PRIVACY POLICY

Introduction
This Privacy Policy applies to the processing of your personal data (hereinafter “Personal Data”), as a hotel guest or visitor of our website (hereinafter “Guest” or “Visitor” or “you”), carried out by IOANNIS HATZILAZAROU & SONS S.A. (hereinafter “Hotel” or “we” or “us”).

As a hotel guest or visitor of our website you are entitled to the protection of your Personal Data. The Hotel respects your privacy and personal data, and always complies with the Personal Data Protection Legislation. The Hotel also undertakes to act in a transparent manner, regarding the collection and use of data in the course of fulfilling its obligations.
The term “Personal Data Protection Legislation” (hereinafter “Legislation”) implies all Greek or European laws, regulations, directives, etc., regarding the processing of Personal Data, their privacy and security.

Basic, but not exclusive statutes are the General Data Protection Regulation (GDPR), the ePrivacy Directive for the protection of privacy in electronic communications, and any other Opinion or Guideline issued by the Hellenic Data Protection Authority (DPA).

It is important that you read carefully and keep this policy, which explicitly explains how and why we collect your Personal Data, what we do with them, how long we maintain them, with whom we share them, how we protect them, and your rights regarding them. This way you will always be fully aware of the ways and reasons why we use your personal data and your rights in accordance with the Legislation.

Data Controller
The Hotel, in accordance with the General Data Protection Regulation, acts as “Data Controller”. This means that the Hotel is responsible for deciding on the ways and purposes for which it collects and uses (hereinafter “processes”) your personal data.

Our contact details are:
IOANNIS HATZILAZAROU & SONS S.A.
Princess Andriana Resort & Spa
Kiotari – Southern Rhodes, Rhodes 85109, Greece
Tel.: +30 22444 40100
Fax: +30 22440 40101
Email: info@mayiaresort.com
Website: www.mayiaresort.com

Processing Authorities
In the context of complying with the Data Protection Legislation, we make every possible effort to:

• Process your Personal Data in a fair, legal, legitimate, clear, objective and transparent manner.
• Collect your data only for specified, explicit and legitimate purposes that we consider appropriate and that have been adequately explained to you. Assure you that they will not be used in any other way, except for these purposes.
• Collect and maintain the least possible data, which are appropriate, relevant and indispensable for processing purposes.
• Confirm that the data are correct and kept up-to-date and accurate.
• Retain your data for as long as we need them to fulfill every processing purpose.
• Make sure that the data are securely stored.
• Process your data in such a way so as to ensure that they will not be used unlawfully or against your will.

Legal Basis for Personal Data Processing
We process your Personal Data according to at least one of the legal bases specifically listed below:

• The processing of your Personal Data is necessary for the execution of our contract.
• Processing is based on your consent, which is given for one or more specific purposes.
• Processing is mandatory for compliance with the legislative framework that obliges the Hotel to maintain and process special categories of personal data.
• Processing is necessary for protecting your vital interests or those of another natural entity.
• Processing is necessary for the purposes of the legitimate interests sought by the Hotel or a third party, unless your interests, fundamental rights and freedoms associated to your Personal Data protection prevail.
• Processing is necessary for the performance of a duty carried out for the public interest or in the exercise of public authority entrusted to the Hotel.

Personal Data we Collect and Process
Personal Data include any information related to you as a recognizable individual. More specifically, the Personal Data we collect and process are described below:

• Data related to your identity (your first name, last name, gender, date of birth, marital status, ID or passport number, nationality, country of residence, profession, etc.)
• Contact details (address, telephone numbers or fax numbers, email address, etc.)
• Any data related to your stay (room preferences, date of arrival and departure, first and last names, dates of birth, ID or passport numbers of the people who will be staying in the room).
• Any information related to the consumption of products (food, drinks), provision of services (transfers, spa, leisure, etc.), participation in events within the hotel premises and any relevant charges and accounts.
• Financial information, such as data related to your payment method, credit card information, TIN, detailed charges and transaction history.
• Any special requests and other preferences related to your stay to satisfy any special circumstances (professional, health-related, social, leisure, religious, etc.)
• Information about your health, any allergies, nutritional preferences, etc.
• Information related to your preferences regarding the method of communication with the Hotel, e.g. for sending information mail.
• Data collected from hotel and customer security control systems, such as through CCTV.
• Health data, physician call, symptoms, medical history, personal medical data collected either by you or your relatives or friends in the event of illness, injury, accident or emergency during your stay at the Hotel.
• Data related to complaints or objections you may have submitted.
• Any details related to your level of satisfaction from our products and services, and your experience in general during your stay at the hotel.

