Notice on the Processing of Personal Data of Customers and Website Users

Version 1.0 / 20.01.2019

Introduction

This Privacy Policy applies to any processing conducted by “NIKA EXTE SA” (hereinafter: “the Hotel”, “Hotel Elysium” or “we”) with respect to personal data (hereinafter: “Personal Data”) which is provided by you as a guest of our hotel or user of our Website (hereinafter: “Customer” or “User” or “you”).

As a customer of our hotel or user of our Website, you have a right to demand protection of your Personal Data. The Hotel respects your privacy and your personal data and complies with the applicable Data Protection Laws at all times. The hotel further undertakes to adopt fully transparent policies and procedures in collecting and using data in the context of its obligations.

The term “Data Protection Laws” (hereinafter: “Law”) refers to a set of Greek or European laws, regulations, directives etc. that regulate the processing of Personal Data and the privacy and security of such Data.

Basic legislative instruments in this regard are, among others, the General Data Protection Regulation (GDPR), the ePrivacy Directive concerning the protection of privacy in the electronic communications sector and such other Opinions or Guidelines issued in this regard by the Hellenic Data Protection Authority (HDPA).

It is important that you read this policy carefully and keep it for future reference, as it provides a thorough description of how and why we collect your Personal Data, how we use them, how long we keep them, who we share them with, how we protect them and the remedies available to you in this regard. This way you will always be fully informed on how and why we use your data as well as of the rights that are afforded to you in this regard under the Law.

Data Controller

The Hotel is acting as a “Data Controller” in accordance with the General Data Protection Regulation. This means that the Hotel is responsible for deciding how and why it will collect and use (“process”) your personal data.

Our contact details are as follows:

NIKA EXTE SA
Elysium Resort & Spa
Kallithea, Rhodes, GR-85100, Greece
Tel: +30 22410 45700
Fax: +30 22410 87060
E-mail: info@elysium.gr
https://www.elysium.gr

Processing Rules

As part of our policy to act in compliance with the Data Protection Legislation, we make all reasonable efforts to:

• Process your personal data in a fair, legitimate, clear, objective and transparent manner.
• We only collect your data for specific, explicit and legitimate purposes, which we consider appropriate and have been thoroughly explained to you. We also assure you that your data will not be howsoever used for any other purpose.
• We collect and keep as little data as possible, namely only data which is appropriate, relevant and strictly necessary for processing purposes.
• We verify the accuracy of your data and keep an up-to-date, accurate record thereof.
• We shall only retain your data for as long as this is imperative to meet our processing objectives.
• We shall make sure that your data is stored with utmost security.
• We process your data in a manner which ensures that it will not be used unlawfully or against your will.

Legal Basis of Processing

Processing of your Personal Data shall be conducted on at least one or more of the following legal bases:

• Processing of your Personal Data is necessary for the performance of the contract that is in place between us.
• Processing is conducted on the basis of your consent, which has been given by you for one or more specific purposes.
• Processing is imperative for reasons of compliance with the applicable legal framework, which requires the Hotel to keep and process specific categories of personal data.
• Processing is necessary to safeguard your vital interests or those of any other individuals.
• Processing is necessary to protect the legitimate interests of the Hotel or any third parties, as long as it does not infringe upon your own private interests or your fundamental data protection rights and freedoms.
• Processing is necessary to perform any duties that serve the public interest or exercise any form of public authority which is vested to the Hotel.

Categories of Personal Data we Collect and Process

Personal Data is any information that relates to you as an identifiable individual. The categories of Personal Data we collect and process are thoroughly described below:

• Identification details (name, surname, sex, date of birth, marital status, identity card or passport number, nationality, country of residence, occupation, etc.);
• Contact details (home address, telephone or fax numbers, email address, etc.);
• Information concerning your stay (room preferences, arrival and departure dates, names and surnames, birth dates and ID or passport numbers of any people staying in the room);
• Information concerning the consumption of products (food, beverages), any services offered (travel, spa, recreational services, etc.), participation in activities on the Hotel premises and related charges;
• Financial information such as details of payment method, credit card details, tax registration number, detailed costs and transactions history;
• Any special requests or preferences during your stay, relating to any particular circumstances (business, health, social, leisure, religious, etc.);
• Information concerning your health, any allergies, food preferences, etc.
• Any preferences you may have in terms of how the Hotel can contact you, e.g. in order to provide you with informational material.
• Information collected from the Hotel and Customers security control systems, e.g. through our CCTV system.
• Health data, calls for physicians, symptoms, medical record, private physician’s details collected from you or from your relatives or friends in the event of sickness, injury, accident or emergency during your stay at the hotel.
• Information concerning any reports, complaints or objections you may have submitted.
• Information concerning your level of satisfaction in relation to our products, services and your general experience during your stay.

