Privacy Policy

The Privacy Policy captures the way we handle your personal information. Of course, it is a prerequisite for its application to collect your personal data. Therefore, if you just browse our site without having any online or other transactions with us, then all you are interested in is the cookie policy, which you can directly choose here (cookies).

The Privacy Policy is a brief summary of how we collect and process your personal information. In the course of our business activity and the operation of our business we collect and process personal data from visitors, prospective visitors, associates, staff and others in order to be able, on the one hand, to provide excellent services to our guests and, on the other, to fulfill the obligations derived from our contracts and the law.

Our goal is to process as little personal data as possible for as little time as possible. We apply policies that require minimal use of personal data and we create a security environment to process them. The Privacy Policy lists the purposes for which we process the personal data, the legal basis of the processing, the recipients of the data and the retention time. It also makes extensive reference to your rights in relation to personal data and gives you full details of those responsible in order for you to be able to exercise them.

The Privacy Policy structure follows the requirements of the General Data Protection Regulation (GDPR), but is customized to a user-friendly so that it can easily locate the area of interest.

SECTION 1
BASIC CONCEPTS AND INFORMATION

  1. Reservations/Reception/Check in
  2. Customer registration tab / file
  3. Newsletter/ Mailing list
  4. Credit/Debit card
  5. Social Media (Facebook-Instagram)
  6. Data recording on the Web (Cookies, Ad Words, Google Analytics)
    1. Data recording
    2. Links to other web sites
    3. Cookies
    4. Pixel Tags and other similar technologies
    5. Analytics
    6. Non- Pantelis Sapounakis S.A. Entities
  7. Resumes/ Curriculum Vitae (CV)
  8. Personnel
  9. Cameras / Surveillance systems
  10. Disclosures to Service Providers
  11. Data Security

SECTION 2
RIGHTS

  1. Right to receive transparent information
  2. Right to access your own data
  3. Right to rectify inaccurate data
  4. Right to Erasure („Right to be Forgotten“)
  5. Right to withdraw consent
  6. Right to limit processing
  7. Right to data portability
  8. Right of Objection
  9. Right to complain to the competent supervisory authority
  10. Updates to This Privacy Statement

SECTION 1
BASIC CONCEPTS AND INFORMATION

A. Data Controller

A Controller is the natural or legal person who decides on how to process personal data. It is the person who bears responsibility for any processing and has the obligation to answer any of your requests about them.
The Controller is our hotel and in particular the company (legal person) who manages it, whose full name is: Pantelis Sapounakis S.A. headquartered in Anissaras, Heraklion and contact phone number +302897502500 and email info@lyttosbeach.gr.

B. Data Protection Officer (DPO)

This is the name of a natural person to which the controller assigns the resolution of issues pertaining to personal data.

At this stage, for any question you may have and for exercising any of your rights relating to personal data, you can contact the Data Protection Officer Kostas Papadantonakis, tel .: +302897502515, email: audit@lyttosbeach.gr

C. Processing Purposes

We process your personal data in order to be able to provide you with all the services and to achieve our business goals with security for your privacy.

In order to facilitate your information, the purposes of processing your personal data are listed below. For each purpose a corresponding analysis of the GDPR requirements is made. You can use the hyperlinks of the content if you wish to select one of the purposes.

1. Reservations/Reception/Check in

Reservations can be made by phone, via our website, by email, by fax, through partner offices or directly at the reception. In any of the above cases, the following personal data are collected:

  • Name/Surname
  • Arrival date
  • Departure date
  • Type of accommodation
  • Postal address
  • Date of birthday
  • Country
  • Nationality
  • Passport No.
  • E-mail address
  • Full credit card details
  • Special requirements

Purpose of data processing. The purpose of collecting this information is to allow us to identify the visitor making the reservation in order to predict, keep and prepare the appropriate space with the appropriate preferences so that (upon check-in) we are able to deliver the corresponding space. We need to record credit card details in order to be able to collect the remuneration of the reservation in accordance with the terms of the agreement in the event that the guest makes a reservation or cancels and does not check in at the hotel.  We need to use the email address in case of relaying information about booking changes, the booking itself, or comments about our services.  We must maintain all the data about special preferences (i.e. the additional services requested by the customer) in order to be able to provide services to the customer and to justify the charge and the benefits requested.