When you use our website, we also automatically collect information, some of which may be personal data. These include details, such as language settings, IP address, location, device settings, device OS, time of use, redirection URL, etc. We may also collect data through cookies. Cookies are small files stored by a website on a visitor’s PC and to which the website has access to analyze user behavior. In detail, both the types of Cookies that exist and the type of processing that is carried out are described in the Cookies Policy.

We also use Google Analytics to analyze the use of our website. Google Analytics generates statistics and other site usage information that is used to create reports. More specifically, the types of processing that take place through Google Analytics are described in the Cookies Policy.

In case of registration and/or access via third-party systems (Social Media Login), we may collect and access specific information about the user’s profile from the corresponding social network, only for internal administrative purposes and/or for the purposes mentioned above.

We do not process minors’ data without the consent of their parent or guardian.

Processing of Special Categories of Personal Data
The General Data Protection Regulation specifies special data categories that need to be processed according to stricter procedures, such as health-related data. The processing of such data is only possible when provided to us through a request on your part (e.g. stating your allergies) or if required by applicable laws or regulations.

Personal Data Sources and Collection Method
Usually you provide your own personal data yourself; however, they may also be obtained from other sources:

• Travel agents, business associates, and third-party systems (e.g. reservations).
• From information created for you, when you use our products and services.
• From family members, associates or beneficiaries of products and services.
• From our website.
• From business partners (e.g. financial institutions, insurers), account beneficiaries or other entities that participate in the provision of our products and services.

Personal Data Processing and Collection Purpose
We process and use your personal data for one or more of the following purposes:

• To execute our contract and fulfill our contractual obligations, such as the provision and completion of a reservation, including payment handling, provision and completion of a stay, and any additional services you might request.
• To handle any requests you have submitted.
• To efficiently respond to any special requests and other preferences related to your stay and to satisfy any special circumstances (professional, health-related, social, leisure, religious, etc.).
• To protect your vital interests.
• To protect the Public Interest.
• To protect the legitimate interests of the Hotel (or of a third party), provided that Guest interest, fundamental rights and freedoms are not compromised.
• To handle any communication requests through the channels dedicated to this purpose.
• To comply with the legislative framework that obliges the Hotel to maintain and process special categories of personal data, such as compliance with legal requests from law authorities, including the police or tax authorities.
• To handle complaints, comments, incidents, illnesses, accidents, injuries or emergencies during your stay at the hotel.
• In order to be able to contact you or to contact another person in case of emergency.
• To provide personalized information, offers and services during your stay.
• For direct marketing activities, such as newsletters and promotional messages for new products and services or other promotions we believe may be of interest to you, through snail mail, email, mobile devices or social networks (with your consent).
• For direct marketing activities, such as by publishing photos and videos in electronic or printed media (with your consent).
• To evaluate the effectiveness of our promotional campaigns and advertising.
• To identify, investigate and prevent fraud and other illegal activities. For these purposes, personal data may be shared with third parties, such as law enforcement authorities, and external consultants.
• To improve visitor experience, our business operations and those of our partners, to develop new products and services and review and improve the existing ones, and for promotional activities through information provided to us by your reviews and ratings.
• For your security, protection and in order to avoid unlawful actions against you.

Some of the above processing cases overlap to some extent and all constitute legal bases and legitimate purposes, within the framework of which we process your personal data.

Your personal data will be used solely for the purposes for which they have been collected or for other purposes compatible with the initial ones. If it is necessary to use your personal data for any other purpose, you will be informed accordingly and notified of the legal basis of the processing, or even asked for your consent.

In any case, your personal data processing takes place in accordance with the principles hereof and the rules of the Personal Data Protection Legislation.

Automated Decision-Making, including Profiling
We do not make any decisions that may significantly affect you, including profiling, in an automated way (decision-making solely with the use of a computerized system).