Whenever you make use of our Website, certain types of information, including information that may constitute personal data, are collected automatically. Such information includes information about your language settings, IP address, location, device settings, device operating system, time of access, redirecting URL, etc. We may also collect data through cookies. Cookies are small files that are stored on the user’s computer, which are accessed by the Website for the purpose of analysing user behaviour. The types of Cookies we use and the type of processing that is conducted are described in a separate policy (Cookies Policy).

We also use Google Analytics to analyse your use of our Website. Google Analytics generates statistical and other site usage information, which is used to generate reports. The type of processing performed through Google Analytics is described in a separate policy (Cookies Policy).

In case you register and / or access our Website through a third-party account (Social Login), we may collect and access specific user profile information from the relevant social network only for internal administration purposes and / or for the purposes listed above.

Processing of minor persons’ data is subject to the consent of their parents or guardians.

Processing of Special Categories of Data

The General Data Protection Regulation defines specific categories of data that are subject to stricter processing procedures, e.g. health data. We only process this type of data with your request (e.g. information concerning food allergies) or in any situations where such processing is required under the applicable laws or regulations.

Collection Method and Source of Personal Data

Your personal data is normally collected from you; however, we may also collect Personal Data from other sources, such as:

• Travel agents, business partners and third-party systems (e.g. booking platforms).
• Information about you created when you make use of our products and services.
• Family members, colleagues or beneficiaries of products and services.
• Our Website.
• Business partners (for example, financial institutions, insurers), account holders or other parties involved in the supply of our goods and services.

Purpose of Collection and Processing

We process and use your personal data for one or more of the following purposes:

• For the performance of the contract that is in place between us and to meet our contractual obligations, e.g. to effect and complete reservations, including the handling of payments, and provide the accommodation services contractually agreed or any additional services you may have requested;
• To manage any requests you may have submitted;
• To address any specific requests or preferences concerning your stay more effectively, in order to meet any particular requirements (professional, health, social, entertainment, religious, etc.);
• To protect your vital interests;
• To protect the public interest;
• To protect the legitimate interests of the Hotel (or third parties), insofar as this does not infringe upon the private interests or the fundamental data protection rights and freedoms of Users;
• To manage your communication requests through channels available for that purpose;
• To comply with any regulations requiring the Hotel to maintain and process specific categories of personal data, e.g. to comply with any legitimate requests of law enforcement authorities like the police or the tax authorities;
• To handle any complaints, observations, reports, incidents, sicknesses, accidents, injuries or emergencies during your stay at the hotel;
• To be able to contact you or any other available contact in case of an emergency;
• To provide customised information, offers and services during your stay;
• For direct marketing activities, e.g. to send you newsletters and promotional communications relating to new products and services, or any other offers which we believe may be of some interest to you, by post, email, through mobile devices or social networks (subject to your consent);
• For direct marketing activities, by publicising photos or videos on any electronic or printed medium (subject to your consent);
• To evaluate the effectiveness of our promotional campaigns and advertising;
• To identify, investigate and prevent fraud and other illegal activities. For these purposes, your personal data may be disclosed to third parties, e.g. to law enforcement authorities or external consultants;
• To improve our guests’ experience and our operational performance as well as that of our partners, by developing new products and services and reviewing or improving our existing products and services and promotional activities, on the basis of information drawn from your reviews and ratings;
• For your own security and protection and to prevent unlawful actions against you.

 

Some of the above types of processing may partly overlap, but they altogether constitute the legal bases and legitimate purposes that govern our processing of your personal data.

Your personal data will be used exclusively for the purposes for which it was originally collected or for other purposes consistent with such original purpose. If a need arises to make use of your personal data for any other purpose, you will be notified accordingly and you will be made aware of the legal basis on which such processing will be conducted or may even be requested to grant your consent.

In any case, your personal data shall be processed in accordance with the rules laid down in this policy and those applicable under the Data Protection Legislation.

Automated decision-making process, including profiling

We make no decisions which might have a significant impact on you, including profiling, under automated procedures (decision-making procedures conducted through use of a computerised system without human intervention).

