Please read this document carefully. It contains the Privacy Policy for guests and clients of “Grand Hotel Sofia” AD (“the Policy”) and aims to explain the practices related to the processing of personal data in the context of the services provided and activities carried out.

This Policy has been prepared in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Regulation).

PRIVACY POLICY FOR GUESTS AND CLIENTS OF “GRAND HOTEL SOFIA” AD

GENERAL PROVISIONS

Article 1. In connection with the provision of its services and the performance of its activities, “GRAND HOTEL SOFIA” AD (“GRAND HOTEL SOFIA”) processes, as a data controller, the personal data of its clients who are natural persons, as well as the personal data of other natural persons specified below (“Data Subjects” / “You”), in accordance with the rules and principles set out in this Policy.

Article 2. “GRAND HOTEL SOFIA” AD is a company registered under Unified Identification Code (UIC) 131184460 and VAT number BG131184460, with its registered office and management address at 1 Gen. Gurko str., Sofia 1000, Bulgaria.

Phone: (+359 2) 811 0800

Email:

DATA SUBJECTS

Article 3.

(1). In connection with the services provided, GRAND HOTEL SOFIA processes information regarding the following Data Subjects:

(a) natural persons who visit the website https://grandhotelsofia.bg (the “Website”) and the online store https://gifts.grandhotelsofia.bg (the “Store”);

(b) natural persons who make reservations on their own behalf or on behalf of another natural or legal person via the Website;

(c) natural persons who use the services provided by GRAND HOTEL SOFIA, including but not limited to hotel accommodation, restaurant services, and related hospitality, provision of premises for organizing conferences and other events, etc., as well as natural persons representing or otherwise acting on behalf of legal entities that use these services;

(d) natural persons who, on their own behalf or on behalf of another person they represent, submit inquiries (including but not limited to email, fax, phone calls, use of the Website’s Instant Messaging functionality, the hotel’s social media channels, etc.), requests, alerts, complaints, or other correspondence to GRAND HOTEL SOFIA;

(e) natural persons whose information is included in inquiries (including via phone call or use of the Website’s Instant Messaging functionality), requests, alerts, complaints, or other correspondence addressed to GRAND HOTEL SOFIA.

 (2) The services of GRAND HOTEL SOFIA may only be requested by legally competent individuals who are at least 18 years of age.

CATEGORIES OF PERSONAL DATA

Article 4.

(1). The information (categories of personal data) that GRAND HOTEL SOFIA processes regarding the Data Subjects under this Policy may include:

In connection with the provision of hotel accommodation services:

(a) Identification data: guest’s full name; date of birth; gender; nationality; national identification number (such as the Bulgarian Personal Identification Number – EGN); identity document number; date of issue of the identity document; validity of the identity document; country of issuance; signature.

(b) Contact details: phone number; email address; physical address.

(c) Information related to hotel accommodation: room number; floor; dates of stay (check-in and check-out dates); duration of stay (number of nights); use of a travel package; room type preference; guest’s VIP status.

(d) Additional information related to hotel accommodation, provided explicitly by the service user: special requirements and preferences, including type of press, food, and beverages; special requirements related to food products, drinks, and other substances that the guest must avoid contact with (regardless of the reason).

(2). Data related to payments and invoicing: information about the method of payment (cash, bank transfer, credit card, etc.); information about amounts due and payments made; information about payment deadlines and overdue/unpaid obligations; banking information (bank name, IBAN, account holder); currency of the payment; credit/debit card number, validity, and cardholder name; CVC code; data contained in the payment authorization form (slip); name of the legal entity; address of the legal entity; VAT number and/or other identification, tax, or registration number (e.g., Personal Identification Number for natural persons); signed authorization forms. 

(3). In connection with the provision of restaurant services:

(a) Identification data: full name.

(b) Contact details: phone number; email address; physical address.

