Privacy policy

PRIVACY POLICY

Contact details of the Supervisory Authority
Commission for Personal Data Protection
Address: Sofia, P.O. Box 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Website: www.cpdp.bg

It is advisable to take time to familiarize yourself with this Privacy Policy and to review it periodically, because we may change it at some point.

1. Scope

The protection of your personal data is a high priority for “Hermes Group” Ltd. This Privacy Policy discloses how “Hermes Group” Ltd collects, stores, processes, protects, uses and discloses personal and other data collected about you in writing, orally, electronically, or while you use the websites (together with any other and any future website, hereinafter referred to collectively as the “Website”). Our personal data protection practices comply with the applicable Bulgarian data protection legislation and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

1. Key definitions

For the purposes of this Privacy Policy, the following terms are used:

Personal data is any information relating to an identified person or a natural person who can be identified, including, but not limited to: (a) first name or initial and last name; (b) personal identification number; (c) permanent or current address; (d) telephone number; (e) e-mail address or online identifier associated with the person; (f) data regarding financial or health status or data regarding professional experience; (g) behavioral or demographic characteristics when linked to personal identifiers; (h) voice data and video image; or (i) any other information relating to a person that is combined with any of the above.

Other data, as defined by applicable law, which may be anonymized and/or aggregated information, as well as any other information that does not reveal the identity of the person or is not directly linked to them. Other data may include, but is not limited to: cookies, IP address and information obtained from an IP address, information contained in HTTP headers. Other data stored in Internet protocols, browsers or various devices, operating systems and information used by “APPS” applications on your mobile device, screen resolution, behavioral data about your use of the websites and preferred languages.

Processing of personal and other data means any operation or set of operations performed on personal or other data by automatic or other means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

Sensitive personal data is a type of personal data which may include, but is not limited to, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the sole purpose of identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Suppliers of goods and services are third parties whom we use under contractual relationships, to fulfill our legal obligations and carry out our commercial activity and to provide you with many of our services, functions and aspects of the Website.

1. What personal and other data we collect

Our privacy policies depend on the type of relationship you have with “Hermes Group” Ltd and on legal requirements. We aim to collect personal and other data only to the extent necessary to provide you with products, services or information that you have requested, or to recruit the necessary staff for the normal functioning of the Company. We may use information to improve functionality when using our Website, in accordance with this Privacy Policy. Below are the grounds and some of the ways in which we collect and use information.

Your personal data may also be collected in connection with Customer Programs and games organized by “Hermes Group” Ltd. Each Customer Program and Game has individual terms, with a detailed description of the participation rules, prize pools, the necessary personal data that will be collected, the methods of collection, retention periods and processing purposes.

When organizing such Customer Programs and games, “Hermes Group” Ltd also complies with the general personal data protection rules determined by the specific social platform on which the Game is distributed. Usually, but not only – Facebook, Twitter, Instagram.

3.1. Users

“Hermes Group” Ltd collects user data in various ways. In all cases, we collect only the personal data that you have voluntarily provided to us and we do not collect any other data that has not been provided to us without your voluntary consent.

3.1.1. Personal data you have provided voluntarily

You may choose to communicate with us and provide personal data, such as your:

• names, postal and e-mail address, telephone and/or mobile number, city, postal code, age, bank account and other information.

3.1.2. For what purpose we use your personal data

“Hermes Group” Ltd uses the above-described data when provided by Users in the following cases:

1. performance of a contract concluded with a client, including the delivery of goods and services;

2. submission by clients of opinions, complaints, suggestions, objections, etc.;

3. customer satisfaction survey;

4. providing a response;

5. connection to the Wi-Fi network provided by the restaurants and accommodation facilities of “Hermes Group” Ltd;

6. contacting us by phone, e-mail or post with a question, recommendation or complaint;

7. responding to your inquiries and complaints related to the quality of the offered goods;

8. in connection with Customer Programs and in case you are a winning participant in the Games organized by “Hermes Group” Ltd.

