“Be Reg”, Ltd Privacy Policy
The purpose of the privacy policy of “Be Reg”, Ltd is to provide to a natural person – a data subject – with information about the purpose, scope, and protection of personal data processing, the period of processing, the data subject’s right during the data acquisition, and the processing of data and when transferring the data to competent authorities or any other data controller.
1. Data controller and its contact information
1.1. The controller of personal data processing shall be “Be Reg”, Ltd (hereinafter – the Controller), unified registration No. 175321583, legal address: Pozitano, 34, Sofia – 1000, Bulgaria, website: https://www.hotelmoreto.com/;
1.2. Contact information of the data protection officer of the controller on issues related to personal data processing: legal@mogotel.com.
2. Applicable laws and regulations
2.1. Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as – the GDPR);
2.2. Personal Data Processing Law (announced on 4 July 2018).
3. The purpose of personal data processing
3.1. Provision of services:
3.1.1. customer identification;
3.1.2. preparation and conclusion of contracts;
3.1.3.provision/maintenance of services;
3.1.4. improvement of services, development of new services;
3.1.5. advertising and distribution of services or commercial purposes;
3.1.6. customer service;
3.1.7. review and processing of objections/complaints;
3.1.8. customer retention, loyalty building, satisfaction measurement;
3.1.9. administration of accounts;
3.1.10. effective cash flow management / debt recovery;
3.1.11. maintenance and improvement of operation of the webpage;
3.1.12. provision of franchise relations.
3.2. Business planning and analytics:
3.2.1. statistics and business analysis;
3.2.2. planning and accounting;
3.2.3. effectiveness measurement;
3.2.4. data quality provision;
3.2.5. performance of market and public opinion studies;
3.2.6. preparation of reports;
3.2.7. performance of customer surveys;
3.2.8. risk management within the framework of different activities.
3.3. Fulfilment of requirements of regulatory enactments, provision of replies upon requests of state authorities.
3.4. Management implemented by the Controller, maintenance of accounting records, provision of internal processes.
3.5. Record-keeping of the Controller, data archiving.
3.6. Ensuring the operation of the whistle-blowers system.
3.7. Legal employment relations and personnel recruitment of the Controller.
3.8. Entering into the commercial activity agreements of the Controller and ensuring their implementation.
3.9. Provision of safety of the customers, visitors, and employers of the Controller, protection of the property of the Controller.
3.10. Protection of rights and interests of the Controller at the state and municipal authorities and institutions, representation during court proceedings.
3.11. Film recording, photographing, and audio recording of work events organized by the Controller.
3.12. Other specific purposes, regarding which the data subject shall be informed at the time when he/she provides the relevant data to the Controller.
4. Categories of personal data being processed by the Controller:
4.1. name, surname, personal identity number or date of birth, correspondence address, address of the declared place of residence, phone number, e-mail address;
4.2. data of the identification document;
4.3. list of received and planned services;
4.4. bank account numbers;
4.5. payment administration information;
4.6. phone, electronic communication information;
4.7. Curriculum vitae;
4.8. information included in the personal file, including information about education, dependants, a copy of the certificate of birth of a child, a copy of the certificate of death, a copy of the certificate of marriage, data on health checks of employees;
4.9. photo images;
4.10. work station auditing records;
4.11. work e-mail, internet, and phone auditing records;
4.12. video surveillance system records;
4.13. data regarding website visits;
4.14. auditing records of access control devices and alarm devices with the data of employees, visitors, or subcontractors;
4.15. for the purposes referred to in Paragraph 3, other data of which the data subject notifies the Controller by him/herself shall be also processed.
5. Justification of the personal data collection and processing:
5.1. consent of the data subject – the data subject has provided his/her consent to data collection and processing for one or several specific purposes;
5.2. before or after conclusion of the contract – customer relations (including remote) control, ensuring conclusion and fulfilment of the contract, as well as provision of the implementation of processes related to that, cooperation with customers and provision of the implementation of processes related to that;
5.3. Legitimate interests of the Controller – to implement commercial activity, to provide services, retention of customers, identification of data subjects, customer segmentation for more effective service provision, popularization and improvement of the image and services of the Controller, prevention of fraud, review of complaints and provision of support in relation to the provided services, marketing activities, company and financial risk management, corporate management, financial, business, and analytical recording, record-keeping, data archiving, provision of internal processes, video surveillance for the safety purposes of customers and the Controller, analysis of auditing records of the website, effective cash flow management, debt administration, administration of customer payments, court proceedings, provision of franchise relations, health safety of employees and customers (visitors) and fulfilment of the requirements of legal acts to be referred to that, as well as other legitimate interests of the Controller in force at the time of data processing;
5.4. legal basis – fulfillment of requirements of regulatory enactments in force;
5.5. vital interests of the data subject or any other natural person – data processing is necessary in order to protect vital interests of the data subject or any other natural person.
6. Sources of acquisition of the personal data of the data subject:
6.1. documents and information submitted by data subjects;
6.2. data of other controllers, processors, and sub-processors;
6.3. service provision process;
6.4. video and/or photo equipment data of the Controller;
6.5. computer network equipment data of the Controller;
6.6. Visiting and browsing data of the website of the Controller https://www.hotelmoreto.com/.
7. Data processing process of the data subject:
7.1. when identifying the data subject;
7.2. during commercial activity;
7.3. when entering into commercial agreements and controlling the fulfillment thereof;
7.4. when selecting employees, establishing and maintaining legal employment relations;
7.5. when fulfilling the requirements of regulatory enactments;
7.6. when participating in court proceedings;
7.7. when providing information to state and municipal authorities and officials, as well as receiving information from them.
