As a Personal Data Controller, Grand Hotels Management and Marketing Ltd. has an obligation to inform you of what to expect when processing your personal information.

Transparency in information processing.

I. Declaration regarding the Personal Data Protection Policy

  1. The Management of Grand Hotels Management and Marketing Ltd. hereby ensures compliance with the legislation of the EU and the member states regarding the processing of Personal Data and the protection of the “rights and freedoms” of the persons whose personal data Grand Hotels Management and Marketing Ltd. collects and processes according to the General Data Protection Regulation (Regulation (EU) 2016/679).
  2. The Controller keeps a Register/s of the processing activities.
  3. This Policy applies to all Personal Data processing activities, including those carried out regarding Personal Data of customers, employees, suppliers and partners and any other Personal Data that the Company processes from various sources.
  4. The Controller keeps a Register/s of the processing activities. In cases where the keeping of the Register/s is assigned to a data protection person/Personal Data protection officer, he/she is responsible for entering any changes in the activities of Grand Hotels Management and Marketing Ltd. into this Register/s, as well as all other additional requirements, including data protection impact assessments. This Register shall be available upon request by the Supervisory Authority.
  5. This Policy applies to all employees/workers (and stakeholders) of Grand Hotels Management and Marketing Ltd., as well as to data processors and their staff members. Any violation of the General Regulation will be considered as a violation of labor discipline, and in case there is an assumption of a crime committed, the matter will be submitted for consideration in the shortest possible time to the relevant state authorities.
  6. Third parties that work with or for Grand Hotels Management and Marketing Ltd., including partners, external suppliers, customers, etc., as well as those who have or may have access to the Controller’s Personal Data, are required to familiarize themselves and comply with this Policy. The Controller is obliged to conclude a Data Confidentiality Agreement with any third party to which it grants access to the Personal Data processed by it, which gives Grand Hotels Management and Marketing Ltd. the right to carry out checks on compliance with the obligations imposed by the Agreement, unless the processing is not required by EU law or by the law of a member state.

II. Obligations and responsibilities under Regulation (EU) 2016/679

  1. Grand Hotels Management and Marketing Ltd. is a Personal Data Controller according to Regulation (EU) 2016/679 and bears all responsibility and risks of possible non-compliance with the GDPR requirements, including being responsible for developing and promoting good practices in the field of Personal Data processing data in Grand Hotels Management and Marketing Ltd.
  2. A Personal Data Processor is any person outside the Controller’s organization which directly processes Personal Data on behalf of the Controller and stores, digitizes, catalogs, etc. the whole information.
  3. The Data Protection Officer, respectively the person who, by job description or assignment, performs tasks related to Personal Data protection (responsible person/Data Protection Officer), takes part in the meetings of the Controller’s management at which issues in the field of Personal Data protection are discussed, and advises the Controller on demonstrating compliance with data protection legislation and good practice.

This reporting by the Data Protection Officer includes:

III. Data Protection Principles

The processing of Personal Data is carried out in accordance with the Data Protection Principles set out in Article 5 of Regulation (EU) 2016/679. The policies and procedures of Grand Hotels Management and Marketing Ltd. are intended to ensure compliance with these Principles.

  1. Personal Data must be processed lawfully, in good faith and transparently

Lawfully – to identify a lawful basis before processing Personal Data. These are so-called “grounds for processing”, for example “consent”. The subject’s consent is one of the grounds for processing Personal Data. This may also be the performance of a contract or a legitimate interest of the controller, in which cases consent does not need to be given.

In good faith – for the processing to be in good faith, the data controller must provide certain information to the Data Subjects, necessary in each specific case and for each specific purpose, in an understandable, concise and accessible way for the Data Subject. This applies regardless of whether the Personal Data is obtained directly from the Data Subjects or from other sources.

Transparently – Regulation (EU) 2016/679 sets out requirements regarding what information must be made available to Data Subjects, which is covered by the principle of “transparency” regulated in Articles 12, 13 and 14 of the GDPR. According to the cited provisions of the GDPR, the information must be communicated to the Data Subject in an understandable form, using clear and comprehensible language, i.e. privacy statements signed by Data Subjects must be detailed and specific, understandable and accessible. The rules for notifying the Data Subject from the part of Grand Hotels Management and Marketing LTD. are defined in the relevant transparency procedure, and the communication is carried out through a notification for confidential treatment of Personal Data.

The specific information that the Company provides to the Data Subject includes at a minimum: data that identifies the Controller and the contact details of the Controller and the contacts of the Data Controller, if any; the purposes of the processing for which the Personal Data are intended as well as the legal basis for the processing; the period for which the Personal Data will be stored; the existence of the following rights – to request access to the data, correction, deletion (right to be forgotten), limitation of processing, as well as the right to object to the conditions (or lack thereof) in connection with the exercise of these rights; the categories of Personal Data; the recipients or categories of recipients of Personal Data, where applicable; whether the Controller intends to transfer the Personal Data to a recipient in a third country and the level of data protection; any additional information necessary to ensure fair processing.