Legal basis for the processing of data. The legal basis for the processing is the contract between us (including the pre-contractual stage) and the need to protect our legitimate interests, namely maintaining a high quality of service. Indeed, sending an email after staying on our premises to learn about the quality of our services and your comments does not affect your fundamental rights, but instead allows you, if you wish, to exercise your right of expressing your view about our services and suggest ways to improve them. If you do not provide the above personal information, we will either not be able to book a room for you or we will not be able to provide you with the services you are requesting or we will not be able to contact you if there is a problem.

Data transfer outside the EU. Your data is not transferred to non-EU countries.

Data processing period. We process personal reservation data differently in terms of holding time, depending on the individual purpose of their processing, for example we keep the registration for the name and the date of check-in for a period depending on the retention period of data about your stay and preferences for special services, while the email address for a period up to the completion of the transaction between us if you have not given consent to our sending newsletters. In some cases, we have a legal obligation to retain personal data for a longer period, e.g. for the Municipality in relation to the hotel guests and the payment of a relevant fee for as long as the law provides. If you have given your consent to process the address data for future communication, it is retained for as long as you have consented, as a rule for 20 years. You may withdraw your consent at any time, but the withdrawal of consent will not affect the legitimacy of consent-based treatment before it is withdrawn.  We delete all personal data after the end of the above periods.

Recipients of your personal information. Your personal data can be forwarded to the relevant authorities or a third-party partner.  If you wish to exercise any of your rights listed in Section 2 in relation to the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email.

2. Customer registration tab / file

We keep a customer database, with each individual tab concerning a single customer. The following personal data are recorded in this tab:

  • Name/Surname
  • Time of stay
  • Gender
  • Age
  • Nationality
  • E-mail address

Purpose of data processing. Our customer tab serves to manage the customers‘ requirements and to deliver our services. Every transaction and every service provided to our client remains on the tab in order to meet our statutory and contractual obligations, and to satisfy our high standard of service requirements.

Legal basis of data processing. For the maintenance of a customer database, the legal bases are: 1) the law, which requires the retention of data due to the issue of receipts and invoices, for tax audits and because of municipal and police provisions, 2) the contract with the customers for the provision of hotel services, catering and recreation services and to allow invoicing, payment by bank and justification of charges in cases of dispute, 3) the legitimate interest of the company in being able to systematically manage its clientele in order to provide excellent services, of a high and competitive level, and to know and facilitate its customers, and (4) your consent for certain specific processes (preferences, updates, etc.). Your data are only then entered on the tab in order to facilitate future bookings and service of specific choices and needs without the need to re-enter your data. You may withdraw your consent at any time, but the withdrawal of consent will not affect the legitimacy of the processing for the period before it is withdrawn.

Data transfer outside the EU. Your data is not transferred to non-EU countries.

Data processing period.  We maintain and process your personal data for the above purpose in a different manner as appropriate. For tax audits, invoice data is retained for twenty years after client’s departure. For municipal and police provisions, data is retained for as long as the law provides, and however up to five years, and then deleted. For the needs of servicing the contracts and then any disputes arising from them, twenty years after the departure. Communication data shall be retained for as long as necessary for any post-service provision of post-service issues and shall then be deleted unless consent has been given for their retention and shall be retained for 5 years and then deleted. The amount of your personal data that is retained over a period of time as above differs, as for example for tax audits it is not necessary to maintain your email address or our service choices or respectively for our communication it is not necessary to maintain credit card data, etc., so keeping your data by category for different periods.

