Dedo Pene

Dedo Pene Inn and Guest House in Bansko

Privacy Policy

Privacy Policy for Customers of “Dedo Pene”, Bansko

Please read carefully the present document. It contains the Privacy Policy for customers of hotel and restaurant “Dedo Pene”, Bansko, and the users of its website (“the Policy”) and is aimed to explain our practices related to personal data processing in the context of the services provided and activities performed by us.

The Policy is drafted in compliance with the requirements under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Regulation).

General provisions
  1. In connection with the provision of its services and performance of its activities, DEDO PENE V+V Ltd. (“Dedo Pene” / “we”), in its capacity as data controller, processes personal data of its customers – natural persons, as well as personal data of other individuals specified below (“Data Subjects”/ “you”), in compliance with the rules and principles under the present Policy.
  2. DEDO PENE V+V Ltd. is a company with UIC 101655091, head office and registered address: Bansko 2770, 1, Alexander Buynov St., tel. (+359 74) 988 348, mobile tel. (+359 888) 795 970, fax: 074 982 223, email address: and web:

Data Subjects
  1. In connection with the provided services we processes information regarding the following Data Subjects:
    1. individuals visiting the website (the Website);
    2. individuals making reservations through the Website or booking websites, in their name or on behalf of another individual or legal entity;
    3. individuals using the services provided by us, including, but not limited to, hotel accommodation, restaurant and related services, including individuals representing or acting in another manner on behalf of legal persons using the said services;
    4. individuals who, on their own behalf or on behalf of another person, have addressed inquiries (including, but not limited, by email, fax, phone, or other), requests, signals, complaints or other correspondence to Dedo Pene.

Categories of Personal Data
  1. The information (categories of personal data) concerning Data Subjects which is processed by Dedo Pene pursuant to the present Policy may include:
Categories of Data Data Types

In connection with the provision of hotel accommodation

  • identification data: guest’s full name; date of birth; gender; nationality; national identification number (such as PIN for Bulgarian citizens or identification number for foreigners) ID document number and date of issue; ID document date of expiry; country issuing the ID document; signature;
  • contact details: telephone number; email address; address;
  • information related to hotel accommodation: room number; floor; dates of stay (check-in date, check-out date); duration of stay (number of nights spent at the hotel); tourist package, if used;
  • additional information related to hotel accommodation at the customer’s explicit request: special requirements and preferences, including type of press, food and drinks; special requirements related to food products, drinks and other substances which should be avoided by the guest (regardless of the reason).

Data relating to payments and issuance of invoices

  • information regarding the payment method (in cash, by bank transfer, by credit card, etc.); information regarding due and effected payments; information regarding the due date of payment and overdue/outstanding debts; bank details (bank, IBAN, account holder); currency of the payment; number, expiry date and holder of the credit/ debit card; CVC code; data contained in the payment authorization slip; PIN for natural persons; authorization slips (signed).

In connection with the provision of restaurant services

  • identification data: full name;
  • contact details: telephone number; email address; address;
  • data relating to payments and issuance of invoices: number, expiry date and holder of the credit/debit card; CVC code; VAT number and/or other tax or registration number (for sole traders and natural persons); authorization slips (signed);
  • information of preferences (at the customer’s explicit request): food and drink preferences; preferred payment method; specific requirements related to food products, drinks and other substances which should be avoided by the guest (regardless of the reason).
  • In cases where the Data Subject represents another person (e.g. a company): information regarding the represented person and the capacity of the representative (incl. workplace, position), as well as information of ordered services/ submitted orders in such capacity. Respectively, in cases where the services are ordered by a person other than the Data Subject on behalf of the Data Subject – in what capacity the Data Subject will use the services, who has ordered the services, who will make the payment, etc. (for instance, in case of accommodations organized by an employer or a business partner of the Data Subject, etc.).

In connection with the services and functionalities of the Website

  • data processed in connection with accommodation and restaurant booking: full name, email address; telephone number; date and hour of the reservation / check-in and check-out dates; number of rooms; number of guests, special offers and preferences (with explicit indication in the booking form or by email);
  • information from log-in logs, server logs, Web Application Firewalls, and other devices falling in this category: date and time, IP address, URL, browser and device information;
  • Cookies: The operation of the Website requires the use of cookies. You can find a detailed description of the cookies used, their designation and the information which is processed by means of cookies in the Cookies Policy of Dedo Pene, accessible at

In connection with complaints, applications, requests and signals (including in free text)

  • non-structured information contained in the respective complaints, applications, requests and signals.