(c) Payment and invoicing data: credit/debit card number, validity, and cardholder name; CVC code; name of legal entity; address of legal entity; VAT number and/or other tax or registration number (for sole proprietors and natural persons); signed authorization forms.

(d) Preference-related information (explicitly provided by the service user): food and beverage preferences; preferred payment method; special requirements related to food products, beverages, and other substances the guest must avoid contact with (regardless of the reason).

(4). In cases where the Data Subject represents another person (e.g., a company): information about which person is being represented and in what capacity (including workplace and position), as well as information regarding the services requested or orders placed in that capacity.

Likewise, in cases where services are requested by a person other than the Data Subject for the benefit of the Data Subject — information about the capacity in which the Data Subject will use the services, who requested them, who will make the payment, and other related details (e.g., accommodation arranged by the Data Subject’s employer or business partner, etc.).

(5). In connection with the issuance of discount cards for clients:

(a) Identification data: full name.

(b) Information regarding the discount that may be used with the respective client's car

(6). In connection with the services and functionalities of the Website:

(a) Data processed in relation to hotel reservation requests: full name; email address; phone number; country; credit/debit card number, validity, and cardholder name; CVC code; number of rooms; number of guests, including number of adults and children; corporate code/access code/discount code; event or group booking code; reservation number; special offers and guest preferences (if explicitly stated in the reservation form); package details (e.g., Romantic Getaway Package, Special Occasion Package, Explore Sofia Weekend Package, etc.).

(b) Data processed in relation to purchases made through the Website’s online store available at https://gifts.grandhotelsofia.bg/: registration data (full name; email address; phone number; fax; company name; address; city; postal code; region; country; password); order history; voucher details (voucher number; personalized message); payment history; credit/debit card number, validity, and cardholder name; CVC code; bank account details; order number.

(c) Unstructured content from conversations and inquiries with reservation agents via the Website’s Instant Messaging functionality.

(d) Unstructured content from conversations and inquiries with hotel staff via the hotel’s social media profiles (Facebook, Instagram, LinkedIn, TikTok, etc.).

(e) Information from login logs, server logs, and security device logs (e.g., Web Application Firewalls and similar devices): date and time, IP address, URL, browser, and device information.

(f) Cookies: The Website requires the use of cookies for its functionality. A detailed description of the cookies used, their purpose, and the information processed through them can be found in the Cookie Policy of GRAND HOTEL SOFIA, available at: Cookie Policy (EU) - Grand Hotel Sofia

In connection with complaints, applications, requests, petitions, and alerts submitted by clients (including in free-text format): unstructured information contained in the respective complaints, applications, requests, petitions, and alerts.

VIDEO SURVEILLANCE & SECURITY

Article 5.

(1) In accordance with the requirements of applicable legislation, GRAND HOTEL SOFIA implements security measures that include the following technical and organizational means for access control and ensuring physical security against intrusions into buildings and facilities, as well as for the protection of the life and health of individuals: physical security personnel, alarm systems, and a video surveillance system operating 24/7, consisting of recording and storage devices.

(2) Video surveillance and recording may be conducted in publicly accessible areas and premises within the buildings of GRAND HOTEL SOFIA, as well as in areas subject to special access control. No video surveillance is conducted in guest rooms, sanitary facilities, relaxation areas, and similar spaces. Data from video surveillance activities are stored in a monitoring room with restricted access and 24-hour security.

(3) Data Subjects and other visitors who may be recorded are informed of the use of technical surveillance and control measures, as well as any other relevant information regarding the surveillance, through information boards placed in visible locations.

DIRECT MARKETING

Article 6.

(1) With the explicit consent of the Data Subject, GRAND HOTEL SOFIA, as well as other companies affiliated with or partners of GRAND HOTEL SOFIA, may process the following personal data: name; phone number; address; email address; information about the type and volume of services used and preferred, provided by GRAND HOTEL SOFIA; and other data explicitly mentioned in the respective consent, for the purposes of direct marketing, such as offering other goods and services, including those offered by third parties, conducting surveys and questionnaires aimed at improving the quality of the services provided, and similar activities, in accordance with the scope of the specific consent given.

