INFORMATION ON THE CONDITIONS AND PROCEDURE FOR INTERNAL REPORTING

This information is provided pursuant to Art. 12, para. 4 of the Law on Protection of Persons Reporting or Publicly Disclosing Information on Violations, promulgated in the State Gazette, No. 11 of February 2, 2023, in force since May 4, 2023. (”ZZLPSPOIN“).

Who has the right to send signals?

current or former employees;
persons working under a civil contract;
persons engaged in liberal professions or handicrafts;
volunteers and interns;
contractors, subcontractors or suppliers;
job applicants or participants in competitions for a certain position;
all persons to whom information about infringements has become known in a work context.

Important!Anonymous signals are NOT considered.

What violations can you report?

For violations of Bulgarian and European legislation in various fields, among which:

public procurement;
public health;
safety of transport;
consumer protection;
the protection of privacy and personal data;
the security of networks and information systems;
infringements related to cross-border tax schemes;
committed a crime of a general nature;
labor legislation;
legislation related to the performance of civil service;
the rules for payment of due public state and municipal debts and other areas specified in the ZZLPSPOIN.

Important!Infringement alerts that do not fall within the scope of ZZLPSPOIN, as well as alerts made more than two years ago, are not considered.

How can you report to “PIRIN - SHARLOPOV HOTELS” Ltd.?

You may submit a written report by filling out a sample form in one of the following ways:

personally, to our employee in charge of the alerts;
electronically by sending it to the following e-mail: trz@parkhotelpirin.com
by post or by courier service — to the address of “PIRIN - SHARLOPOV HOTELS” Ltd with an explicit indication as the addressee of the postal/courier shipment the person responsible for ZZLPSPOIN or writing on the mailbox/courier shipment a text indicating that they contain a ZZLPSPOIN signal.

Important!The alerts must be signed by the persons submitting them. When submitted electronically, the form shall be signed with a qualified electronic signature.

Important! The form is NOT mandatory, but is for your convenience and contains the mandatory data that you must fill in. If your alert does not comply with any of the legal requirements, our alert officer will send you a message to correct the irregularities within 7 days of receiving the alert. If the irregularities are not corrected within this period, the alert along with the attachments to it will be returned to you.

It is a good idea to attach all the written evidence you have. You may also indicate persons who could confirm the reported data or provide additional information.

You can give an oral signal in one of the following ways:

on the phone of our officer in charge of alerts— 0746 35643
In a personal meeting with our officer in charge of alerts, which you have agreed in advance on the specified phone.

In these cases, our alert officer will fill in the data in the form according to the template and will give you the opportunity to check, correct and agree with the text of the conversation in writing, as well as the content of the form by signing them.

What happens after the signal is given?

We will confirm receipt within 7 days and register it with a unique identification number. If the alert does not comply with the requirements of the law, we will notify you to correct the irregularity within 7 days.
A verification will be carried out on the signal by a person who does not have a conflict of interest.
Within three months of confirming receipt of the alert, we will provide you with feedback with the results of the verification and the actions taken.

What protection do whistle-blowers have?

Persons entitled to report, as well as related persons (e.g. colleagues and relatives), are protected against unjustified disclosure of their identity, except in cases permitted by law.
It is forbidden to take retaliatory measures against protected persons, namely: temporary dismissal, dismissal, demotion, negative assessment for work, application of property and disciplinary responsibility, physical and verbal coercion, threat, hostility and damage to their dignity, discrimination, etc.

What are the conditions for granting protection?

The reporting person must have good reason to believe that the information submitted about the breach in the alert was true at the time of filing and that this information falls within the scope of the ZZLPSPOIN; and
The violation report was submitted under the conditions and in accordance with the procedure of ZZLPSPOIN.

Important!Persons identified in the alert as violators shall be entitled to compensation for all material and non-pecuniary damage where it is established that the reporting person knowingly made a false report.

How can you report to the DATA PROTECTION COMMISSION?

