Privacy Policy


The objective of SANTA SA is to provide the best possible tourist, hotel and travel services to its guests.

As a guest at the Wellness Santa Hotel, you will enjoy friendly and personalized services, deriving from the thorough knowledge and tourist education of our professionals. Our culture is built around anthropocentric hospitality and is aimed at caring for you, giving you the sense of “a home away from home”.

If you are a client of the company, you are entitled to the protection of your Personal Data. This data, as analyzed below under section 4, might be your name, your phone number, your e-mail address, as well as other data, such as your home address, your tax identification number, your ID or passport details and other identification data or special categories of data concerning you, such as your medical history or health record.

In this General Data Protection and Privacy Regulation Policy (hereinafter “this Policy” for short), we describe the type of data we collect, either from you directly or through our dealings with you, how and why we collect your Personal Data, what we do with it, who we share it with, how we protect it, the options you have concerning your Personal Data, the technical and organisational measures we take to keep it safe, and of course your relevant rights.

This Policy concerns the processing of your Personal Data within the scope of the service provision mentioned above, as well as its further processing for promotional and information purposes. This Policy includes general rules and clarifications and is a broad overview of the practices we adopt in order to ensure the protection of your Personal Data. It is also subject to regular revision, out of respect for the importance of the privacy of your Personal Data, the protection of which we set as a priority. The latest version of this Policy is available on our website. A hard copy of it can be obtained from the reception desks at our hotel. Lastly, it is executed through separate privacy policy statements. You will be notified of the need for such statements every time your Personal Data is required in relation to the above mentioned activities, for example, by our employees and/or business partners, for personal contact services, newsletters, promotions, events, etc.

At the end of this Policy you will find the definitions of some basic concepts used throughout this document and written with a capital first letter (for example, Personal Data, Processing, Data Controller, etc.).

Note that it is important for you to read this Policy carefully. In case you do not agree, you cannot make use of our services, as described below under section 1.


The Company responsible for your Personal Data processing is:

The SOCIETE ANONYME company «SANTA SOCIETE ANONYME – HOTEL COMPANIES AND TOURIST COMPANIES» with the distinctive title “SANTA SA”, based in Thessaloniki GREECE, area of N. Epivaton, on Gr. Lambraki 2, with Tax Registration number 094027915.

The terms SANTA SA, “(to) us”, “our(s)” or “we” invariably refer to the company.

This Policy is applicable to every service or operation provided by us and is either expressly mentioned or alludes to this Policy (hereinafter jointly called our “Services”) on this website, on any location on the web or online application, in any SANTA SA promotion, online and offline, for access to our Services, whether an electronic means or other device is used or not.


Personal Data is any information that concerns an identified or identifiable individual (the “data subject”). An identifiable individual is a person who can be identified, directly or indirectly, especially by reference to an identification particular, such as name, ID card number, geolocation data, an online user ID or to one or more factors that describe the physical, physiological, genetic, psychological, economic, religious, cultural or social identity of the individual in question. Personal data includes information such as email address, home address, mobile phone number, user names, personal preferences and purchasing habits, and content created by the user. It is also likely to include unique numerical identifiers, such as your IP address and cookies.


We are particularly sensitive concerning the Personal Data you entrust to us and we undertake to process it in a fair, transparent and secure way. The basic principles of SANTA SA are the following:

Lawfulness: we will collect your Personal Data in a strictly fair, lawful and transparent manner.

Data minimisation: we will minimise the collection of your Personal Data to only that directly related to and essential for the purposes for which it has been collected.

Purpose limitation: we will collect your Personal Data only for specific, clear and legitimate purposes and will not process it further in a manner that is incompatible with these purposes.

Accuracy: we will keep your Personal Data accurate and up to date.

Security and protection of data: we will put in place technical and organisational measures to ensure the appropriate level of security and protection of data, considering, among other things, the nature of your Personal Data that is being protected. Such measures ensure the prevention of any unauthorised disclosure or access, accidental or unlawful destruction, accidental loss or alteration and any other unlawful Processing.

Access and correction: we will process your Personal Data in accordance with your legal rights.

Storage limitation: we will keep your Personal Data on record in a manner that is consistent with the applicable laws and regulations concerning personal data protection and for no longer than is necessary for the purposes for which it has been collected.

Protection during international transfers: we will ensure that all your Personal Data transferred outside the European Economic Area is adequately protected.

Fail-safe security against third parties: we will ensure that access to your Personal Data by (and its transfer to) third parties will be made according to the applicable law and the appropriate standard safety procedures.