(2) When personal data is processed for direct marketing purposes, the Data Subject has the right to object to such processing at any time. In such cases, the processing of personal data for these purposes shall be terminated.

(3) The Data Subject has the right to withdraw their consent for the processing of their personal data for direct marketing purposes at any time. In such cases, the processing of personal data based on the given consent shall be terminated.

(4) Profiling for direct marketing purposes may only be carried out with the explicit consent of the Data Subject, and at least the following additional safeguards for their rights and interests shall apply: the right to human intervention by the controller; the right to express their point of view; and the right to contest decisions based on profiling. At present, GRAND HOTEL SOFIA does not carry out such personal data processing activities.

PURPOSES OF PERSONAL DATA PROCESSING

Article 7: GRAND HOTEL SOFIA collects, stores, and processes the information described in Articles 4, 5, and 6 above for the purposes set out in this Policy and in the general terms and conditions (the contract) for the use of the respective services it provides. Depending on the legal basis for the processing, these purposes may include:

(a) purposes related to compliance with legal obligations of GRAND HOTEL SOFIA;

(b) purposes related to and/or necessary for the performance of contracts concluded with GRAND HOTEL SOFIA or for taking steps at the request of the Data Subject prior to entering a contract;

(c) purposes based on the legitimate interests of GRAND HOTEL  SOFIA or third parties;

(d) purposes for which the Data Subject has given consent for the processing of their data.

Article 8. The purposes for processing personal data by GRAND HOTEL SOFIA related to compliance with legal obligations include:

(1) Maintaining a register of accommodated tourists and submitting information from it to the competent authorities in accordance with the statutory procedures;

(2) Address registration of foreign nationals in accordance with applicable legislation;

(3) Withholding and payment of tourist tax;

(4) Activities related to the development and implementation of counter-terrorism measures;

(5) Handling of alerts, complaints, requests for exercising rights, and similar matters, as well as claims and commercial guarantees (where applicable), including the preparation of responses;

(6) Accounting, invoicing, and reporting of received and made payments in accordance with applicable tax and accounting legislation;

(7) Other activities related to the fulfillment of legal obligations (tax, accounting, regulatory, licensing, etc.) of GRAND HOTEL SOFIA, including the provision of information to competent state and judicial authorities and assistance during inspections by such authorities.

Article 9. The purposes for processing personal data by GRAND HOTEL SOFIA related to and/or necessary for the performance of contracts or for taking steps at the request of the Data Subject prior to entering into a contract with GRAND HOTEL SOFIA include:

(1) Acceptance, administration, and processing of reservations and cancellations;

(2) Customer service, including the provision of online services via the Websites;

Enabling account registration and administration and maintenance of registered profiles in the online store accessible through the Website;

(4) Administration, fulfillment, and delivery of purchases made through the Website;

(5) Communication related to the services provided;

(6) Administration and receipt of payments for the services provided, including remote payments;

(7) Guaranteeing reservations and payment for hotel accommodation and additionally requested services;

(8) Financial and accounting activities, and administration, processing, and collection of payments due for the services provided;

(9) Refund of incorrectly transferred amounts;

(10) Ensuring a personalized approach in the provision of services, tailored to the preferences expressed by the users.

