At the Apostolata Island Resort and Spa we collect and process your personal data in accordance with the EU Regulation 2016/679 (GDPR) as well as the current Greek legislation on personal data protection, and we take all reasonable technical and organizational measures for their protection and preservation.
- Purpose of this Policy
This Personal Data Protection Policy concerns the Apostolata Island Resort and Spa and the personal data of individuals processed by the Company. This policy provides any individual, customer or visitor of the hotel, or visitor of our Company’s website https://www.apostolata.gr/, with concise and transparent information regarding the practices followed for the management and protection of personal data.
It concerns any transaction or series of transactions performed, with or without the use of automated means, on personal data or on sets of personal data, such as the collection, registration, organization, structure, storage, adaptation or modification, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.
The Policy is updated from time to time and may be amended whenever necessary, without prior notice, always within the applicable legal framework and in accordance with any changes in the current legislation on personal data protection. We therefore suggest that you check our website https://www.apostolata.gr/, where any posted revised version of this policy prevails over the printed version.
- Company Information (Data Controller)
Xydias Techniki S.A. (henceforth “Apostolata Island Resort and Spa” or “COMPANY” or “HOTEL”) with Tax Number: 099789185, Tax Office: F.A.E. Piraeus, Address: Skala, 28086, Kefalonia.
The term “personal data”, hereinafter referred to as “Personal Data” or “Data”, is any information concerning a specific natural person or person whose identity can be verified (e.g., name, identity number, address, etc.). Data related to health (physical or mental condition, receiving medical services, etc.) are included in the general term personal data; however, they constitute a special category of data.
- Legal Framework
Since May 2018, Regulation 2016/679, the General Regulation on the Protection of Personal Data (GDPR) of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, has been in place. At the same time, the Company applies Law No. 4624/2019 and any relevant national legislation, as applicable.
- Data Protection Measures
The company takes the appropriate technical and organizational measures to ensure compliance with the legislation for the protection of personal data of its customers, as well as the users of its website. The company also ensures, through the above measures, that access to personal data is not given to anyone other than the appropriate authorized persons, and only for the purposes of processing specified in this policy.
- Categories of Personal Data – Purposes of Processing – Legal Bases
The personal data are obtained from the data subjects either in person or through our website, or through contracted third parties and are as follows:
- Personal data related to your reservation, stay, arrival or departure, which you provide to us in person, electronically (via our website https://www.apostolata.gr/ or via email) or by phone before or during your stay in our hotel facilities:
- Identification Information (Name, Surname, Identity / Passport Information, etc.)
- Personal Characteristics (interests, habits, travel-trips, etc.)
- Information regarding your family status (marital status, etc.)
- Information related to your financial situation (VAT, tax office, bank accounts, credit cards, etc.)
- Electronic communications data (IP address, MAC address, web browser information, etc.)
- Contact details (landline / mobile phone, email, etc.)
The legal basis for the processing of the above categories of personal data is the performance of the contract between us in accordance with Article 6, par. 1(b) of the GDPR.
Regarding the data concerning your financial situation, the legal basis of the processing is additionally the compliance with a legal obligation to which our company is subject, according to Article 6, par. 1(c) of the GDPR.
- Electronic communications data (IP address, MAC address, web browser information, etc.) collected in log files during the use of our website https://www.apostolata.gr/ by its visitors and customers. The above data is collected to ensure the availability, integrity and confidentiality of information and data against accidental, illegal or malicious actions or events, to investigate any cyber-attacks and incidents and to support any relevant legal claims. The legal basis for this processing is the legitimate interest of the Data Controller, according to Article 6, par. 1(f) of the GDPR. Note: Our site is not intended to collect data from underage visitors, unless authorized by parents or guardians. However, we cannot check if a visitor is a minor. We encourage parents to participate in their children’s online activities in order to avoid the collection of data about their children without parental consent.