“Hermes Group” Ltd does not collect personal data from its clients unless they contact us directly. In order to respond adequately to clients’ inquiries, it is possible that personal data may be shared with third parties.

3.1.3. Other data collected automatically

We collect data automatically through the Website. However, if we combine your personal data with those that we collect automatically (e.g., geographic location from your IP address and we combine it with behavioral information about your use of the Website, with your name) we treat the information as personal.

“Hermes Group” Ltd and its online advertising and marketing partners may use various technologies to collect information, including:

3.1.4. Cookies

Like many other websites, we use devices that collect data, such as “cookies”. We collect this data for the purpose of analyzing traffic on our page and measuring the effectiveness of the promotions we offer. A cookie is a text string of information that the Website sends to the cookie file in the browser on your computer’s hard drive so that the Website can remember you.

A cookie usually contains the name of the domain from which the cookie came, the cookie’s “life cycle” and a value, which usually is a randomly generated unique code.

This helps us provide you with better use of our Website and also allows us to improve the services we offer.

Some important things you should know about cookies:
“Hermes Group” Ltd offers certain functions that are available only through the use of cookies.

• they are used to improve the use of the Website;

• most cookies are “session cookies”, which means they are automatically deleted from your hard drive at the end of the session.

You have the option to accept or refuse cookies by changing your browser settings. If you refuse cookies, this may prevent you from using all interactive features of the Website.

3.1.4. Internet Protocol (“IP”) Addresses

The IP address is associated with your computer or mobile device. “Hermes Group” Ltd may use your IP address to help diagnose problems with the “Hermes Group” Ltd server, administer the Website and maintain contact with you while you use the Website.

3.2. Potential employees

If you wish to be part of the team of “Hermes Group” Ltd and submit an application for employment or submit your CV, we process and store the personal data entered in the specified documents for a period not longer than 6 months after completion of the selection process. The collected personal data may include, but is not limited to:

• Identification: names, address, telephone number, e-mail address, date of birth, citizenship, bank account;

• Education and professional qualification: data related to education, work experience, professional and personal qualifications and skills, when necessary and required for the position held.

This personal data is stored in accordance with the personal data privacy rules provided when applying for a job at “Hermes Group” Ltd.

3.3. Employees

With regard to its employees, “Hermes Group” Ltd processes the following personal data:

• Identification: full name, personal identification number, date of birth, permanent address, education and professional qualification; professional experience, bank account number;

• Data concerning health status, including a medical certificate for all employees and data from the personal health booklets of employees working directly with food;

• Data concerning criminal record – certificate of criminal record.

This personal data is stored in accordance with the internal personal data protection rules of “Hermes Group” Ltd and the Employee Personal Data Privacy Notice.

3.4. Contractors and suppliers

With regard to our suppliers of goods and services who are natural persons /as self-employed persons/ and the representatives or contact persons of our suppliers of goods and services who are legal entities, “Hermes Group” Ltd processes the following personal data:

• Identification: names, personal identification number, address, telephone number, e-mail address, date of birth;

• Professional activity: position, official capacity;

This personal data is stored in accordance with the internal personal data protection rules of “Hermes Group” Ltd and the Privacy Notice for suppliers and partners.

3.5. Visitors to premises

With regard to persons who visit premises of “Hermes Group” Ltd where video surveillance is carried out, “Hermes Group” Ltd processes the following personal data:

• Identification: voice data and video image;

This personal data is stored in accordance with the personal data protection rules for video surveillance and monitoring of “Hermes Group” Ltd.

1. How we collect the data

Clients

The Company usually collects and processes clients’ personal data in the preparation, drafting and provision of a reservation and accommodation in the facilities of “Hermes Group” Ltd.

The Company usually does not process clients’ personal data in the preparation and sale of drinks and food in its establishments.

Clients’ personal data are processed when the client decides to participate in one of the programs or games organized by the Company. In such case, the clients’ personal data (the processed personal data may include, depending on the specific case, the client’s first and last name, current address, e-mail address, date of birth, telephone number, payment data and, where applicable, information about the order and the places of purchase) are processed solely with the client’s consent, provided voluntarily in accordance with the rules of the respective program and game.