Direct marketing and cookies legitimacy: when we send you promotional material or place cookies on your computer, we will ensure that it is done according to the applicable law.


Personal Data collection purposes:

The collection of your Personal Data by us is made in order to provide the services you have requested and for the purpose of improving the provision of such services. Namely, we collect data for the following purposes:

Room reservation and other relevant services (such as keeping documents required by law or responding to requests concerning accommodation) involving your stay at the Hotel (access to a room, minibar services, phone use, etc.),

For organisational reasons (e.g. listing guests with arrivals/departures within any given day, guests with special offers),

Improving the services provided to better meet your needs, as for improved personalised services we rely on past preferences, to promote products and services that suit your needs, to inform you about our offers and services, etc.,

Informing you about offers, sending you newsletters, etc.,

Complying with the Greek and European legislation.

What Personal Data we collect

Personal Data that we are obliged to ask from you for providing our Services

Client information e.g. full name, father’s name, ID card number, phone number, home address,

Billing information e.g. TIN, credit/debit card number,

Personal details (e.g. date of birth, nationality, place of birth),

Date of arrival/departure and room number,

Preferences and interests e.g. preferred storey, non-smoking room, type of bed, cultural interests,

Medical data concerning your health, e.g. allergies, history of pathological conditions, etc.

Information such as your cultural interests, possible health issues, or whether you are a smoker or not may be considered sensitive. Therefore, we retain this kind of information only when obliged by law or following your explicit consent and only in relation to the provision of our services, e.g. a special diet request.

Information on people under 18 is limited to full name, nationality and date of birth and is provided only by a guardian.

Information that you provide

While providing our services, it is possible that you create accounts/profiles, for which we may have to ask you to provide information such as your full name or your e-mail address.

When you order a product or service, we may ask for information that is necessary for the processing of your order, such as your full name, room information, etc.,

In case you participate in one of our contests or promotions, you may be asked to give your full name, contact information, e-mail address, personal or professional interests, etc.

Information concerning your use of our Services

Good examples are:

Device information (e.g. device unique identifiers, IP address, device settings for accessing our Services, etc.),

Geolocation information (e.g. your GPS device, etc.),

Other information pertaining to your use of our services (e.g. interaction with content offered through a Service),

Cookies placed on the browser you are using when visiting our website that enable us to properly respond to, forward and route your request. In this case, we are likely to collect information regarding the browser you are using for the purposes of our system administration and for obtaining collective information on the visitors of our website. This information is collected purely for statistical reasons and does not identify individuals,

Your use of our contact forms in order to ask for further information or post a comment. This happens in relation to our investigating your request so that we can constantly improve the services we provide.

Other types of information collected

When you are using our services, we collect information as per all of the above. In addition, we are likely to obtain information about you from publicly and commercially available sources, always in accordance with what is provided by law, as well as from third party social networking services when you opt in for such services.

In any case, you have the right to refuse the provision of the information requested for all of the above when opting in to receive our services but this might affect your ability to use these services.

Legal Basis for Processing

Depending on the purpose for which your data is used, the legal basis for processing it may be:

Your consent, for the purposes of Processing (as for example, when processing special categories of data under section 9, subsection 1 of the General Data Protection Regulation E.U. 2016/679, or when we inform you about service and product offers, events organised by us, etc.). To avoid any kind of doubt, you have the right to withdraw your consent at any time.

Contract execution: we process your Personal Data when it is necessary for entering into a contract.

Legal purposes, when processing is required by law.

Our vested interest, namely:

Improvement of our services: through enhancing the quality of the services we provide and better understanding your needs and expectations, we are able to provide even better services,

Prevention of fraud incidents: to ensure that every payment is completed without any incident of fraud or appropriation,

Security of our tools: to protect the tools you are using (websites, devices, etc.) so as to ensure their proper functionality and constant improvement.

To lawfully update and correct your Personal Data at our disposal via different systems operated by us or any other recipient.

To manage your consent as mentioned above.

In case you provide Personal Data of third parties (your relatives, employees, partners, etc.), you are obliged to ensure that it has been fairly and lawfully collected and that you have the required authorisation to act in their name and on their behalf (including consenting for them), so that further processing of such data by our company is possible.

Personal Data retention period

The company, depending on the amount, the nature and the sensitivity of Personal Data, as well as the purposes for which we process it, determines the appropriate data retention period. We will retain your Personal Data only for as long as necessary in order to fulfill the purposes for which it has been collected e.g. the fulfillment of a legal obligation.

