A new General Data Protection Regulation, adopted by the European Union, enters into force from 25 May 2018. The Regulation aims at guaranteeing the protection of the data of natural persons from all the member states of the EU and at equalizing the regulations for their processing.
In its capacity of a processor of personal data for the provision of tourist services, THEIA TOURS satisfies all the requirements of the new Regulation, collecting only data of the persons in so far as they are needed for the provision of the service and keeping them in a responsible manner and in conformity with the law.
Information about the administrator of personal data
Title: THEIA TOURS OOD
UIC (Unified Identification Code)/BULSTAT: 203492362
Headquarters and management address: 1510 Sofia, Khadji Dimitar area, ap. Bldg. 177, entr. V, ap. 50
Correspondence data: 1510 Sofia, Khadji Dimitar area, ap. Bldg. 177, entr. V, ap. 50
Telephone: +359 878 976 009
Information about the competent supervisory authority
Title: Commission for Personal Data Protection
Headquarters and management address: 1592, city of Sofia, 2, Prof. Tsvetan Lazarov Blvd.
Correspondence data: 1592, city of Sofia, 2, Prof. Tsvetan Lazarov Blvd.
Telephone: 02 915 3 518
Email: firstname.lastname@example.org, email@example.com
Web site: cpdp.bg
THEIA TOURS OOD implements its activity in conformity with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data.
Grounds for protection, processing and storage of your personal data
Art. 1. (1) THEIA TOURS collects and processes your personal data in connection with the provision of tourist services and conclusion of contracts with the Company on the grounds of Art. 6, Para. 1, Regulation (EU) 2016/679, and on the grounds of the following:
- Explicitly received consent from you as a customer;
- Fulfillment of the obligations of THEIA TOURS under a Contract with you;
- Observation of a legal obligation which is applied regarding THEIA TOURS;
- For the purposes of the legitimate interest of THEIA TOURS.
(2) THEIA TOURS is a processor of personal data regarding your data as users of our services. With regard to the personal data we provide for processing of third persons aimed at providing the services to you, THEIA TOURS acts in its capacity of an administrator of personal data.
Objectives and principles at the collection, processing and storage of your personal data
Art. 2. (1) THEIA TOURS collects and processes the personal data you provide us with in connection with the use of our tourist services and for conclusion of a contract with the Company, as well as for registration for participation in our events, including for the following objectives:
- Creation of a profile and provision of full functionality at the provision of our services;
- Individualization of a party under the Contract;
- Registration of a participant in an event organized by THEIA TOURS;
- Accounting objectives;
- Statistical objectives;
- Protection of the information security;
- Provision of the execution of the Contract for rendering the relevant service;
- Sending information messages, communications for changes in the service and so on;
- Improvement and individualization of the service by proposing to you appropriate offers for renewal, events and other products and services which may be of interest to you.
(2) THEIA TOURS observes the following principles at the processing of your personal data:
- Conformity with the law, conscientiousness and transparency;
- Limitation of the objectives of processing;
- Commensurability with the objectives of the processing and reduction to a minimum of the collected data;
- Precision and topicality of the data;
- Limitation of the storage with a view to the attainment of the objectives;
- Entirety and confidentiality of the processing and guaranteeing an appropriate level of security of the personal data.
(3) At the processing and storage of the personal data, THEIA TOURS may process and store the personal data aimed at protection of its following legitimate interests:
- Fulfillment of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal authorities.
What kinds of personal data does THEIA TOURS collect, process and store?
Art. 3. (1) THEIA TOURS performs the following operations with the personal data for the following objectives:
- Registration of a user’s profile and the reservation system of the Company in execution of a Contract for provision of tourist services, registration of a user’s profile in a reservation system of a counteragent of THEIA TOURS (if needed) in execution of a Contract for provision of tourist services and so on – the objective of this operation is the realization and the tracing down of the service selected by you. Conclusion from the assessment of the impact: On the grounds of the impact assessment indicated hereinabove, the personal data protection official considers that the operation “Conclusion of a Contract for a Tourist Service” is admissible for the performance and provision of sufficient guarantees for protection of the rights and the legal interests of the data subjects in compliance with the requirements of the GDPR.
- Sending information messages – the objective of this activity is the administration of the process for sending communications to the customers, which refer to improvements or changes in the services, exceeded parameters and expiring services in conformity with the Contract for the provision of the service.
- Sending an information bulletin (newsletter) – the objective of this operation is the administration of the process for sending bulletins to the customers who declared that they wish to receive such;
- Registration of a user in the platforms of the Company and conclusion of a Contract for provision of a service for the creation of reservations and access to prices and availability for hotels and airplane tickets.
(2) THEIA TOURS processes the following categories of personal data and information about the following objectives and on the following grounds:
- Data: Your individualizing data (name and surname, electronic mail, state, telephone, a personal document (identity card, passport and so on))
- Objective which the data are collected for: 1) Provision of a reservation for traveling or stay or both; 2) Registration of a user; 3) Realization of a connection with the user and sending information to him, inclusive of an expressed desire – for sending bulletins and advertising communications; 4) For creation of a user’s profile in the reservation platforms of the Company.
