Personal Data Protection Policy

The policy of GullivAir for your personal data processing is a policy of transparency, accountability and strict compliancy with the applicable law.

1.Data controller


PIN: 203947405

Administrative offices

80, Christopher Columbus Blvd.

Sofia 1592, Bulgaria

2.What data do we process, purpose and legal basis

2.1.What data do we process?

When you book a flight or flight-related services using our website, app, telephone, e-mail or a third party, you should voluntarily provide us with your personal information including:

2.1.1.Passenger name record (PNR) – names, mobile telephone numbers, e-mail address (mobile telephone number of a close relative or friend), route, dates of the planned journey, date of reservation, PNR number, number, date and place of issue of ticket, GullivAir loyalty card number, travel agent, travel status, number, baggage, seat number, full payment details, including billing address, number and names of the other passengers in the PNR, including all the information about minors, advance passenger information, history of changes in the PNR.

When you book a flight via our website or app, telephone or office, you will receive your flight related information such as additional flight services and online check-in or flight irregularities notifications on the e-mail address your gave during reservation. You can object at any time your flight related information, using the corresponding link in your messages.

However, that will not stop the flight irregularities notifications.

The e-mails sent by GullivAir are not encrypted.

2.1.2.The details of your bank card, e-mail address and billing address - upon the completion of your reservation with the purchase of a ticket or a flight related service.

2.1.3.Advance Passenger Information – (API), including your names, number, validity and country of issue of your identification document, gender, nationality and date of birth.

Visa information, including its number, validity, date and place of issue, date and place of birth, where applicable.

Your address for the first night at destination, if you travel to the United states of America.

2.1.4.When you register you GullivAir profile or for the participation in our loyalty programme via our website or app, we will need your names, date of birth, mobile telephone, e-mail address, language settings, country, preferred departure airport, flight preferences, password. The provision of data in that respect is not required by law, however you will be able to enjoy services available only for customers with a GullivAir profile and the members of our loyalty programme, such as offers tailored especially for you, and quick access and services in our onboard Wi Fi entertainment.

The data provided will be given voluntarily by you during the process of registration, however you may delete your GullivAir profile at any time, if choose so. However, that will not stop the irregularities notifications for your booked flights or flight-related services.

2.1.5.By giving us your express consent and by the provision of your medical certificate or information about your health, physical and medical condition, you agree that we could process your data in case you need any additional services, or high standard of specialized care during flight, as well as in case we need to assess your suitability for air travel, or to protect the health of other passengers. It is our contractual obligation and we are legally obliged to ensure that passengers who have purchased the relevant services from us will be able to receive appropriate assistance.

2.1.6.In strict compliance with legal requirements and our internal rules, we automatically collect limited information when you access or use our site. To improve our services and proper functioning of the site, we use the so-called cookies, small pieces of data, stored in text files, sent by the web server to the user’s browser. The browser may store it and send it back to same server, if there would be further requests. This allows feedback to be collected from the server. Users may disable the use of cookies by their respective browser, however that might prevent the use of all the functionalities of the site. For further information on the use of cookies, you might refer to:

2.1.7. The information which you provide for marketing purposes includes your names, title, gender, country, preferred language, airport preference and e-mail address.

We do not provide your data to third parties for sending commercial information. The company might inform you about its new products, promotions and services, that are similar to those you have already purchased, only after receiving your express consent, which you can withdraw at any time, through the relevant clearly marked links for unsubscribing in our marketing messages, or by sending an e-mail with the subject "Unsubscribe" through our contact form, or to our Data security department at our address: GullivAir, Data security department, 80, Christopher Columbus Blvd. Sofia 1592, Bulgaria.

The withdrawal of your consent will immediately terminate the use of your e-mail for marketing purposes, but will not terminate the receipt of messages on your mobile phone and e-mail address in case you have purchased a flight from us and we need to inform you about flight irregularities.

2.2.What is the purpose and the legal basis of your data processing?