More specifically, we retain your Personal Data for ten (10) years from its collection date so that we can provide the above mentioned services. The only exceptions to the time length stated above are cases where:

the law requires that we retain your Personal Data for a longer period of time or delete it sooner, or

we may have a vested interest in raising, proving or defending legal claims relevant to the above mentioned products and/or services (e.g. liability issues arising from the provision of services, claims for wrongdoing, etc.), or

it is required for accounting, taxation or auditing purposes, or

it is required for the protection of your own vested interest, or

you exercise your right to have your Personal Data deleted (where applicable) and we are under no obligation to retain it in relation to any of the reasons allowed or required by law.

In addition, our company reserves the right to anonymise your Personal Data so that it cannot be traced back to you in order to use this information indefinitely for research or statistical purposes without further notice to you being needed.


A basic principle of ours is that we will not share your information with third parties for their own independent business or promotional purposes without your consent.

Aiming at providing you with the best possible services, we grant access to your personal data, or to part of it, to certain authorised members of our staff, namely to:

a) Our company’s employees: authorised members of our staff only

b) Business partners:

Business partners: for example, reputable companies that may use your Personal Data in order to provide services and/or send you promotional material (provided that you have given your consent for receiving such material). We request that such companies always adhere to the applicable law and to this Policy and that they pay particular attention to maintaining the confidentiality of your personal information.

Our company’s service providers: companies that provide services to our company or on its behalf for the purposes of such provision.

Advertising, marketing and promotional companies: so that they can help us achieve and analyse the effectiveness of our advertising campaigns and our promotional activities.

c) Other third parties:

When required by law or deemed legally necessary for the protection of SANTA SA:

in compliance with the law, at authorities’ requests, following court orders, in legal proceedings, for obligations relevant to reporting and submitting information to the authorities, etc.,

to confirm or impose compliance with the policies and agreements of SANTA SA and

to protect the rights, property or security of SANTA SA or its clients.

In relation to business dealings: in the context of the transfer or assignment of the whole or part of its business, or otherwise in relation to the merger, consolidation, change of management, reorganisation or liquidation of the whole or part of SANTA SA company.

Please keep in mind that the third party recipients mentioned in points b) and c) above –especially service providers that may provide products and services through the use of services or applications of SANTA SA or via their own commercial channels– may collect Personal Data from you separately. In this case, the afore-mentioned third parties shall be entirely responsible for the control and management of this Personal Data and any business you carry out with them shall be in accordance with their own terms and conditions.


Your Personal Data may be transferred to recipients outside the EEA and be processed by both us and the recipients in question. For any transfer of your Personal Data to countries outside the EEA that do not normally have the same level of data protection as the EEA, SANTA SA will take the appropriate special measures to ensure an adequate level of protection for your Personal Data. Such measures may, for example, consist in an agreement with the recipients concerning binding contractual clauses that guarantee such an adequate level of protection.

You will be clearly advised every time your Personal Data is to be transferred outside the EEA. Such information will be provided through a separate privacy notice, which will be included, for example, in certain services (including communication services), electronic newsletters, reminders, offers, invitations to events, etc.

CONDITIONS for Third-Party access to your Personal Data

A basic principle of ours is that we will not share your information with third parties for their own independent business or commercial promotion purposes without your consent.

With the aim of providing you with the best possible services, we grant access to your personal data, or to part of it, to our competent staff, and specifically:

a) To our company’s staff: to the authorised members of our staff.

b) To third-party business partners:

Business partners: for example, reputable companies that may use your Personal Data in order to provide you with the services and/or supply you with advertising material (provided that you have given your consent to receiving such material). We ask these companies to always act in accordance with the applicable laws and this Policy and to show particular diligence in maintaining the confidentiality of your personal information.

Our company’s service providers: companies that provide services to our company or on its behalf, for the purposes of providing those services.

Advertising, marketing and promotion companies: to help us achieve and analyse the effectiveness of our advertising campaigns and promotional activities.


We respect your right to privacy. Your rights to control your personal data are as follows:

Right to information: you have the right to receive clear, transparent and straightforward information as to the way we use your Personal Data, as well as of your rights per se. This is the reason why we provide the information in this Policy.