Recipients of your personal information. Your personal data can be forwarded to the relevant authorities or a third-party partner.

If you wish to exercise any of your rights listed in Section 2 in relation to the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email.

3. Newsletter/ Mailing list

We collect data for the purpose of communicating with you. Specifically:

  • your email address

The purpose of processing is to maintain our communication with you and to send you business news about new services, offers, activities and events. We want to engage with you in a way that is meaningful to you. We recognize that you may only want to hear from us in a limited way.

You may choose to unsubscribe from our newsletters by clicking the link at the bottom of one of our communications.

*Please note that even if you choose to opt-out of communications with us, we will continue to send you transactional messages about your specific reservation or stay with us, such as pre-arrival, confirmation and guest satisfaction surveys.

The legal basis of data processing is your consent. This consent has been received by you either upon your arrival at the hotel or during your stay in this or any other contact we have had with you. Without your consent to processing your data, we will not be able to send you newsletters about our offers, discounts and new services that may be of interest to you. Besides, if you are a customer of our hotel, then because of the contract between us it is possible to keep in touch with you to find out if you are happy with our services and help us improve them and also to inform you about our new programs and services. You have the right at any time to oppose our further communication with you.

Data processing period. We renew our list every ten years. Therefore, you will receive a message again in order to resubmit your consent otherwise after the lapse of time we will delete from our database the specific personal data of your e-mail address.

Data transfer outside the EU. Your data is not transferred to non-EU countries.

Recipients of your personal information. Your personal data can be forwarded to the relevant authorities or a third-party partner.

If you wish to exercise any of your rights listed in Section 2 in relation to the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email.

4. Credit/Debit card

In some cases of a room reservation, we ask you to give us the following details of credit/debit card:

  • Cardholder name and typed of credit/debit card
  • Credit/debit card number
  • Security number (CVV)
  • Expiry date

The purpose of processing. Provide a reservation and charge the total amount of the reservation or only part thereof, depending on the cancellation.

The legal basis of data processing. The execution of the contract concluded for the provision of room reservation as a service. The provision of data is mandatory as it is the requirement to provide the service and the security of the payment.

If in any form regarding your booking you acknowledge your specific consent for your credit / debit card data to be retained for other transactions as well, the legal basis for our processing your data will be your consent for this processing. You may withdraw your consent at any time, but the withdrawal of consent will not affect the legitimacy of consent-based treatment before it is withdrawn.

Data processing period. Credit / debit card data are disclosed solely for transaction purposes and only to authorized persons. Upon departure from the hotel, these data are not disclosed, and access to these data is avoided. The data are deleted within six months of the transaction and if it is completed. In cases of consent, your personal data are retained for as long as your credit card is valid.

Data transfer outside the EU. Your data is not transferred to non-EU countries.

Recipients of your personal information. Your personal data can be forwarded to the relevant authorities or a third-party partner.

If you wish to exercise any of your rights listed in Section 2 in relation to the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email.

5. Social Media (Facebook-Instagram)

Our company may communicate with you through social networks, and specifically through Facebook or Instagram.

By clicking the „Like“ and „Follow“ buttons on this page, Facebook users can subscribe to the News Feed published on the page. Clicking the „Decline Like“ button they can be deleted.

The Company may have access to its „friends“ profiles, however, it does not record or process them in its system.

The purpose of data processing. The purpose of processing the personal data of Facebook and Instagram users (friends) is to share the content of the page with them. Users and company share news and offers, keeping in touch. This helps to make the company familiar to the public and to promote its services to those who choose it.

The legal basis of data processing. The processing of personal data relies upon the consent of the subject. Consent can be revoked at any time by unsubscribing. Withdrawal of consent does not affect the legitimate processing that took place before the revocation. If the consent is revoked, the user will no longer receive notifications.

Data processing period. The processing of personal data takes place as long as the consent exists and is interrupted when it is revoked. No personal data are stored or further stored and processed.