When and how we share or disclose any Personal Data we receive with/to third parties

In the context of our operations and with a view to meeting our contractual and legal obligations for the purposes set out in this Privacy Policy, we may disclose certain personal data to third parties, including to credit institutions, tax authorities, accounting offices, travel agents, suppliers, associated private insurers, physicians, attorneys, health care providers, maintenance service providers, other service providers, etc. or to such other parties as may need to gain knowledge of your data in order to comply with any regulatory or legal obligations.

Such disclosure shall be made in a manner which ensures (where possible) that the third parties concerned will process your data with strict confidentiality, applying all security measures necessary to protect it in accordance with our policies, and that they shall not use your personal data for their own purposes or for any purposes other than those explicitly authorised.

Specific categories of data may be disclosed to your relatives with your prior consent or in case of an emergency.

In addition to the above, we shall not share your personal data with any third parties, save where we bear a statutory obligation in this regard or where such disclosure is necessary in order to meet any contractual or legal obligations (e.g. disclosure to tax authorities or the police, or for compliance with audit requirements).

The Hotel shall under no circumstances sell your personal data to third parties or allow any third parties to sell any data which is forwarded to them by the Hotel.

We work together with third parties (such as booking.com or Web Hotelier and the Channel Managers) to offer you online booking services. All content posted on those websites is supplied from us and you are able to make reservations directly with us; however, bookings are subject to processing by third parties. Any data you provide to such third parties is stored in one or more databases that are hosted by them. Such third parties do not use or access your personal data for any purposes other than to manage reservations.

Personal Data Disclosure

We shall use and shall disclose your personal data to the following parties, in the manner we consider necessary or appropriate:

• Law enforcement or other government authorities, to the extent this is required by law or essentially required in order to prevent, identify or prosecute any criminal offences or fraud;
• To comply with the applicable laws, including any laws applicable outside your country of residence;
• To comply with applicable legal formalities;
• To address any requests from public or government authorities, including from any authorities outside of your country of residence, and comply with applicable national security or law enforcement requirements;
• To deal with emergencies.

International Transfers of Personal Data to Third Countries

Your personal information may be sometimes transferred to third countries outside the EU for the purposes described in this policy. Personal data may be transferred to third countries or international organisations in any situations where the European Commission has determined that these countries offer an adequate level of protection or effective safeguards and guarantees (e.g. standard contractual clauses approved by the European Commission), provided that you are afforded enforcement options and effective legal remedies.

Data Retention Period

We shall retain your Personal Data for as long as it is necessary for the purposes described in this Privacy Policy, insofar as this is necessary to perform our contractual and legal obligations, unless a longer retention period is prescribed or permitted under the law or a User requests their data’s withdrawal or opposes or revokes their consent.

The data retention period is defined among others on the basis of the following criteria:

• The time period for which we maintain a business relationship with you and provide you with our Services;
• Whether you have made a reservation which has not yet been completed;
• Whether we bear a legal obligation to keep your data for a particular period of time (for example, some laws require us to keep record of our transactions for a certain period of time before we delete them);
• Whether retention of your data is advisable for legal or tax purposes;
• Our reasonable business needs, e.g. managing our relationship with you and our operations;
• Whether there is a possibility of third parties taking any legal action against us;
• Any retention requirements applicable under any laws, regulations or directives.

If your data was collected on the basis of your consent, it may be erased any time after your consent is withdrawn.

Your data may also be erased in any of the following situations:

• If it is no longer necessary for the purposes it was originally collected;
• If erasure is imperative for reasons of compliance with any statutory requirements;
• At your request, as long as there are no compelling legal reasons dictating their retention.

Your data shall be safely destroyed when it is no longer necessary. We may need to keep certain financial information for legitimate purposes (e.g. for accounting purposes).

Rights of the Data Subjects

Subject to particular conditions laid down in this Privacy Policy, you have the following rights in relation to your personal data:

• Right to Transparency:
  You have α right to know who is processing your data; how they are processing it; what type of data is being processed and for what purpose
• Right of access:
  You have α right to demand free access to your personal data.
• Right to rectification:
  You have a right to demand rectification of inaccurate personal data and to have incomplete personal data completed.
• Right to erasure (“right to be forgotten”):
  You have a right to demand the erasure of your personal data under certain conditions, such as when your data are no longer necessary in relation to the purposes for which they were collected, you have withdrawn your consent and there is no other legal basis for processing, the data have been unlawfully processed, etc. Erasure may not take place if processing is necessary, among others, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Hotel, for reasons of public interest in the area of public health, or for the establishment, exercise or defence of legal claims, etc.
• Right to restriction of processing:
  You have a right to demand restriction of processing where: the accuracy of the personal data is contested; the processing is unlawful; the controller no longer needs the personal data for the purposes of the processing; you have objected to automated processing.
• Right to data portability:
  You have a right to demand the transfer of your data to another controller where this is technically feasible.
• Right to object:
  You have a right to object to the processing of your personal data, provided that this causes no impairment to the public interest. You have a right to oppose certain forms of processing of your personal data to ensure that your data is not subject to the legal effects of automated processing or formatting.