The data obtained for specific purposes are not used for purposes that differ from those officially announced as part of the Register of data processing activities (Article 30 of the GDPR) of Grand Hotels Management and Marketing Ltd. A procedure for transparency in the processing of Personal Data defines the relevant rules.

The Data Protection Officer will carry out an initial impact assessment when necessary, taking into account all circumstances related to the data processing operations of Grand Hotels Management and Marketing Ltd. In each specific case, where there is a Personal Data breach, the Data Protection Officer as responsible person in the Controller’s enterprise should carry out a risk assessment and, in the event of a high risk, notify the Supervisory Authority and/or the Data Subject. In considering the risk on a case-by-case basis, the Data Protection Officer should consider the degree of potential harm or loss that could be caused to individuals (e.g. staff or customers) if a security breach were to occur, any likely reputational damage of the Controller, including possible loss of customer trust, etc. Ensuring the security of Personal Data is also related to the implementation of appropriate technical measures, which the Data Protection Officer monitors and which may include at least:

In assessing the appropriate organizational measures, the Data Protection Officer will consider the following:

The assessment of appropriate measures takes into account the identified risks to Personal Data, as well as the possibility of harm to the persons whose data is processed.

Regulation (EU) 2016/679 includes provisions that promote accountability and governance and complement transparency requirements. The principle of accountability in Art. 5, para. 2 requires the Controller to prove that it complies with the other principles in the GDPR and expressly states that this is its responsibility.

Grand Hotels Management and Marketing Ltd. demonstrates compliance with data protection principles by implementing data protection policies, adhering to codes of conduct, implementing appropriate technical and organizational measures, and adopting data protection techniques at the stage of design and default data protection, privacy impact assessment, Personal Data breach notification procedure, etc.

IV. Rights of data subjects

  1. According to the GDPR, the Data Subject has the following rights regarding the processing of his/her personal data:
  2. To receive information about the Personal Data related to him/her, which are processed by the Controller, and the purpose for which they are processed, including to obtain access to the data, as well as information who are the recipients of this data and the third parties to whom data is transmitted;
  3. To request a copy of his/her personal data from the Controller;
  4. To ask the Controller to correct Personal Data when they are inaccurate, as well as when they are no longer up-to-date;
  5. To demand from the Controller the deletion of Personal Data (right “to be forgotten”);
  6. To ask the Controller to limit the processing of personal data, as in this case the data will only be stored, but not processed.;
  7. To object to the processing of his/her Personal Data;
  8. To object to the processing of Personal Data concerning him/her for the purposes of direct marketing;
  9. To file a complaint with a Supervisory Authority if he/she believes that any of the provisions of the GDPR have been violated;
  10. To request and be provided with Personal Data in a structured, widely used and machine-readable format;
  11. To withdraw his/her consent to the processing of Personal Data at any time with a separate request addressed to the Controller;
  12. Not to be the subject of automated decisions that affect him/her to a significant extent, without the possibility of human intervention;
  13. To oppose automated profiling that occurs without his/her consent;
  14. Grand Hotels Management and Marketing Ltd. provides conditions to guarantee the exercise of these rights by the Data Subject:
  15. Data Subjects may make data access requests as described in the relevant procedure, which procedure also describes how Grand Hotels Management and Marketing Ltd. will ensure that the response to the Data Subject’s request meets the requirements of the General Regulation.
  16. When the requests of a Data Subject are manifestly unfounded or excessive, in particular due to their repetition, Grand Hotels Management and Marketing Ltd. may either impose a reasonable fee, taking into account the administrative costs of providing the information, communication or taking the requested actions, or refuse to act on the request.
  17. Data Subjects have the right to submit objections to Grand Hotels Management and Marketing Ltd. , related to the processing of their Personal Data The processing of a request from the Data Subject and the submission of objections by the Data Subject is carried out in accordance with the rules accepted in the Company. The Supervisory Authority in Bulgaria is the Commission for the Protection of Personal Data, address: 1592Sofia, ” Prof. Tsvetan Lazarov” No. 2 (

