Personal Data Protection and Compliance with the General Data Protection Regulation ( GDPR )
This document is the property of Kappa Resort and may not be republished in whole or in part without the permission of the company.
|Date||Version||Author sector s||Description / Changes|
|08.03.2021||1.0||Maria Iakovidou||Original Edition|
TABLE OF CONTENTS
- Consent. 25
- Access to personal data. 26
- Right of correction, deletion, processing restriction, portability, objection and termination. 27
- Disclaimer for third party websites. 32
- Commercial communication – Newsletter. 32
- Repetitive marketing. 34
- Personal data breach. 34
- Contact the controller. 35
The Company attaches special importance and fully respects the confidentiality and confidentiality of personal data processed in the context of the provision of its services. For this reason, it has invested time and resources in full compliance with the current national, European and international legal framework and in particular with the General Data Protection Regulation 679/2016 of the European Union (hereinafter “GCC”), which entered into implementation in May 2018.
Responsible for the processing of personal data is the limited liability company with the name “CONSTRUCTION COMPANY OF THESSALONIKI EE”, which is based in Thessaloniki, 20 M. Botsari Street, PC 54643, with TIN. 084276844 – Δ.Ο.Υ. Thessaloniki, with no. Γ.Ε.ΜΗ. 41979806000, tel. +30 2310 825385, email. email@example.com, and is legally represented (hereinafter “Company”). The Company maintains the hotel “Kappa Resort” in Paliouri, Halkidiki, PC 63085, tel. +30 23743 00713, email. firstname.lastname@example.org.
The Company adheres to the following fundamental principles of personal data protection, the observance of which is required by the GCP:
- Legality, objectivity and transparency – Personal data is processed lawfully and transparently in a transparent manner in relation to the data subject.
- Restriction of purpose – Personal data are collected for specified, express and lawful purposes and are not further processed in a manner incompatible with those purposes; further processing for scientific research or statistical purposes is not considered incompatible with the original purposes according to Article 89 (1) of the GIP.
- Data minimization – Personal data is appropriate, relevant and limited to what is necessary for the purposes for which it is processed.
- Data accuracy – Personal data is accurate and, where necessary, updated; all reasonable steps are taken to promptly delete or correct personal data that is inaccurate in relation to the purposes of the processing.
- Limitation of the storage period – Personal data is kept in a format that allows the identification of data subjects only for the period required for their processing purposes; personal data can be stored for longer periods, as long as the personal data will be are processed only for the purposes of scientific research or for statistical purposes, in accordance with Article 89 (1) and provided that the appropriate technical and organizational measures required by the GCC are taken to ensure the data subject ‘s rights and freedoms.
- Integrity and confidentiality – Personal data is processed in a way that guarantees its appropriate security, including protection against unauthorized or illegal processing and accidental loss, destruction or deterioration, using appropriate technical or organizational measures.
- Accountability – The controller is responsible and able to demonstrate compliance with the above principles.
- The processing of personal data, including the transmission to third parties, shall be carried out only in accordance with Articles 6 and 9 of the GIP.
- The processing of data is carried out with respect to the rights of information, access and opposition of the subjects.
- The processing of personal data is confidential and is carried out by persons who are committed to maintaining confidentiality.
Personal data means any information concerning an identified or identifiable natural person. An identifiable natural person is one whose identity can be verified directly or indirectly, in particular by reference to an identifier such as name, address, ID number, credit card number, bank account information, social security number, etc. and / or to a or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Genetic data, biometrics and health data are specific (sensitive) data categories and require increased protection.
The nature of the Company’s activity is such that every day it comes in contact with a variety of personal data of customers, visitors, staff, partners – suppliers, website visitors, recipients of electronic communications, etc.
Personal data does not include any information that, on its own, cannot identify a person as a specific person or entity (eg anonymous information), as well as data collected for statistical purposes.
The personal data of the data subjects are collected either by the subjects themselves or by authorized employees of the Company per department, for the sole purpose of providing the respective service.
The personal data of the subject is processed in the following cases:
- For the provision of services.
- For information about the services provided.
- For booking management.
- For the management of human resource management issues, regarding the staff employed by the Company, regardless of employment relationship and specialty (recruitment, dismissals – resignations, salaries, evaluations, corporate communications, etc.).
- For the smooth cooperation of the Company with its associates.
- To manage issues of cooperation with suppliers of products and services and other partners, through relevant contracts or additional acts.
- To respond to requests from auditing authorities and to manage statutory requirements and audits.
- To manage visitor complaints.
- For the management of ancillary services such as access, security, entry control at the Kappa Resort, including CCTV for the protection of persons and property.
- To inform the public about the services offered by Kappa Resort, through the organization of information events, through electronic media including social media as well as through other activities of all kinds.
