The main activity of the company under the company name “PAPAZOGLOU S.A” (hereinafter, the “Company”) is the exploitation of hotel establishments and the provision of tourism hospitality services to customers staying at its hotels, as well as several other tourist services offered to the visitors of its hotels. The Company, acting in the capacity of controller and in accordance with Regulation (EU) 2016/679 and the provisions of Greek laws on the protection of personal data, informs any natural person entering into transactions with the Company (hereinafter the “Customer”) that the Company and/or third parties acting at the direction and on behalf of the Company will process personal data relating to him or her. Such processing will be always performed in the context of a transaction relationship for services provided by the Company (tourism hospitality services, etc.) during the period of stay of the Customer, according to the above.
Reasons why personal data are collected
The Company collects and process personal data, where necessary, a) due to the legal relationship between the Customer and the Company for the performance of a contract regarding the provision of tourism hospitality services to the Customer, and b) due to the Company’ legal obligation to identify the Customer/visitor who plans to stay at the hotel.
How and when personal data are collected
The Company informs the Customer that during his/her request for a room reservation/booking at a Company hotel, made either through the Company’s electronic booking platform or through other distant communication means (i.e. fax), or by the Customer himself/herself, the Company will require from the Customer to complete his/her personal data, as well as other data concerning payment methods/tools (like, in an indicatively manner, his/her credit card details), which are required as a minimum and are absolutely necessary for the provision of the requested hospitality services. Such data are required by the company for the purposes of a) recognizing/identifying each data subject whenever a room reservation is made or upon arrival at a Company hotel, b) safeguarding the Company’s financial interests with regard to indemnification/payment for the provision of services, and c) issuing any legally required financial/tax document and proof of payment/invoice, upon payment for the provision of hospitality services to customers staying at a Company hotel.
Which personal data are collected
In particular, the Customer either upon his/her arrival at a Company
hotel or through a safe online booking platform, which is provided and
supported by a third party acting in the capacity of processor, or
through any other distant communication means (like, in an indicative
manner, facsimile/fax), and in any case the Customer himself/herself
will complete the following identification details: Surname, name,
father’s and mother’s name, date and place of birth, national identity
card or passport number, home address, city of residence, country,
profession, telephone number, nationality, Tax Identification Number,
electronic address (e-mail), contact phone number, date of arrival,
check-in and check-out dates, number of rooms, number of persons. In
addition to the above, in case the Customer wishes to receive
communications about Company hotels and gives his/her consent to that
respect, the Company may send such communications to his/her electronic
address or social media.
Use and retention of personal data
The Company will make use of Customer identification and recognition data for the purposes, on one hand, of issuing taxation documents (i.e. payment receipts or invoices for provision of services) and, on the other hand, of updating company records/books, the keeping of which in printed or electronic form is required by law (like, in an indicative manner, pursuant to article 10 of Presidential Decree 186/92), such as, in an indicative manner: a) The Hotel Reception Book, intended for inspection by the Police, and b) the Hotel Reception Book, intended for inspection by the competent Public Fiscal Service. Records of such taxation documents (payment receipts for provision of services, invoices), which include data of the data subjects, are kept by the Company in printed and electronic form for twenty five years, as the competent Public Fiscal Service is entitled to carry out inspections throughout this period on the Company’s accounting books and documents. Apart from the above taxation documents, the Company does not keep records of any other type regarding registered personal data of customers who stay at Company hotels, and neither wishes nor has the legal right to keep such information. Access to such records is limited to the Company’s financial/accounting department, acting in the capacity of processor. With regard to the acceptance of payments through credit and debit cards, Company hotels or third parties collaborating with the Company (processors) have already complied with and make use of encryption methods in relation to the storage of customers’ personal data, as well as regarding the storage of credit card data, which are used according to PCI data security standards. Hence, the management of payments through credit/debit cards and the storage or management, whatsoever, of credit card data may be registered/stored by a provider that is certified according to PCI standards.
Data Subject/Customer rights
The Customer has the right: a) To know which personal data concerning him/her are kept and processed by the Company, as well as the origin of such data (right of access); b) To request -and this is also an obligation for him/her- that his/her data are rectified or completed in order for them to be complete and accurate, by submitting all necessary documents proving the necessity for the completion or rectification (right to rectification); c) To request the restriction of processing of his/her data (right to restriction of processing); d) To refuse and/or object to any further processing of data kept by the Company (right to object); e) To request the erasure of his/her data from the Company records (“right to be forgotten”); f) To request from the Company to transmit data provided to said Company to any other controller (right to data portability). It should be noted that satisfying requests based on points c, d and e above, where they concern data that are necessary for entering into or maintaining a legal relationship/contract with the Customer and regardless of whether they have been provided by the Customer or not, may result to the automatic -on behalf of the Customer- termination of the relevant contract or contracts, according to the terms contained therein, or failure to examine the data subject’s request. In any case, the Company has the right to reject the request to restriction of processing or erasure of the Customer’s data, whenever processing or keeping of data is necessary for the establishment, exercise or defence of Company’s legal claims or for the compliance with Company’s legal obligations . The exercise of the right to data portability (point f above) does not cause the erasure of data from Company records, which is subject to the terms of the immediately previous paragraph.