Clients’ personal data are processed within customer programs for the purposes of facilitating the fulfillment of the orders of the respective client, for marketing (e.g., as part of the company’s marketing campaigns, for providing information about new products, for delivering commercial messages of the Company or for notifying the client of prizes won or other winnings) and for the purposes of tracking customer satisfaction.

Clients’ personal data (the processed personal data may include, depending on the specific case, the client’s first and last name, current address, e-mail address, date of birth, telephone number, payment data and, where applicable, information about the order and the places of purchase) are also processed in cases of contact initiated by a client with the company in connection with expressing opinions, complaints, suggestions, objections, etc.

Website users

The Company uses cookies on its Website. Cookies ensure faster and more efficient browsing of the Website and adapt the display of products and other content to the User’s personal interests and specific needs. Cookies are used to collect accumulated anonymous statistical data allowing an understanding of how the Website is used and enabling optimization of its structure and content, as well as to provide certain functions of the Website and personalize advertisements.

The Company uses two types of cookies – temporary (session) and persistent cookies. Session cookies are used temporarily and are stored on the User’s device until he/she leaves the Website or closes the application (web browser). In contrast, persistent cookies remain on the User’s device for the time specified in the parameters of the respective cookie or until the User deletes them.

Information obtained through the use of cookies may be collected only for the purposes of mediation and performance of certain user functions. These data are encrypted in a way that prevents unauthorized access to them.

Typically, the application used to browse the Website allows storage of cookie files on the User’s device according to the default settings. This mode can be changed either by completely blocking cookies in the web browser settings or by partially blocking them – in which case the User is notified each time the device stores cookies. More detailed information regarding the possibilities and ways to manage cookies is available in the settings of the application (web browser).

The Website collects information about the User’s IP address (i.e., the number that uniquely identifies the User’s computer network interface), the domain name, as well as the type of web browser and operating system. The purposes of processing these data are similar to those of cookies, meaning that these data are used by the Company to collect statistical data for analyzing the use of the Website and for personalizing advertisements.

Users’ personal data are processed where consent is provided voluntarily by the User through loading the Website or is expected by default in connection with the use of the Website.

The personal data of Users who register or send an inquiry on the website are processed where consent is provided voluntarily by the User when completing the registration or inquiry.

Employees and Potential Employees

The Company processes employees’ and potential employees’ personal data within the limits necessary for selection and appointment of staff and performance of legal obligations (e.g., the obligation to withhold or pay taxes, to keep files for the purposes of health and social insurance, etc.). The employee undertakes to provide these data to the Company. Failure to provide these data should be considered a violation of legal requirements by the employee and/or the Company and may lead to sanctions imposed by the competent state authorities.

The Company processes employees’ personal data separately from legal requirements only with their consent and as part of the certification of the legitimate interests of the Company or the performance of the contract concluded by and between the Company and the employee, more specifically for the purposes of processing personal data in the CVs of job applicants in the Company, preparing advertising materials, managing the Company’s profiles on social networks, keeping records for the use of the Company’s service cars, providing information about Company events, protecting the Company’s property (mainly the use of video surveillance systems) or when providing access of authorized persons to the Company’s premises.

1. What we do with the personal and other data we collect

First of all, we use the data you provide or that we collect to provide you with the products, services or information you have requested. We also use the data to improve functionality when using our Website.

We may use your data to provide you with information concerning products or services that may be of interest to you. In order to automatically address customer inquiries and to provide the services offered through our Website, we may share information with our service providers.

1. Choice

You have the right to opt out of certain uses and disclosures of your personal data, as specified in this Policy. Before disclosing sensitive data to a third party or processing sensitive data for a purpose other than the original purpose or a purpose subsequently authorized by you, “Hermes Group” Ltd will make the necessary effort to obtain your explicit consent. Where consent for processing the data is required by law or contract.

