+359 (0) 885 419493 info@excedotravel.com

Privacy Notice

Information on the Company that processes your data:

NameExcedo Travel Ltd.
UIN/BULSTAT203315188
Seat and registered addressBulgaria, Sofia 1784, Mladost District, Block 35, App. 31.
Address for correspondenceBulgaria, Sofia 1784, Mladost District, Block 35, App. 31.
Emailinfo@excedotravel.com
Websitewww.excedotravel.com

Information on the competent Personal Data Protection supervisory authority

NameCommission for Personal Data Protection
Seat and registered addressBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Address for correspondenceBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Phone+359 (0)2 915 3 518
Websitewww.cpdp.bg
Excedo Travel Ltd (hereinafter “the Controller” or “the Company”) carries out its activity in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This notice has the purpose to inform you about all aspects pertaining to the processing of your personal data by the Company and of your rights regarding said processing 

Grounds for collecting, processing and storing your personal data

Art. 1. (1) The Controller collects and processes your personal data in connection with the use of services rendered via the website www.excedotravel.com, as well as under an organized tour program booking contract and/or issued tour product voucher, pursuant to Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:

  • Your explicit consent as a client;
  • The Controller’s performance of their obligations towards the client under a respective service agreements between you;
  • Compliance with a legal obligation to which the Controller is subject;
  • For the purpose of the Controller’s or a third party’s legitimate interests;
  • In order to protect the vital interests of the data subject or another natural person.

(2) Excedo offers its clients the following services, among others:

  • Organized tour visits to sites and locations on a pre-announced route and program;
  • Performance of specific sport activities within the organized trips and programs, including such activities of extreme nature or with special physical requirements;
  • Guided tours of sites and locations under the respective product and/or program in a language of your choice;
  • Ensuring necessary specialized equipment (if applicable) for performance of respective sports or other activities provided by Excedo to the client;
  • Instructions and supervision during sports and other activities as per the GTC and the respective product and/or program as chosen by the client;
  • Individual tailor-made products and services, mutually agreed upon and according to the specific requirements of the client.

Objectives and principles when collecting, processing and storing your personal data

Art. 2. (1) We collect and process personal data you provide to us in connection with services rendered via our website www.excedotravel.com and though entering into contractual relations with the Company, including for the following purposes:

  • booking and purchasing travel products and/or services;
  • individualization of contracting party;
  • accounting purposes;
  • statistical purposes;
  • ensuring information security;
  • ensuring the implementation of the agreement for a respective travel service;
  • ensuring appropriate conditions for provision of travel services in accordance with the client’s requirements and needs and the applicable legislation;
  • sending information materials and blog posts, upon request by the client;
  • communication and response to received inquiries;
  • organizing games, campaigns and other events.

(2) We shall observe the following principles when processing your personal data:

  • lawfulness, fairness and transparency;
  • processing purpose limitation;
  • relevance with regard to possessing purposes and data minimization;
  • data accuracy and currentness;
  • storage limitation in achieving objectives;
  • integrity and confidentiality of processing and ensuring an adequate protection level for personal data.

(3) When processing and storing personal data, the Controller may do so for the purpose of complying with their legal obligations and protecting their legitimate interests, as follows:

  • fulfilling their obligations towards the National Revenue Agency, the Ministry of Interior and other state and municipal bodies.

What kind of personal data is collected, processed and stored by our Company

Art. 3. The Company performs below-described operations with personal data you provide for the following purposes:

  • Concluding and executing a trade transaction or contract with a client – the purpose of this operation is to conclude and execute a contract with a trading partner or client, or its respective administration. In some cases, the purpose of the operation may also be to protect the Company’s legitimate interests in executing the transaction.
  • Making travel and accommodation arrangements and carrying out other necessary preparations – the purpose of this operation is to execute the organized tour program contract, concluded between Excedo and the client, to provide the travel service and all related preparatory activities and services;
  • Sending out informational and promotion materials – the purpose of this operation is to administrate the process of sending newsletters and blog posts to clients, who have requested to receive such information.
  • Exercising right of withdrawal from a distance or off-premises contract – the purpose of this operation is to administrate the process of exercising right of withdrawal from a distance or off-premises contract.
  • Processing inquiries sent through any and all contact forms at www.excedotravel.com – the purpose of this operation is to contact the enquiring party via email for the purpose of identifying the data subject as said enquiring party and providing a response to their inquiry;

