Last edited: 13 March 2019 and 2 February 2020
Definitions: The terms “personal data”, “processing”, “controller”, “processor”, “third country”, “international organization”, “data subject”, “representative” and “member state” (and their derivatives) used in this Policy have the meaning specified in the General Data Protection Regulation (EU) 2016/679 (GDPR).
1. CONTROLLER AND CONTACT DATA
1.1. The personal data Controller with regards to this Policy and provider of the Services is the company THE POINT ENTERTAINMENT OOD, registered in the Republic of Bulgaria under UIC 203523068 with its seat and registered address at Children Entertainment Centre Park Boby & Kelly (Patilantsi), Philip Avramov blvd, Mladost 3, Sofia municipality, Mladost district, 1712 Sofia, Bulgaria (“The Point”, “we”, “us”). If you have any questions regarding this Policy, you can contact us by e-mail at firstname.lastname@example.org, by mail to Park Boby & Kelly’s address at Park Boby & Kelly – former Patilantsi, Philip Avramov blvd, Mladost 3, Sofia (“the Park”) or by phone at 2 974 4839.
2. PERSONAL DATA WE COLLECT AND USE
2.1. The Point processes the following categories of personal data:
- data, that you provide to us when booking an event or making a request for Services or concluding a Service contract, and in particular name and surname, address and email address, telephone number, name of child, if applicable, number of guests, event date/reservation. We may process the same data also when providing an offer on your request, but without subsequent reservation or Service contract;
- history of your orders and contracts;
- information that you provide to us when you contact us or establish any kind of interaction with us through any type of communication regarding specific requests, orders, Services, complaints, claims or inquiries, or social media activity (e.g. Facebook), including contact by phone, mail, through forms on our websites, by e-mail, through social media or other, in particular, name, surname, email, telephone number, social media profile, photos, address, etc. When you contact us through social media, e.g. Facebook, our profiles there could be public and your interaction and information you publish in them may be public. Please note that we do not control and are not responsible for the use of your social media profile;
- information that you provide to us when buying subscription cards or vouchers, such as names and e-mail address of the user, the size of the discounts provided and the history of their use;
- data in relation to payments and refunds in the cases provided for, e.g. bank account, debit/credit card used, card holder, etc.;
- photos and images from public events held at the Park. You can also ask for individual photos of you or your friends and relatives as part of the Services of the Park.
- information about your device, which you use to visit our respective website and online identifiers such as IP address, device used, location, device software, “cookies” data;
2.2. We usually collect the data directly from you. In rare cases we could receive data about you from third parties, such as a courier company with regard to delivered goods and collected payments, a bank institution for a payment that has been made, from your friends or relatives when ordering Services for you or a gift voucher for you.
2.3. In some cases, the provision of personal data by you is necessary for the conclusion and execution of a contract (e.g. for making a reservation or placing an order and provision of Services, for making a payment and a delivery under a contract, etc.). In those cases, if you do not provide the respective personal data required, you will not be able to receive services by us or it would not be possible to duly provide the services. For example, if you do not provide us with the a date and number of guests for an event at the Park planned by you, we would not be able to make a reservation, if you do not provide us an email, we would not be able to contact you by email or if you do not provide us with a delivery address for the food ordered from the restaurant, we would not be able to fulfill the delivery.
2.4. Your responsibilities:
- We advise you to limit the personal data you provide to us to only the explicitly required by us and necessary for the exercise of rights and the fulfilment of your and our obligations;
- Third party websites and external links: For your convenience, our websites might contain ads or links to other websites or services, managed by other persons, such as Facebook. This Policy does not refer to and we are not responsible for the processing of personal data by such third persons. We advise you, if you choose to visit or use any of those websites or services by third persons to get acquainted with their privacy policies, which be different than our Policy;
- When you provide us data, including personal data, you declare and guarantee that they are correct and accurate, that you have the right to provide us such data for the purposes specified in this Policy and this does not infringe the rights of third persons, including the right to integrity, right to liberty of the person, copyright and related rights, intellectual property rights, etc.
3. PURPOSES OF THE DATA PROCESSING (HOW WE SHALL USE YOUR DATA)
3.1. The primary purpose of the processing of your personal data is the conclusion and execution of a contract for the provision of Services by us to you (including identification, invoicing, payment, delivery, communication, exercise of rights and obligations under the contract, etc.).
