PERSONAL DATA MANAGEMENT SYSTEM

 

Administrator: Campfire BG Ltd.

Website: www.Campfire.bg  

Data Protection Officer: Veselin Durgov

Contact email address: office@campfire.bg

 

Protecting your personal data is a responsibility of high priority for us. With this Privacy Policy, CampfireBG Ltd. respects the privacy of the individual and takes it as its duty to protect your personal data.

Introduction

 

  1. General Data Protection Regulation (EU) 2016/679 (GDPR) replaces the Data Protection Directive 95/46/EC. It has a direct effect on and exists alongside national legislation in the field of data protection (known as Data Protection Act). Its purpose is to protect the rights and freedoms of individuals and to ensure that personal data is not processed without their knowledge and, if possible, that it is processed with their consent.
  1. Scope outlined by the General Data Protection Regulation:

Art. 2. Material scope stipulates that GDPR applies to processing of personal data entirely or partially by automated means, as well as to processing of personal data by any other means (e.g. manually and on a hard copy) which are or are intended to be part of a personal data record.

Art. 3. Territorial scope stipulates that GDPR rules apply to all data controllers or processors established in the EU who process personal data while performing their usual professional duties. The Regulation also applies to controllers and processors outside the EU who process personal data in order to offer goods and services or to monitor the behavior of data subjects who reside in the EU.

  1. Definitions

‘Personal data’ means any information relating to an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

‘Special categories of ‘processing’ means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by electronic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Administrator’ means any natural or legal person, public authority, agency or other entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU legislation or the legislation of a Member State, the controller or the specific criteria for its determination may be laid down in the EU legislation or in the legislation of the Member State;

‘Data subject’ means any living natural person who is the subject of personal data held by the Controller.

‘Consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by means of a statement or a clear affirmative action, which signifies the data subject’s agreement to personal data relating to him or her being processed;

‘Child’ – the General Regulation defines a child as anyone under the age of 16. The processing of a child’s personal data is only lawful if a parent or a guardian has given consent. The data controller shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given, or is authorised to give, consent.

‘Profiling’ means any form of electronic processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of that natural person’s professional duties, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

‘Personal data breach’ means a breach of security resulting in the accidental or unlawful destruction of personal data.

In relation to a processor, its main establishment in the EU will be its administrative centre. If the controller is based outside the EU, it must appoint a representative in the jurisdiction in which the controller operates to act on the controller’s behalf and deal with supervisory authorities. (Article 4(16) of the GDPR)

‘Recipient’ means a natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a specific investigation in accordance with Union or Member State legislation are not considered to be ‘recipients’; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;

‘Third party’ means any natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are entitled to process the personal data.

 

Obligations and roles under Regulation (EU) 2016/679

  1. ‘CampfireBG’ Ltd is a Data Controller under Regulation (EU) 2016/679.
  2. The CEO of CampfireBG Ltd is responsible for the personal data management system and for the development and promotion of good practices regarding information processing in the company.
  3. The Data Protection Officer (hereafter DPO), with a role defined in Regulation (EU) 2016/679, is responsible for the management of personal data within the company and for ensuring compliance with data protection legislation and establishing good practices. This accountability of the DPO includes regular review of the personal data management system in accordance with Regulation (EU) 2016/679 and security and risk management in relation to policy compliance.
  4. The DPO has specific responsibilities in relation to the ‘Procedure for the management of subject requests’ and should be the point of contact for the controller’s employees requesting clarification on any aspect of data protection compliance.
  5. Compliance with data protection legislation is responsibility of all employees of CampfireBG Ltd. who process personal data.
  6. The Training Policy of CampfireBG Ltd sets out specific training and awareness requirements regarding specific employee roles within the company.

What do we need your personal data for?

  1. To make reservations for individual or group travel, to prepare and purchase a package of services, to book and purchase airline tickets, and all other processes related to the provision of services offered by us, including third-party services such as products of our partners offering organized travel, accommodation etc.
  2. We also use your information for marketing activities. These may include, among others, sending you newsletters and announcements on products and services, processing any requests/bookings, communication with you.
  3. We process the information you send us for a variety of reasons, such as: clarification on a program; bookings; general information; advice; insurance arrangements etc.

Storage and destruction of data

 

  1. CampfireBG Ltd does not store personal data in a form that allows the identification of subjects for a longer period than necessary, in relation to the purposes for which the data were collected.
  2. CampfireBG Ltd collects and processes information that you have agreed to provide us voluntarily. You can contact us using our website or our Facebook page. For this purpose, it is necessary to leave your names and e-mail address, thereby expressing your consent to receive from us the information you are looking for.

You can make a reservation request for our services through our Facebook page CampfireBG or on our web-site www.Campfire.bg.

  1. CampfireBG Ltd uses personal information for the purposes of concluding mandatory insurance policies and carrying out different types of reservations related to the requested trip/service.
  2. The retention period for each category of personal data is set out in the Data Category Collection and Destruction Schedule.
  3. Personal data must be destroyed securely, in accordance with the principle of ensuring an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organizational measures (‘integrity and confidentiality’).

Data transfer

Any export of personal data from within the EU to countries outside the EU (referred to in the General Regulation as ‘third countries’) is illegal unless there is an adequate ‘level of protection of the fundamental rights of data subjects’.

CampfireBG Ltd does not transfer personal data to other countries, including those outside the EU. Nor does it transfer to third parties with whom it does not have a contractual relationship as part of the implementation of a travel program.