The company publishes photos / videos about various events, etc. on her Facebook page and Instagram. The photos that are published are always of groups and always relate to the events without allowing any other conclusions about the participants as the selection of the photos is made in such a way that they do not exhibit exceptional conditions and are usually taken with the consent of the subjects within the company’s premises in locations where an event took place. Any unauthorized mention of any element identifying the subjects is avoided. If it is not a photo of a group of people, the company always requests the prior written consent of the data subjects prior to publication. You have the right to request removal of a photo that includes you. The company proceeds to do so in order to promote its services and considers that this does not violate the fundamental freedoms of the subjects. Keeps photos for six months from the day of the event and then deletes them.

Facebook and Instagram record your personal information independently of us. Every time you visit our pages on Facebook and Instagram, these businesses collect and process your personal data without our own intervention or knowledge. They are processors independent of us. You can configure your own parameters and learn about data processing performed by these businesses. Visit the links below for more information on Facebook’s data editing and Facebook guidelines on websites: https://www.facebook.com/policies/cookies/ and https://www.facebook.com/about/privacy/update and for Instagram: the page  www.help.instagram.com

Data transfer outside the EU. Your data is not transferred to non-EU countries.

Recipients of your personal information. Your personal data can be forwarded to the relevant authorities or a third-party partner.

If you wish to exercise any of your rights listed in Section 2 in relation to the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email.

6. Data recording on the Web (Cookies, Ad Words, Google Analytics)

6.1 Data recording

When you open our site on a device (such as a laptop or a desktop computer, smartphone or tablet), this device will automatically record data. Data that are automatically recorded include:

  • the IP address of your device. We collect your IP address, a number that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP). An IP address is identified and logged automatically in our server log files when a user accesses the Online Services, along with the time of the visit and the pages that were visited. We use IP addresses to calculate usage levels, diagnose server problems and administer the Online Services. We also may derive your approximate location from your IP address.
  • the date and time of your visit to our site
  • the type of browser
  • the name and address of your internet service provider.
  • Browser and device data
  • App usage data
  • Data collected through cookies, pixel tags and other technologies
  • Demographic data and other data provided by you
  • Aggregated Data. We may aggregate data that we collected and this aggregated data will not personally identify you or any other user.

The data are automatically logged by the web server of the site, without your consent or any specific activity being required by you. The system records and uses the data for the automatic production of statistical measures. These data cannot be associated with other personal data unless such an association is provided for by law. These data will only be used to correct mistakes and improve the quality of our services and for statistical purposes. More information:  https://support.google.com/analytics/answer/2611268?hl=el

Purpose of data processing. The technical development of the IT system, the monitoring of the service and the production of statistics. In the case of criminal activities, this data can be used – in cooperation with the user’s internet provider and the competent authorities – to identify the source of such criminal activities.

The legal basis for data processing. The data collected and processed can only lead to identification of the subject except through cooperation with the provider and only upon the related request of the Judicial authority. Otherwise, any other treatment is based on the provision of Law 3471/2006 on the issues of e-commerce services and information society services.

Data processing period. 30 days from opening our web site.

6.2. Links to other web sites

In order to anticipate your needs, our website provides links to other web sites and third parties for your convenience and information. We are not responsible for the collection, use, maintenance, sharing or disclosure of data (including personal data) by such third parties. We encourage you to contact these third parties to ask questions about their privacy practices, policies and security measures before disclosing any personal data. We recommend that you review the privacy statements and policies of linked web sites to understand how those web sites collect, use and store information

6.3. Cookies

What are cookies? Cookies are small text files that are stored on the hard disk drive of computers or smart devices until their expiration date set in the cookie and are triggered (by sending a notification to the site’s web server) whenever the web page opens in a browsing application on the device.