3.2. We might use your personal data also for the following specific purposes:
- communicating with you and providing you the information requested by you with regard to our Services and how to use them;
- sending you administrative and legal information, such as information about changes to our Policies, terms, etc.
- sending you newsletters, promotional materials and other notifications by mail, email, text messages (SMS) or by phone. These are messages or materials for the purposes of direct marketing used to advertise our products and services, current or upcoming promotions and campaigns to you, as we shall always and at any time give you the right to easily and cost-free object to receiving such messages and shall respectively process such objections and denials;
- complying with or performing our duties, pursuant to laws, legal acts, acts of the executive or the judiciary authorities, for example for the purposes of accounting, controlling and reporting, auditing and tax purposes, etc.
- exercising our rights or protecting yours, ours, third persons’ or public legitimate interests, such as, for example, detection, investigation and prevention of theft, crimes, frauds, misuse of the Services and other violations of the law, exercising rights under contracts to which we are a party, etc.
- statistical purposes and analyses with the goal to improve and modify our products, services, procedures and policies, our Services and websites and their functionalities (including using data collected from your web browser or app, such as IP address, operation system, browser type, details about sessions, location, etc).
- when conducting special promotional campaigns with prizes, in which case there might be additional special rules about data processing.
4. LEGAL BASIS OF DATA PROCESSING
4.1. When making a reservation, making an offer and concluding Service contracts and for their execution, the processing of your data is necessary for the conclusion and execution of a contract to which you are a party.
4.2. For other purposes and in particular cases we might also rely on another legal basis for processing your data, as follows:
- you have given your consent for the processing – when you have opted to receive promotional messages or materials from us;
- processing is necessary for complying with a legal obligation we have – e.g. for accounting and controlling, tax purposes, etc.
- processing is necessary for the purposes of ours or a third party’s legitimate interests, such as: for some cases of direct marketing to our customers; for a reservation or ordering a gift voucher by your friends and relatives; for public coverage of an event held at the Park; for investigation and prevention of thefts, crimes, frauds, misuse of services or the websites; for improvements and modifications of our products, services, procedures and policies, websites and their functionalities.
5. RECIPIENTS OR PERSONAL DATA
5.1. Your personal data can be disclosed to the following categories of recipients:
- our service providers and contractors, such as: courier company for food deliveries; our accounting firm for payments processing and accounting records; companies, from which we have licensed specialized software products, e.g. accounting, warehouse, communication software, etc.; companies, which deliver services and technical support to us in relation to the provision of our Services, as well as other similar service providers, insofar as they need access to the data for the provision of their services;
- providers of payment services for the purpose of identification and payments processing;
- persons, to whom we are obliged to disclose data according to the applicable legislation, acts of the executive or the judiciary authorities, or as part of court proceedings, or in relation to investigation of illegal activity or in case of suspicion thereof, or at the lawful request of state, government or regulatory bodies;
- third persons, when we can reasonably assume that such disclosure is necessary, in order to prevent death or damage, or financial losses or in relation to detection, investigation and prevention of theft, crime, fraud, misuse of services or our websites, other violations of the law, including violations of our rights and contracts and the rights of third persons, such as copyright, intellectual property rights or right to privacy;
- a partner organization in case of a joint campaign, event or action and while explicitly indicating it;
- third persons in case of restructuring, merger, takeover, sale, joint venture, transfer or other disposition of our business or a part of it.
6. TRANSMISSION TO A THIRD COUNTRY
6.1. In some cases when providing our services in accordance with this Policy, a transfer of personal data to jurisdictions outside the European Union can be made, which have a different personal data protection legislation. In particular, such may be the case when we use specialized software product by a provider from USA. In such cases we shall transfer personal data to such third countries only pursuant to: a) a decision by the European Commission regarding and adequate level of protection of this country (art. 46 of GDPR); or b) appropriate guarantees, specified in art. 46 of GDPR, including relying on the Standard contractual clauses for processors in compliance with Annex to European Commission Decision of 5 February 2010 (available as of the date of preparation of this Policy at the following address: https://eur-lex.europa.eu/legal-content/BG/TXT/HTML/?uri=CELEX:32010D0087&from=EN), as amended or replaced from time to time by the European Commission, or appropriate guarantees when there is a specific authorization by a competent supervisory authority; or c) approved by a competent supervisory authority binding corporate rules (art. 47 of GDPR).
