Personal Data Protection Policy
This Policy has been drafted taking into account the applicable National and EU legal framework for the protection of personal data and in particular the General Data Protection Regulation (EU) 2016/679 (“the Regulation”) and Law 4624/2019.
For the purposes of this Policy, the following terms have the following meanings:
“Personal Data”: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Processing”: means any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his or her appointment may be provided for by Union or Member State law.
“Processor”: means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Data Subject”: the natural person whose personal data are processed. In this particular case, the Data Subject is considered to be any user of our Website.
“Consent” of the data subject: any freely given, specific, explicit and fully informed indication of intent by which the data subject signifies his or her agreement, by declaration or by a clear affirmative action, to the processing of personal data concerning him or her.
“Personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
“Existing legislation”: The respective national and EU legislation on personal data protection and in particular the General Data Protection Regulation (EU) 2016/679, Law 4624/2019 “Personal Data Protection Authority, measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and transposing into national law Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data”.
General Principles for the Processing of Personal Data
When the Company processes personal data, it shall:
- Process such data lawfully, in accordance with the provisions of existing legislation and the conditions laid down therein, subjecting them to lawful and fair processing in a transparent manner in relation to the data subject (Principle of Lawfulness, Objectivity and Transparency).
- Process personal data only for specified, explicit and legitimate purposes and not further process them in a way incompatible with those purposes (Principle of Purpose Limitation).
- Ensure that personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed (Principle of Data Minimisation).
- Take appropriate technical and organisational measures so that personal data are processed in a way that ensures an adequate level of protection and security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage. In addition, periodically review the adequacy and effectiveness of these measures (Integrity and Confidentiality Principle).
- Make the necessary efforts to ensure that the personal data it holds and processes are always accurate and up-to-date and that all reasonable steps are taken to promptly delete or correct personal data that are inaccurate in relation to the purposes of the processing (Principle of Accuracy).
- Not retain the personal data collected for a period longer than is necessary for the purposes for which they were collected and processed. However, it may retain them for a longer period if the processing of these data is necessary:
i. to comply with a legal obligation that requires processing under a provision of law,
ii. for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company,
iii. for reasons of public interest,
iv. for archiving purposes in the public interest, or for scientific or historical research purposes, or for statistical purposes, after appropriate technical and organisational measures have been taken, including pseudonymisation, and only if these purposes cannot be served by anonymisation of the data,
v. for the establishment, exercise or defence of legal claims (The Limitation of Storage Period Principle).
- Take the necessary measures to comply with the requirements of the Existing Legislation and to be able to prove at any time that it complies with the above (Accountability Principle).
Personal Data We Collect and Process, Purpose of Processing and Lawful Basis.
The Company, in the context of the services and functions of this Website, may collect personal data of its visitors as follows:
I. Personal data collected through the contact form.
Through the online contact form available on the Website, the user has the possibility to contact the Company. In case the user wishes to use this service, he/she should fill in the relevant fields: (a) his/her name, (b) his/her e-mail address, (c) the subject of his/her message, as well as (d) any further information he/she wishes to communicate by filling in the “Message” field.
Purpose of Processing and Lawful Basis.
The purpose of the collection and processing of such personal data is the provision of the Company’s services in the field of hospitality and tourism, the direct contact of the user with the Company, the Company’s optimal response to the user and its service as well as the satisfaction of the user’s requests. The legitimate basis for processing the personal data of the users is the legitimate interest of the Company to provide high quality services to the users of the Website, to facilitate communication with the community and to process the requests received in the context of its operation (G.D.P.R. article 6 paragraph 1 point f).
II. Personal Data collected while browsing the Company’s Website.
Purpose of Processing and Lawful Basis.
The purpose of collecting and processing such personal data is to ensure the optimal operation and design of the website and to provide high quality services. The legitimate basis for the processing of users’ personal data is the legitimate interest of the Company to provide high quality services to the users of the Website (Article 6(1)(f) of the G.D.P.R.).
III. Personal Data collected by subscribing to the newsletter.
This Website may collect data provided by users when they subscribe to the update list, such as their full name and email address.
Purpose of Processing and Lawful Basis.
The purpose of the collection and processing of such personal data is the Company’s communication with users and the sending of informative material regarding the Company’s services, products and offers. The legal basis of the processing is the prior consent of the users.
Data collected when making a reservation through the Website.
If a reservation is made through the Website, your full name, address (street and number), city, country, telephone number, email address, credit card details (card type, card number, security code, expiry date, cardholder details), and arrival and departure date are collected.
Purpose of Processing and Lawful Basis.
