PRIVACY NOTICE
in reference to providing Services and other Services all defined in our Terms of Agreement (abbreviated “Services and Other Services” below) through the Enorama.org Platform
(notification for confidential treatment of personal data)
To
CUSTOMERS, who wish to use the sofiawinespot.com Platform
OUR PARTNERS and other CONTRACTORS
WE, Sip En Bite LTD., UIC: 208504303, address: Sofia, Sredets, G.S.Rakovski street, Entrance C., have committed, during and in reference to the providing of our Services and Other Services through the enorama.org Platform, to process personal data in accordance with the General Data Protection Regulation (GDPR Policy, (EU) 2016/679), the Bulgarian Personal Data Protection Act and in compliance with the Constitution of the Republic of Bulgaria, a number of procedural laws and the rest applicable law to our profession.
When we determine the purposes and means of the processing of personal data, such as when we process the data of our Customers, Partners and contractors, we are responsible for that data as a controller within the meaning of the General Data Protection Regulation(GDPR Policy).
During and in reference to the use of our enorama.org Platform, we are required to process a range of personal data, incl. data of our Customers who wish to use our Services and Other Services. When we provide our Customers with the use of our enorama.org Platform, we process personal data on behalf of our Customer, who has provided the data to us, and in his capacity of administrator of the personal data, has determined the purposes and means for the data processing.
Whenever we process personal data of our Customers, either as an administrator or as a processor, we are guided solely by the legitimate interests of the particular Customer(s), to whom we have a duty to provide with the possibility to use our Leave your luggage in Sofia Platform, bearing the relevant responsibility with respect to the data subjects under the General Data Protection Regulation (GDPR Policy) and by law in general.
The personal data we collect and process:
Basic personal data of the Customers – identification data, contact details.
The personal data mentioned above includes ordinary (general) personal information such as names, email address; date of birth; telephone number and etc., but also special categories of personal data might be processed, such as: payment details (details of credit/debit cards in order to make a reservation through the Leave your luggage in Sofia Platform).
Basic personal data of our Partners and contractors – identification data; contact details; available space in their location(s), email address.
Source: We receive the above personal data from you personally, from the Customer, who uses the enorama.org Platform, or we collect data from publicly available databases or databases to which we are entitled to access for the provision of our Services and Other Services.
We declare that the personal data we collect will only be used for legitimate purposes, such as:
We process Customer’s data for the purpose of their identification, communication with them, for review and rating purposes (the Customer has the option to rate and review our Services and Other Services provided via the enorama.org Platform);
We process the data of our partners and contractors for the purpose of establishing their representative power, for concluding and properly executing a contract.
The data collected for Customers, partners and contractors under the AML Act is processed solely to prevent money laundering and terrorist financing;
We may process part of the personal data (rate and review) for direct marketing purposes;
The grounds that entitle us to process your data:
We process the personal data of our Customers on the basis of the steps taken by them to use the enorama.org Platform and the Services and Other Services provided through the latter; when the Customer is a legal entity, as well as always when the Customer is represented by another person, we have a legitimate interest in establishing the proper exercise of representative powers, in view of the legal consequences under the Bulgarian Obligations and Contracts Act and the Commerce Act, as well as in the preparation of the necessary documentation and communication;
When it is necessary to process special categories of personal data, it is usually carried out in order to establish, exercise or protect the interest of the Customer; the information about the payment details of the Customer is necessary in order for the Customer to purchase the Services and Other Services provided via the enorama.org Platform;
We process the personal data of our partners and contractors on the basis of the need to fulfil our contractual relations with them, as well as on the legitimate interest in establishing the proper exercise of representative power, in view of the legal consequences of the Bulgarian Obligations and Contracts Act and the Commerce Act and keeping of communication;
The processing of data of Customers, partners and contractors for the purposes of the prevention of money laundering and terrorist financing is carried out solely on the basis of the need to fulfil specific obligations under the Bulgarian AML Act (BgAML act), its Implementing Regulations, and the Bulgarian Measures Against the Financing of Terrorism Act;
For the purposes of direct marketing, in the case of established relationships with our Customers, partners and contractors, we process personal data on the basis of our legitimate interest in marketing communication, but in the other cases of direct marketing by our firm or our partners, we will request the explicit written consent of the subjects, who themselves may give such consent at any time; We use the email address of our Customers to send them emails containing information about how they can rate us and/or write a review about the Leave your luggage in Sofia Platform and the Services and Other Services provided via the said Platform.