Article 10. The purposes for processing personal data related to the legitimate interests of GRAND HOTEL SOFIA or third parties include:

(1). Legitimate interest:

(1.1) Exercising and protecting the legal rights and interests of GRAND HOTEL SOFIA; and

(1.2) Assisting in the exercise and protection of the legal rights and interests of clients; other persons associated with GRAND HOTEL SOFIA; employees of GRAND HOTEL SOFIA; persons processing personal data on behalf of GRAND HOTEL SOFIA; and business partners of GRAND HOTEL SOFIA:

(a) Establishing, exercising, or defending legal claims of the above-mentioned persons under items (1.1) and (1.2), including through legal proceedings, such as filing complaints, alerts, and similar with competent state and judicial authorities;

(b) Video surveillance and access control for the purpose of protecting the property of GRAND HOTEL SOFIA, demonstrating compliance with applicable requirements, ensuring physical security against intrusions into buildings and facilities, and protecting the life and health of individuals;

(b) Taking actions to discontinue the provision of services in cases of non-payment, violation of the rules and policies established by GRAND HOTEL SOFIA, and similar;

(c) Administration and handling of received complaints, alerts, requests, and similar;

(d) Collection of receivables owed to GRAND HOTEL SOFIA, including through enforcement and/or assignment to third parties, as well as transfer of receivables to third parties (cessions) in accordance with the law;

(e) Sending of notarial invitations.

(2). Legitimate interest – analysis, planning, and improvement of the quality of services provided by GRAND HOTEL SOFIA:

(a) Maintaining a copy of data from the internal information system related to the current status of the hotel (occupancy, obligations, etc.) in case of system failure;

(b) Receiving, processing, and preparing responses to submitted applications, requests, and similar, not related to complaints about the services used;

(c) Conducting customer satisfaction surveys and feedback collection;

(d) Monitoring, analyzing, and optimizing business processes to improve service quality.

(3). Legitimate interest – ensuring the proper functioning and use of the Website:

(a) maintenance and administration of the Website;

(b) detection and resolution of technical issues related to the Website’s functionalities;

(c) Taking measures against malicious actions that threaten the security and normal operation of the Website.

(4). Legitimate interest – conducting hotel and restaurant operations and ensuring high-quality hospitality services:

(a) administration and management of the services provided by GRAND HOTEL SOFIA;

(b) management and quality control of the services offered;

(c) obtaining feedback regarding the services provided.

Article 11. The purposes for processing personal data based on consent given by the Data Subject include:

(1) Sending marketing and promotional messages about services, special offers, packages, events, and similar;

(2) Conducting surveys and obtaining feedback regarding the quality of services;

(3) Sending newsletters;

(4) Other purposes for which specific consent has been provided by the Data Subject.

PROVISION OF PERSONAL DATA AND CONSEQUENCES OF REFUSAL TO PROVIDE IT TO GRAND HOTEL SOFIA

Article 12.

(1) GRAND HOTEL SOFIA clearly indicates, where applicable and in an appropriate manner, whether the provision of specific data and/or documents is mandatory or constitutes a requirement necessary for the conclusion or performance of a contract, as well as the consequences of refusal to provide them.

(2) If further clarification is needed, any Data Subject may request such information at the premises of GRAND HOTEL SOFIA or send an inquiry to the contacts listed in Article 23 of this Policy.

(3) Refusal to provide data and documents identified as mandatory may constitute an insurmountable obstacle to the provision of services by GRAND HOTEL SOFIA, or to the satisfaction and execution of submitted requests, applications, petitions, complaints, etc., which releases GRAND HOTEL SOFIA from liability for non-performance.

(4) Refusal to provide data and documents, or the provision of false ones, may result in the inability to deliver the respective services or in the suspension of access to services provided by GRAND HOTEL SOFIA.

(5) Data Subjects should not provide GRAND HOTEL SOFIA with any special categories of personal data within the meaning of Articles 9 and 10 of the Regulation (namely: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation; and personal data relating to criminal convictions and offences).

OTHER SOURCES OF PERSONAL DATA

Article 13.

(1) In certain cases, the personal data processed by GRAND HOTEL SOFIA is not collected or received directly from the Data Subject to whom it relates, but from third parties such as:

(a). Persons representing, working for, or otherwise cooperating with the Data Subject;

(b). Event organizers – regarding information about participants in the event;

(c). Business partners (e.g., booking websites such as booking.com; travel agents; other entities providing intermediary services for reservations or other service requests, and similar) of GRAND HOTEL SOFIA;

(d). Competent state and judicial authorities.