- Data related to electronic communications (IP address, MAC address, etc.) collected during the use of the shared wireless (Wi-Fi) network in our hotel facilities by our guests and customers. The above data is collected to ensure the availability, integrity and confidentiality of information and data against accidental, illegal or malicious actions or events, to investigate any internal network attacks and/or cyber-attacks and incidents and to support any relevant legal claims. The legal bases for this processing are the legitimate interest of the Data Controller, according to Article 6, par. 1(f) of the GDPR, as well as the performance of the contract between us in accordance with Article 6, par. 1(b) of the GDPR.
- Personal data that you provide to us in cases where you wish to plan any kind of event at our hotel facilities. The submission of your data is done at your own will and their processing is necessary in order to facilitate the performance of the contract between us in accordance with Article 6, par. 1(b) of the GDPR.
- Personal data that you willingly provide us with in order for us to respond to your requests and meet your special needs as hotel guests, in cases where you inform us about it, e.g., for any medical issue, disability or other request related to your health or diet. The legal basis for the processing of the above special categories of data (“sensitive”) regarding your health, is the explicit consent of the data subject, according to Article 9, par. 2(a) of the GDPR. You have the right to withdraw your consent at any time by contacting us in writing, a fact that however will not affect in any way the lawfulness of the processing made until the withdrawal of your consent.
- Personal data related to the provision of wellness and care services (e.g., Spa) during your stay or visit in our hotel facilities. The legal basis for the processing of the above special categories (“sensitive”) health data, is the explicit consent of the data subject, according to Article 9, par. 2(a) of the GDPR. You have the right to withdraw your consent at any time by contacting us in writing, a fact that however will not affect in any way the lawfulness of the processing made until the withdrawal of your consent.
- Your special categories of (“sensitive”) data (medical data) may be processed by our authorized personnel if you find yourself in an emergency or life-threatening situation during your stay at our hotel. The legal basis for processing is the Protection of your Vital Interests under the GDPR, Article 9, par. 2(c).
- Data contained in CVs/Resumes (identification, personal characteristics, family status, education, work, contact details, etc.) that you willingly send to us through our website or to our corporate email addresses. The provision of your personal data in the context of submitting a CV to find a job in our company takes place voluntarily on your part, as it would not be otherwise possible to assess the possibility of your recruitment. The legal basis for this processing is the explicit consent of the data subject, according to Article 6, par. 1(a) of the GDPR. Your data is kept only for this purpose and is processed by the relevant responsible Departments of our Company and its authorized personnel (i.e., Human Resources Department, Accounting Department, etc.).
- Our company processes, through a video surveillance system, image/video data of visitors and customers in our premises in Skala Kefalonia, Zip Code: 28086, aiming at the protection and safety of persons and goods, protection and safety of our customers, visitors, employees and other third parties as well as the facilities and assets of our Company. The image/video capture has a maximum file retention period of 15 days and the cameras are positioned at the hotel’s entrances, exits, cashier and critical facility areas, e.g., computer room etc. The legal basis for this processing is the legitimate interest of the Data Controller, according to Article 6, par. 1(f) of the GDPR and is carried out in accordance with Directive 1/2011 of the Greek Personal Data Protection Authority.
- Newsletter: By entering your e-mail, you agree to receive our Newsletter. Your email will be used only by our company (Data Controller) for the purpose of sending the newsletter to you, and will only be communicated to its contracted partner (Data Processor) who will be responsible for handling the Newsletters. In order to document your electronic statement of consent, as well as to serve a possible access request on your part, we keep an electronic log file. You can withdraw your consent at any time by following the link at the bottom of each Newsletter. Your email will be retained in our database, for the purpose of sending you the Newsletter, until your consent is revoked, a fact that however will not affect in any way the lawfulness of the processing made until the withdrawal of your consent. The legal basis for this processing is the explicit consent of the data subject, according to Article 6, par. 1(a) of the GDPR.
