Privacy policy

DATA PROTECTION POLICY

POLICY
  1. UNIGROUP doo is fully dedicated to absolute compliance with the requirements of the General Data Protection Regulation. UNIGROUP doo will, therefore, implement procedures aimed at ensuring that all employees, candidates, contractors, consultants, partners, and clients of UNIGROUP (Data Subjects) who have access to any personal data held by or on behalf of UNIGROUP are fully aware of and adhere to their obligations in accordance with the General Data Protection Regulation.
 
  1. UNIGROUP doo respects the right to privacy of every individual whose personal data is entrusted to us, and UNIGROUP acts in accordance with laws and regulations protecting personal data. We believe that lawful and proper use of Personal Data is extremely important for successful business operations and crucial for maintaining trust between UNIGROUP and our partners. This Policy applies to all personal data collected, processed, shared, or used by UNIGROUP doo.
 
  1. UNIGROUP doo must collect and use information about Data Subjects with whom it interacts in order to conduct its business and carry out its operational processes. This may include prospective, current, and former employees, contractors, clients, users, suppliers, and individuals utilizing the services we provide. This personal data must be handled properly regardless of how it is collected, stored, or used, whether in paper form, electronic form, or stored in any other way.
 
  1. It is the responsibility of every manager at UNIGROUP doo to adhere to this Policy within their scope of operation or business responsibility, to lead by example, and provide guidance to those Data Subjects under their supervision. All Data Subjects are required to adhere to the principles and rules outlined in this Policy, and they are expected to recognize when they are collecting, processing, sharing, or using Personal Data. Data Subjects must be familiar with the general privacy requirements and principles concerning Personal Data and know when to raise any issues with the Data Protection Officer.
DATA PROTECTION PRINCIPLES
  1. This Policy explains the appropriate privacy principles for the protection of Personal Data and how such principles should be applied.
  1. GDPR sets conditions for processing any personal data. It also distinguishes between Personal Data and data of "special categories."
  • Personal Data is defined as any information based on which an individual can be identified or is identifiable.
  • Data of special categories are defined as Personal Data containing information such as:
    • Racial or ethnic origin
    • Political opinions
    • Religious/philosophical beliefs
    • Membership in a trade union
    • Physical or mental health or condition
    • Sexual life or sexual orientation
  1. Every Data Subject processing Personal Data must comply with 6 principles of good practice. The principles require that Personal Data be:
  • Processed lawfully, responsibly towards the individual
  • Collected for specific, explicit, and legitimate purposes, not for further processing in a manner incompatible with those purposes
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate
  • Stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures and acting in accordance with the data subject's rights in accordance with GDPR.
  1. The fundamental principle of Data Privacy requires UNIGROUP doo to process Personal Data fairly and lawfully. When collecting Personal Data, consider how you would like a company collecting your personal data to treat you and apply appropriate laws, regulations, and this Policy.
  1. All UNIGROUP doo Data Subjects must:
  • Collect and use Personal Data only with a legal justification, which may include UNIGROUP's legitimate business interests or, where explicitly required, the consent of the data subject.
  • Inform data subjects how their Personal Data will be used before collecting information ("Privacy Notice"). Important - this does not mean that you need to inform everyone individually, but you can direct them to a specific Privacy Notice that is appropriate and valid.
  • Collect only the Personal Data required for a specific business purpose.
  • Take into account all contractual obligations regarding the processing of Personal Data (including any specific transfer methods or security requirements).
  • Use Personal Data only for specific business purposes as stated in the Privacy Notice or Consent Form or in a manner that would be reasonably expected. "Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of his/her personal data. A Privacy Notice means an oral or written statement given to an individual when collecting their Personal Data. The Privacy Notice describes who collects the Personal Data, why Personal Data is collected, how it will be used, shared, stored, and other relevant information that the individual needs to be aware of.
  • Use Personal Data in a way that does not have a negative effect on that individual unless such use is justified by law.