Art. 4. (1) The Controller processes the following categories of personal data and information for the following purposes and on the following grounds:

  • Data to individualize the natural person (name, unique identification number or equivalent, address, e-mail, telephone number, identity card information, health information)
  • Data collection purpose: 1) concluding and executing a contract, including a distance or off-premises contract, 2) concluding insurance contracts, making reservations, accommodation arrangements and other required preparatory activities for the travel product and/or service in question, and 3) contact and communication with regard to provision of requested services.
  • Grounds for processing your personal data – Your data are processed on the grounds of concluding and performing a contract to which you are party or in order to take steps at your request prior to entering into a contract – Art. 6, para. 1(b) GDPR; Data concerning health are processed based on your explicit consent – Art. 9, para. 2(a) GDPR.
  • Data for receiving information and promotion materials (е-mail)
  • Data collection purpose: 1) Sending out information and promotion materials and blog posts.
  • Grounds for processing your personal data – Your data used for sending information and marketing messages are processed based on your explicit consent – Art. 6, para. 1(a) GDPR.
  • Data used to respond to an inquiry sent through our website www.excedotravel.com (name and surname, e-mail address)
  • Data collection purpose: 1) Identification of the inquiring person; 2) Contacting a person, who has sent an inquiry via the contact forms at excedotravel.com and 3) Sending a response to an inquiry.
  • Grounds for processing your personal data – Your data used for responding to an inquiry sent via the Company’s website are processed based on your explicit consent – Art. 6, para. 1(a) GDPR.

(2) The Controller does not collect and process personal data which disclose the following:

  • racial or ethnic origin;
  • political, religious or philosophical beliefs, or trade union membership;
  • genetic and biometric data, health data or sex and gender data,

except on the basis of expressly specified provisions under Art. 9 GDPR.

(3) Personal data are collected by the Controller from the data subject.

(4) In some cases, the Controller may process personal data of data subjects provided to them by third parties, who declare that they have obtained the explicit consent of the relevant data subject to provide their data for the purpose of contracting and provision of travel services by the Company.

(5) The Company does not make automated data decisions.

(6) The Company does not collect and process data of persons under the age of 16, except with the express consent of their parents or legal guardians.

Retention period for your personal data

Art. 5. (1) The Controller retains your personal data, provided in connection with online bookings and concluded booking contracts, for a term of 5 years after their termination/execution for the purpose of protecting the Controller’s legal interests in legal or administrative disputes with the Company’s clients, whereas any accounting documents are kept for the relevant statutory period.

(2) Data you provide based on consent is stored by the Controller until said consent is withdrawn or until the data collection purpose is fulfilled, unless there is another reason to process it further.

(3) The Controller shall notify you if the data retention period needs to be extended for the purpose of fulfilling a statutory obligation or in connection with the Controller’s legitimate interests, etc.

Transmission of your personal data for processing

Art. 6. (1) The Controller may, at their own discretion, transmit some or all of your personal data to data processors for  processing purposes that you have agreed to, subject to the requirements of Regulation (EU) 2016/679 (GDPR).

(2) The Controller shall notify you if they intend to transfer some or all of your personal data to third countries or international organizations and you are deemed to have been duly notified of such transfer when concluding a booking contract for an organized tour program, which involves performance in a third country.

Your rights when collecting, processing and retaining your personal data

Withdrawal of consent to personal data processing

Art. 7. (1) If you do not wish all or some of your personal data to continue to be processed by the Company for specific or all processing purposes based on given consent, you may at any time withdraw your consent to processing by completing the Withdrawal of Consent template form in Enclosure № 1 below or through a request in free text sent to us via email.

(2) The Controller may ask to verify your person and identity with the relevant data subject.