- Personal data (your contact details) that you provide to us before, after or during your stay in our hotel facilities in order to receive information messages and / or calls regarding our hotel services, in the context of promotions of our company, or in order for us to be able to invite you to our company events via email, online advertising, social media, telephone, messaging (SMS and MMS), announcements, through our call center and other media (including sending messages within the premises, such as on TV in your room). The legal basis for this processing is the explicit consent of the data subject, according to Article 6, par. 1(a) of the GDPR. You have the right to withdraw your consent at any time by contacting us in writing, a fact that however will not affect in any way the lawfulness of the processing made until the withdrawal of your consent.
- Cookies: Our website uses electronic “Cookies”. Cookies are small pieces of information sent by us to your computer (via the web browser) and stored on your hard drive to allow our website to recognize you when you visit the website again in the future. They help us improve our website and provide a better, more personalized service. Through the cookies’ implementation platform of our website, you can choose which cookies you will give your consent to. The legal basis for this processing is the explicit consent of the data subject, according to Article 6, par. 1(a) of the GDPR. You have the right to withdraw your consent at any time by contacting us in writing, a fact that however will not affect in any way the lawfulness of the processing made until the withdrawal of your consent. For more information, please see the “Cookies Policy” on our website.
- Who are the recipients of your Data?
We may disclose your personal information (in whole or in part, as required each time) indicatively to:
- All authorized persons of our Company, e.g., Legal advisers, business consultants, travel agencies, car rental companies, booking companies, external accountants, insurance companies, security technicians, etc.
- Specific persons of our Company, necessary for the selection process of candidate employees, e.g., HR Department, Accounting Department, Administration, IT Manager etc.
- External partners (car service companies, transport companies, etc.), necessary for the execution of the contract between us.
- Providers of support for these data processing systems.
- Judicial or supervisory or control authorities, within the scope of their jurisdiction.
- Third parties who have a legal interest in establishing, exercising or supporting legal claims.
In cases where your consent is required for the disclosure of your data to third parties (where they are not mentioned by law), this will be explicitly requested from you, and you have the right to revoke it at any time. In these cases, the Company assures you that it is under constant vigilance and takes all necessary security measures, so that the transfer of personal data is carried out in the safest possible way.
The Company undertakes the obligation to not trade your personal data by making it available for sale or rental by transferring or disclosing it to third parties or using it in any other way and for other purposes that might jeopardize your privacy and your rights and freedoms, unless required by law, court decision / order, administrative act or if it is a contractual obligation necessary for the smooth operation of the Company’s website and the performance of its functions.
Your personal data may be transferred to partners, or third parties, who are required to comply with the terms of this Policy and are committed to maintaining its confidentiality, and who act on behalf of the Company for further processing in order to provide services (e.g., data management, technical support etc.). These third parties have contractually agreed with the Company, that they will use the personal data only for the legal agreed purposes, and will not transmit personal information to third parties, as well as will not disclose it to third parties unless required by law.
- Social Networks
Any posts or comments you send to the Social Networks of our hotel (for example, on our Facebook page), will be transmitted according to the terms of the relevant social networking platform (e.g., Facebook / Instagram).
Other organizations, not us, control these platforms. We are not responsible for this disclosure of your personal information. We encourage you to review the terms and privacy policies of your social networking platforms. This way, you will understand how your information is used or shared, and how to prevent it if you are not satisfied with it.
- How do we ensure that the Data Processors respect your Personal Data?
The Data Processors have agreed and are contractually committed with the Company to:
- preserve the data confidentiality,
- not send data to third parties without the permission of the Company,
- take the appropriate security measures,
- comply with the legal framework for the protection of personal data and in particular the GDPR Regulation.
- Do we send your Data outside the EU?
We do not send your data to third parties outside the European Union (EU). Your Personal Data is stored and processed only within the EU.
- How long do we store your Data for and when do we delete it?
The data provided by you will be kept / stored by us only for the period of time required for the fulfillment of the purpose for which you have communicated your data to us and in accordance with the applicable legal provisions. More specifically:
- The Data Controller is entitled by the current legislation (Article 937 – Civil Code – Limitation) to keep the data concerning his clients, for twenty (20) years.
