Privacy policy and personal data protection

Information for us:
Hotels and Dreams OOD
Address: Sofia, 115, Simeonovsko shosse Str.
UIC: 205368289
Identification Number by the Law on VAT: BG205368289
Accountable person Dimitar Krastev and Asya Pandzherova

Our main aim, when working with personal data

Restaurant Leonardo processes your personal data in order to provide to its guests better, higher-quality and more diverse services.  In the view of this, the data security is of importance for the success of our business and for our public image as a hotel. That is why we strive to protect your data as we apply all appropriate technical and organizational means, that we have available, so as not to allow any unauthorized access, unpermitted or malicious use, loss or premature deletion of information.

This policy for the protection of personal data” is designed to explain how and why we process your personal data.

How and why we use your personal data

For the implementation of regulatory obligations and by contract

We collect and process your personal data and other personal data in order to fulfill obligations assigned to us under the regulatory act, such as the Law of Tourism

We collect and process your personal data and other personal data to deliver to the full extent the services that you have requested and wanted to use, as well as to fulfill our contractual obligations to you.  

    • Personal Identification Number, names, sex, citizenship, permanent address
    • е-mail, letters, information about your requests for the removal of problems, appeals, applications, complaints;
    • other feedback, that we receive from you;
    • video recordings that are made with the aim of improving the security  
    • preferences for the services that we provide to you;
    • information about credit or debit card number, bank account or another bank and payment information related to the payments made to the hotelfor payment of the product or service through the booking system of the hotel website, the User does not provide any bank/credit cards details to the Tourist Management Ltd. Payment by a bank card shall be made through the virtual POS terminal of the bank, whereby the bank card details are entered directly into the Secure platform of the bank. In this way, the data from the bank card of the user are maximum protected and do not become available to the Tourist Management Ltd. To prevent misuse of payment by your Visa or MasterCard card, we apply the best practices recommended by the international card organizations:
  • Security for the introduction and transfer of the card data is provided through the use of the SSL protocol for encrypting the connection between our server and the payment page for our bank service.
  • The authenticity of your card is verified by entering a security code (CVV2)
  • In addition, to identify you as a cardholder, the payment server for e-commerce for the service of our bank supports the authentication schemes of the international card organizations – Verified by VISA and MasterCard SecureCode, in case you are registered to use them

Other information such as:

      • Data provided on the Internet website of the hotel;
      • IP address when you are visiting our web page;
      • Demographic data, household information when you agree to participate in our surveys, withdrawals of prizes or other feedback you provide to us in connection with the services that you use;

The processing is carried out with the aim of:

  • Establishing the identity of the customer at the accommodation in the hotel;
  • Management and implementation of your service requests;
  • The preparation and dispatch of account/invoice for the services that you use with us;
  • Ensuring the full necessary service to you, as well as to collect the amounts due for the services used;
  • Analysis of client history and user profile design with the view of determining the appropriate offer for you;
  • Investigate and analyze customer service usage on the basis of anonymous or personalized information to establish the main trends, to improve our understanding of our clients’ behaviour and to collaborate with third parties to develop new services for our customers;
  • Processing by the data processor upon conclusion of a contract, assignment, reporting, acceptance, payment;

After Your consent

In some cases, we process your personal data only after your prior written consent. The consent is a separate ground for the processing of your personal data and the purpose of the processing is specified in it and is related to the objectives listed in this policy. If you give us the relevant consent and until its withdrawal:

  • We prepare suitable proposals for you, for programs and services offered by the hotel;

The consents submitted may be withdrawn at any time. The withdrawal of the consent will have an effect on the provision of the relevant services related to the provision of the relevant programs.  

We have a large portfolio of programs and services.  When you give us consent to data processing, this consent will apply to all programs and services that you use.

To withdraw your given consent, you only need to use our site or just our contact details.


To whom we provide your personal data:

We process your credentials and other personal data in order to comply with obligations that are provided in an enactment, for example:

  • Provision of information to the Consumer Protection Commission or Third Parties stipulated in the Consumer Protection Law;
  • Provision of information to the Commission for the protection of personal data in relation to obligations under the legislation on the protection of personal data – Personal Data Protection Act, Regulation (EC) 2016/679 of 27 April 2016, etc.;
  • Obligations laid down in the Accountancy Law and Tax and Social Insurance Procedure Code, and other related regulations in connection with the conduct of a correct and legal accounting;
  • Provision of information to the court and third parties in the context of the court proceedings, in accordance with the requirements of the procedural and substantive legal acts applicable to the proceedings;
  • Payment authentication for online registrations.

