Privacy Policy
privacy policy
Personal Data Protection Policy.
“Chatzigaki Manor Hotel”, (AXEPT S.A. – ANAPTYXIAKH XENODOXEIAKH EPIXEIRHSH PERTOULIOY TRIKALON”, which has its seat at Pertouli Trikala, Greece), hereinafter called “the Hotel”, is the responsible for the processing, the collection, the storage and the processing in general of your personal data.
The Hotel considers the protection of personal data it processes a matter of first priority. For this reason, it collects and processes data according to the principles included in the General Data Protection Regulation, EU 2016/679 (“GDPR”) and according to the applicable national and European legislation on personal data protection and for the purposes of processing which are described in the present Personal Data Protection Policy. It also takes all the necessary technical and organizational measures required for the protection of the personal data it collects and processes within the framework of its commercial activities.
We urge you to read carefully the present personal data protection policy of our Hotel.
I. Objects and purpose of this policy
The purpose of this policy is to inform you on the terms and conditions governing the processing of personal data by the Hotel within the framework of exercising its commercial activities and the services it offers you in any way, as well as on the rights you have on the basis of the applicable legislation. For any issue that may be addressed herein, you may contact us using the contact details provided below.
The Hotel reserves the right to modify, update, review or otherwise change the present Personal Data Protection Policy at intervals, if necessary, without previous notification, according to the legislation in force. For this reason, we call upon you to check the present policy at regular intervals in order to be informed on the existence of any modified editions.
II. Concepts and definitions
For the purposes of the present protection policy the following concepts and definitions are used:
Personal data: any information concerning an identified or identifiable natural person (“subject of the data”). The identifiable natural person is the person whose identity can be verified, directly or indirectly, especially through reference to an identifier datum, such as name, identity card number, location data, online identifier or one or several factors specific to the bodily, physiological, genetic, psychological, economic, cultural or social identity of the natural person concerned.
Processing (of personal data): Any action or series of actions which are carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, entering, organization, structure, storage, adaptation or change, the retrieval, the search of information, the use, the disclosure by transmission , the dissemination or any other form of provision, the correlation or the combination, restriction, erasure or destruction.
Data controller: The natural or legal person, the public authority, the service or any other authority which alone or together with others, determine the purposes and the way personal data are processed.
Performer of the processing: The natural or legal person, public authority, service or other entity that processes personal data on behalf of the data controller.
Consent of the data subject: Any indication of a free, specific, explicit and fully aware will, with which the data subject indicates that he or she agrees, with a statement or a clear affirmative action, to the processing of personal data relating to him / her
Personal data breach: The breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed
Health Data: Personal data related to the physical or mental health of a natural person, including the provision of health care services, and which discloses information about his or her state of health.
Special categories of personal data/Sensitive personal data: personal data revealing racial or ethnic origin, political beliefs, religious or philosophical beliefs or participation in trade unions, as well as the processing of genetic data, biometric data for the unambiguous identification of face, health data or data concerning the sexual life of a natural person or the sexual orientation.
“third party”: any natural or legal person, public authority, service or body, except the subject of the data, the responsible for processing, the person carrying out the processing and the persons who under the direct supervision of the responsible of processing or the person carrying out the processing, are authorized to process personal data,
“you or “you” or “visitor”: any natural person, who uses the services of the Hotel or visits the present website of the Hotel or whose personal data we are processing according to the provisions of the present Data Protection Policy.
III. General Principles for the Processing of Personal Data
The Hotel ensures that the personal data it processes are:
- Subject to processing that is lawful and legitimate with respect to the data subject
- Collected for specified express and legal purposes
- Appropriate, relevant and limited to those necessary for the purposes for which they are processed
- Accurate and updated
- Processed by means of appropriate technical or organizational measures, in such a way as to guarantee the appropriate security of personal data, including their protection against unauthorized or unlawful processing and accidental loss, destruction or damage
- Retained only for the time required for the purposes of processing personal data. In some cases they may be retained for a longer period, especially if the processing of such data is deemed necessary for:
-the compliance with a legal obligation imposed by a provision of another law.
-the compliance of the Hotel with the duty to fulfill a public interest objective.
-archiving for purposes of public interest, scientific or historical research
-for statistical purposes
-for the foundation, opposition, exercise or support of legal claims.
IV. Legal Framework for the Protection of Personal Data
In addition to the General Data Regulation (EU) 2016/679, any national law with respect to the processing and protection of personal data shall apply. Indicatively, the following laws are mentioned:
- Law 4624/2019 (Measures for the Implementation of the European Parliament’s General Data Protection Regulation [(EU) 2016/679])
- Law 2472/1997 on the protection of individuals from the processing of personal data.
- Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector.
- Directive 1/2011 of the Data Protection Authority on the Use of Video Surveillance Systems for the Protection of Persons and Goods.
- Directive 115/2001 of the Data Protection Authority on the Protection of Personal Data in the Field of Labor Relations.
- Law 3471/2006 on the protection of personal data and privacy in the field of electronic communications
- Regulations of the relevant administrative bodies.
V. Purposes of Processing
In accordance with the above legal framework, personal data collected by the Hotel are used for the following processing purposes:
- a) To manage the booking of rooms, the organization of conferences or events as well as any other hosting, catering or food service
- b) To manage the relationship with you before, during and after your stay at the hotel
- c) For the Company’s compliance with Greek and European Law
- d) For marketing purposes
- e) For the establishment, recognition, exercise or defense of a right and legal claims
- f) To support business processes
- g) To improve our hotel services
- h) For the security of our information technology systems
VI. Legal basis for the Processing of Personal Data
The Hotel processes your personal data transparently, in accordance with the principles of legality, proportionality, confidentiality and integrity, limitation of purpose and accuracy, specific time of data retention and data minimization.
The legal basis for processing your personal data may be:
- a) your consent
- b) the need to process your data in the context of our contractual obligation or at the pre-contractual stage
- c) the need to process your data in accordance with our legal obligation
- d) the need to process your data in the context of safeguarding our legitimate interests
- e) the need to process data to protect the vital interests of you or the person you accompany
- f) the need to export statistics
VII. Data the Hotel processes
For the above purposes, the Hotel collects and processes personal data, including indicatively the following:
- VII(a) Hotel Residents / Visitors:
The Hotel is fully committed to the safeguarding of your private life and the personal information you entrust us.
Your personal data are collected by the Hotel when you personally book on-line or by telephone or through a third party or through our website or through a third party’s platform (type Booking, Expedia), or when information is passed on by third parties (for example tourist agencies, on-line booking systems), or when you make a payment to the Hotel for the purchase of services in any way, or when you check in the Hotel or during your stay in the Hotel or when you participate in an event which takes place in the Hotel or when you connect through an electronic device to our website or the Hotel’s WiFi or when you fill in on-line booking forms or customer satisfaction forms or when you fill in the relative contact form in the Hotel’s website.
We collect and process usually the following personal data:
- Full name, nationality, identity card/passport number, date of birth, profession, address, signature sample, vehicle license plate number, telephone number and e-mail
- Stay data (arrival-departure, number of persons, total number of overnight stays)
- Room rate
- Information on your payment, credit or debit card information, remittance number and bank account number
- Invoice details
- Record of previous visits
- Contact information (i.e. e-mail) where the visitor agrees to receive information and advertising material by the Hotel
- Images from the surveillance video system operating in the Hotel premises for the security of persons and goods
- Information we may receive during the visitor’s connection to the Hotel WIFI and which are necessary for the visitor’s optimum experience while using the internet (type of device you are using, location, ip/mac address, operating system)
- Technical data, we collect, when you are using the Hotel website (cookies)
Purposes / Legal basis for data processing are:
– Performance of a contract to which the subject is a party
– Consent of the subject
– Compliance with the legal obligation of the Hotel.
The Hotel processes your personal data exclusively and only after you have given your written consent to this end, which you offer when you make a booking or when you check in at our Hotel.
The Hotel processes your personal data in a legal and legitimate way. In no case it collects or processes a greater number of information or data than the one required for fulfilling the purpose of the processing. Your data is safely stored. Their collection and processing are carried out exclusively for the above-mentioned purposes of processing and use. Your data are not used for the creation of a profile.
Minors
For persons under sixteen years of age (16), consent is offered by his legal representative.
The use of the web site and the booking engine is not intended for use by minors under the legal age requirement. No one under the legal age requirement may provide any personal information to or through our web site. We do not knowingly collect personal information from minors. If you are under the legal age requirement, please do not visit our web sites, don’t make any use of the above or send any information about yourself to us, including your name, address, telephone number or email address. In the event that we find out that we have collected personal information from a minor without verification of parental consent, this information will be deleted, upon the minor’s parent or guardian notification. If you believe that we might have any information from or about a minor, please contact us.
To the maximum extent permitted by applicable law and without limiting any other provision of this Policy, the Chatzigaki Manor disclaims any liability for any personal data submitted in contravention of this clause.