8. Processing of cookies of the data subject:
8.1. Cookies are small text files which are created and saved on the device of the data subject (computer, tablet, or mobile phone) upon visiting websites of the Controller. Cookies “remember” user experience and basic information, thus making the use of the site more convenient;
8.2. With the help of cookies information about users habits and history of use of the site are processed, problems and deficiencies in the operation of the site are diagnosed, statistics of user habits are collected, and complete and convenient use of the site is ensured;
8.3. If the data subject does not want to use cookies, it is possible to refuse their use in the browser’s settings; however, in such a case use of the site may be significantly disrupted and made difficult. Deletion of saved cookies is possible in the settings of a device’s browser by deleting the history of saved cookies.
9. Period of storage of data:
9.1. as long as the period for storage of data determined by the regulatory enactments in force has not expired;
9.2. as long as the agreement concluded with the data subject is in force;
9.3. as long as the consent of the data subject is in force;
9.4. as long as it is necessary in order to implement and protect the legitimate interests of the Controller;
9.5. as long as the legal obligation to store the data exists;
9.6. upon expiry of any of the above-mentioned time periods, all data shall be deleted or anonymized in accordance with the procedure determined by the Controller.
10. Sharing and issuing of personal data of the data subject:
10.1. In order to provide the services and perform the work tasks, the Controller may share the data of the data subject, including in the countries of the European Union and EEA (European Economic Area);
10.2. When providing special data protection, like the GDPR regulation requires, in order to guarantee the fulfillment of functions and duties, as well as the work of the Controller, the Controller may transfer the data to a third country (outside of the European Economic Area) or international organizations;
10.3. In order to fulfill the provisions of regulatory enactments, the Controller may share the data of the data subject with the state and municipal authorities, law enforcement authorities, court, or other institutions;
10.4. The Controller shall issue the data only to the extent determined by the regulatory enactments in force, including the GDPR and Personal Data Processing Law.
11. Protection of the data subject’s personal data:
11.1. The Controller shall protect the data of the data subject from unauthorized access, accidental loss, disclosure, or destruction. In order to achieve this, the Controller shall use modern technological possibilities, considering the existing privacy risks and organizational requirements, including using firewalls, break-in detection and analysis software, as well as encryption with standard SSL and anonymization;
11.2. The Controller shall carefully examine all processors and sub-processors who process the data of the data subject on behalf of it; the Controller shall assess whether the relevant safety measures are used, whether the data processing is performed in the way delegated by the Controller, whether it is performed in accordance with regulatory enactments in force and data protection requirements and standards;
11.3. Processors and sub-processors shall not be entitled to process the data of the Controller for their own purposes;
11.4. The Controller shall not bear any responsibility for any unauthorized access to the data of the subject or the loss of that data, if they are not under the competence of the Controller, for example due to the fault or negligence of the data subject.
12. Profiling logic:
12.1. With regard to the data subject the Controller may adopt automated decisions and perform personal data profiling. The data subject shall be informed on such activities of the Controller separately, in accordance with regulatory enactments in force. The data subject may object to the automated decision-making, in accordance with the provisions of regulatory enactments in force.
13. Rights of the data subject:
In accordance with regulatory enactments in force, the data subject shall have the following rights in relation to his/her personal data’s processing:
13.1. rights of access – the data subject shall be entitled to request a confirmation from the Controller regarding whether the personal data of the data subject are processed, as well as information about all processed personal data;
13.2. right to rectify – if the data subject considers that the information about him/her is incorrect or incomplete, he/she shall be entitled to request the Controller to rectify them;
13.3. objecting to processing based on lawful interest – the data subject is entitled to object to the processing of personal data processed based on legitimate interests of the Controller, except in cases when legal acts determine the processing of such data;
13.4. erasure – in certain circumstances the data subject has the right to request the erasing of his/her personal data, except in cases when legal acts determine the time period for storage of such data;
13.5. restriction of processing – in certain circumstances the data subject shall be entitled to restrict his/her personal data processing, except in cases when legal acts determine the volume of data processing;
13.6. data transmission – the data subject shall be entitled to receive or transfer his/her personal data to any other personal data controller. This right shall also include personal data which were provided to the Controller pursuant to consent of the data subject, on the basis of a contract or in cases where data processing is performed automatically. The data subject may use the above-mentioned rights to the extent the Controller does not implement the processing, upon fulfilling the obligations and tasks imposed under the regulatory enactments in force;
13.7. revocation of consent – the data subject shall be entitled at any time to revoke the consent given for data processing, in the same way as it was provided or by sending a relevant notification to the e-mail: legal@mogotel.com. In this case, further processing based on prior consent regarding the specific purpose will not be performed. Revocation of the consent does not affect data processing carried out while the consent of the data subject was effective. Withdrawal of the consent cannot terminate data processing that is carried out by the Controller based on other legal grounds.
In order to carry out the above-mentioned rights, please submit a written application to the Controller or the data protection officer.
14. Other
14.1. Links to the websites of third persons, which have their own rules for usage and personal data protection, for which the Controller does not bear any responsibility, may be posted on the websites of the Controller.
15. Communication
15.1. In case of any questions and uncertainties, the data subject may contact the Controller – in person at its office at Latgales iela 240–3, Riga, LV-1063, Latvia; in presence at the hotel; or via the personal data protection officer: legal@mogotel.com;
15.2. The Controller shall contact the data subject by using the contact information (phone number, e-mail address, correspondence address) specified by the data subject.
If the data subject is not satisfied with the received reply, he/she shall be entitled to submit a complaint to the Data State Inspectorate (www.dvi.gov.lv).
The Controller shall be entitled to regularly improve or supplement the privacy policy. The Controller shall inform the data subject of any changes by publishing the updated version of the privacy policy on the website https://www.hotelmoreto.com/.