- Grounds for processing of your personal data – With the acceptance of the General Conditions and registration in the web site and the purchase of a service, a contractual relationship is created between THEIA TOURS and you, on the grounds of which we process your personal data – Art. 6, Para. 1, letter (b) of the GDPR.
- Other data which THEIA TOURS processes – At the entry into our web site or your profile, THEIA TOURS collects data about the used IP address.
- Objective which the data are collected for: Improvement of the security of the service and localization of the interface, statistical and marketing research.
- Grounds for processing of the data: The processing is needed for the execution of a contract, which the data subject is a Party under – Art. 6, Para. 1, letter (b) of the GDPR. Up to the creation of a profile of the user, the IP address is collected on the grounds of the realization of the legitimate interests of the administrator – Art. 6, Para. 1, letter (f) of the GDPR;
- Your data about the issuance of an invoice of a natural person – If you wish to be issued an invoice in your capacity of a natural person, you should provide your Personal Identification Number (PIN).
- Objective, which the data are collected for: Issuance of an invoice for effecting payments under a contract concluded for the provision of tourist services.
- Grounds for processing your personal data – With the acceptance of the General Conditions and a reservation through the web site or at the conclusion of a contract in writing, a contractual relationship is created between THEIA TOURS and you, on which grounds we process your personal data – Art. 6, Para. 1, letter (b) of the GDPR.
(3) THEIA TOURS does not collect and does not process personal data, which refer to the following:
- Disclose racial or ethnic origin;
- Disclose political, religious or philosophical convictions, or membership in trade union organizations;
- Genetic and biometric data, data about the health status or data about the sexual life or the sexual orientation.
(4) The personal data are collected by THEIA TOURS from the persons whom they refer to or from administrators of personal data authorized by them.
(5) The Company does not make automated decisions with data.
Term of storage of your personal data
Art. 4. (1) THEIA TOURS stores your personal data for a term of 7 (seven) years counted from the completion of the last service used, except in the events in which another term is anticipated in conformity with the applicable legislation. After the expiration of this term, THEIA TOURS takes the needed care to delete and destroy all your data without undue delay.
(2) THEIA TOURS notifies you that the term for storage of the data should be extended with a view to the attainment of the objectives, execution of the contract, with a view to legitimate interests of THEIA TOURS or other.
(3) THEIA TOURS stores the personal data which it should keep under the virtue of the applicable legislation for the relevant anticipated term, which may exceed the term indicated hereinabove.
Transmission of your personal data for processing
Art. 5. (1) THEIA TOURS may at its own judgment transmit a part of or all your personal data to processors of personal data for the attainment of the objectives for processing with observation of the requirements of Regulation (EU) 2016/679.
(2) THEIA TOURS notifies you in event of an intention to transmit a part of or all your personal data to third states or international organizations.
Your rights at the collection, processing and storage of your personal data
Withdrawal of the consent for processing your personal data
Art. 6. (1) If you do not wish all or a part of your data to continue to be processed by THEIA TOURS for a specific or for all the objectives of processing, you may at any time withdraw your consent for processing through a request in a freely composed text.
(2) THEIA TOURS may request from you to certify your identity and identification with the person whom the data refer to.
(3) With the withdrawal of the consent for processing personal data, which are mandatory for the creation and maintenance of your registration for use of the services, your profile will become inactive and you will not be able to use the services offered.
Right of access
Art. 7. (1) You are entitled to require and receive from THEIA TOURS confirmation whether personal data related to you are processed.
(2) You are entitled to receive access to the data related to your profile as well as to the information referring to the collection, processing and collection of your personal data.
(3) THEIA TOURS presents to you at request a copy of the processed personal data related to you in an electronic or another appropriate form.
(4) The provision of access to the data shall be gratuitous but THEIA TOURS shall preserve its right to impose an administrative fee in event of repeatability or excess of the requests.
Right of correction or filling up
Art. 8. You may correct the inaccurate or incomplete personal data related to you by sending a request to THEIA TOURS.
Right of deletion (“to be forgotten“)
Art. 9. (1) You are entitled to request from THEIA TOURS deletion of the personal data related to you and THEIA TOURS shall be obligated to delete them without any undue delay when any of the grounds indicated herein below are available at hand:
- The personal data are no longer needed for the objectives they were collected for or processed in another manner;
- You withdraw your consent which the processing of the data is based on and there are no other legal grounds for the processing;
- You object to the processing of the personal data related to you, including for the purposes of direct marketing, and there are no legal grounds for the processing which take priority;
- The personal data were not processed in conformity with the law;
- The personal data should be deleted aimed at the observation of a legal obligation related to the law of the EU or the law of a member-state which is applied regarding THEIA TOURS;
- The personal data were collected in connection with the offering of services to the information society.