The Commission for Personal Data Protection is the Central Authority for External Reporting. You can also submit your alert directly to it in one of the following ways:

in writing:
by e-mail: whistleblowing@cpdp.bg
by mail to the address: gr. Sofia 1592, blvd. “Prof. Tsvetan Lazarov” № 2
through the Secure Electronic Delivery System

oral— on the spot in the CPDP at the address: Gr. Sofia 1592, blvd. “Prof. Tsvetan Lazarov” № 2

You could use the sample form for reporting violations, which can be downloaded from the CPDP website. The form is optional. However, if you decide to use it, you only have to fill in Part I — V inclusive and sign it: when sending the form by mail — with a handwritten signature; when sending by e-mail — with a qualified electronic signature.

If you use the Secure Electronic Service System, the CPDP employee responsible for examining the alert will contact you in order to fill in the Form for registering an alert for submitting information about violations under the ZZLPSPOIN.

PRIVACY NOTICE ON INTERNAL CHANNEL WHISTLEBLOWING

We from “PIRIN - SHARLOPOV HOTELS” Ltd. (“we“,”us“) we pay serious attention to the privacy of all natural persons reporting or publicly disclosing information about breaches.

Please read this Notice to understand how and why personal data is processed in connection with the functioning of our internal whistleblowing channel.

The data subject in relation to the submitted alert may be:

the author of the alert (also referred to as the reporting person);
the person against whom the alert is made or persons related to him (affected persons);
the witness (s) and other persons whose personal data may become available in the course of the verification.

WHAT ARE THE PURPOSES OF PROCESSING PERSONAL DATA?

Personal data are processed for the purposes of receiving, registering, checking and taking action on reports of alleged violations committed by persons of our staff.

When you provide your personal data in the submitted report, we will collect and store your personal data in order to investigate and investigate your report. The information you provide to us will be kept strictly confidential and secure.

In certain cases, we may also need to process your data in connection with legal disputes, as set out in section How long we keep your personal data, as well as for purposes specified elsewhere in this Notice.

We will notify you in the event that we wish or need to use your personal data for purposes and in a manner significantly different from what we have informed you about and, if necessary, we will seek your consent.

ON WHAT GROUNDS DO WE PROCESS PERSONAL DATA?

In the context of the functioning of our internal whistleblowing channel, we process personal data in fulfillment of our obligations under the Law on Protection of Persons Reporting or Public Disclosure of Infringement Information (ZZLPSPOIN). The legal basis to which we refer is Article 6 (1) (c) GDPR.

If the information we receive in connection with the infringement report contains a special category of data revealing racial or ethnic origin, political views, religious or philosophical beliefs, data on the state of health, sexual life, sexual orientation of the natural person, etc., then the legal basis on which we will process such personal data is Article 9 (2) letter “g” GDPR, because processing is necessary for reasons of important public interest on the basis of EU law and Bulgarian law.

We may also process your personal data on the basis of our legitimate interest in connection with the possibility of initiating criminal, civil and administrative proceedings in relation to the submitted report and the actions taken on it.

WHAT PERSONAL DATA DO WE PROCESS AND WHERE DO WE COLLECT IT FROM?

We process only such personal data that is strictly necessary for the above purposes.

We receive the data from the submitted signals on our internal channel. In particular, we may obtain such data because you provide it to us (by reporting) or because other whistleblowers from our staff or our suppliers and contractors or other third parties provide it to us (e.g. if you appear in a report as a potential infringer or witness).

If necessary, we may request additional information so that we can investigate all the grounds for your report, along with any supporting documents or evidence.

In the process of receiving, registering, checking and taking action on the alert, we may process the following types of personal data:

names, job/position, telephone number, email address and other contact details (e.g. address) of a reporting person;
signature, electronic signature or other identification of the sender of the signal;
names, position/position and contact details of persons referred to in the alert;
names, position/position and contact details of persons checking the alert;
personal data in relation to circumstances that are the subject of the alert and those collected during its verification;
personal data in relation to measures taken on the alert.

The processing of the above-mentioned personal data is necessary for the regularity of the alert and the verification of the information indicated in it. Failure to provide this data would not allow the processing of the alert and the related investigation to be carried out.

According to the Law on Protection of Persons Filing Reports or Publicly Disclosing Information about Violations, no proceedings are initiated on anonymous reports.

WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?

Personal data collected in connection with an infringement report (and in particular data on the identity of the person who submitted the report) are processed under the conditions of complete confidentiality, as required by the Law on Protection of Persons Reporting or Public Disclosure of Information on Infringements. This personal data will be available only to the persons designated by the company, who will accept and carry out verification on the signal. These persons are specially trained and aware of their obligation of confidentiality regarding all aspects of the verification.