  • Anonymize Personal Data where possible and appropriate in a manner that ensures the necessary preservation of Personal Data and Special Category Personal Data.
  1. Responsible handling of Personal Data is necessary to protect rights and comply with data privacy laws.
  1. In cases where we collect, use, and/or maintain Personal Data, UNIGROUP doo must take appropriate steps to:
  • Ensure that Personal Data is accurate and up-to-date
  • Retain information (from collection to destruction) for only as long as necessary for a given purpose or as required by law.
  • Safeguard Personal Data so that it is not shared with others who do not have a legitimate business need/reason to access the information.
  • Align with Information Security Policy and procedures when processing Personal Data.
  • Prevent misuse of Personal Data for a purpose that is incompatible with the original purpose for which it was collected
  • Implement Personal Data Monitoring. "Monitoring" refers to regularly updating information to track all accesses and changes to personal data and locations of Personal Data. It helps UNIGROUP demonstrate transparency, consent, and compliance with regulations.
  • Report any breaches of data privacy in accordance with policy rules in the event of a data security breach. Data privacy breach means any unauthorized disclosure, appropriation, access, destruction, alteration, or any similar action involving Personal Data, or any other incident where the confidentiality, integrity, or availability of Personal Data could have been compromised.
  1. When unsure whether Personal Data can be used for a purpose different from that for which it was collected, or in case of any questions regarding the handling of Personal Data, consult with your supervisor.
LEGAL BASIS FOR DATA PROCESSING
  1. In accordance with GDPR (and applicable rules on the protection of Personal Data), there must be a legal basis for processing Personal Data. Data cannot be processed unless there is at least one legal basis to do so.
  1. Key "legal bases" for processing data to be applied at UNIGROUP are:
  • Processing is necessary for the performance of a contract in which the data subject is a party (as is the case with an employment contract) or for taking steps at the request of the data subject prior to entering into a contract - this will often be the case when it comes to Human Resources (HR) data.
  • Processing is necessary to comply with our legal obligations.
  • Processing is necessary for the legitimate business interests of UNIGROUP.
  • Consent is given to us in cases where we are Data Controllers - and by the individual whose Personal Data is being processed. When relying on consent as a legal basis for processing, that consent must be explicit regarding the collection of data and about the purpose for which the data is used, and a record of such consent is kept.
DATA TRANSFERS
  1. Personal Data may need to be shared with government agencies and third parties for legitimate business reasons or as otherwise permitted or required by law. Data Subjects who share Personal Data with third parties must ensure that the third party has the capabilities and intent to protect Personal Data, in accordance with the standards and principles contained in this Policy. This can be done through the goodwill of the third party, risk assessment, and/or contract. If risks are identified, then appropriate requirements (including technical protection and organizational measures) must be put in place to ensure adequate protection of Personal Data. A data processing agreement will usually be required when a third party gains access to Personal Data to process such Personal Data for UNIGROUP.
  1. Questions regarding requests for disclosure of Personal Data to third parties should be directed to Hotel Management.
  1. In some cases, the use of Third Parties involves the transfer of Personal Data across borders.
  1. When transferring Personal Data to Third Parties across borders, we must:
  • Determine that we have a legitimate justification for transferring Personal Data (e.g., a valid business reason)
  • Follow instructions or any local legal requirements (e.g., notifying individuals, notifying Data Protection Authorities, using contractual safeguards, etc.).
INDIVIDUAL RIGHTS REGARDING PERSONAL DATA
  1. We have agreements with Data Controllers for them to exercise individuals' rights with respect to Personal Data. This includes Data Subject Access Requests and other rights regarding Personal Data. If a Data Subject makes a request, it must be processed in accordance with the Data Subject Access process. Other requests should be directed to Hotel Management.
  1. In the event of a data protection breach, the Data Protection Policy - procedure must be followed immediately.
UNCERTAINTIES
  1. In case of any uncertainties regarding Personal Data, any Manager who becomes aware of a possible violation of applicable laws and/or this Policy should immediately inform Hotel Management. As an alternative, they can report their concerns (anonymously) in the complaint, grievance, and suggestion box provided for employees in the employee section of the hotel.