V. Consent

  1. By “consent” Grand Hotels Management and Marketing Ltd. understands any freely expressed, specific, informed and unequivocal indication of the will of the Data Subject, by means of a statement or a clear affirmative action, which expresses his/her consent for the Personal Data related to him/her to be processed. The Data Subject can withdraw their consent at any time. Consent of the Subject of Personal Data is required whenever there is no alternative legal basis for the processing.
  2. By “consent”, Grand Hotels Management and Marketing Ltd. understands only the cases in which the Data Subject was fully informed about the planned processing and expressed his consent without any pressure being exerted on him/her. Consent obtained under duress or based on misleading information will not be a valid basis for processing Personal Data.
  3. Consent cannot be inferred from a lack of response to a message to the Data Subject. For consent to exist there must be active communication between the Controller and the Subject. The Controller requests and obtains consent for processing activities where consent is required for these activities.
  4. For special categories of data, express written consent must be obtained in accordance with the Procedure for Obtaining Consent for the Processing of Personal Data of Data Subjects, unless there is an alternative lawful basis for processing.
  5. The Subject’s consent to the processing of Personal or special categories of data is given – on the basis of the relevant document of consent provided by the Data Subject to the Controller for each specific purpose of processing. When the Subject signs a contract, consent is not necessary because their data is collected on a different legal basis.
  6. When Grand Hotels Management and Marketing Ltd. processes personal data of children, it receives permission from those exercising parental rights (parents, guardians, etc.). This requirement applies to children under the age of 16.

VI. Data security

  1. The employees of the Controller, who, according to their job characteristics, have an obligation to process certain Personal Data on behalf of their employer, are obliged to ensure the security of the processing and storage of the data on their part, including ensuring that they will not disclose the data to third parties, unless Grand Hotels Management and Marketing Ltd. has granted such rights to such third party to access the data.
  2. Personal Data or part of it must be accessible only to those who have an obligation to process/store it, and access can only be granted in accordance with established access control rules. All Personal Data must be stored, for example:
  3. in a room with controlled access; and/or in a locked cabinet or filing cabinet; and/or
  4. if it is computerized, protected by a password in accordance with the internal requirements specified in the organizational and technical measures for controlling access to information (for example, access control rules); and/or
  5. stored on portable computer media that are protected in accordance with organizational and technical measures for controlling access to information.
  6. To create an organization to ensure that computer screens and terminals cannot be viewed by anyone other than the authorized employees / workers of Grand Hotels and Management. All employees / workers are required to be trained and accept the relevant contractual clauses / declaration of compliance with organizational and technical access measures, as well as workstation locking rules, before they are granted access to information of any kind.
  7. Paper records must not be left where they can be accessed by unauthorized persons and cannot be removed from designated office premises without express permission. As soon as paper documents are no longer required for ongoing customer support work, they must be destroyed in accordance with established procedure/rules and protocol.
  8. Personal Data may be deleted or destroyed only in accordance with the accepted procedure. Paper records that have expired should be shredded and destroyed as “confidential waste”. Data on the hard drives of redundant personal computers must be erased or the drives destroyed according to established policies/procedures.
  9. The processing of Personal Data “outside the office” poses a potentially greater risk of loss, theft or breach of personal data. The staff is specifically authorized to process the data outside the Controller’s premises.

VII. Disclosure of data

  1. Grand Hotels Management and Marketing Ltd. must ensure conditions under which Personal Data is not disclosed to unauthorized third parties, including family members, friends, government authorities, even investigative ones, if there is reasonable doubt that they are not required by the established order. All employees / workers should exercise caution when asked to disclose Personal Data held about another person to a third party It is important to consider whether or not the disclosure of the information is related to the needs of the activity carried out by the organization. It is necessary to provide employees with special training and periodic briefings in order to avoid the risk of such a violation.
  2. All requests from third parties to provide data must be supported by appropriate documentation and all such data disclosures must be coordinated with the responsible person / Data Protection Officer to provide an opinion.
  3. Personal Data will be provided to the competent public authorities during and on the occasion of the exercise of their official powers.

VIII. Storage and destruction of data

  1. Grand Hotels Management and Marketing Ltd. does not store Personal Data in a form that allows the identification of subjects for a longer period than is necessary, in relation to the purposes for which the data were collected.
  2. Grand Hotels Management and Marketing Ltd. can store data for longer periods only if the personal data is processed for archiving purposes, for purposes of public interest, scientific or historical research and for statistical purposes, and only when performing appropriate technical and organizational measures to guarantee the rights and freedoms of the Data Subject.
  3. The storage period for each category of Personal Data is specified in the Data Storage and Destruction Procedure as well as the criteria used to determine this period, including any legal obligations requiring Grand Hotels Management and Marketing Ltd. to retain the data.
  4. The procedure for storing and destroying data, as well as the rules for destroying information on unused recording media, applies in all cases.
  5. Personal Data must be destroyed according to the principle of ensuring an appropriate level of security (Article 5, para. 1 b. f) of the General Regulation) – including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures (“integrity and confidentiality”);

IX. Data transfer

Any export of data from within the EU to countries outside the EU (referred to in the General Regulation as “third countries”) is illegal unless there is an appropriate level of protection of the fundamental rights of Data Subjects.