Right to access-communication of the subject with the Data Controller SANTA SA: You have the right to access the Personal Data we retain about you (without prejudice to some legal restrictions). You also have the right to communicate with the Data Controller, whose details are given below. We may charge a reasonable fee for administrative costs when asked to provide this kind of information, and evidently groundless, excessive or recurring requests may go unanswered,

Right to withdraw consent: you have the right to withdraw your consent for the processing of your Personal Data by us, when such processing requires your consent. Said withdrawal of consent does not affect the legitimacy of the processing already performed based on such consent in the time preceding its withdrawal. If you wish to object and withdraw your consent, contact us in the ways shown below,

Right to rectification of data: In case of incorrect and/or outdated/incomplete data, you have the right to ask for rectification of your Personal Data. You can correct your Personal Data either through your account, if any, or by contacting us, using the contact details given below. Note that it is important for us to keep accurate and up-to-date records of your Personal Data. Therefore, you are kindly requested to make said corrections/updates, either yourself or by contacting us in order to notify us of the need for such corrections or alterations so that we can correct and update your details.

Right to erasure of data from our records: In certain cases you are entitled to request the erasure of your Personal Data. Note that it is not an absolute right, as we may have legally sound reasons to retain your Personal Data. If you wish that we erase your Personal Data, contact us in the ways shown below,

Right to restrict processing of the data: You have the right to request the restriction of the processing of your Personal Data. If you ask us to restrict the processing of your Personal Data, we store it but we cannot use or process it any further. According to the New General Data Protection Regulation (GDPR), this right is valid in the following cases:

the accuracy of the personal data is contested by the data subject (i.e., by you) for a period that enables the data controller to verify the accuracy of your personal data,

the processing is unlawful and the data subject (i.e., you) opposes the erasure of the personal data and requests the restriction of its use instead,

the Data Controller (i.e., SANTA SA) no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims,

the data subject (i.e., you) objects to the processing while awaiting verification on whether the legitimate grounds presented by the Data Controller override those of the data subject.

Right to object to the way data is processed:

You have the right to object to receiving notifications for direct marketing purposes. In that case, you can contact us at the contact details given below.

You have the right to object to the processing of your Personal Data when this processing is based on a legitimate interest according to the above, if you believe that it affects your fundamental rights and freedoms,

Right to portability: You have the right to have Personal Data copied or migrated from our database to another. This only applies in the event of Personal Data having been provided by you and the processing is based on your consent or a contract and is automated.

Right to file a complaint: You have the right to file a complaint against the Data Controller with the Hellenic Data Protection Authority (HDPA).

In order to handle your requests according to the above, we may ask you to verify your identity.


For any queries, questions, concerns or complaints regarding the implementation of this Policy and the exercise of your rights, described in this Policy under section 7 above, contact the company by email at [email protected] or send a letter to the following address:

Thessaloniki GREECE, area of N. Epivaton, on Gr. Lambraki 2 p.o. 57019


We have implemented a series of technical and organisational security measures to protect your Personal Data against unlawful or unauthorised access or use, as well as from accidental loss or damage to its integrity. These measures have been designed taking into consideration our IT infrastructure, the possible impact on your privacy and the relevant costs, as well as in accordance with the existing standards and practices on the market.

Your Personal Data will be processed by a third party Processor only if they agree to comply with these particular technical and organisational data security measures.

Maintenance of data security means protecting the confidentiality, integrity and availability of your Personal Data:

Confidentiality: we will protect your Personal Data against unwanted disclosure to third parties.

Integrity: we will protect your Personal Data from being altered by unauthorised third parties.

Availability: we will ensure that authorised parties have access to your Personal Data on an as-needed basis.

Our data security procedures include: safe access, backup systems, monitoring, review and maintenance, security incident and business continuity management, etc.


We use cookies on our websites. This helps us offer you a better browsing experience and allows us to improve our websites.

For further information concerning our use of cookies and how you can avoid them, please refer to our cookies policy, which is available here.


The conditions contained in this Policy supplement but do not supplant any conditions existing under the current legal framework for data protection. In case of contradiction between what is mentioned in this Policy and the conditions set out by the current legal framework for data protection, the latter will prevail.

Our company reserves the right to amend this Policy at any time. When this happens, you will be notified of any changes made and will subsequently be asked to read the most recent version of our Policy.


In this Policy the following terms are interpreted as follows:

The Data Controller determines the purposes and the way in which your Personal Data is processed. Unless otherwise stated, the Data Controller is our company.

The Data Processor processes your Personal Data on behalf of the Data Controller.

EEA is the European Economic Area (i.e., the European Union member states and also Iceland, Norway and Liechtenstein).

Personal Data: See above, under section 2.

Processing is the collection, access and any type of use of your Personal Data.