Purpose of data processing.  Sites use cookies to capture information about the use of the site (pages visited, time devoted to pages, browsing information, disconnections, etc.) and personal settings – but these data cannot be associated with the identity of the visitor. Cookies allow website administrators to maintain user-friendly websites and improve the experience of users who offer their sites to their visitors.

What cookies are used:

„permanent cookies“ that remain during many visits to the site and stored on your hard disk. Permanent cookies will remain stored on the computer or on the smart device after the site is closed. Such cookies are used to allow the site to track returning visitors. Permanent cookies track visitors returning by linking the server side ID to the user and are therefore an essential part of the functionality of sites that require user authentication – for example, in web shops, net-banking sites and e-mail sites. Permanent cookies do not contain personal data, they can only be used to uniquely identify users by linking them to the correct item in the database stored on the web server of the site. The inherent risk of using permanent cookies is that they can only track the web browser as opposed to the user, so if a user uses a public access point – like a computer in an Internet café or a public library – to connect to a store and fails to disconnect from the store at the end of his/her session, another person may have non-authentic access to the web store, which is falsely identified by the system as the original user (and therefore authenticated ).

„session cookies, which are automatically deleted after each visit. Session cookies are temporarily stored only on the computer or smart device while the visitor uses the site. These cookies allow the system to „remember“ certain information, so the visitor should not provide them whenever they open the site. The period of validity of session cookies is limited to the duration of the site’s use. the purpose of using session cookies is to prevent data loss (for example, when filling in a longer form). At the end of every use of the site – each session – as well as when the browser closes, cookies of this type are automatically deleted.

«Third-party cookies» are created by other websites. These sites have some content, such as ads or images, which you can see on the website you are visiting.

«Third Party Advertisers»We may use third-party advertising companies to serve advertisements regarding goods and services that may interest you when you access and use the Online Services, other websites or online services. To serve such advertisements, these companies place or recognize a unique cookie on your browser (including through the use of pixel tags)

«Third Party Advertisers»We may use third-party advertising companies to serve advertisements regarding goods and services that may interest you when you access and use the Online Services, other websites or online services. To serve such advertisements, these companies place or recognize a unique cookie on your browser (including through the use of pixel tags)

http://www.allaboutcookies.org/manage-cookies/

Keep in mind that if you choose to disable cookies, you limit the functionality of the site.

The legal basis for processing as far as cookies are concerned is their necessity for the functionality of the website. These cookies are necessary for the proper operation of the site, so in these cases the legal basis for data processing is the law itself.

Recipients of your personal information. Your personal data (the respective ones in each instance) can be forwarded to the relevant authorities or a third party partner.

6.4 Pixel Tags and other similar technologies

We collect data from pixel tags (also known as web beacons and clear GIFs), which are used with some Online Services to, among other things, track the actions of users of the Online Services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Online Services

6.5 Analytics

We collect data through Google Analytics and Adobe Analytics, which use cookies and technologies to collect and analyze data about the use of the Services. These services collect data regarding the use of other websites, apps and online resources. We use Google Analytics and Google AdWords, services which transmit website traffic data to Google servers. Google Analytics does not identify individual users and does not associate your IP address with any other data held by Google. We use reports provided by Google to help us understand website traffic and webpage usage and optimize advertisements bought from Google’s own and other advertising networks. Google may process the data in the manner described in Google’s Privacy Policy and for the purposes set out above in this section. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/ and opt out by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

We collect certain data through your browser or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, internet browser type and version and the name and version of the Online Services (such as the Apps) you are using. We use this data to ensure that the Online Services function properly. https://support.google.com/analytics/answer/2611268?hl=el

We also use Yandex Metrica and Yandex Direct services, which collect user- and session parameters via cookies. Information collected by such cookies does not reveal your identity, but it can help us to improve our website performance. Information about your use of this website will be transferred to Yandex and stored on Yandex’s servers. Yandex will process this information to assess how you use the website, compile reports for us on our website operation, and provide other services. Yandex processes this information as specified in Yandex Privacy Policy.