- VII.(b )Participants, speakers and invited to conferences, actions and events
- a) Full name, postal address, status, profession, email.
- b) Image data (photo / video recording). It is possible to take pictures and / or videotape the various events, conferences or workshops organized at the Hotel. This data may be posted on the site or social media managed by the Hotel.
Purposes / Legal basis for data processing are:
– The purpose is the successful organization. The processing of personal data is considered essential for the successful management and organization of their actions and purposes.
- VII(c) Suppliers: Full Name, VAT, IBAN, Telephone, Address, Email
Purposes / Legal basis for data processing are:
– Performance of a contract to which the subject is a contractual party
- VII.(d) Employees / External Partners: full name, father’s name, mother’s name, year of birth, place of birth, gender, nationality, address, email address, contact phone numbers, identification card number (ID), tax registration number (VAT), AMKA, bank account number (IBAN), marital status, education and training status of the employee/ partner, work experience, curriculum vitae, salary, working hours, medical record / health certificate
Purposes / Legal basis for data processing are:
- a) Managing the working relationship between the Hotel and the employee/external partner. The processing of this data is considered necessary for the performance of the employment contract.
- b) Fulfilling the employer’s obligations of the Hotel. The processing of data is necessary for the compliance of the Hotel with its legal obligations.
- VII(e) Prospective Employees:name, surname, contact information, education, work experience, email, nationality, marital status
The Hotel collects and processes candidates’ personal data for vacancies. This data is collected by the candidate upon submission of the relevant application. In case of non-recruitment, the CV of the candidate is retained for 2 years to cover any future job opportunities.
Purposes / Legal basis for processing are:
-Assessment of the candidate’s suitability for a particular job vacancy. The legal basis for processing is the legal interest of the Hotel and the consent of the prospective employee.
- VII(f) Special categories of personal data
- Employees: The Hotel, may collect and process data belonging to specific categories of personal data (“sensitive data”), such as data relating to the health of its employees, in order to meet its insurance obligations. Similarly, in exceptional cases, when required by applicable law, the Hotel may collect and process data relating to criminal convictions or offenses, such as copies of criminal records, always respecting the principle of proportionality.
- Residents / Visitors / Conference Participants:The Hotel may process data belonging to specific categories of personal data (“sensitive data”), such as data on eating habits, allergies, religious beliefs, illnesses etc.
Purposes / Legal basis for data processing in the above cases are:
– Fulfillment of the obligations and exercise of specific rights of the Hotel or the data subject in the field of labor law and social security and social protection law.
– Protecting the data subject’s vital interests
- Communication Data
Persons who have expressed their wish through explicit consent to receive news and updates from the Hotel.
Purposes / Legal basis for data processing are:
Consent of persons wishing to receive updates and offers from the Hotel
VIII. Transfer of personal data to third parties
The entire workforce of the Hotel that processes your personal data is contractually bound by the terms of confidentiality and privacy of your data. We shall not disclose your information to third parties for their own independent business or marketing purposes without your consent.
In order to offer you the best possible services, we provide access to your personal data or to special categories of them, to specific and expressly authorized personnel of our Hotel. For example:
- To the Reservations Department
- To the IT Department
- To the Marketing Department
- To our Accounting Office
- To the Legal Department if necessary
The Hotel will disclose your personal data if this is required by the law, by a judicial or regulatory decision or in order to exercise its legal rights.
These third parties may be found in Greece or in countries within the European Union or anywhere in the world. When personal data are stored by us we demand from the service providers to utilize suitable measures for the protection of the confidentiality and security of personal data. If the case of transfer of personal data to a third country outside the EU or to an international organization, you will be notified in advance according to the provisions of article 13 par. 1 (f) GDPR.
However, we may share your information with the following:
- Business partners. We may also share your information with trusted business partners. These partners may use your information to provide the services you requested and to provide you with other material, in the event you have given your consent.
- Service providers and / or any third party who may undertake the processing on our behalf. We may also disclose your information to companies that provide services on our behalf, such as IT subcontractors, companies that send bulk emails on our behalf, mail service companies, print service companies, etc.
- Other third parties with your consent or by your order. In addition to the disclosures described in this Privacy Policy, we may share information about you with third parties if you give your consent or request it.
Exceptionally, the following are allowed to have access to your personal data:
- a) the judicial and prosecutorial authorities in the exercise of their functions on their own motion or at the request of a third party claiming a legitimate interest and in accordance with legal procedures.