There is no obstacle, when we process personal data, in certain cases to rely on the explicit consent of the data subject, but considering the possibility of such consent to be withdrawn at any time and the consequences of such withdrawal, the consent will be used by us, only when there is no alternative legal basis for processing.
Processing period:
We will only process your personal data as long as necessary to achieve the set purposes. In general, where a relationship with a Customer, partner or contractor is in place, personal data (including payment details of the Customer) will be processed throughout the lifetime of that relationship, resp. all the time while we are providing the Service and/or Other Service, after which the data shall be archived until the expiry of the limitation periods for claiming responsibility by/to the data subject and/or by a public authority in reference with the legal relationship (5 years in the general case, unless otherwise required by law).
Outside the general situation, we process personal data within the following time periods:
personal data processed in fulfillment of the obligations under the BgAML Act will be stored for a period of 5 years. In the case of establishment of business relations with customers, partners and contractors, as well as in the case of entering into correspondent relations, the period starts at the beginning of the calendar year following the year of termination of the relations; in the case of incidental operations or transactions, the period starts at the beginning of the calendar year following the year in which they were carried out; in the case of disclosure of information to the Financial Intelligence Directorate of the State Agency for National Security, the period starts at the beginning of the calendar year following the year of disclosure; at the written instruction of the Director of the Financial Intelligence Directorate of the State Agency for National Security, the term may be extended by not more than two years, unless there is explicit and voluntary written consent from the data subject allowing the data to be processed for a longer period;
when acting as a personal data processor, we are obligated, at the Customer’s choice, to delete or return to the Customer (data controller) all personal data after the completion of the processing services and to delete the existing copies, unless EU or Bulgarian law requires their storage.
Beyond the periods specified above, we may only process personal data for a period of time specified in a special law or for the time necessary for us to provide required by law assistance to competent authorities for the investigations they carry out and also if personal data will be processed for archiving purposes, for purposes in public interest, for scientific or historical research purposes and for statistical purposes.
Whenever processing outside the time limits specified is necessary, such processing shall be carried out in a justified and proportionate manner, by taking appropriate technical and organizational measures to ensure the interests and fundamental rights and freedoms of the data subjects.
If personal data is processed only on basis of the consent of the data subject, we will delete the personal data when the data subject has withdrawn his or her consent for the processing.
When personal data is processed on the basis of legitimate interest and the data subject objects to the processing, we will delete the personal data unless we are able to prove that there are compelling legal grounds for processing that that have priority over the interests, rights and freedoms of the objecting subject, or for the establishment, exercise or protection of legal claims.
When personal data is provided to us by the data subject without a legal basis under Art. 6, § 1 of the GDPR Policy or in contradiction with the principles under Art. 5 of the GDPR Policy, within one month of knowing, we will return them, and if this is impossible or requires a disproportionate effort, we will delete or destroy them.
We do not perform automated individual decision-making (without human intervention) in the processing of your personal data for any of the above purposes.
Recipients of your personal data:
We will only provide personal information to individuals and authorities (organizations) who are relevant to the achievement of the purposes described above.
Above all, these are our Partners, who we work with on the basis of established contractual relations, our assistants and technical staff, accountants, third-party service providers to provide website and application development, hosting, maintenance as well as individuals who assist us in achieving the purposes described above.
These persons, as processors of personal data, resp. sub-processors (as the case might be) act on the basis of a written agreement with us, in accordance with our explicit instructions and with the implementation of appropriate technical and organizational measures to protect personal data. We guarantee that these individuals are committed to the confidentiality of the personal information we provide to them for processing and we inform you that we may obtain information about you from third parties and sources, such as our Partners.
Except as described in this GDPR Policy, we will not disclose your information to third parties (except if we are legally required to do so) without your consent. However, we may disclose your information to other third parties if you consent to it. For example, we may share data you shared with us, such as email addresses, with your consent, with third parties and their tools to perform services on our behalf such as TripAdvisor and other social networks.