(2) The persons under para. 1, items 1–3 undertake to inform the Data Subjects whose data they provide and to ensure that the data is provided on the basis of a valid legal ground.

PROCESSING OF INFORMATION BY THIRD PARTIES – PERSONAL DATA PROCESSORS

Article 14.

(1) For the purposes outlined in this Policy, GRAND HOTEL SOFIA may assign personal data processing activities to third parties – personal data processors – in accordance with and within the scope of the requirements of the Regulation and other applicable data protection rules.

(2) When personal data is disclosed to and processed by personal data processors, this will be done only to the extent and volume necessary for the performance of the tasks assigned to them by GRAND HOTEL SOFIA.

(3) The personal data processors act on behalf of GRAND HOTEL SOFIA and are obligated to process personal data strictly in accordance with the instructions of GRAND HOTEL SOFIA. They are not permitted to use or process the information in any other way or for any other purposes than those specified in this Policy.

CATEGORIES OF PERSONAL DATA RECIPIENTS

Article 15.

(1) GRAND HOTEL SOFIA does not disclose personal data concerning the Data Subject to third parties, except in the following cases:

When it is necessary to fulfill a legal obligation of GRAND HOTEL SOFIA:

(a) competent state, municipal, or judicial authorities;

(b) auditors;

(2) When it is explicitly provided for in this Policy and/or in the general terms (contract) for the use of the respective services provided by GRAND HOTEL SOFIA:

(a) personal data processors acting on behalf of GRAND HOTEL SOFIA;

(b) debt collection companies;

When it is necessary for the provision of services by GRAND HOTEL SOFIA:

(a) banks and payment service providers;

(b) postal and courier service providers;

(c) business partners of GRAND HOTEL SOFIA, such as: booking websites; travel agencies; and other providers of travel or auxiliary services such as car rentals, taxi and other transport services, and similar;

(3) When the Data Subject has given explicit consent to the persons specified in the respective consent (e.g., entities affiliated with GRAND HOTEL SOFIA, its business partners, and similar);

(4) When it is necessary to protect the rights or legitimate interests of GRAND HOTEL SOFIA, third parties, or the Data Subject:

(a) state, municipal, and judicial authorities;

(b) private and public enforcement agents;

(c) lawyers;

(d) notaries;

In other cases provided for by law.

Article 16.

(1) GRAND HOTEL SOFIA processes and stores information about the Data Subject until the relevant purposes for which the data was collected and is being processed have been achieved.

(2) In accordance with its internal rules and procedures and the applicable legislation, GRAND HOTEL SOFIA processes and stores information about the Data Subject within the following timeframes:

RIGHTS OF DATA SUBJECTS IN RELATION TO THEIR PERSONAL DATA

Article 17.

(1) In connection with the processing of personal data relating to them, each Data Subject shall have the following rights:

1. Right to Information – to receive information regarding the processing of their personal data by GRAND HOTEL SOFIA;
2. Right of Access:

(a) to obtain confirmation as to whether personal data concerning them are being processed;

(b) to gain access to the processed personal data and to detailed information regarding the processing and their rights.

3. Right to Rectification – to request the correction or completion of their personal data if it is inaccurate or incomplete.
4. Right to Erasure – to request the deletion of their personal data where the grounds provided for in the Regulation apply;
5. Right to Restriction of Processing – to request GRAND HOTEL SOFIA to restrict the processing of their personal data within the limits provided by the Regulation, where the grounds for such restriction exist;
6. Notification of Third Parties – the right to request GRAND HOTEL SOFIA to notify third parties to whom their personal data have been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort for GRAND HOTEL SOFIA;
7. Right to Data Portability – to receive the personal data concerning them, which they have provided to GRAND HOTEL SOFIA, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from GRAND HOTEL SOFIA.