Our website also uses Facebook pixel, which collects anonymized aggregated data that helps us with optimization of ad purchases on Facebooks different platforms (including Instagram). Facebook collects a user id that will allow them to match if a user has visited a site with the Facebook pixel. We as advertisers can however never identify the behavior of a specific user. Facebook and its related platforms are in a closed advertising ecosystem where their users can regulate if they consent to advertisers using data collected from their websites to purchase ads on Facebook.

6.6 Non- Pantelis Sapounakis S.A. Entities.

This Privacy Statement does not address, and we are not responsible for the privacy, data or other practices of any entities outside of the Pantelis Sapounakis S.A., including Franchisees, Owners, Authorized Licensees, Strategic Business Partners or any third party operating any site or service to which the Services link, payment service, loyalty program, or website that is the landing page of the high-speed Internet providers at our properties. The inclusion of a link on the Online Services does not imply endorsement of the linked site or service by us. We have no control over, and are not responsible for, any third party’s collection, use and disclosure of your Personal Data.

In addition, we are not responsible for the data collection, use, disclosure or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, RIM or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including with respect to any Personal Data you disclose to other organizations through or the Apps or our Social Media Pages.

7. Resumes/ Curriculum Vitae (CV)

You can find an ad for job search either in a newspaper or on websites of other organizations or on our website or learn about it through your acquaintances. In either case, you will be asked to send or you will voluntarily send a CV in which you usually indicate on your own your entire curriculum and personal data, gender, age, etc. In each case of receiving a resume, we inform the subject about the processing of their data by referring to this page.

Purpose of data processing. It’s the hiring of the subject by our business. It may also be simple disclosure of qualifications for future recruitment. Finally, the covering of vacancies (usually seasonal) with competent and trained staff. Finally, it may be the storage of resumes so that they can be used in the future for any of the company’s needs.

The legal basis for data processing. Your consent, which results from the CV itself in our address and is included in it. If sent via our website, your consent is substantiated and is up to date, as there is a reference to the current Privacy Policy on the site. In any case where an assignment is made through a notice, there is a note and a referral for your information from this site, so that the consent by sending the resume is updated. In any case, if a CV is received, there will always be a communication to the subject’s personal email in order to receive consent for the processing of his or her data, otherwise the CV will be deleted or destroyed.

You have the right at any time to withdraw your consent to your CV being processed, by email or in a letter, and you can also delete your registration at any time only if your recruitment process has not proceeded. If you are hired, the basis for editing your resume changes and is our contract and legitimate interest. Withdrawal of consent does not affect legitimate consent-based processing before it is revoked.

Data processing period. We keep the CVs for as long as the employment relationship lasts, and for a period equivalent to your other personal data after its expiration, if the recruitment and employment of the subject. If no recruitment is made then CV data is retained for a period of two years and only if the consent proof for this is available as above.

As a rule, immediately after receiving the resume, we send notification to the email address provided in order to request the subject’s consent to maintain the resume for the period in question in accordance with the terms of this policy.

Data transfer outside the EU. Your data is not transferred to non-EU countries.

Recipients of your personal information. Your personal data can be forwarded to the relevant authorities or a third-party partner.

If you wish to exercise any of your rights listed in Section 2 in relation to the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email.

8. Personnel

We keep our staff records in order to be able to manage the obligations arising from our employment contract, by the law and by our legitimate interests. All the data we process as well as the legal basis for the processing, the holding time and the rights of the subjects in general are communicated in detail to the employees of our company through internal correspondence and information.

9. Cameras / Surveillance systems

The personal data entered are the images of the clients and third parties who make use of the hotel premises. Webcams are located on the entire perimeter of the hotel and are constantly recording areas of particular importance for security such as entrance, check-in, reception, etc. There is a clear signage of the subject at every point where the camera is located.