Surveillance and Security
  1. We apply security measures including a 24-hour video surveillance system of recording and storage devices for ensuring the physical security against violations on the buildings and sites, and for protection of the life and health of citizens.
  2. Video surveillance and video recording may be performed in publicly accessible zones and premises in the buildings of Dedo Pene and in zones and premises with an exclusive access regime. As far as this cannot be avoided upon the installation of the video surveillance devices it is possible that they record also part of the street in front of Dedo Pene’s premises but this is made accidentally and is not the purpose of the video surveillance. There is no video surveillance in the guest rooms, WCs, recreation rooms, etc. The data of video surveillance activities are stored in a separate locked room with limited access. The records are being reviewed only upon occurrence of an accident (such as incident, unlawful act of an employee, client or a third person) as the respective section of the recording shall be archived and stored for the period necessary for us to exercise our respective rights.
  3. Information boards are available at visible places to notify Data Subjects and other visitors that technical means for surveillance and control are used, and provide any other related information.

Direct Marketing
  1. Subject to your explicit consent, we, respectively other companies related to or partners of us, may process the following your personal data: names; telephone number; address; email address; information of the type and number of used and preferred services provided by us and other data explicitly specified in the respective consent for the purposes of direct marketing, such as offering of goods and services, including goods and/or services offered by other persons, conducting inquiries and polls for the purpose of improving the quality of the services provided, etc., within the scope of the respective consent.
  2. Where personal data are processed for direct marketing purposes you shall be entitled at any time to object to such processing or withdraw your consent to the processing. In such cases, the processing of personal data for such purposes is terminated.

Purposes of Personal Data Processing
  1. We collect, store, and process the information described above for the purposes provided for in the present Policy, which, depending on the legal grounds for the processing may be:
    1. purposes related to the compliance with legal obligations of Dedo Pene;
    2. purposes related to and/or necessary for the performance of the contracts concluded with us or for taking steps at the request of the Data Subject prior to entering into a contract;
    3. purposes related to our legitimate interest or of third parties;
    4. purposes for which the Data Subject has given his/her consent to the processing of his/her data.

Provision of personal data and consequences from refusal
  1. We clearly indicate, where applicable and in the appropriate manner, whether the provision of the respective data and/ or documents is mandatory or constitutes a requirement necessary for the conclusion or performance of a contract, as well as the consequences from the refusal to provide such data. Any refusal to provide data and documents indicated as mandatory may prove an impediment to the provision of a service by us to the satisfaction and execution of submitted requests, applications, signals, etc., which releases us from liability for default.

Other Sources of Personal Data
  1. In certain cases, the personal data processed by us are not collected and received directly from the Data Subject of the relevant data, but from third parties, such as:
    1. persons representing, working for or otherwise cooperating with the Data Subject;
    2. event organizers – with respect to information concerning the participants in the event;
    3. business partners (e.g. booking sites; tourist agencies, other persons that provide intermediary services in the context of booking or ordering of other services, etc.) of Dedo Pene;
    4. competent state and judicial authorities.

Categories of Recipients of Personal Data. Data Processors
  1. We not disclose personal data concerning the Data Subject to third parties except where:
    1. this is necessary for compliance with our legal obligation – such as to competent state, municipal or judicial authorities, auditors;
    2. this is explicitly provided for in the Privacy policy and/or the general terms (the contract) for use of the services by us – such as data processors as assigned by us, companies for receivables collection;
    3. this is necessary for the provision of our services – such as to banks and payment services providers, postal and delivery services providers, our business partners such as: booking sites; travel agencies and other providers of tourist services or other supportive services such as car rental, taxi and other transport services, etc.;
    4. the Data Subject has given his/her explicit consent – to the persons provided for in the relevant consent (e.g. our related parties, our business partners, etc.);
    5. this is necessary to protect our rights and legitimate interests or of third parties or the Data Subject – such as to state, municipal and judicial authorities, private and public judicial enforcement officers, lawyers; (f) in other cases provided by law.
  2. For the purposes specified in the present Policy, Dedo Pene may assign data processing activities to third parties – data processors, in compliance with the requirements under the Regulation and the other applicable personal data protection rules. Where personal data are disclosed to and processed by data processors, such disclosure and processing will be carried out only to the extent and in the amount necessary for the performance of the tasks assigned by us. Data processors act on our behalf and are obliged to process personal data only in strict compliance with our instructions. Data processors shall not be entitled to use or otherwise process the information for purposes other than for the purposes specified in the present Policy.
  3. Dedo Pene does not intend to transfer your personal data to persons or organizations outside the European Union. If this becomes necessary in exceptional circumstances, we will inform you therefor and implement the needed protection measures.

Retention Periods
  1. We process and store information about the Data Subject until achieving the relevant purposes it is collected and processed for. In accordance with the applicable legislation, we process and store information about the Data Subject for the periods as follows:
Type of data Storage period

Data relating to the register for accommodated tourists within the meaning of Art. 116 of the Tourism Act, including identification data of the accommodated persons as well as data related to the hotel accommodation

5 calendar years

Information relating to requested and used hotel accommodation services, events and restaurant services, including such relating to cancellation of bookings for hotel accommodation (as far as they involve a refund of pre-paid amounts and/or a deduction of amounts due)

From making the respective booking/request up to 5 (five) years from the provision of the service/completion of the contract/cancellation of the booking.