The reservation data is collected in order to process and handle the reservation, the payment of the relevant services, fees and charges as well as the processing of customer data in case of the need for dispute resolution. The legal basis is considered to be the execution of a contract with the customer (G.D.P.R. Article 6(1)(b)) and the safeguarding of the legitimate interests of the Company (G.D.P.R. Article 6(1)(f)).
Social media buttons.
On our Website, there are social media widgets from social networks (e.g. Facebook and Instagram), through the use of which, after the user logs in to the social network, a special digital fingerprint of the user is created, for which both the Company and the social network itself act as joint controllers.
For more information on the data processing policy and the configuration options of these networks, please visit the following websites:
Purpose of Processing and Lawful Basis.
The purpose of collecting and processing such data is to improve the services provided by us and in general the user’s experience when visiting the Website. The legitimate basis for processing the personal data of users is the legitimate interest of the Company to provide high quality services to the users of the Website (G.D.P.R. article 6(1)(f)).
Personal Data of Minor Users.
The Company does not address minors and does not wish to collect and process personal data of minors (i.e. persons under the age of 18). However, since it is impossible to cross-check and verify the age of the users of our Website, we ask the parents/guardians of minors, in case they find any unauthorized data disclosure on behalf of minors, to immediately notify the Company, so that it can take the necessary protective measures (e.g. immediate deletion of their data). If the Company becomes aware that it has collected personal data of a minor, it undertakes to delete them immediately and to take all necessary measures to protect such data.
Data Protection Impact Assessment (DPIA)
Where a type of processing is likely to present a high risk to the rights and freedoms of natural persons, Company shall carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (“impact assessment”). An impact assessment is a process designed to describe the processing, assess its necessity and proportionality and assist in risk management by evaluating and defining measures to address the risks. It is not required for every form of processing, but only in cases where a form of processing is considered high risk. The impact assessment takes into account the nature, scope, overall context and purposes of the processing in order to assess whether a risk is likely to occur, as well as its seriousness for the rights and freedoms of data subjects.
How do we ensure that Processors respect your Personal Data?
Company, in the context of its activities, may transfer data to third parties and/or allow access to them (legal or natural persons) acting as processors and/or sub-processors, to support its operation and serve its purposes, such as, for example, transferring data to service providers, website developers, cloud service providers, application development support companies, etc.
Our partner companies that act as processors and/or sub-processors on our behalf have agreed and contractually bound themselves to the Company to:
- maintain confidentiality and ensure data confidentiality,
- process the data only for a specific purpose and for no other purpose,
- not transmit data to third parties,
- take appropriate organisational and technical security measures to ensure data protection,
- comply with the legal framework for the protection of personal data and in particular the Regulation and Law 4624/2019.
Transfers to third parties
Users’ personal data may be transferred to public authorities, independent authorities, etc. in the exercise of their duties, either on their own initiative or at the request of a third party with a legitimate interest, following all legal procedures and subject to appropriate safeguards to ensure the protection of personal data. Company reserves the right to disclose and/or transmit personal data to a third party to whom it may transfer or merge parts of its business or assets. In the event of a change in our business, the new owners have the right to use your personal data in the same way as set out in this Policy.
Transfer of Personal Data outside the EU
In case of transfer of personal data of users collected through our Website to a country outside the European Union (EU) or the European Economic Area (EEA), Company will first check whether:
a) the European Commission has issued an adequacy decision for the third country to which the transfer is to be made.
b) the appropriate safeguards in accordance with the Regulation are met for the transfer of such data.
Otherwise, the transfer to a third country is prohibited and the Company will not transfer users’ personal data to that country, unless one of the specific exceptions provided for in the Regulation applies (e.g. the express consent of the user and his/her information on the risks involved in the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support legal claims and vital interests of the user, etc.). If in the context of its lawful activities there is a need to transfer personal data outside the EU, the Company shall select the appropriate legal transfer mechanisms in full compliance with the Regulation and the Existing Legislation and shall inform the data subjects accordingly.
Data Retention Period
The personal data of users are collected and kept for a predetermined and limited period of time, depending on the purpose of processing, after which the data are deleted from the archives of Company. When processing is imposed as an obligation by provisions of the applicable legal framework or a specific retention period is provided, your personal data will be stored for as long as the relevant provisions require. Users’ personal data processed with consent will be kept until the consent is withdrawn, without this withdrawal affecting the lawfulness of the processing up to that point.