(2) THEIA TOURS shall not be obligated to delete the personal data if it stores and processes them:
- For exercise of the right of freedom of expression and the right of information;
- For observation of a legal obligation which requires processing anticipated in the law of the EU or the law of the member-state which is applied with regard to the Administrator or for the fulfillment of a task of a public interest or at the exercise of official powers which he was provided with;
- For reasons of public interest in the sphere of public health;
- For the purposes of archiving in a public interest, for scientific or historical investigations or for statistical purposes;
- For the establishment, the exercise or the protection of legal claims.
(3) To exercise your right of “forgetting”, you should submit a request through the option in your profile or a request in writing sent to THEIA TOURS, as well as to certify your identity and identification with the person whom the data refer to before THEIA TOURS, presenting on the spot your identity card for the purposes of the establishment of your identity and in events of need entering your data for entry into the profile of the person, whom the data refer to before an official of THEIA TOURS.
(4) THEIA TOURS does not delete the data which it has the legal obligation to store, including for protection in the event of court claims lodged against it or for proving its rights.
Right of limitation
Art. 10. You are entitled to require from THEIA TOURS to limit the processing of the data related to you when:
- You dispute the accuracy of the personal data, for a term, which lets THEIA TOURS verify the accuracy of the personal data;
- The processing is illegal, but you do not wish your personal data to be deleted but only that their use should be limited;
- THEIA TOURS does not need the personal data any longer for the purposes of the processing but you require them for the establishment, the exercise or the protection of your legal claims;
- You have objected to the processing in expectation of verification whether the legal grounds of THEIA TOURS have priority to your interests.
Right of portability
Art. 11. (1) You may at any time withdraw the data which are stored and processed for you in connection with the use of the services of THEIA TOURS, by a request by e-mail.
(2) You may request from THEIA TOURS directly to transfer your data to an administrator indicated by you when this is technically feasible.
Right of receipt of information
Art. 12. You may request from THEIA TOURS to inform you about all the recipients to whom the personal data, for which correction, deletion or limitation of the processing was requested, were disclosed. THEIA TOURS may refuse to provide this information if this would be impossible or would require disproportionately big efforts.
Right of objection
Art. 13. You may object at any time to the processing by THEIA TOURS of personal data which refer to you, including if they are processed for the purposes of profiling or direct marketing.
Your rights at violation of the security of your personal data
Art. 14. (1) If THEIA TOURS establishes a violation of the security of your personal data which may generate high risk for your rights and freedoms, we inform you without any undue delay about the violation as well as about the measures which were taken or are to be taken.
(2) THEIA TOURS shall not be obligated to inform you if:
- It took appropriate technical and organizational measures for protection regarding the data affected by the violation of the security;
- It has consequently taken measures which guarantee that the violation shall not result in high risk for your rights;
- The notification would require disproportionate efforts.
Persons whom your personal data are presented to
Art. 15. For making reservation / purchase of a tourist service (traveling or stay) and after a submitted request on your part, THEIA TOURS shall transmit the needed information to the relevant owner of a service, who processes your data as an administrator for the purposes of the provision of the service requested by you.
Art. 16. The Administrator does not transfer your data to third states unless this is explicitly needed for the provision of the service requested by you.
Art. 17. In event of infringement of your rights in conformity with the indicated hereinabove or the applicable legislation for personal data protection, you are entitled to submit a complaint to the Commission for Personal Data Protection.
Art. 18. You may exercise all your rights about the protection of your personal data through the forms attached to this information. Naturally, these forms are not mandatory, and you may send your requests in any form which contains a statement for the purpose and identifies you as the holder of the data.
Art. 19. If the consent refers to transfer, the Administrator shall describe the possible risks for the transfer of data to third states with the absence of a solution for adequate protection and appropriate means for protection.
Art. 20. (1) When you assign to THEIA TOURS to process personal data of a third person for the purposes of the use of the service, THEIA TOURS shall act in the capacity of a personal data processor.
Grounds for collection, processing and storage of your personal data
Kinds of cookies we use:
These cookies are needed for the correct work of the web site. For instance, with these cookies we show you the information on our site in the correct language and the prices – regarding the currency and VAT for the relevant state. Such cookies are also those for inclusion of caching.
Thanks to these cookies we exercise monitoring over the attendance of our site and may analyze the degree to which our users work easily with it (cookies of Google Analytics). These cookies do not provide us with any information about your personal data. They show us which pages of our site you have viewed, whether you have visited our site through a mobile or a desktop device and other anonymous data. For Google Analytics we also use anonymization of the IP addresses through _anonymizeIp. The maximal period during which we keep the analytical data in Google Analytics is 50 months.
These cookies let you use the full functionality of our site, provide correct access to promotions and menus, remember the preferred language, which the information on our site should be uploaded in.
Cookies for precise targeting
These cookies contain information about how you have used our site and may be activated by our advertising partners. They do not store personal information. Thanks to them no information which is irrelevant for you will be shown to you. These are dynamic cookies of Facebook, Google, Adform, Adwise and so on.
You may make the settings of the cookies you receive from our site in the browser you use. Keep in mind that if you limit some kinds of cookies it is possible that our site will not function correctly, and you might not be able to make use of its full functionalities.