If you participate in any promotion, the personal data you provide will be processed in accordance with the privacy rules applicable to that promotion, to the extent that they differ from this Policy.

1. Where we store your personal data

All personal data sent and collected through the websites are stored on our servers, on shared servers, on the servers of other controllers or processors of personal data with whom “Hermes Group” Ltd has staff recruitment contracts, or on the servers of our suppliers of goods and services. By using our websites, you agree that we store your data at the specified locations.

7.1. Provision of data to third parties

The Company provides already processed personal data only to partners with established technical and organizational measures for data protection and fulfillment of other obligations arising from Regulation (EU) 2016/679 of 27.04.2016 and the PDPA regarding data protection. The Company’s partners have access to personal data only to the extent necessary to perform their obligations. Therefore, in certain cases, the Company provides personal data to other companies and third parties that provide services to the Company related to hosting personal data on shared servers, managing applications for loyalty programs, ensuring payments for purchases from the Company and analyzing marketing research. Employees’ personal data are provided to the external accounting company that collects accounting and tax archives and payroll records of the Company and, in some cases, to companies providing the Company with services that allow employees of the Company to report cases of violation of legal provisions or in cases where the Company, its partners or employees act unethically.

Under no circumstances does the Company provide personal data to third parties for payment.

7.2. Transfer of personal data to third countries

The Company may transfer personal data to countries outside the European Union and in certain cases to third countries (USA), regardless of whether there is a decision of the European Commission on the level of protection of personal data in those third countries equivalent to that existing in the European Union.

The transfer of personal data to other companies and third parties is carried out, if necessary, on the basis of a contract under which the recipient of personal data undertakes to maintain high standards for personal data protection (the transfer of personal data is based on the “standard clauses” for personal data protection pursuant to Article 46(2)(c) of the General Data Protection Regulation) and/or subject to the consent of the person whose personal data are transferred.

Retention period. The personal data you provide will be stored for a period no longer than necessary to achieve the purposes for which they are processed.

1. How we protect your data

“Hermes Group” Ltd applies organizational, physical, information technology and other necessary measures to ensure the security and protection of your personal data and monitoring of the processing of personal data.

Among other things, such security measures include the following activities:

• “Hermes Group” Ltd has established requirements for processing, registration and storage of personal data through internal procedures, compliance with which is monitored continuously;

• access of employees of “Hermes Group” Ltd to personal data and permission to process personal data in the database of “Hermes Group” Ltd is restricted depending on their duties;

• “Hermes Group” Ltd has established confidentiality obligations for its employees;

• access to office equipment of “Hermes Group” Ltd and to each employee’s computers is restricted;

• we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act, as well as best practices from international standards;

• for maximum security during processing, transfer and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

The security measures we apply are subject to continuous improvement and adaptation to the most modern technologies.

1. Access

Where permitted by law, you may use any of the methods in Section 13 of this Policy to obtain confirmation that “Hermes Group” Ltd processes personal data about you and to request access, correction or deletion of personal data processed by us, including where the data have been processed in violation of the principles of Regulation (EU) 2016/679 of 27.04.2016 and the PDPA. Such requests will be processed in accordance with the internal rules of “Hermes Group” Ltd, consistent with Regulation (EU) 2016/679 of 27.04.2016 and the PDPA.

“Hermes Group” Ltd respects and takes the necessary care to comply with the rights of data subjects, but there may be cases where it is impossible to provide the requested information, including but not limited to:

1. where the law takes precedence over the rights of the data subjects;

2. where it would pose a risk to the security of the data subjects;

3. where it would interfere with the privacy of other persons or where it is commercial property.

If the Controller determines that access should be restricted in each specific case, “Hermes Group” Ltd will make the necessary efforts to notify you of the reasons leading to restriction of access to the information you requested and will provide you with contacts for further inquiries.

If necessary, the Data Protection Officer of “Hermes Group” Ltd will contact another person to cooperate and complete the process of providing the data you requested. To protect your data, the Controller will take the necessary steps to confirm your identity before providing access to or before making any changes related to your data.