- b) other bodies of the Greek State, which by virtue of their statutes have such a right and competence.
IX. International transfers of personal data
We may transfer your personal information to our data processor(s) or/and sub-processor(s) based outside of the EEA for the purposes described in this notice. If we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators (like the US ‘ Privacy Shield’ scheme).
Hotel PMS and Booking Engine data is stored in the cloud, using Amazon Web Services in N. Virginia, USA and in Frankfurt, Germany. Mail service data is stored in the cloud and in servers based in the USA. If you are accessing any of our systems from outside the USA, you acknowledge that your personal information may be transferred to the USA, a jurisdiction which may have different privacy and data security protections from those of your own jurisdiction, to be processed and stored.
X. Personal data retention period
We take reasonable steps to ensure that your personal information is retained only for as long as it is necessary and for the purpose for which it was collected or for as long as it is required under contract or applicable law.
Your personal data are kept exclusively and only for the time interval required for fulfilling the above-mentioned purpose for which they were collected, in compliance with the legislation in force. When the purpose of the processing of your personal data is fulfilled, they are deleted.
The CVs collected by the relevant HR department are kept for two years and then destroyed.
Tax information is maintained in accordance with tax law.
XI. Cookies and similar technologies
The Hotel as well as certain third parties which provide content, advertising, or other operations to our services, may use cookies or similar technologies for the improvement of the performance and traffic of our website.
We may use advertising companies of third parties for the display of Advertisements concerning goods and services which may interest you, when you have access and use electronic services, other websites, or online services. For the display of such advertisements these companies place or recognize a unique cookie in the browser (including the use of pixel tags). If you need more information, please visit our Cookies Notice page.
XII. Your rights concerning your personal data
The Hotel ensures that data subjects are able at any time to exercise their rights under the law regarding the collection and processing of personal data. These rights are as follows:
The right to be updated and have access: You have the right to be updated and have access to the data kept by us and to receive additional information concerning their processing.
The right to correction: You have the right to ask for the correction, modification, supplementation and updating of your data kept by us.
The right to erasure (“right to forget”): You have the right to ask for the erasure of your personal data when we process them on the basis of your consent or in order to protect our legal interests.
The right to the limitation of processing: You have the right to ask for the limitation of processing of your personal data.
The right to oppose to the processing: You have the right to oppose at any time to the processing of your personal data when there is no overriding and legal reason for us to continue the processing.
The right to portability: You have the right to receive free of charge your personal data in a form which allows you to have access to them, to use them and process them as well as ask, if it is technically possible, for the transfer of your data directly to another responsible for processing.
The right to the withdrawal of consent: You have the right at any time to withdraw your consent, to the extent it was received for the intended processing.
In order to exercise any of your rights, you can send a message to the following e-mail address: info[at]chatzigaki.gr
Or you can contact us at the following address:
Chatzigaki Manor Hotel
Pertouli, Trikala, Greece,
PC 42032
Telephone: +30 24340 91146
The Hotel will respond to your request free of charge, without delay and in any event within one month upon receipt of the request, except in exceptional cases, so that the above deadline may be extended by a further two months if necessary, taking into account the complexity of the request and/or the number of requests. The Hotel will inform you of any extension within one month upon receipt of the request, as well as of the reasons for the delay. In the event that the satisfaction of your request is impossible, the Hotel will inform you within one month upon receipt of the request, of the relevant reasons and of the possibility to file a complaint with the Data Protection Authority, as well as about your right to appeal to the competent judicial authorities.
If your claim is deemed by the Hotel to be manifestly unfounded or excessive, it may give rise to the charge of a reasonable and proportionate fee, taking into account administrative costs to satisfy it or refusing to process your claim.
The right to complain to the APPD: You have the right to submit a complaint to the Authority for the Protection of Personal Data (www.dpa.gr), 1-3 Kifissias Avenue, 115 23, Athens, Greece: Switchboard: +30 210 6475600, Fax: +30 210 6475628, e mail: complaints@dpa.gr.
XIII. Security of personal data
The Hotel takes and applies all suitable technical and organizational measures, as possible, aiming at the safe processing of your personal data and the prevention of their accidental or unfair loss or destruction or distortion and the unauthorized and/or illegal access to them, their use, alteration or revelation and sees to the legality of the collection, processing and safe storage of personal data, according to the provisions of national, European and International Law on the protection of an individual from the processing of personal data and especially having regard to the provisions of the General Regulation on the Protection of Data (EU 2016/679)
For the Terms of Use please see here