How We Protect Your Personal Data

To ensure the adequate data protection of the Company and its customers, we apply all the necessary organizational and technical measures provided for in the Personal Data Protection Law and the sub-statutory acts for its application.

The company has appointed a designated Data Protection Officer who supports the processes of data protection and security.

For the sake of maximum security when processing, transferring and storing your data, we may use additional security mechanisms such as encryption, pseudonymization, and etc.

When we delete Your Personal Data

As a general rule, we terminate the use of your personal data for the purposes related to the contractual relationship, after termination of the contract, but do not delete them before the expiry of one year from the date of termination of the contract or until the final settlement of all financial obligations and the expiry of the statutory obligations for  storing the data, such as obligations under the Accountancy Act for the storage and processing of accounting data (5 years), the expiry of the limitation periods for submission of claims laid down in the Law on Obligations and Contracts (5 years), the obligations for the provision of information to the court, competent state bodies, and etc. grounds provided for in the current law (5 years). Please note that we will not delete or anonymize Your personal data if it is necessary for a pending court, administrative proceedings or proceedings to process your complaint to us.

Your data can also be anonymized. Anonymization is an alternative to data deletion. With the anonymization, any personally identifiable elements/elements that allow you to identify yourself are irrevocably deleted.   There is no legal obligation for deletion of the anonymized data, as it does not represent personal data.

Your rights in connection with the processing of your personal data

Right to Information:

You have the right to ask for:

  • information about whether the data related to you are being processed, information for the purposes of such processing, for the categories of data, and for the recipients or the categories of recipients to whom the data are disclosed;
  • a message in an intelligible form containing your personal data being processed, as well as any available information about their source;
  • information about the logic of any automated processing of personal data related to you, at least in the cases of automated decisions.

The right of correction:

In the event that we handle incomplete or erroneous/false data, you are entitled at any time to request:

  • that we should delete, rectify or block your personal data, the processing of which does not comply with the requirements of the law;
  • that we should inform the third persons, to whom personal data have been disclosed, for any deletion, correction or blocking, with the exception of cases where this is impracticable or involves a disproportionate effort.

The right to delete /the right “to be forgotten”/:

You have the right to ask at any time for deletion of the personal data processed by us, if:

  • The personal data are not necessary for the purposes for which they have been collected and processed;
  • You withdraw your consent and there is no other legal basis for processing them;
  • Personal data are processed unlawfully

Right to Objection:

At any time you have the right to:

  • object against the processing of your personal data in the presence of a legal reason for that; when the objection is justified, the personal data of the relevant physical person can no longer be processed;
  • object to the processing of your personal data for the purposes of direct marketing.

Right to limit the processing*:

You may request a limitation of the processing of the customizable data if:

  • you question the accuracy of the data for the period in which we must verify their accuracy; or
  • the processing of the data is without legal grounds, but instead of deleting them, you want their processing to be limited, or
  • we do not need these data anymore (for the specified purposes), but you need them for the establishment, exercise or defense of legal claims; or
  • you have filed an objection to the data processing, pending verification whether the grounds of the administrator are legitimate.

The right to data portability*:

You may request from us to provide the personal data that you entrusted to our care, in an organized, orderly, structured, common electronic format if:

  • we are processing your data under the contract and based on the declaration of consent, which may be withdrawn or on a contractual obligation and
  • the processing is done automatically

Right to appeal:

In the event that you believe that we are violating the applicable legal framework, please contact us to clarify the matter. Of course, you have the right to submit a complaint to the Personal Data Protection Commission. After 25 May 2018, you will be able to file a complaint to the regulatory authority as well within the EU.

Applications for access to information or for correction are filed in person or by explicitly-authorized-by-you person, by a notarized power of attorney. An application may also be made electronically in accordance with the procedure laid down in the Law on Electronic Document and Electronic Signature

We will pass judgement on your request within 14 days of its filing.  If a longer period is objectively necessary – with a view to collect all the requested data and this seriously impedes our activities, this period may be extended to 30 days With our decision we give or refuse access and/or the information requested by the applicant, but we always motivate our response.

Updates and changes to the policy

In order to apply the most up-to-date protection measures and to comply with the current legislation, we will update regularly this Policy for Personal Data Protection.  We invite you to regularly review the current version of this Personal Data Protection Policy, to be permanently informed about how we care for the protection of the personal data that we collect.