(3) If you have made a booking that is currently being processed, the earliest time you can withdraw your consent to processing is when the booking has been successfully completed.

(4) You may at any time withdraw your consent to your personal data being processed for the purposes of direct marketing. 

Right of access

Art. 8. (1) You have the right to request and receive confirmation from the Controller whether your personal data is being processed.

(2) You have the right of access to your personal date, as well as to information on collecting, processing and retaining your personal data.

(3) The Controller may ask to verify your person and identity with the relevant data subject.

(4) The Controller shall provide you, upon request, with a copy of your processed personal data in electronic or other appropriate form.

(5) Granting access to such data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repeated or excessive requests. 

Right to rectification and supplementation

Art. 9. (1) You have the right to request from the Controller to:

  • rectify inaccurate personal data related to you;
  • supplement incomplete personal data related to you;

(2) The Company may ask to verify your person and identity with the relevant data subject.

Right to erasure (“right to be forgotten”)

Art. 10. (1) You have the right to request from the Controller the erasure of your personal data without undue delay and they shall be obliged to carry out such request where one of the following grounds applies:

  • personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you have withdrawn your consent upon which processing is based and there are no other legal grounds for it;
  • you have objected to your personal data being processed, including for the purpose of direct marketing, and there are no overriding legitimate grounds for such processing;
  • personal data have been unlawfully processed;
  • personal data have to be erased for the purpose of compliance with a legal obligation in Union or Member State law to which the Controller is subject;
  • personal data have been collected in relation to the offer of information society services.

(2) The Controller is not obliged to erase personal data to the extent that retaining and processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • for the establishment, exercise or defense of legal claims.

(3) Should you exercise your “right to be forgotten”, the Company shall erase all your data, except for the following information:

  • information required to attest that your “right to be forgotten” has been realized;
  • technical information for our website’s functioning, which cannot in any way be associated with your persona;

(4) If you have made a booking that is currently being processed, the earliest time you can request “to be forgotten” is when the booking has been successfully completed;

(5) In order to exercise your “right to be forgotten”, you need to send to the Controller via e-mail a request in free text or by filling in the template form in Enclosure № 2.

(6) The Controller may ask to verify your person and identity with the relevant data subject.

(7) The Controller shall not delete data they have a legal obligation to keep, including for the purpose of defense in legal claims against them or as proof of their rights. 

Right to restriction

Art. 11. (1) You have the right to request restriction of processing from the Controller where one of the following applies:

  • you contest the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
  • processing is unlawful, but you opposes the erasure of the personal data and request the restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of processing, but they are required by you for the establishment, exercise or defense of legal claims;
  • you have objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the data subject.

(2) The Controller may ask to verify your person and identity with the relevant data subject.

Right to data portability

Art. 12. (1) If you have given consent to your personal data being processed or processing is required to perform the contract with the Controller, or if your data is processed in an automated manner, you may:

  • request from the Controller to receive your personal data in a readable format and transmit these data to another controller;
  • request from the Controller to have your personal data transmitted directly to another controller, as specified by you, where technically feasible.

(2) You may at any time request to receive in machine-readable format your personal data, stored and processed in connection with the use of services provided by the Controller, via e-mail request in free text or by filling in the template form in Enclosure № 3.

(3) The Controller may ask to verify your person and identity with the relevant data subject. 

Right to receive information

Art. 13. You may request from the Controller to inform you of any recipients to whom personal data has been disclosed, for which you requested rectification, erasure or restriction of processing. The Controller may refuse to provide such information, if this is impossible or would require disproportionate efforts. 

Right to object

Art. 14. You may object at any time to the processing of your personal data, carried out by the Controller based on their legitimate interest, including for the purpose of profiling or direct marketing. 

Your rights in case of personal data breach

Art. 15. (1) If the Controller establishes a personal data breach, where that personal data breach is likely to result in a high risk to your rights and freedoms, they shall communicate to you said breach without undue delay, as well as any measures they have undertaken or will undertake related thereto.