Purpose of data processing. Video surveillance is used to protect the persons and property of visitors and the hotel. Their use also has a deterrent effect in the sense of limiting incidents if it is known that there is some kind of monitoring. Their use is intended to allow securing and controlling the facilities by a security team.

The legal basis for data processing. The legal basis is the company’s legitimate interest in protecting both its assets and its clients and in securing their uninterrupted stay at its premises. The safety of the facilities is of primary concern and business necessity as tourist facilities are sensitive areas and their precaution is necessary. Because the hotel area is also a workplace for the staff, camera shots are not used to assess or control their work and do not focus on employees unless it is impossible to avoid it, for example in the area of the cashier, the reception or of the entrance.

Data processing period. The processing period is 15 days from the day of receipt. Each camera produces 24-hour movie material that is kept in the company’s security records on behalf of our business and then destroyed.

Data transfer outside the EU. Your data is not transferred to non-EU countries.

Recipients of your personal information. Your personal data can be forwarded to the relevant authorities or a third-party partner.

If you wish to exercise any of your rights listed in Section 2 in relation to the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email.

From time to time we take pictures and videos of events taking place inside the hotel premises where the company’s services are being promoted. We try to get the oral consent of the subjects before shooting and the photo always concerns groups of people in their public activities.

The legal basis for photographing the subjects in events of the hotel where they participate is based either on their explicit consent to being photographed or on the company’s legitimate interest in taking group photos of their events and posting them on its Facebook page and on Instagram.

10. Disclosures to Service Providers

We sometimes contract with other companies and individuals to perform functions or services on our behalf such as spas and restaurants within our hotels, website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing and other services. They may have access to Personal Data needed to perform their functions but are restricted from using the Personal Data for purposes other than providing services for us or to us. Pantelis Sapounakis S.A. requires that its Service Providers that have access to Personal Data received from the EEA and Switzerland provide the same level of protection as required by the Privacy Shield Principles. We are responsible for ensuring that our Service Providers process the Personal Data in a manner consistent with our obligations under the Principles.

11. Data Security

We use reasonable physical, electronic, and administrative safeguards to protect your Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and the risks involved in processing that information. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the “Contacting Us” section, below.

SECTION 2
RIGHTS

In this Privacy Policy you can learn about the rights you have against us as your personal data processors. We have taken steps to be able to answer any of your inquiries in a short period of time not exceeding one month from receipt of your request and without any charge for this service. In complex cases, it may take longer for our response. In this case, we will notify you of the reasons for the delay and the estimated time for the delay, which may not exceed a total of three months.

We will respond to you electronically or by any other means as you have requested. We reserve the right to charge administrative costs to process a claim that is unreasonably repeated or in the case of a manifestly unfounded or excessive claim.

Note that we need to verify your identity to be able to respond to your request.

If we believe that we should not act on your request, we will inform you of the reason for our decision as well as of your options for legal remedies.

If you believe that our hotel has processed your personal information irregularly, please contact us to remedy this and in this way improve our services to all visitors. You can send us a formal complaint by email or post to the address mentioned above.

1. Right to receive transparent information

We will provide you with all the information required by the GDPR in a short, transparent, comprehensible and easily accessible format, using clear and simple language, especially for any child-specific information. We will provide the information to you in writing or by electronic means. If requested, we will provide the information orally.

2. Right to access your own data

You have the right to receive from us the confirmation of whether or not your personal data are processed and, if so, to access the data and the following information:

  1. the purpose of the processing,
  2. the relevant categories of personal data,
  3. the recipients to whom we have revealed or will disclose personal data, in particular recipients in countries outside the EU. If we transfer your personal data to a non-EU country or to an international organization, information on appropriate safeguards (Article 46 GDPR) on the transfer.
  4. the period for which the personal data are stored or the criteria determining that period,
  5. the existence of your right to ask us to correct or delete personal data or to restrict the processing of personal data or to oppose the processing,
  6. your right to file a complaint with a supervisory authority,
  7. when your personal data are not collected directly from you, we will give you all available information about their source,
  8. if there is automated decision making including profiling, important information about the rationale followed and the significance and predicted consequences of this processing for you.

