restaurant services, and related customer services, as well as individuals representing or acting on behalf of legal entities using these services.
RIGHTS OF DATA SUBJECTS
KOKO HILLS EOOD ensures compliance with the rights of individuals whose personal data is collected and processed, including:
Right to be informed about the processing of personal data;
Right of access to personal data – to know what data is held;
Right to rectification of inaccurate personal data;
Right to erasure of personal data – the "right to be forgotten";
Right to restriction of processing;
Right to be informed about actions resulting from a request for rectification, erasure, or restriction of processing;
Right to data portability;
Right to object to the processing of personal data;
Right not to be subject to automated decision-making, including profiling.
PROCESSING OF PERSONAL DATA
Personal Data Processed as a Controller:
Of employees;
Of individual clients;
Of individual suppliers.
PURPOSES FOR PROCESSING PERSONAL DATA
As a controller, KOKO HILLS EOOD performs the following operations and processes only the necessary personal data for the following purposes:
For concluding, executing, and terminating employment contracts and calculating salaries and benefits for employees;
Receiving, managing, and processing reservations and their cancellations;
Managing, executing, and delivering purchases made via the website;
Administering and receiving payments for services provided, including remotely;
For providing customer services;
Ensuring personalized service tailored to user preferences;
For concluding and executing contracts with individual suppliers;
For direct marketing purposes related to sales.
RECIPIENTS AND CATEGORIES OF RECIPIENTS
For the execution of the purposes mentioned above, KOKO HILLS EOOD provides personal data to the following recipients:
The National Revenue Agency (NRA);
The National Social Security Institute (NSSI);
Occupational health service providers;
Labor Inspectorate, NSSI, and Ministry of Internal Affairs in the event of work-related accidents;
Ministry of Internal Affairs for guest information;
Other state and municipal authorities upon lawful requests or obligations;
Subcontractors for contractual obligations.
VIDEO SURVEILLANCE AND SECURITY
In compliance with applicable legislation, KOKO HILLS EOOD applies security measures, including a video surveillance system for 24/7 monitoring and recording in public access areas, with a storage period of 7 days.
Individuals are informed about surveillance through visible signs in monitored areas.
CONTACT DETAILS
For inquiries or to exercise your rights:
Website: www.cpdp.bg
Telephones
Address
SUPERVISORY AUTHORITY
For the territory of Bulgaria, the competent supervisory authority is the Commission for Personal Data Protection:
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