When and How do we Share or Disclose any Personal Data Collected in Other Ways
Within the framework of its operation and in order to fulfill its contractual and legal obligations for the purposes included in this Privacy Policy, the Hotel may transmit some personal data to third parties, including credit institutions, tax authorities, accounting services providers, travel agents, suppliers, collaborating private insurance companies, doctors, lawyers, health bodies, maintenance providers, various service providers, etc. and in general any third party necessary for the fulfillment of its regulatory and legal obligations.

The transmission of data shall take place by ensuring (whenever feasible) that these third parties are processing your data with absolute confidentiality, taking all appropriate security measures for their protection, according to our policies, and do not use your personal data for their own purposes or any other purpose except those agreed upon.

Specific data may be forwarded to your relatives upon your prior consent or in case of emergency.

In addition to the above, the Hotel shall not transfer your personal data to any third party, unless it is legally obliged to do so or when it has to comply with its contractual and legal duties (tax authorities or the police, performing our audit duties).

The Hotel will not sell your personal data to third parties under any circumstances and will not allow any third parties to sell the data the Hotel has forwarded them.

We cooperate with third parties to offer you online reservation services, such as booking.com or Web Hotelier and Channel Managers. Although we provide the content to these websites and you make a reservation directly with us, reservation processing is made by third parties. The data you provide these third parties with are stored in one or more databases hosted by them. These third-party companies do not use or access your personal information for purposes other than managing reservations.

Personal Data Disclosure
We will use and disclose personal data, if we believe it is necessary or appropriate:

• To law authorities and other governmental authorities to the extent required by law or when strictly necessary to prevent, detect or prosecute criminal offenses and fraud.
• To comply with the applicable law, including laws outside your country of residence.
• To comply with the legal process.
• To respond to requests from public and state authorities, including authorities outside your country of residence, and respond to national security or law enforcement requests.
• To deal with emergencies.

International Transmission of Personal Data to Third Countries
Sometimes your personal data may be transmitted to third countries outside the EU for the purposes described in this policy. The transmission of personal data to a third country or international organization may take place if the European Commission has determined that these third countries have an adequate level of protection or appropriate safeguards and guarantees (e.g. standard contractual clauses approved by the European Commission) and provided that there are enforceable rights and effective remedies for you.

For How Long Do We Maintain Your Data
We will maintain your Personal Data for the period which is mandatory to fulfill the purposes described in this Privacy Policy, as long as they are necessary to fulfill our contractual and legal obligations, unless required or permitted by law to maintain them for a prolonged period of time or if you request their withdrawal from us, oppose or revoke your consent.

The criteria used to determine our booking periods include:
• The time period during which we have a continuous relationship with you, and we provide you with our Services
• If you have a reservation that is not yet complete
• If there is a legal obligation that forces us to maintain them (for example, some laws require us to keep your transaction records for a certain period of time before we delete them)
• Whether maintaining your data is recommended for tax and legal purposes
• For as long as we have reasonable business needs, such as managing our relationship with you and managing our operations
• For as long as someone could proceed to a legal action against us
• For time periods mandatory by legal and regulatory requirements or directives

If data collection was based on your consent, these data may be deleted at any time after your consent is revoked.

Your data may also be deleted in one of the following cases:

• when they are no longer necessary for the purposes they were collected to begin with
• when deletion is necessary to comply with our legal obligations
• at your request, provided there are no compelling legal reasons for maintaining them.

Data will be destroyed in a secure way when no longer necessary. It may be necessary for the company to retain some financial data for legitimate purposes (e.g. accounting matters).

Your Rights Regarding your Personal Data Protection
Under certain conditions set forth in the Personal Data Protection Legislation, you have the following rights regarding your personal data:

• Right to transparency information. You have the right to know who is processing your data, how they are being processed, which data these are and for what reason.
• Right to access. You have the right to access your personal data for free.
• Right to correction. You have the right to ask for the correction of any inaccurate data and to fill in any incomplete information.
• Right to deletion. You have the right to request the deletion of your personal data under certain conditions, such as when the data are no longer necessary in relation to the purposes for which they were collected, if you have revoked your consent and there is no other legal basis for processing, if the data were illegally processed, etc. The deletion may not be possible when processing is necessary for, inter alia, the Hotel’s observance of a legal obligation, to carry out a public interest duty, for the exercise of a public authority entrusted to the Hotel, for reasons of public interest associated with public health, for the establishment, exercise or support of legal claims, etc.
• Right to processing limitation. You have the right to request the limitation of the processing of your personal data when their accuracy is questioned, when the processing is illegal, when the data are no longer needed by the data controller or if you have objections to the automated processing.
• Right to data portability. You have the right to request the transfer of your data to another data controller, when this is technically feasible.
• Right to object. You have the right to object to the processing of your personal data, provided that the public interest is not compromised. The right to object to certain forms of processing of your personal data, so as not to be subject to the legal consequences of automated processing or formatting.