- The Data Controller is entitled by the current legislation (L. 4174/2013, as amended by Article 32 par. 2 of L. 4646/2019 and in force) to keep the details of the financial transactions with his customers, for a period of ten (10) years from the end of the year in which the deadline for submission of the tax declaration or the last tax declaration expires in case more than one declaration is foreseen.
- If you have given us your permission to use your special categories of data (e.g., health related data), we will retain this data until you notify us of something different and / or withdraw your consent, a fact that however will not affect in any way the lawfulness of the processing made until the withdrawal of your consent.
- If you have given us your permission to use your data for direct marketing reasons (e.g., newsletter), we will retain this data until you notify us of something different and / or withdraw your consent, a fact that however will not affect in any way the lawfulness of the processing made until the withdrawal of your consent.
- Your personal data which is contained in the CV/Resume that you send us, will be kept in the database of our company for 12 (twelve) months. They will be used solely for the purpose of sending you updates on new available jobs at our hotel, and will not be transmitted or notified to any third party. In case you do not consent to the preservation of your CV in the database of our company for 12 months, you have the right to request its deletion, forwarding your wish to the e-mail [email protected]
- Data that are collected by the Cookies are retained and deleted according to our Cookies Policy, which can be found at https://www.apostolata.gr/.
- The image/video data captured by our CCTV system of visitors and customers at our hotel in Skala Kefalonia, ZIP Code: 28086, has a maximum file retention period of 15 days. In the event that during this period we identify an incident, we isolate part of the video and keep it for another (1) month, in order to investigate the incident and initiate legal proceedings to defend our legal interests, while if the incident concerns third parties, we will keep the video for up to three (3) more months.
- The data of electronic communications concerning the use of our website by you (log files) as well as the data concerning the use of the shared wireless network (Wi-Fi) in our hotel facilities, are kept for a period of 12 months, unless there is a need for further investigation or legal claim, in which case they are retained for the period of time required for those purposes.
- Do we use automated decision making / including profiling when processing your Data?
We do not make decisions, nor do we make profiles, based on automated processing of your Data.
- Is your Data safe?
We are committed to safeguarding your Personal Data. We have taken the appropriate organizational and technical measures to secure and protect your Data from any form of accidental or improper processing.
We use an electronic security certificate (SSL – Secure Sockets Layer) to ensure the secure exchange of data between the website and your browser. These measures shall be reviewed and amended as necessary.
Any kind of processing of your Data is allowed only to persons authorized by us, our employees and associates exclusively for the above-mentioned purposes.
- What are your rights as a data subject and can you exercise them?
Regarding your personal data, you have the option of exercising the following rights: right of access, right of rectification, right of deletion, right of limitation of processing, right of data portability and right to object, by submitting a written request in person at the Apostolata Island Resort and Spa premises or by sending the request by post, or email with your authenticated signature. Apostolata Island Resort and Spa will respond to your request free of charge, without delay and in any case within one month of receipt of the request, except in exceptional circumstances, when that deadline can be extended by a further two months if necessary, taking into account the complexity of the request and the number of requests. We will inform you of any extension within one month of receipt of the request, as well as of the reasons for the delay. If it is not possible to meet your request, we will notify you of the reasons without delay and at the latest within one month of receipt of the request. This information is in principle provided free of charge by the Company, provided that the request for notification and information is not exercised repeatedly or excessively and/or is not clearly unjustified.
Finally, you have the option to file a complaint to the Hellenic Data Protection Authority (HDPA): www.dpa.gr. (Postal address: 1-3 Kifissias, Zip Code: 115 23, Athens, tel. 2106475600, e-mail address: [email protected]).
- How can you exercise your rights?
If you wish to contact us for any issue related to the processing of your Data and the exercise of your rights, you can contact the Data Protection Officer (DPO) of the company: MILTIADIS KLONARIS, Address: 41 Solonos street, 106 72, Athens, Greece, Phone: (30) 2103604021, Fax: (30) 2103605208, E-mail: [email protected]