Personal data may also be shared with other recipients such as with competent public authorities (such as the Bulgarian National Revenue Agency, National Insurance Institute, court bodies, etc.) and/or private persons (Bailiffs, Notaries-Public, etc.) at and in the exercise of their powers of authority.
We may provide personal data processed in the performance of our obligations under the BgAML Act to the Financial Intelligence Directorate of the State Agency for National Security, only if there are prerequisites in the legislation, such as suspicion and/or knowledge of money laundering and/or available funds with criminal origin, as well as any payment in excess of BGN 30,000 or their equivalent in a foreign currency.
Personal data will not be shared outside the European Union or the European Economic Area, unless otherwise instructed by our Customer or Partner or when we are obliged to do so under EU or Member State law, in which case we will inform the Customer and/or our Partner for this legal requirement prior to processing, unless the right which obliges us to transfer the data prohibits us from such information on important grounds of public interest.
COOKIES
When you use the enorama.org Platform or the Services or Other Services, we may send one or more cookies (i.e. small text files containing a string of alphanumeric characters) to your device. We may use both session cookies and persistent cookies.
A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the enorama.org Platform.
You should review your web browser’s help resources to learn the proper way to modify your cookie settings.
Please note that if you refuse not to accept cookies from us, you may not be able to use the features of the enorama.org Platform to their fullest potential.
Security of personal data:
We will process personal data, either as an administrator or as a processor, upon taking necessary and sufficient technical and organizational measures for their protection.
Among others, we have adopted the necessary internal policies and have taken steps to protect your personal data at the design stage; all staff members responsible for the data, as well as the outsourcers engaged are well informed of the personal data protection requirements; the processing of your personal data is limited to the minimum necessary to achieve the relevant purposes; we have implemented the necessary security measures for data confidentiality and integrity.
Your rights as a personal data subject:
At any time while we store or process your personal data, you are the subject of this data and you have the following rights:
Right of ACCESS
You can request confirmation that personal data relating to you are being processed and, if so, access to the data, respectively a copy of the same, as well as processing information. The right to receive a copy of personal data should not adversely affect the rights and freedoms of others. Additional copies requested by the entity may be subject to a reasonable fee in view of the administrative costs involved;
Right to RECTIFICATION
You have the right to request the correction of personal data when it is inaccurate and when it is no longer up-to-date, as well as the filling in of your personal data which is incomplete. We will notify all recipients to whom personal data have been provided, of any correction of personal data, except where this is not possible or involves excessive efforts and, upon request, will inform the data subject of such notified recipients.
Right of ERASURE (right “to be forgotten”)
You have the right to wish to erase your personal data without undue delay, if and to the extent necessary for the purposes of Art. 17 of the GDPR Policy and / or Bulgarian law, in the cases inter alia when: personal data are no longer necessary for the purposes for which they were collected; when the subject has withdrawn its consent; when the subject has objected to the processing and there are no legitimate grounds for processing to take precedence; when processing is unlawful; when personal data have to be deleted in order to comply with a legal obligation under EU law or Bulgarian law. In exercising this right, similar to the right of rectification, we will notify all recipients to whom personal data have been provided, of the deletion of the data, except where this is not possible or involves excessive efforts and, upon request, will inform the subject of the data of the recipients so notified.
When we have made personal data public and are required to delete personal data, we, taking into account available technology and implementation costs, will take reasonable steps, including technical measures, to notify the data controllers that the data subject has requested the deletion from these administrators of any links, copies or replicas of this personal data.
Right to RESTRICT the processing
You have the right to request a restriction on processing, if and to the extent applicable in the light of the grounds of art. 18 of the GDPR Policy and / or the Bulgarian law, in cases, inter alia: when challenging the accuracy of the time data required for their verification; in case of irregularity of processing and the subject’s desire to limit the use of the data instead of deleting them; in the case of objection to processing based on public interest, the official powers of the controller, the legitimate interest of the controller or third parties.