Security of Personal Data
All officers and employees of Company are responsible for ensuring that the personal data held and processed by the Company are kept securely and are not disclosed or transmitted to any third party, unless the third party is authorized by the Company to receive and process such information in the context of (a) the legitimate activities of Company and if it has entered into a corresponding confidentiality agreement or (b) there is a legal obligation to do so by law or by court order or (c) there is a legal obligation to do so.
Company takes all appropriate technical and organizational measures for the security of the personal data it holds and processes. Although no method of transmission over the Internet or method of electronic storage is completely secure, the Company takes all necessary digital data security measures (antivirus, firewall, etc.).
Company applies, both at the time of determining the means of processing and at the time of processing, appropriate technical and organizational measures designed to apply data protection principles and incorporate the necessary safeguards in the processing in such a way as to meet the requirements of the G.D.P.R. and protect the rights of data subjects (data protection by design).
Company shall implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for the purpose of the processing are processed (data protection by default).
Company shall ensure that the personnel involved in the collection and processing of personal data are adequately informed and trained.
In case of a personal data breach, the Company shall promptly inform the Personal Data Protection Authority, unless the breach is unlikely to cause a risk to the rights and freedoms of natural persons, providing all required information and documentation. If the breach is likely to pose a high risk to the rights and freedoms of natural persons, Company shall promptly notify the data subjects of the breach in question, unless such notification requires a disproportionate effort, or in the meantime the Company has implemented appropriate technical and organisational protection measures on the data affected by the breach that render it incomprehensible to unauthorised users, or in the meantime the Company has taken measures to ensure that the data affected by the breach are not accessible to unauthorised users.
Company ensures that it is able to respond immediately to the requests of users, for the exercise of their rights in accordance with the Existing Legislation.
In particular, each user has the following rights:
a) The User has the right to access his/her Data: to request information on the processing of his/her personal data by Company; to request access to his/her personal data held by Company. More specifically, he/she may request to receive a copy of his/her personal data held and to check the lawfulness of the processing.
b) Right to rectification of inaccurate data: Request the correction of personal data in case they are inaccurate or incomplete.
c) Right to erasure: To request the erasure of his/her personal data if their retention is not based on any legitimate basis or legitimate interest.
d) Right to restriction of processing: To request restriction of the processing of his/her personal data, subject to specific conditions.
e) Right to data portability: to request the portability/transmission of his/her personal data either to himself/herself or to third parties.
f) Right of Withdrawal/Objection: Revoke at any time the consent given for the processing of his/her personal data, without this revocation affecting the lawfulness of the processing up to that point, to object to the processing of his/her personal data by
To exercise your rights, you may contact us at firstname.lastname@example.org by submitting a request: a) for the correction or deletion of the personal data you have entered or in any other way you have provided or we have collected through our Website, b) for the restriction of the processing of the personal data you have entered or in any other way you have provided or we have collected through our Website, c) to object to the processing of the personal data you have entered or in any other way you have provided or we have collected through our Website, d) to the processing of the personal data you have entered or in any other way you have provided or we have collected through our Website. In case of exercise of any of the above rights, Company shall provide the data subject with information on the processing operations upon request submitted within one (1) month from the receipt of the request and the identification of the data subject. This time limit may be extended by two (2) more months, if necessary, if the request is complex or there is a large number of requests. In this case, the Company shall, within one (1) month of receipt of the request, inform the user of the delay and the reasons for it.
The Company may refuse to comply in whole or in part with a request received from the data subject only where this possibility is provided for by the Regulation or national legislation.
If a request from the data subject is manifestly unfounded or excessive, in particular because of its repetitive nature, the Company may make compliance with it subject to the payment of a reasonable charge to cover the administrative costs involved in complying with it or refuse to comply with the request.
Disclaimer for Third Party Websites
In case our Website contains links that redirect users to third party websites, we inform you that Company does not control and is not responsible for any risk or damage (positive/negative) suffered by the user from the use of the content of the Website and these websites, nor for the way in which the personal data of users are processed. Company takes all necessary measures to ensure that this Website is a safe environment for users, providing them with valid, reliable and up-to-date information.
Right of recourse to the Personal Data Protection Authority
For any complaint regarding this Policy or personal data protection issues, if we do not satisfy your request, and you believe that your personal data protection is in any way affected, you may submit a complaint through a dedicated portal (https://www.dpa.gr/el/syndesi/prosvasi) to the Personal Data Protection Authority (PPA) (Athens, 1-3 Kifissia Avenue, P.O. Box 115 23, tel: +30 2106475600). Detailed instructions for lodging a complaint are available on the Authority’s website (https://www.dpa.gr/el/polites/katagelia_stin_arxi).
Last Revision: July 2022