3. Right to rectify inaccurate data

If we process inaccurate or incomplete personal data, you have the right to request we rectify without unjustified delay.

4. Right to Erasure („Right to be Forgotten“)

You have the right to ask us to erase your personal data and to respond to the request without undue delay when one of the following reasons apply:

  1. Your data is no longer necessary in relation to the purposes for which it was initially processed,
  2. You withdraw your consent and we have no other legal basis for processing your data,
  3. You declare your opposition to the treatment under Article 21 of the GDPR (as below under 8) and there are no compelling reasons for continuing the processing,
  4. Data have been processed illegally,
  5. The data must be deleted in accordance with the law,
  6. The legal basis for data processing is the consent given by a guardian for a child under Article 8.1 GDPR and either (i) you are the guardian and the child is still under the age of consent, or (ii) you are now that child and older than the age of consent.

Please note that we cannot delete your personal data to the extent that we need to process it:

  1. for the exercise of the right to freedom of expression and information,
  2. to comply with a legal obligation that requires treatment,
  3. for reasons of public interest in the field of public health,
  4. for purposes of archiving for reasons of general interest, scientific or historical research or statistical purposes, where the application is likely to render it impossible or seriously detrimental to the achievement of the objectives of such processing; or
  5. for the foundation, exercise or support of legal claims.

5. Right to withdraw consent

Where you have given your consent to any processing, you have the right to revoke it at any time. You can do this by sending a request to the email address that is shared with you here.

Please note that withdrawing your consent will not affect the processing we have already done.

6. Right to limit processing

You may ask us to restrict the processing of your personal data when one of the following applies:

  • You question the accuracy of personal data
  • We no longer have the legitimate basis for editing, but you oppose deleting the data and you are asking to restrict its use
  • We no longer need the data for the original purpose, but you need it for the foundation, exercise or support of legal claims
  • You object to the processing of the data in accordance with Article 21 of the GDPR (see below) and request the limitation until the reason for the objection is verified

Where processing is limited to the above, except for the continued storage of the data, we will process it only with your consent or: (a) to establish, exercise or support legal claims, (b) to protect the rights of another person, or (c) for reasons of overriding public interest in the EU or a Member State.

Where we limit processing, we’ll let you know before we remove the restriction.

7. Right to data portability

You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine readable format, as well as the right to transmit such data to another processor without objection by us when: processing is based on your consent or contract and the processing is done by automated means and only if it is technically feasible. This right does not apply to the processing necessary for the performance of a duty performed in the public interest and cannot adversely affect the rights and freedoms of others.

8. Right of Objection

You have the right to oppose, at any time and for reasons related to your particular situation, the processing of your personal data, which is based either on the legitimate interest under Article 6 (1) (f) of the GDPR or is necessary for the fulfillment duty carried out in the public interest pursuant to Article 6 (1) (e) of the GDPR. We will not subsequently process the data unless we can demonstrate overriding and legitimate reasons for processing that prevail over your interests, rights and freedoms, or for the foundation, exercise or support of legal claims.

9. Right to complain to the competent supervisory authority

In any case and for every request you have the right to request the assistance of the Personal Data Protection Authority where you can report or complain. The address of the Authority is 1-3 Kifissias Avenue, Athens, its site is www.dpa.gr and its contact telephone number is 210 6475000 and fax 210 6475628

10. Updates to This Privacy Statement

The “LAST UPDATED” legend at the top of this page indicates when this Privacy Statement was last revised. Any changes will become effective when we post the revised Privacy Statement on the Online Services. Your use of the Services following these changes means that you accept the revised Privacy Statement.

An den Anfang scrollen