Moreover, in case we process your personal data based on a legitimate interest or for public interest purposes, you have the right to express your disagreement at any time regarding your personal data use, in accordance with applicable law.
If you have given your consent to the use of some of your data, you also have the unlimited right to revoke it at any time. Revoking your consent means that we will stop processing the data you previously allowed us to process. The Hotel reserves the right to determine what information it should continue to maintain, in order to fulfill its tax and legal obligations in general. There will be no consequences for the revocation of your consent, beyond the Hotel’s inability to perform this processing.

You may exercise your rights by contacting the Hotel either by sending an email to privacy@mayiaresort.com or by using the Data Subject Request Form. If you exercise any of your rights via a written request, we will make every possible effort to process your claim within thirty (30) days of receipt and we will inform you either that it has been satisfied or of the reasons that prevent its implementation. If you do not receive a response within 30 days or are not satisfied with our response, you have the right to complain to the Data Protection Authority.

You have the right to submit a complaint to the Data Protection Authority, which enforces data protection laws, if you have concerns about how the Hotel is processing your personal data or if you are dissatisfied with our response to your complaint or request.

Data Protection Authority
1-3, Kifisias Avenue, Zip Code 115 23, Athens
Tel.: +30-210 6475600
Fax: +30-210 6475628
e-mail: contact@dpa.gr
http://www.dpa.gr

The Protection of your Personal Data
Data are stored in a range of different resources, including physical files, the website, the Hotel’s Property Management System, and other IT systems (including email). Data are stored as a whole, and in the format they were submitted, without compromising their content.

We have established a series of technical and organizational security measures to prevent the unauthorized or illegal use or access of/to your personal information, accidental loss or damage to their integrity, their alteration or disclosure. Moreover, access to your personal data is limited to those who need to know on a professional level. They will only process your personal data in accordance with our instructions and are subject to a confidentiality obligation. Your Personal Data will be processed by a Third Processor only if he agrees to comply with the specific technical and organizational data security measures.

In case of a breach of data security, we will notify you and the relevant regulatory bodies we are legally obliged to.

Questions, Concerns or Complaints
If you have any questions about this Privacy Policy or if you would like to submit a complaint regarding the processing method of your personal data by the Hotel or its partners, you have the right to contact us. Our contact details can be found in the sections Data Controller and Data Protection Officer.

Links To Other Websites and Social Media
Our website may contain links to allow you to visit other websites or Social Networks. However, once you have used these links, you should be aware that we have no control over the other websites you are going to visit. Therefore, we cannot be held responsible for the protection and confidentiality of the data you are providing them with, when visiting them, and they are not governed by this Privacy Policy. You should be careful and review the privacy statement applicable to these Websites.

Third-party Businesses that Operate Within the Hotel Premises
There are third-party businesses operating within the premises of the Hotel, providing services and products to Hotel guests. We cannot be held responsible for the protection and confidentiality of the data you are providing them with, during your visit to them, and these businesses are not governed by this Privacy Policy. You should be careful and examine the Privacy Policy applicable to these businesses.

More specifically, the third-party businesses operating within the premises of the Hotel are the following:
• Opera D’arte Shopping Center
• Gioellio Jewelry
• Aegeo Spas

Amendments To This Policy
The Hotel reserves the right to modify this Privacy Policy and its related practices at any time in order to respond to any changes in the regulatory environment, business needs, or to meet the needs of the subjects, properties, strategic partners and service providers, without notice. Such changes, amendments, additions or deletions to the Privacy Policy shall replace any previous ones and shall be valid immediately after their disclosure.

Updates will be posted on the Hotel’s website at the following address and will be marked with a publication date, so you always know when the policy was last updated.

www.mayiaresort.com/privacy-policy

We encourage you to check our website frequently to see our current privacy policy and to make sure you agree with any changes made to it. For older versions, you may contact us.