(2) The Controller shall not be obliged to notify you, when:

  • they have implemented appropriate technical and organizational safeguards with respect to any personal data affected by the breach;
  • they have subsequently taken measures to ensure that the breach would not pose a high risk to your rights;
  • notification would require a disproportionate effort.

Persons to whom your personal data are provided

Art. 16. For the purposes of processing your personal data and providing requested service in its full form and in your interest, the Controller may provide your data to processors (e.g. insurance brokers, hotels, transport companies, tour guides, etc.). Said personal data processors comply with all requirements of legality and security of personal data processing and storage.

Art. 17. Should your rights under the aforementioned or the applicable personal data protection legislation be violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

NameCommission for Personal Data Protection
Seat and registered addressBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Address for correspondenceBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Phone+359 (0)2 915 3 518
Websitewww.cpdp.bg

Art. 18. You may exercise all your personal data protection rights through the template forms enclosed hereto. Of course, these templates are only optional and you may submit your requests in any form that contains a statement to that effect and identifies you as the data subject.

Art. 19. If your consent concerns data transfer, the Controller shall describe the possible risks of data transferring to third countries in the absence of an adequate protection solution and adequate remedies.

 Storing and use of “cookies”

Art. 20. (1) Excedo has the right to store information or gain access to information stored in the terminal equipment of the recipient of services offered by Excedo (“cookies”), after the website user has agreed to the use of “cookies”. Excedo has the right to use “cookies” that are required for the technical functioning of its website, which users are deemed to be duly informed of.

(2) “Cookies” do not constitute personal data within the meaning of GDPR and their use and processing cannot result in the identification of the data subjects.

(3) Excedo shall ensure that the service recipient has the opportunity to receive information on data stored in terminal equipment at any time. The respective natural person shall exercise that right by sending an inquiry via email to Excedo and by legitimization through their ID card or passport.

(4) If a natural person has not expressly objected to information storing or gaining access to information stored on terminal equipment, Excedo shall be entitled to carry out these actions without the individual’s explicit consent. The natural person shall have the right to submit an objection under the current article via Excedo’s main internet site.

(5) In cases of provision of information society services, which are expressly requested by the recipient of these information society services, Excedo has the right to process “cookies” without the recipient’s explicit consent.

Art. 21. Excedo’s website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about a Client’s use of the website (including Client’s IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating a Client’s use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required by law or where such third parties process the information on Google’s behalf. Google will not associate a Client’s IP address with any other data held by Google. Client’s may refuse the use of cookies by selecting the appropriate settings on their browser, however please note that this may result in inability to use the full functionality of the website. By using Excedo’s website, the Client consents to the processing of data about them by Google in the manner and for the purposes set out above.

Art. 22. Excedo’s website uses Google Adsense, a web screens service provided by Google Inc., USA (“Google”).  Google Adsense uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. Google Adsense also uses so-called “Web Beacons” (small invisible images) to gather information. Through the use of Web beacons simple actions such as the visitor traffic to the website can be recorded and collected. The information generated by the cookie and/or Web Beacon about a Client’s use of the website (including their IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information to evaluate a Client’s use of the website with regard to the ads, compiling reports on website activity and ads for website operators and providing others with website and internet related services. Google may also transfer this information to third parties where required by law or where such third parties process the information on Google’s behalf. Google will not associate a Client’s IP address with any other data held by Google. Clients can avoid storing cookies on their hard drive and the display of Web Beacons by choosing ‘Do not accept cookies’ in your browser settings ” (in MS Internet Explorer under ” Tools> Internet Options> Privacy> Settings ” , in Firefox under ” Tools> Settings> Privacy> Cookies ”); however, we point out that this may result in incomplete use all features of this website. By using Excedo’s website, the Client consents to the processing of data about them by Google in the manner and for the purposes set out above.