The identity of the whistleblower is not disclosed to the persons against whom the charges are brought.

The identity of the reporting person shall be disclosed only if the reporting person consents to this or if disclosure of the identity of the reporting person is required in criminal proceedings, or if the whistleblower has filed a false report with malicious intent.

Personal data may be disclosed to third parties, such as public authorities or external inspectors, where this is a necessary and proportionate obligation imposed by Bulgarian law or European Union law in the context of investigations by national authorities or judicial proceedings, including with a view to ensuring the right of protection of the data subject. In these cases, prior to disclosure of the identity or information related to the breach reports submitted, we will notify the reporting person of the need to disclose them. The notification shall be in writing and shall be motivated. The reporting person shall not be notified where this jeopardises the investigation or legal proceedings.

TRANSFER OF PERSONAL DATA OUTSIDE BULGARIA

We will not transfer your personal data to persons outside the EU or EEA.

HOW LONG DO WE KEEP YOUR PERSONAL DATA?

Personal data that is the subject of an alert, which is anonymous, is deleted immediately.

If the alert contains personal data that is not necessary for its verification, such personal data shall also be deleted immediately.

We store your personal data for a period of 5 years after the completion of the examination of the alert, except in the presence of criminal, civil, labor and/or administrative proceedings instituted in connection with the submitted report pursuant to Art. 8 of Ordinance No. 1 of July 27, 2023 on keeping the register of alerts under Art. 18 of the ZZLPSPOIN and for sending internal signals to the CPDP.

1. The alert does not apply to this procedure - The data is destroyed immediately.

2. The signal did not lead to any consequences - The data is destroyed within 5 years after the completion of the examination of the signal.

3. Where disciplinary or judicial proceedings are instituted - The data are destroyed at the end of the procedure or the limitation period for appealing the decision

After the expiry of the storage period, personal data is destroyed or anonymised. In the latter case, this means that it will be impossible to identify you by this data.

HOW DO WE PROTECT YOUR PERSONAL DATA?

We highly value your privacy and take the security measures of the personal data we collect and store very seriously.

We use a variety of physical, electronic and organizational measures appropriate to the sensitivity of the information we maintain to protect your personal data from unauthorized access, use or disclosure. For example, we use passwords, we have firewalls and antivirus programs and others. We have adopted data protection policies and procedures.

Only persons expressly designated to verify a received alert will have access to the personal data contained in the alert.

WHAT RIGHTS DO YOU HAVE?

You have the following rights:

Right to accessto personal data relating to you;
Right to object against processingyour personal data where we rely on our legitimate interest;
The right to demand rectificationinaccurate personal data relating to you;
The right to demand erasurepersonal data relating to you (”The right to be forgotten.”
Right to request restriction of processingpersonal data relating to you;
Law to file a complaintto Commission for Personal Data Protection, with address Gr. Sofia, street code 1592, blvd. “Tsvetan Lazarov” № 2. You can also seek protection of your rights in court.

HOW TO CONTACT US?

The administrator of personal data is “PIRIN - SHARLOPOV HOTELS” LTD., EIC 101152503, with registered office and address: Gr. Sandanski, 2800 sq., district “Hydrostroy” № 27.
If you have any questions about this notice or about how we process your personal data, please contact our data protection officer by e-mail: trz@parkhotelpirin.com

‍

Book your stay now and experience the relaxation you deserve.

Book now

Presidential Suite

Apartment VIP

Apartment “Deluxe”

Apartment “Lux”

Double room “Superior”

Double room “Lux”

Double room “Standard”

Balkan Restaurant

Mediterranean Restaurant

Lobby Bar

Night Club "Faces"

About the Hotel

About Sandanski

Gallery

Events

Sport and Health

Swimming Pools

Fitness

Healing SPA Programs

Walking tours

Trekking

Mountain Biking

Picnic and barbecue in nature

Mineral pools and SPA

Cultural excursions

Horseback riding

ATV Adventures

Sports shooting

Fishing

Wine tours

National Park “Pirin”

Nature reserve “Rupite”

The Melnik Rock Pyramids

Popina Laka Waterfall

Town of Melnik

Rila Monastery

May holidays

Easter Package

Vacation Package

Weekday SPA Package