1. Data integrity – purpose limitation

“Hermes Group” Ltd processes the personal data it receives while you use the websites or as long as necessary to complete the purpose(s) for which they were collected, including but not limited to: until completion of the provided services, for dispute resolution, for legal protection, when carrying out audits, where there are legitimate business interests, for performance of agreements and for compliance with applicable laws. Your consent for these purposes is not required.

1. Further disclosure

“Hermes Group” Ltd does not provide personal data to third parties unless a client or potential employee requests or has given consent for such disclosure, or disclosure is required by law. The Controller may share personal data with its service providers, consultants and affiliates for internal, business purposes or to supply you with a product or service you have requested.

Payment information will be processed only in order to fulfill the order; it may be stored by our service provider for the purposes of future orders or for accounting reporting needs.

The Controller requires from its suppliers or other personal data processors written confidentiality consent and ensuring protection of the personal data they maintain on behalf of the Controller, including ensuring at least the minimum level of protection required by the principles of Regulation (EU) 2016/679 of 27.04.2016, and that the data are not used for any purposes other than those determined by the Controller. Suppliers must notify the Controller if they have found that they can no longer fulfill their obligations. With regard to further transfers of data provided to third parties, the Controller monitors the processing of personal data by requiring a guarantee from the processing party that it complies with the principles of Regulation (EU) 2016/679 of 27.04.2016.

Your personal data are considered an asset of the company and may be disclosed or transferred to a third party in the event of a change in the legal organizational structure of “Hermes Group” Ltd, e.g., in any reorganization, sale, merger, division, joint venture, transfer, consolidation or other type of acquisition, disposal, or financing of all or part of our activity, or of some of the commercial assets or shares (including in connection with insolvency or similar proceedings). In these cases, your data are transferred to a third party so that you can continue to receive the same products and services or maintain the same relationship with the third party.

Although we make all necessary efforts to maintain the confidentiality of the personal data we collect, “Hermes Group” Ltd reserves the right to disclose personal data to third parties under certain limited circumstances, including: (a) compliance with a law, search warrant, subpoena, legal proceedings, court or administrative order; (b) response to a legal requirement from public authorities, including for meeting national security requirements or law enforcement requirements; (c) enforcement of the Controller’s policies or contracts; (d) collection of amounts due; (e) protecting users of the websites from fraud or abuse; (f) during emergencies when safety is at risk, as determined by the Controller; (g) where necessary to establish, exercise or defend legal claims.

At the Controller’s discretion, server logs may be reviewed for security purposes, e.g., to detect unauthorized activity on the websites. In such cases, server data containing IP addresses will be shared with law enforcement authorities so they can identify users in connection with their investigation of unauthorized activities.

1. Security

Although there is no such thing as “guaranteed security”, we and our partners use commercially acceptable measures (including all steps required by applicable law) designed to protect your personal information from loss, unauthorized access, use, alteration, disclosure or other misuse.

1. Rights of data subjects

You may also submit a complaint to your Supervisory Authority; for Bulgaria this is the Commission for Personal Data Protection, at the addresses indicated in this Policy. “Hermes Group” Ltd will fully comply with recommendations given by the Supervisory Authorities and will take the necessary steps to remedy any non-compliance with regulatory principles.

Commission for Personal Data Protection,
address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2;
website: www.cpdp.bg.

If you suspect a violation of legal requirements, you have the right to submit a complaint to the supervisory authority for personal data protection.

Your statutory rights are:

• To request information as to whether we process your personal data, what they are and for what purpose they are processed.

• To request access to your personal data (“Data access request”). This allows you to obtain a copy of the personal data we hold about you and to check whether we process them lawfully.

• To request correction of your personal data held by us. You have the option to correct any incomplete or inaccurate information that we hold about you.