In cases where the services are requested and used based on a long-term contract, the period starts running from the complete performance and/or termination of the contract.

Financial and accounting documents; invoices; authorisation slips; other information related to tax and insurance control.

Up to 10 (ten) years from the beginning of the year following the one in which payment of the amount for the relevant year is due.

Unstructured communication, correspondence, complaints, signals, etc.

5 years

In cases where the correspondence concerns a long-term contract, the period starts running from the complete performance and/or termination of the contract.

Data relating to reservation of restaurant services by phone

Up to 1 year

System logs. Logs related to security, technical support, etc. (these may contain information such as: date and time, IP address, URL, information about the browser version and device)

Up to 1 year

Data from video recordings

2 months

Data from feedback cards/client’s ratings

  • The information from the feedback cards is filled in the internal systems of Dedo Pene in a fully anonymized form (only the feedback, comments and recommendations) without any information regarding the person who has given this feedback. After that the feedback cards are destroyed immediately.
  • Up to 30 days after they have been filled in
  • Personal data included in client’s ratings, published on bookings websites, shall be stored for the periods specified by the relevant websites

Data processed on the grounds of Data Subject’s explicit consent

As of the moment of obtaining the consent till its withdrawal by the Data Subject

The personal data referred to in this Policy may also be processed for a longer period than the ones specified above if this is necessary to achieve the objectives set forth therein or to protect the rights and/or legitimate interests (including in legal proceedings) of Dedo Pene or if the current legislation provides for data processing for a longer period.

Rights of the Data Subjects Regarding Their Personal Data
  1. In relation to the processing of the personal data concerning him/her, each Data Subject has the following rights:
    1. right of access and information – to be provided with information on the processing of his/her personal data from us and to have access to the processed personal data;
    2. right of rectification – to require his/her personal data to be rectified and completed if the data are inaccurate or incomplete;
    3. right of erasure – to require his/her personal data to be erased if there are the grounds for this provided for in the Regulation;
    4. right of restriction of personal data processing – to require that we restrict the processing of his/her personal data within the limits provided for the Regulation if there are the grounds for this set forth therein;
    5. right to notify third parties – to require that we notify the third parties to whom his/her personal data have been disclosed of any rectification, erasure or restriction of the processing of his/her personal data unless this proves impossible or involves disproportionate effort from us;
    6. right of data portability – to receive the personal data concerning him/her and which he/she has provided to us, in a structured, commonly used, machine-readable format, as well as to have the right to transmit such data to another controller without any hindrance on our part;
    7. right not to be a subject to an automated decision which is based solely on automated processing (i.е. processing without human intervention), including profiling within the meaning of the Regulation. We at Dedo Pene do not use programmes for automated personal data processing and decision making, including your profiling;
    8. right to withdraw consent for processing – where personal data processing is based solely on consent given by the Data Subject, the latter shall have the right to withdraw his/her consent at any time. Such withdrawal shall not affect the lawfulness of the processing based on consent before its withdrawal;
    9. right to object - the Data Subject shall have the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her, including profiling within the meaning of the Regulation, based on public interest, exercise of official authority and the legitimate interests of Dedo Pene or a third party. In these cases, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or where necessary for establishing, exercising or defending legal claims.
  2. The Data Subject may exercise his/her personal data protection rights by personally submitting a written request at the address specified in Item 2 of this Policy or by sending a written non-anonymous request by post.
  3. The Data Subject may exercise the rights relating to his/her personal data also through an explicitly authorized person (with a power of attorney certified by a notary). Part of the rights may also be exercised through the functionalities available on the Website.

Data Security
  1. We will take reasonable measures to: (a) protect personal data against unauthorized access, disclosure, change or destruction, and (b) maintain accurate and updated personal information, as appropriate. We also require from service providers, with whom we share personal data, to take measures analogical to ours, for the provision of confidentiality for your personal data. Such protection is in place with respect to the information which we keep electronically or on a paper copy. The access to your personal information is restricted to specific personnel or representatives. In addition we use generally accepted techniques for protection of the information such as firewalls, access control, etc. However, regrettably, there is no security system or data transfer system online, which is guaranteed to be completely secured, and in case of breach, we are under the responsibility to address the case to the persons and authorities concerned.

Right to Lodge a Complaint with a Supervisory Authority
  1. Any Data Subject has the right to lodge a complaint with a personal data supervisory authority.

    Supervisory authority in the Republic of Bulgaria is: Commission for Personal Data Protection
    Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592

Explanations and Additional Information
  1. The Data Subject may seek clarifications regarding the content, the grounds and the way of exercising his/her rights under this Policy, as well as any additional information regarding his/her rights regarding the processing of personal data by DEDO PENE V+V Ltd on the contact details given in Item 2 above.

This Privacy Policy has been drafted by DEDO PENE V+V Ltd in its capacity as data controller to fulfill its obligations to provide information to the data subjects under Art. 13 and Art. 14 of Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

This Privacy Policy will take effect from 25.05.2018.