VIDEO SURVEILLANCE TECHNICAL SYSTEMS
To ensure the safety of both customers and their personal belongings during their stay at the hotels, the Company makes use of suitable and legal video surveillance technical systems, in accordance with Regulation (EU) 2016/679 (GDPR) and directive 1/2011 issued by the Hellenic Data Protection Authority regarding the protection of natural persons and goods. Monitoring through video surveillance for the protection of natural persons and goods is limited to a)Εntry/exit of persons (like, for example, through video surveillance at the main entrance, reception, lift and staircase entrance/exit), b) Μoney deposit areas (i.e. counter machines), as well as c) Areas where the electrical/mechanical installations of the Company hotels are found (i.e. laundry, food storage refrigerators areas). To ensure the protection of privacy, suitable and distinguishable signs have been placed to warn natural persons/data subjects (such as customers, employees, etc.), in a timely manner and before entering in camera range, that a video surveillance system is installed. The video surveillance system used by the Company will solely and exclusively record image and, by no means, sound; also, torsion or zoom is not enabled in said system. Access to video surveillance system is limited to the data Processor and the Hotel Manager. Collected data will be erased within 15 days, at the latest, from the date they were collected/recorded. In case there is an incident, data can be extracted from the system and be kept in a separate record for up to 30 days. If an incident concerns third parties, images can be kept for up to 3 months. It should be also noted that the Company will not install video surveillance systems in restaurants and halls leading to hotel rooms or other areas where hotel customers or visitors may be monitored (i.e. private room entrances, toilets and other areas where recreational activities take place, like swimming pools, gyms, sport areas, locker rooms, etc.), since video surveillance is not allowed in such areas. Any natural person/data subject has the right of access to video surveillance data concerning him/her, and the processor has the obligation to provide -free of charge and within fifteen (15) days from the submission of a relevant request- a copy of the part of the image signal in which the data subject has been recorded, or a printed series of sequences from the recorded images, or -depending on the case- inform the person concerned in writing and within the same time limit that he/she does not appear in the recording or that the relevant part of the recording has been destroyed. Alternatively, where the data subject agrees to that respect, the processor can simply demonstrate directly the above part of the recording. For this purpose, the data subject should indicate the exact time and place that he/she entered in camera range. Furthermore, when providing a copy of images, the processor should cover the image of third persons (i.e. by blurring part of the image), so as to avoid any possible infringement of their right to privacy. Where a recording is simply demonstrated, covering the image of third persons is not necessary. The data subject has the right to object to the processing of his/her image from the video surveillance system and request the locking of data. If the processor ascertains that the data subject’s request for the erasure or locking of data is legal, he/she should immediately proceed to the erasure or locking of data and make adjustments to the operation of the system, so as to avoid illegal processing of data in the future. In any case, the data subject has the right to lodge a complaint with the supervisory authority for the protection of personal data, which is the “HELLENIC DATA PROTECTION AUTHORITY” (www.dpa.gr).
In order to sign up for Company newsletters and be able to receive updates and/or offers and/or other promotional material, you must provide your electronic address (e-mail) either upon your arrival by completing the Registration Card or by completing the online platform of our website. Upon signing up for our newsletters and personalised communications, you explicitly grant us your consent to receive all updates and/or offers and/or other promotional material through electronic and text messages or instant messaging, as provided by relevant services (i.e. through SMS, Viber, Push Notifications, etc.)
COMPANY WEB PAGE NAVIGATION / COOKIES
PERSONAL DATA SAFETY
The confidentiality of data that are processed by the Company, such as customers, providers or employees data, is safeguarded, since access to such data is limited to authorised persons, like -in an indicative manner- hotel managers, who use access password to confirm reservations made by customers or carry out reservations made by customers or manage transactions with providers or employees, as well as to generally have access to files with data subjects information. Furthermore, the Company keeps back-up files for all information that may be processed, thus ensuring that: a) information is always available; b) information that has been managed and processed is accurate and complete; c) access to information that has been processed is possible at all times, and d) in case of a natural or technical incident, it will be possible to restore, make available and have access to processed data in a timely manner. In any case, the Company protects all data that may have been recorded, by using natural safety measures as well as other measures against unauthorized access to the Company’s systems, websites and servers. For example, the Company protects your information by using access password controls and ‘firewalls”.
CONTACT – INFORMATION – COMPLAINTS
The Customer, as well as any other data subject, can update the information entered into the Company database, and change his/her preferences and contact details. The Customer can also contact the Company by sending an e-mail at: email@example.com, so as to inform that he/she does not wish to receive communications related to the Company and its hotels, as well as to make comments or ask questions about the Company’s Personal Data Protection Policy. In addition, the data subject has the right to lodge a complaint with the supervisory authority for the protection of personal data, which is the “HELLENIC DATA PROTECTION AUTHORITY”, at the following link:www.dpa.gr