Limited data processing usually comes down to pure storage. In the exercise of this right, similar to the right of rectification and the right of erasure, we will notify all recipients to whom personal data have been provided of the restriction of processing, except where this is not possible or involves excessive efforts, as requested, we will inform the data subject of the recipients so notified.
Right to data PORTABILITY
You may request that your personal data be provided in a structured, widely used and machine-readable format, to you personally or to another administrator, without hindrance on our part, if and as far as is applicable in the light of the grounds of Art. 20 of the GDPR Policy and / or the Bulgarian law, in the case of, inter alia, where the processing is based on the consent given by the subject for a specific purpose or is necessary for the execution of a contract to which the subject is a party and the processing is carried out in an automated manner. The right to portability of personal data should not adversely affect the rights and freedoms of others.
Right to OBJECT
You have the right at any time, and on grounds relating to your particular situation, to object to the processing of your personal data, if and in so far as is relevant in view of the grounds under Art. 21 of the GDPR and / or Bulgarian law, in the cases inter alia, when the processing of data is in the exercise of a public interest task or in the exercise of official powers, where the processing is necessary for the purposes of our legitimate interests or those of a third party, including profiling on those grounds. In the case of objection to the processing of personal data, we will cease processing of the personal data, unless we prove that there are compelling legal grounds for processing it, which have an advantage over the interests or fundamental rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
When we conclude that there is a compelling legal basis for the processing of personal data, we will inform the data subject, providing information also for the possibility of additional data protection and will continue processing the personal data. However, when we conclude that there is no compelling legal basis to process personal data, we will inform the data subject, suspend the processing and delete the personal data. If the objection is against the processing of personal data for the purposes of direct marketing, the processing shall be terminated unconditionally.
Right of the subject not to be subject to automated individual decision-making, incl. profiling
You have the right not to be subject to automated decision-making, incl. profiling that would significantly affect you, without the possibility of human intervention, if and as far as is relevant in view of the grounds under Art. 22 of the GDPR Policy and / or Bulgarian law.
In most cases, your rights as data subjects are not absolute insofar as they are limited by the rights and freedoms of others. In many cases (see Articles 15-23 of the GDPR Policy), the exercise of rights is under certain conditions. We may deny the exercise of a specific right for statutory reasons, according to the law, such as, inter alia, most often the grounds for such a denial shall be: compliance with a legal obligation on our part or for the performance of a task of public interest; in the exercise of the public powers granted to us (if applicable); for the establishment, exercise or protection of legal claims. Our refusal must always be explicit, written, and justified by a specific statutory reason.
You have the absolute right to WITHDRAW YOUR CONSENT for the processing of personal data, which is based solely on that consent, in which case the subsequent withdrawal will not affect the lawfulness of the processing already performed.
We provide conditions to ensure the exercise of your rights as data subjects by contacting us at the contact details above or by email at sipnbitesofia@gmail.com Your claim for the exercise of rights must meet the requirements of Art. 37b and Art. 37c of the LPPD.
To facilitate you, we can provide you with an appropriate form for exercising your right, as well as information on the progress of your request. We will respond to your comments, questions and requests within one month of receiving them. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests for which you will be informed within the original one-month period.
We are not obliged to respond to a request in the event that we are unable to identify the data subject, and because of this, we may request additional information to be provided to verify the identity of the applicant.
Apart from the above rights, you have the absolute right to file complaints relating to the processing of your personal data, the processing of your request and your complaint, or the handling of complaints. You can bring your complaints directly to the Supervisory Authority – Commission for Personal Data Protection (CPDP), address: 2, Prof. Tzvetan Lazarov Str., 1592 Sofia, (КЗЛД), within 6 months of becoming aware of the violation, but no later than two years after it has been committed.
In case you believe that we as data controller or our data processor have violated your rights under the General Data Protection Regulation and the Bulgarian Personal Data Protection Act, you may appeal actions and acts of the data controller and the processor of personal data to the court under the Administrative Procedure Code, as in the same proceedings you may claim compensation for any damages you suffered as a result of the illegal personal data processing by the data controller. This right cannot be exercised if there are pending proceedings before the CPDP for the same infringement.
01.04.2026
Sip En Bite LTD.