Moreover, in any situations where we process your personal data on the basis of a legal interest or a public interest, you have a right to object to such use of your data any time, as per the applicable regulations.

If you have given your consent to the use of certain data, you have an unrestricted right to withdraw your consent at any time. Withdrawing your consent means that we will terminate the processing of any data in respect of which we had obtained your consent. Of course, we reserve the right to determine which information needs to be retained for reasons of compliance with our general tax and legal obligations. Withdrawing your consent shall entail no effects other than our inability to carry out processing.

You may exercise your rights by contacting the Hotel or by email (privacy@elysium.gr) or by filing a Data Subject Application Form. If you exercise any of your rights by filing a request, we shall make all reasonable endeavours to process your request within thirty (30) days of receipt and to inform you of the positive outcome or of any reasons preventing us from granting your request. If you do not hear from us in 30 days or if you are not happy with our response, you have a right to file a complaint with the Data Protection Authority.

You have a right to file a complaint with the Data Protection Authority, which is responsible for enforcing the data protection legislations, if you have any concerns as to how we are processing your personal data or if you are not happy with our response to your complaint or request.

HELLENIC DATA PROTECTION AUTHORITY
1-3, Kifissias Ave., 115 23, Athens
Tel.: +30-210 6475600
Fax: +30-210 6475628
Email: contact@dpa.gr
http://www.dpa.gr

Protection of your Personal Data

Your data is stored in different resources, including in a physical record, on our Website, on the Property Management System and on other computer systems (including in email applications). Your data is stored in its entirety, in the form it was submitted to us, without any interference in their content.

We have a series of technical and organisational security procedures in place to prevent any unauthorised or unlawful use of, or access to, your personal data, as well as any accidental loss or damage, modification or disclosure of your data. In addition, we only allow access to your personal information strictly on a need-to-know basis. Any third parties shall process your personal data in accordance with our instructions and shall be bound by a confidentiality obligation. Your Personal Data shall only be processed by a third party Processor only if the latter agrees to apply our technical and organisational security measures.

In case of a data security breach, we will notify you and the competent regulatory authorities, where we bear a legal obligation to that effect.

Questions, Concerns and Complaints

If you have any questions about this Privacy Policy or if you would like to complain about how we or our business partners process your data, you have a right to contact us. Our contact details are set forth in the Sections entitled Data Controller and Data Protection Officer of this Policy.

Links to Other Websites and Social Media

Our site may contain links granting you quick access to other websites or Social Networks. You should know that, once you make use of any such links, we no longer have any control over any other Sites you may be redirected to. Therefore, we may not be held responsible for the protection and confidentiality of any information you disclose during your navigation in any such websites, as these sites are not subject to this Privacy Policy. You should be extremely careful and should always review the data protection statements applicable to these Websites.

Third-party undertakings carrying out operations on our premises

There are third-party undertakings offering various services and products to you on our premises. Therefore, we may not be held responsible for the protection and confidentiality of any information you disclose to such undertakings, as the latter are not subject to this Privacy Policy. You should be extremely careful and should always review the Privacy Policies of any such undertakings.

The third-party undertakings carrying out operations on our premises are listed below:

• Rodos Cars
• Rodos Gold Vogiatzis
• Wilder Klaus, photographer

Amendments

The Hotel reserves the right to amend this Privacy Policy and any relevant policies any time without notice, in order to keep in pace with the regulatory developments and its business needs or meet the needs of the data subjects, the owners, its strategic partners or service providers. Any such changes, amendments, additions or deletions to this Privacy Policy shall replace all previous notifications and shall take effect as soon as they are publicised.

Any updates to this Policy shall be posted on the Hotel’s website (cf. address below) along with an indication of their publication date, to enable Users to keep track of updates.

You are advised to review our website regularly to familiarise yourselves with our updated privacy policy and to make sure that you agree with any changes introduced to it. You may contact us in case you need to obtain any older versions of this Policy.