• To request deletion of your personal data. This allows you to request that we delete or remove personal data if:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

  • you withdraw your consent on which the processing is based and there is no other legal ground for processing;

  • the data subject objects to processing, including profiling, and there are no overriding legitimate grounds for processing, or the data subject objects to processing for direct marketing purposes;

  • the personal data have been processed unlawfully;

  • the personal data must be erased to comply with a legal obligation under Union or Bulgarian law;

  • the personal data were collected in connection with the offer of information society services.

• To object to processing against certain types of processing, such as direct marketing (unsolicited advertising messages), as well as where processing is based solely on the Controller’s legitimate interest.

• To object to automated decision-making, including profiling, i.e., not to be subject to any automated decision-making by us using your personal data or profiling.

• To request restriction of processing of your personal data when:

  • you contest the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;

  • the processing is unlawful but the data subject does not want the personal data to be erased and instead requests restriction of their use;

  • the Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defense of legal claims;

  • you have objected to processing based on the existence of the Controller’s legitimate interest, pending verification whether the company’s legitimate interests override those of the data subject.

• To request transfer of your personal data in electronic and structured form to you or another person (commonly known as the right to “data portability”). This allows you to receive your data from us in a usable electronic format and to transfer them to another person in a usable electronic format.

• To withdraw your consent. In the rare cases where you may have given consent for collection, processing and transfer of personal data for a specific purpose, you have the right at any time to withdraw your consent for that specific type of processing. After we receive notice that you have withdrawn your consent, we will stop processing your information for the purposes for which you originally consented, unless there is another legitimate reason for doing so by law.

A request may be made by completing a Request Application and sending it to the e-mail address of the Data Protection Officer or to the address of “Hermes Group” Ltd.

To ensure that we have identified the correct person, it is possible that we will contact you to confirm your request.

“Hermes Group” Ltd undertakes to review your request without undue delay and in any case within 30 days of receiving the request. In cases of legal and factual complexity, this period may be extended by an additional 30 days. You do not need to pay a fee to exercise the above rights. In case of repeated request on the same ground, in case of an obviously unfounded request or in case of excessive request, a fee may be charged.

In order to provide complete, accurate and clear information in the Request, it is possible that we will ask you for specific identifying data that will help us confirm your identity. This is an additional security measure ensuring that your personal data will not be disclosed to persons who are not entitled to receive them.

1. Information concerning children

We do not knowingly collect personal information from children under the age of 16. If we learn that we have collected personal information from a child under the age of 16, we will take steps to delete the information as soon as possible or obtain the consent of the person with parental responsibility for the child.

If you are a parent or legal representative of a child whom you believe has provided us with personal data, please contact our data protection officer and they will take immediate actions to delete the information in accordance with applicable law.

1. Links to third-party websites

Please note that the Website may contain links to other websites for your convenience and information. The Controller does not control sites external to the company or their privacy practices. Please note that they may differ from those set out in this Policy. “Hermes Group” Ltd does not endorse and makes no representations regarding third-party websites. Personal data that you choose to provide to websites not affiliated with us are not covered by this Policy. We encourage you to review the privacy policies of other websites before providing your personal data. Some third parties may choose to share their users’ personal information with us. Such sharing is governed by the company’s privacy policy and not by this Policy.

1. Changes to the Privacy Policy

The Controller may update this Privacy Policy. When the Policy changes, we will update the “last revision” date located at the very top of the Policy.

If there are any changes to this Policy, we will notify you. We encourage you to read our Privacy Policy to stay informed about how we protect the information provided by you.

If you continue to use the Website after publication or amendment of the Policy, this will be considered as your consent to be bound by it and all such changes to it.

Any change to this Privacy Policy enters into force immediately after its publication.

1. Other related policies

This Policy may be supplemented by one or more special policies or privacy notices. In case of conflict between this Policy and any special policy, the applicable special policy shall prevail.

In addition, you have the right to submit a complaint to the Commission for Personal Data Protection: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2 or in electronic form on the Commission’s website: https://www.cpdp.bg.

This Policy is approved and enters into force as of April 2023.