The right to data portability applies when the following two conditions are met simultaneously:

• The processing is based on consent or on a contractual obligation, and

(b) The processing is carried out by automated means.

Where technically feasible, the Data Subject has the right to obtain the direct transfer of personal data from GRAND HOTEL SOFIA to another controller. The right to data portability may be exercised in a manner that does not adversely affect the rights and freedoms of other individuals.

8. Rights in relation to automated individual decision-making, including profiling – the right not to be subject to a decision based solely on automated processing (i.e., processing without human involvement), including profiling within the meaning of the Regulation, which produces legal effects concerning the Data Subject or similarly significantly affects them, unless the grounds provided for in the Regulation apply and appropriate safeguards are in place to protect the Data Subject’s rights, freedoms, and legitimate interests. Such safeguards shall include, at a minimum, the right to obtain human intervention on the part of GRAND HOTEL SOFIA, the right to express their point of view, and the right to contest the decision.

If such a decision, including profiling, is made in relation to the Data Subject, they shall, in each specific case, have the right to receive from GRAND HOTEL SOFIA meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for them, and the manner in which the rights under this point may be exercised.

9. Right to withdraw consent to processing – where the processing of personal data is based solely on the Data Subject’s consent, they may withdraw their consent at any time. Such withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

RIGHT TO OBJECT

Article 18. The Data Subject shall have the right, at any time and on grounds relating to their particular situation, to object to the processing of personal data concerning them, including profiling within the meaning of the Regulation, where such processing is based on public interest, the exercise of official authority, or the legitimate interests of GRAND HOTEL SOFIA or a third party. In such cases, GRAND HOTEL SOFIA shall cease processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.

Article 19.

(1) The Data Subject may exercise their rights related to personal data protection by submitting a written request to GRAND HOTEL SOFIA – either in person at the address specified in Article 23 of this Policy or by sending a notarized request by post.

(2) The request under paragraph 1 may also be submitted electronically, provided it is signed by the Data Subject with a qualified electronic signature within the meaning of the Electronic Document and Electronic Certification Services Act and Article 3(12) of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, and sent to GRAND HOTEL SOFIA at the email address specified in Article 23 of this Policy.

(3) The Data Subject may exercise their rights related to their personal data either personally or through an expressly authorized representative (with a notarized power of attorney).

(4) Some of the rights may also be exercised through the functionalities available on the Website.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Article 20. Each Data Subject has the right to lodge a complaint with a personal data protection supervisory authority, in particular in the EU/EEA Member State of their habitual residence, place of work, or the place of the alleged infringement, if they consider that the processing of their personal data infringes the provisions of the Regulation or other applicable data protection requirements.

SUPERVISORY AUTHORITY IN THE REPUBLIC OF BULGARIA

Article 21. The supervisory authority in the Republic of Bulgaria is:
Commission for Personal Data Protection
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Website: https://www.cpdp.bg/

LIMITATIONS OF RIGHTS

Article 22. The scope of the rights of Data Subjects and the obligations of GRAND HOTEL SOFIA in relation to these rights may be restricted by a legislative measure under EU law or the law of a Member State applicable to GRAND HOTEL SOFIA.

CLARIFICATIONS AND ADDITIONAL INFORMATION

Article 23. The Data Subject may obtain clarifications regarding the content and grounds for data processing, the manner of exercising the rights under this Policy, as well as any additional information related to their rights in connection with the processing of personal data by GRAND HOTEL SOFIA at:

Address: 1 Gen. Gurko str., Sofia, Bulgaria
Email:
Phone: +(359 2) 811 0 866

This Privacy Policy has been prepared by “GRAND HOTEL SOFIA” AD in its capacity as a personal data controller in order to fulfill its obligations to provide information to data subjects under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

This Privacy Policy is effective as of 01.07.2020.

Last updated: 22.08.2025.