7. YOUR RIGHTS
7.1. Right to withdraw your consent. When we process your date on the basis of your consent (e.g. for the purpose of marketing messages and direct marketing), you have the right to withdraw your consent at any time. This shall be without prejudice to the lawfulness of processing before you consent has been withdrawn. You can execute this right at no additional cost for yourself in one of the following ways:
- send us an email at any time at email@example.com with a clear statement that you withdraw your consent;
- call us by phone at 2 974 4839 during business hours (10:00 to 21:30 on working days, specified on our websites);
- by mail to our company’s registered address or to the address of the Park, specified above in this Policy;
In case you withdraw your consent for processing of your personal data, we shall terminate their use for the respective purposes, for which you have withdrawn your consent, in reasonable time.
7.2. Right to access to the data – you can request at any time information about your personal data which we store and process. You can do that in the ways described in the preceding item.
7.3. Right to rectification – to ask for rectification of your personal data if they are incorrect.
7.4. Right to erasure of the data – “right to be forgotten”. You should note that this is not an absolute right and it is to be applied in accordance with the stipulations of the law. For example, you have the right to ask for erasure of your personal data, if they are no longer necessary for the purposes, for which they have been collected or are being processing in a different way, only provided that we do not have a legal obligation, which requires further processing (e.g. part of your data are still being processed for the purpose of accounting and control in accordance with the requirements of accounting legislation). In all cases, we shall respect every reasonable and lawful request for personal data erasure.
7.5. Right to restriction of processing in accordance with the applicable law.
7.6. Right to data portability – in the situations defined by law you can ask to receive or for us to transfer a copy of your data to a third party in a structured widely used format (this only refers to automatically processed data, processed on the basis of your consent or a contract concluded with you).
7.7. Right to object. This right includes in particular your right to object at any time to processing of your data, which is based on:
- performing a task in the public interest or performing official duties by us; or
- our or a third party’s legitimate interest;
In such cases we shall terminate the processing, unless it is proven that there are plausible legal grounds for the processing, which take precedence over the interests, rights and freedoms of the data subject, or for establishment, exercise or defense of legal claims; or
- for the purposes of direct marketing – you can object at any time by following the instructions in the respective marketing message or by writing to us as firstname.lastname@example.org.
7.8. In case you are established in the European Union, you also have the right to file a claim with a supervisory authority and in particular, with the supervisory authority at the member state of your usual residence, of your place of work or of the place of the alleged infringement. For Bulgaria the supervisory authority for personal data protection is the Commission for Personal Data Protection, whose web address is www.cpdp.bg.
7.9. You can exercise the rights described above in accordance with the applicable law and in particular, the provisions of GDPR. To exercise any of your rights against us, you can contact us at any time at email@example.com. In such cases we might have to confirm your identity and to contact you in connection with your request.
8. RETENTION PERIOD
8.1. We shall store the personal data for as long as it is necessary for the respective purposes of processing and execution our obligations defined by law.
8.2. In particular, we shall store personal data:
- data about the purposes of conclusion and execution of a contract – generally, for a period of 5 years from the end of the year of final execution of the respective contract or from its renewal;
- data for the purposes of accounting and control – in compliance with the statutory accounting and control rules. We shall store data processed in connection with other statutory obligations until the respective obligation expires;
- data for the purposes of direct marketing – until you withdraw your consent (if applicable) or until you object, or after 2 years have passed since our last communication with you;
- you can terminate communication with us on social media at any time and in accordance with the instruments of the respective social media, e.g. if you liked our page on Facebook, you can “unlike” it, etc.
8.3. Personal data we process for other purposes shall be processed and stored as required and in compliance with the data protection legislation and applicable standards.
8.4. For the avoidance of doubt, we can generate and store generalized statistical reports and materials, which do not contain personal data and from which no specific person can be identified. This Policy does not apply to them, as they do not contain personal data.
9. AUTOMATIC PROCESSING
9.1. In particular cases we might use software for automatic processing of personal data. We shall not base our decisions solely on such software or such processing and shall also use human factor.
9.2. If you consider that a particular result of automatic processing is incorrect, you can ask for an explanation. You can also object to any decision that significantly affects you and that has been taken solely by a computer, software or through another automatic process, if such decision exists.
10. CHANGES TO THIS POLICY
Approved on behalf of THE POINT ENTERTAINMENT OOD: ______________