Enclosure № 1

Withdrawal of Consent to Data Processing

Your name*:

Contact data (email)*:

To

NameExcedo Travel Ltd.
UIN/BULSTAT203315188
Seat and registered addressBulgaria, Sofia 1784, Mladost District, Block 35, App. 31.
Address for correspondenceBulgaria, Sofia 1784, Mladost District, Block 35, App.  31
Emailinfo@excedotravel.com
Websitewww.excedotravel.com

☐I hereby withdraw my consent to data collection, processing and storage of the following personal data provided by me:

☐All my personal data

☐Only these data ………………………………………………..

for the following purposes:

☐The following purposes: ……………………………………

……………………………………………….

☐All purposes

☐I hereby declare that I am aware of the Company’s terms and conditions for provision of services after consent has been withdrawn.

Should your rights under the aforementioned or the applicable personal data protection legislation be violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

NameCommission for Personal Data Protection
Seat and registered addressBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Address for correspondenceBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Phone+359 (0)2 915 3 518
Websitewww.cpdp.bg

Enclosure № 2  –

Request “to be forgotten”  – erasure of my personal data

 Your name*:

Contact data (email)*:

 To

NameExcedo Travel Ltd.
UIN/BULSTAT203315188
Seat and registered addressBulgaria, Sofia 1784, Mladost District, Block 35, App. 31.
Address for correspondenceBulgaria, Sofia 1784, Mladost District, Block 35, App.  31
Emailinfo@excedotravel.com
Websitewww.excedotravel.com

I hereby request that all my personal data that you collect, process and store, as provided by me or third parties who are associated with me, as per stated identification, be erased from your databases.

I hereby declare that I am aware that some or all of my personal data may continue to be processed and stored by the Controller for the purposes of fulfilling their legal obligations.

Should your rights under the aforementioned or the applicable personal data protection legislation be violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

NameCommission for Personal Data Protection
Seat and registered addressBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Address for correspondenceBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Phone+359 (0)2 915 3 518
Websitewww.cpdp.bg

Enclosure № 3 

Request for data portability

 Your name*:

Contact data (email)*:

 To

NameExcedo Travel Ltd.
UIN/BULSTAT203315188
Seat and registered addressBulgaria, Sofia 1784, Mladost District, Block 35, App. 31.
Address for correspondenceBulgaria, Sofia 1784, Mladost District, Block 35, App.  31
Emailinfo@excedotravel.com
Websitewww.excedotravel.com

I hereby request that all my personal data that you collect, process and store be sent to:

☐e-mail:

☐Controller – data recepient:

Name 
Identification Number (UIN, BULSTAT, CPDP reg. nr.)  
Email 
API interface 

I hereby request that my personal data be provided in the following format:

☐XML

☐JSON

☐CSV

☐Other:

I request that my personal data in respective format be provided to me/to the controller as indicated by me:

☐Via provided email or through API ………..

☐On physical optical or electronic media (CD, DVD, USB) at your address

Should your rights under the aforementioned or the applicable personal data protection legislation be violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

NameCommission for Personal Data Protection
Seat and registered addressBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Address for correspondenceBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Phone+359 (0)2 915 3 518
Websitewww.cpdp.bg

Enclosure № 4

Request to rectify data

Your name*:

Contact data (email)*:

 To

NameExcedo Travel Ltd.
UIN/BULSTAT203315188
Seat and registered addressBulgaria, Sofia 1784, Mladost District, Block 35, App. 31.
Address for correspondenceBulgaria, Sofia 1784, Mladost District, Block 35, App.  31
Emailinfo@excedotravel.com
Websitewww.excedotravel.com

I hereby request that the following personal data you collect, process and store, as provided by me or third parties who are associated with me, as per stated identification, be rectified as follows:

Data subject to rectification:

……………………..

Please, rectify as follows:

………………………

Should your rights under the aforementioned or the applicable personal data protection legislation be violated, you have the right to file a complaint with the Commission for Personal Data Protection as follows:

NameCommission for Personal Data Protection
Seat and registered addressBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Address for correspondenceBulgaria, Sofia 1592, 2, Blvd. Tsvetan Lazarov Str. № 2
Phone+359 (0)2 915 3 518
Websitewww.cpdp.bg
en_GBEnglish
en_GBEnglish de_DE_formalGerman bg_BGBulgarian