NOTIFICATION TO CLIENTS AND PROSPECTIVE CLIENTS OF “PATMOS AKTIS SINGLE MEMBER S.A.” (hereinafter “We”)
(a) What this Privacy Notice covers
We take the issue of safeguarding your privacy seriously. Therefore, to the extent applicable, we gather, store and process personal data in accordance with the General Data Protection Regulation 2016/679 (GDPR), as well as any local legislation on GDPR (jointly the “Data Protection Legislation”). This Privacy Notice provides an overview to how we do this in the context of our services.
This Privacy Notice applies to all of our clients and prospective clients (“you”) and covers Personal Data that is held electronically and also applies to paper-based filling systems.
(b) Explanation of terms used in this Privacy Notice
Personal Data means information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Special Category Personal Data means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
2. Information and Data Security
It is our policy to protect your right to privacy. We will take all reasonable steps to ensure that adequate technical and operational security measures, confidentiality obligations and compliance procedures are in place to prevent inappropriate access to, disclosure, alteration or deletion of, Personal Data.
In addition, we limit access to your Personal Data to those employees, agents and contractors who have a business need to know. Our agents and contractors will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
In respect of our communication via e-mail, we have taken all appropriate technical and organizational measures for the safe transfer of information and we use reasonable endeavors to mitigate the risks of viruses or errors during such transfer. Nonetheless, it is important to note that there is an inherent risk in the transfer of information via e-mail. Therefore, please be aware of this when requesting or sending information to us by e-mail. We recommend you not to include confidential information (e.g., credit card information) when using e-mail.
Finally, to be prudent, ensure that you always close your browsers when you are done using our online reservation form. Although the session will terminate after a short period of inactivity, it is best to close your browsers immediately upon completion, especially when using a public computer.
3. Types of Personal Data collected
In the course of providing services to you, we may process Personal Data and Special Category Personal Data. This typically includes the following information relating to you:
- Personal contract details such as name, surname, father’s name, title, home address, zip/ postal code, phone number and personal email address.
- Date of birth and place of birth.
- Marital status, dependents (name and age) and relations.
- Copies of identification documents, such as ID cards, passports and driving licenses and information regarding the relevant issuance authority.
- Nationality and country of residence.
- Financial information, such as your credit card details and transaction history.
- Special categories of personal data where disclosed and relevant to the provision of our services, such as health information (e.g., disabilities, allergies), religious or philosophical beliefs, political opinions, and, to the extent legally possible, information relating to criminal convictions or offences.
- Technical information, such as information about the device you use to interact with us (including the unique device identifier, hardware model and operating).
- Correspondence (e.g., when you contact us, send us an enquiry or make a request relating to the provision of our services).
- Preferences – such as special requests, service issues and other preferences for your stay.
- Data related to the services provided to you by us (including your arrival to and your departure from our hotels).
- Your signature.
4. Sources of Personal Data
We collect your Personal Data when you provide it to us, or interact with us directly, for example:
- When you make a reservation online by contacting the reservation office of our hotels.
- When you make a reservation by using our online booking platform/ booking application form.
- When you create a profile, in the case of our mobile application.
- When information is created as a result of generally providing services to you.
We also receive your Personal Data from other sources, such as business parties, travel agencies/ agents/ offices and publicly available sources.
5. How we use Personal Data
We are a data controller which means that we are responsible for deciding how we hold and use Personal Data about you. We may use your Personal Data before, during and after our relationship ends with you.
(a) Legal basis for using your Personal Data
We will only use your Personal Data when the law allows us to. Most commonly and depending on the situation in which we will use your Personal Data (see paragraph b below), we will use your Personal Data in the following circumstances:
- Where we need to perform the agreement we have entered into with you or in order to take steps at your request prior to entering into any such agreement.
- Where we need to comply with a legal and regulatory obligation.
- here it is necessary for our legitimate interests (or those or a third party) and your interests and fundamental rights do not override those interests (e.g. using your personal information helps us to operate and improve our business and minimize any disruption to the services that we may offer to you).
We may also use your Personal Data in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest.
- Where you have given your consent.
(b) Situations in which we will use your Personal Data
The situations in which we will process your Personal Data are listed below.
- To confirm and verify your identity regarding your reservation request.
- To provide our services to you.
- For billing/ invoicing purposes in relation to your stay with us.
- To charge your credit card, where authorised, in light of your booking request.
- To carry out business, operational and administrative activities, including record keeping and audits.
- To contact you in relation to matters that arise from your stay with us.
- To comply with any applicable laws and regulations.
- To comply with the request or requirement of any court of any relevant jurisdiction or any relevant tribunal, mediator, arbitrator, ombudsman, taxation authority or regulatory or governmental authority.
- For use in connection with any legal proceedings or regulatory action (including prospective legal proceedings/ regulatory action) and for obtaining legal advice or for establishing, exercising or defending legal rights.
- To give you information and marketing (by post, telephone, email) about events, products and services offered by us which we believe may be of interest to you.
- To conduct surveys or focus groups to receive your views of our services.
- To operate our business, including for internal purposes such as auditing, data analysis, statistical and research purposes and troubleshooting to help us improve our services.
(c) If you fail to provide Personal Data
If you fail to provide certain information when requested, we may not be able to confirm your reservation request/ perform the agreement we have entered into with you, or we may be prevented from complying with our legal obligations.
6. Recipients of your Personal Data
We (and those parties to whom Personal Data is disclosed) may disclose Personal Data in the situations described above:
- To third parties who provide services to us or that act as our agents (or prospective third party service providers or prospective agents). Such service providers and/ or agents may also disclose such information to their service providers or agents. We will take all reasonable steps to ensure that the service provider or agent is subject to appropriate data processing requirements and that they impose such requirements on any of their service providers or agents.
- To our professional advisors and auditors.
- To any court of any relevant jurisdiction or any relevant tribunal, mediator, arbitrator, ombudsman, taxation authority or regulatory or governmental authority.
- To public authorities, regulators or governmental bodies, when required by law or regulation.
- Otherwise, if you consent to such disclosure.
7. Overseas transfers
The Recipients referred to in section 6 above can be located outside the European Economic Area. In those cases, except where the relevant country has been determined by the European Commission to provide an adequate level of protection (currently Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay and Japan), we require such recipients to comply with appropriate measures designed to protect personal data.
8. Retention of Personal Data
We will retain Personal Data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory, accounting, reporting or internal policy requirements. To determine the appropriate retention period for Personal Data, we consider the applicable legal requirements, as well as the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means.
9. Your rights and duties
(a) Your duty to inform us of changes
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if the Personal Data you provided to us has changed by the time of your arrival in our premises.
(b) Your rights in connection with Personal Data
Under certain circumstances, by law you have the right to:
- Request access to your Persona Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us to continue its processing. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes by writing to the email address mentioned below or using any opt-out facility specified by us in the relevant marketing communication.
- Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your Personal Data to another party (also known as “data portability”).
- Where we process your personal data on the basis of your consent, withdraw that consent at any time. Please also note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- In certain circumstances, request not to be subject to automated decision-making, including profiling.
If you want to exercise your rights, as per above, please contact us at firstname.lastname@example.org.
Finally, you have the right to lodge a complaint with the competent Data Protection Authority (for Greece: www.dpa.gr).
(c) Queries relating to the processing of your Personal Data
If you have a query regarding the processing of your Personal Data please contact us at email@example.com.
10. Changes to this Privacy Notice