The transfer of Personal Data outside the EU is prohibited unless one or more of the specified safeguards or exceptions apply:

  1. Adequacy decision

The European Commission may assess third countries, territory and/or specific sectors in third countries to assess whether there is an adequate level of protection of the rights and freedoms of natural persons. In these cases, no authorization is required. Countries that are members of the European Economic Area (EEA) but not the EU are considered eligible for an adequacy decision

Grand Hotels Management and Marketing Ltd. may adopt approved mandatory corporate rules for the transfer of data outside the EU where applicable. This requires their submission to the relevant Supervisory Authority for approval.

The Controller may adopt established standard contractual data protection clauses when transferring data outside the European Economic Area. If Grand Hotels Management and Marketing Ltd. accepts standard contractual clauses approved by the relevant Supervisory Authority, there is automatic recognition of adequacy.

In the absence of an adequacy decision, mandatory company rules and/or contractual clauses, a transfer of Personal Data to a third country or international organization shall only take place under one of the following conditions: the Data Subject has expressly consented to the proposed transfer after being informed of the possible risks of such transfers; the transmission is necessary for the performance of a contract between the Data Subject and the Controller or for the performance of pre-contractual measures taken at the request of the data subject; the transmission is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person; the transmission is necessary for important reasons of public interest; the transfer is necessary for the establishment, exercise or defense of legal claims; the transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally unable to give consent; the transmission is made from a register which, under EU law or the law of the Member States, is intended to provide information to the public and is available for reference by the public in principle or by any person who can demonstrate that he/she has a legitimate interest in doing so, but only insofar as the reference conditions laid down in Union law or the law of the Member States are fulfilled in the particular case.

X. Register of data processing (data inventory)

  1. Grand Hotels Management and Marketing Ltd. has created a data inventory process as part of its approach to address risks and opportunities in the process of complying with Regulation (EU) 2016/679 compliance policy. During the inventory of the data in Grand Hotels Management and Marketing Ltd. and in the work flow of data, the following are established:
  2. business processes that use Personal Data;
  3. the sources of Personal Data;
  4. the number of Data Subjects;
  5. description of the categories of Personal Data and the elements of each category;
  6. processing activities;
  7. the purposes of the processing for which the Personal Data are intended;
  8. the legal basis for the processing;
  9. the recipients or categories of recipients of the Personal Data;
  10. the main systems and places of storage;
  11. all Personal Data subject to transfers outside the EU;
  12. storage and deletion periods.


  1. General regulation for the protection of personal data

Regulation (EU) 2016/679 (General Data Protection Regulation) replaces the Data Protection Directive 95/46/EC. It has direct effect and implies a change in the legislation of the member countries in the field of Personal Data protection. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that Personal Data is not processed without their knowledge and, where possible, is processed with their consent.

Material scope – this Regulation applies to the processing of Personal Data in whole or in part by automatic means, as well as to the processing by other means of Personal Data that are part of a register of Personal Data or that are intended to form part of a register of Personal Data.

Territorial scope – the Rules of the General Regulation will apply to all data controllers established in the EU who process Personal Data of natural persons in the context of their activity. It will also apply to non-EU controllers who process Personal Data for the purpose of offering goods and services or if they monitor the behavior of Data Subjects who reside in the EU.

“Personal Data” – any information relating to an identified natural person or an identifiable natural person (“Data Subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;

“Special categories of Personal Data” – Personal Data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the unique identification of a natural person, data relating to health or data regarding an individual’s sex life or sexual orientation.

“Processing”– means any operation or set of operations performed on Personal Data or a set of Personal Data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission , distribution or other way in which data is made available, arranged or combined, restricted, deleted or destroyed;

“Controller”– any natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of Personal Data processing; where the purposes and means of this processing are determined by EU law or the law of a Member State, the Controller or the special criteria for its determination may be established in Union law or in the law of a Member State;

“Data Subject” – any living natural person who is the subject of the Personal Data stored by the Controller.

“Consent of the Data Subject” – any freely expressed, specific, informed and unequivocal indication of the will of the Data Subject, by means of a statement or a clear affirmative action, which expresses his/her consent to the Personal Data relating to him/her being processed;

“Child” – The General Regulation defines a child as anyone under the age of 16, and under national law anyone under the age of 18. The processing of a child’s Personal Data is only lawful if a parent, guardian or custodian has given consent. The Controller makes reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given or is authorized to give consent.

Contact with the Personal Data Controller:



Phone: 02 8199 221

Очаквайте скоро!

Grand Hotel Therme

Grand Hotel Bansko

Grand Hotel Sveti Vlas

To organize events

Contacts with Grand Hotel Resorts by Pulse

We take great care to improve your stay and respond to your questions and comments. Leave us contact information and we will get back to you.