PRIVACY POLICY AND CONFIDENTIALITY IN THE PROCESSING OF PERSONAL DATA OF Sozopol Resorts EOOD, Bansko Resorts EOOD, Pamporovo Resorts EOOD - commonly referred to as GREEN LIFE OR GREEN LIFE COMPANIES

This document describes the responsibilities and privacy and data protection policies.

The General Data Protection Regulation (GDPR) is applicable to all data processors of EU citizens.

The purpose of this policy is to define the relevant legislation and to describe the actions that the companies of the Green Life Group must take in order to comply with the requirements.

Purpose: protection of individuals in connection with the processing of personal data of customers, staff and other counterparties of the companies of the Green Life Group.

Applicable legislation: The obligations of Green Life as an administrator arise on the basis of the following regulations:

General Regulation on Personal Data Protection (Regulation (EU) 2016/679) and the Constitution of the Republic of Bulgaria; Personal Data Protection Act; Electronic Communications Act; Rules of Procedure of the Commission for Personal Data Protection and its administration; Ordinance № 1 of 30 January 2013 on the minimum level of technical and organizational measures and the permissible type of personal data protection; Instruction № 1 of 21 December 2016 on the circumstances under which undertakings providing public electronic communications services notify users of breaches of personal data security, the form and manner of notification at national level.

Definitions / according to the General Regulation /:

Personal data means any information relating to an identified or identifiable natural person ("data subject"). These are most often name, identification number, PIN, address, telephone number, e-mail and others. Processing of personal data means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission , disseminating or otherwise making the data accessible, arranging or combining, restricting, deleting or destroying it. Administrator means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its determination may be laid down in Union law or in the law of a Member State.

Processor of personal data means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.

Legality of processing
Processing is lawful if at least one of the following conditions is met:

- the data subject has consented to the processing of his personal data for one or more specific purposes;

- the processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject before the conclusion of a contract;

- the processing is necessary for compliance with a legal obligation that applies to the administrator;

- the processing is necessary in order to protect the vital interests of the data subject or of another individual;

- the processing is necessary for the performance of a task in the public interest or in the exercise of official powers conferred on the controller;

- the processing is necessary for the legitimate interests of the controller or of a third party, except where such interests take precedence over the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child .

Good faith and transparency
The principles of fair and transparent processing require that the data subject be informed of the existence of a processing operation and of its purposes. The principles of fair and transparent processing relate to the obligation of Green Life as an administrator to provide information.

III. Limitation of objectives

Green Life undertakes to collect personal data for specific, explicit and legitimate purposes and personal data must not be further processed in a way incompatible with those purposes.

Minimize data
Personal data must be relevant, relevant and limited to what is necessary for the purposes for which they are processed.

Accuracy
The accuracy of personal data is monitored and kept up to date. They shall take all reasonable steps to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are processed.