We process personal data under the provisions of the EU General data protection regulation 2016/679 (GDPR) and the Bulgarian Personal data protection act, strictly for the purpose for which it was provided:

2.2.1.To fulfill our contractual obligations, as well as due to the regulations of local authorities and under Art. 6, paragraph 1 (b) GDPR, such as:

  • issuing flight tickets
  • sending booking confirmations and irregularities notifications
  • providing flight related services
  • check-in procedure

2.2.2.To protect and fulfill our legitimate interests, as well as the interests of third parties pursuant to Art. 6, paragraph 1 (f) GDPR, such as:

  • provision of information about booked flights
  • guaranteeing flight security
  • safeguarding IT security of GullivAir
  • investigating and prosecuting criminal offences
  • auditing purposes
  • enforcing legal claims

2.2.3.For marketing or promotional purposes, based on your explicit consent, under Art. 6, paragraph 1 (a) GDPR, such as:

  • sending newsletters and regular and personalized offers
  • personalized use of website marketing
  • customer surveys and market research, used to monitor or improve our -services

Pursuant to Art. 7, paragraph 3, consent can be withdrawn at any time. However, “the withdrawal of consent shall not affect the lawfulness of processing, based on consent before withdrawal.”

2.2.4.For the compliance with legal obligation to which the controller is subject, pursuant to Art. 6, paragraph 1 (c) GDPR.

Herein, the obligation to provide information to the competent authorities in accordance with the applicable law.

Under Art. 42 (b) of the Bulgarian State agency for national security act (SANS), the air carriers are obliged to provide to the National Unit, under Art. 11 (a) of SANS, the reservation data of passengers for all flights in, to and from Bulgaria.

Based on our bilateral and multilateral agreements, as well as applicable regulations in the points destination/departure we are obliged to transmit data to immigration authorities.

API is required when traveling to/from certain destinations, to the extent we are oblidged to participate in international travel control activities. The airline may be forced to refuse carriage if it does not have the information required by the relevant legislation and border authorities.

To fight pandemic, data is transmitted to the relevant authorities.

2.2.5.Special categories of personal data as to Art. 4, paragraph 15 GDPR, including the information connected with Covid-19 pandemic, are processed following:

  • your explicit consent, pursuant to Art. 9, paragraph 2 (a) GDPR, according to the conditions of Art. 9, paragraph 2 (i) and on the basis of Art. 9, paragraph (b), (c) and (e) and under the strict guarantees, based on Art.9, paragraph 1(a).

3. Sharing data with third parties

3.1.When booking and purchasing services via GullivAir reservation system, by e-mail, by phone or in the company's office, based on your contract with us, your data may be shared with third parties - partner airlines, groundhandling services at airports, other service providers, subcontractors and agents.

According to national legislation, government and law enforcement agencies may request certain data in order to protect the rights and safety of our customers and employees, as well as our assets.

When traveling to certain destinations, pursuant to the requirements of national immigration regulations, your personal data must be transferred in advance for the purpose of border control and security.

Directive (EU) 2016/681 of the European Parliement and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for prevention, detection, investigation and prosecution of terrorist offences and serious crimes obliges air carriers to transfer relevant PNR data to the corresponding national units.

Technologies providing highest level of security for your data are used during online payments with bank cards.

Your data may be shared with third parties to the minimum amount necessary to provide your contractual services.

3.2. GullivAir receives your data from third parties as well, such as tour operators and travel agents booking scheduled and charter flights tickets or other services.

4. Rights of data subjects

Based on the applicable legislation for the rights of the data subjects, you have the right to access the personal data we process. You could request information, you could ask for rectification, restrict and object processing, or exercise your right for data portability or deletion (the right “to be forgotten”).

If you do not provide or withdraw your consent to the processing of your data, including sensitive one, where applicable, we may not be able to provide you with the full range of services you have booked and therefore, the airline may be forced to refuse carriage and cancel your flights and flight-related services with no right to refund the bookings.

The subject of data has the right to access the personal data we process, however in certain cases, in accordance with Art. 53 of the Bulgarian Personal data act, the air company may:

  • refuse to take actions in regard to your request;
  • charge you a fee for taking action in regard to your request, as well as request additional information confirming the identity of the data subject and the data of your reservations.

Every data subject has the right to file a complaint regarding the way we process data with the Commission for personal data protection at: 2, Prof. Tsvetan Lazarov Blvd, Sofia 1592, website:

5. How to contact us if you have questions about your personal data?

You could address your questions concerning the processing of your personal data to the GullivAir Data Protection Officer at:

Administrative Offices

Data Security Department

80, Christopher Columbus Blvd.

Sofia 1592


6.Amendments to GullivAir Personal data protection policy

Our Personal data protection policy forms an integral part of the company’s General conditions of carriage.

GullivAir reserves its right to update it in case our company’s policies or applicable legislation is amended.

Booking and purchasing of our services means that the user knows and accepts the current version of GullivAir Personal Data Protection Policy.

Last updated: 27 November 2020