- To promote Kappa Resort public relations (corporate social responsibility actions, sponsorships, etc.).
- For handling legal issues (through the legal service).
- For the management of accounting and tax services.
- When the subject communicates with Kappa Resort directly, through the website or through ads he has posted on other websites or in the press, for a job posting his CV.
The Company requests the data subjects to help it to keep their information up to date and accurate, informing it of any changes in their personal data.
More details regarding the processing of personal data through the website maintained by the Company:
and e) in general the improvement of the services provided by the controller. Your personal data may not be used by any third party, except as provided by law and this.
The Company collects and processes information that is considered personal data and other information that is not considered. Information that can not identify someone as a specific person is used without restriction and can be provided to third parties at its discretion.
The Company’s website is not intended for children or minors. If personal data of persons under the age of 18 are processed, without the valid consent of their parents or legal guardian, the Company reserves the right to delete the data it has acquired.
Unless required by law, the Company will not obtain the user’s consent before collecting personal data from third parties. Instead, it will be assumed that the user has previously provided such consent to any third party from whom the Company obtains such information.
More details on the processing of personal data through the video surveillance system installed by the Company:
Kappa Resort systematically and on a large scale processing of simple as well as special category of personal data for the observation or control of the movements or the location / geographical location in real or not time of identified or identifiable natural persons, using data collected through video surveillance system located in a private area, ie inside and outside the Kappa Resort, accessible to an unlimited number of people.
The legal bases for the processing of personal data are mentioned in articles 6 par. 1 and 9 of the GCP.
The Company processes personal data, in particular, under the following legal bases:
- Consent (art. 6 § 1 case a ‘GKPD)
- Execution of contract (art. 6 § 1 case b ‘GPD)
- Compliance with a legal obligation (art. 6 § 1 para. C ‘GKPD)
- Safeguarding our legal interests (art. 6 § 1 case d ‘GKPD)
- Execution of obligations in the field of labor law and social security and social protection (art. 9 § 2 par.
- Establishment, support or exercise of legal claims (art. 9 § 2 approx. In GKPD).
Indicatively, the personal data collected by the Company and are subject to processing include the necessary data for a customer visit, booking management, hiring an employee, cooperation with supplier – subcontractor – other partners, the electronic sending of a newsletter / newsletter to third parties, the operation of the CCTV closed circuit for reasons of protection of persons and goods and so on.
In the case of customers – either by their physical presence upon arrival at Kappa Resort or via online booking platforms or by email or telephone – contact information (eg name, address, telephone number, email) and business status are collected ( eg occupation), nationality, police ID or passport number, date of arrival and departure and number of visitors. Payment processing information (eg bank account or credit card) is also collected.
In the case of visitors to the Company’s website, information is collected from the use of the Company’s website and all types of digital platforms that the Company uses or may use in the future, in order to inform third parties about the services it provides. In particular, technical information that constitutes personal data, such as the Internet Protocol address of the visitor’s device, may be collected. This technical information is used for the smooth operation and performance of the website and electronic services, and is not permanently stored in the Company’s infrastructure, while the data is kept in a centralized form, so that it is not possible to identify users as much as possible.
More details regarding the processing of personal data through the website maintained by the Company:
When the user browses the website, the Company does not collect or process sensitive personal data e.g. health data, genetic or biometric data, data revealing sexual life, sexual orientation, racial or ethnic origin, political beliefs, religious or philosophical views or membership in a trade union.
The IP (Internet Protocol) address is being collected. An IP address is a number given to a user’s computer when using the Internet.
More details on the processing of personal data through the video surveillance system installed by the Company:
The Company processes a special category of personal data and specific image data of individuals that circulate inside and outside its premises. It also processes vehicle registration numbers. The video surveillance system does not process audio data or other categories of personal data.
- Hotel customers
- Hotel guests
- Prospective customers
- Third parties
In particular, the transfer of personal data is made solely on the basis of the legal bases of Article 6 of the GBER for simple personal data or Article 9 of the GBER for specific categories of personal data (sensitive).
The Company undertakes not to use the personal data of the data subjects for purposes other than those collected and will not disclose / disclose them to third parties without a legal basis for processing in accordance with the GCP.
The Company restricts the access of the data of the subjects only to the persons who are necessary to use them for a specific purpose.
Recipients of the personal data processed by the Company may be the following:
- Employees or associates who may process personal data under the instructions of the Company.
- Collaborating companies within their responsibilities.
- Any competent supervisory authority.
- Any public or judicial authority, if required by law or court order.
In more detail regarding the processing of personal data through the video surveillance system installed by the Company, the kept material is accessible only by the competent / authorized personnel of the Company who is in charge of the security of the space. This material shall not be transmitted to third parties, except in the following cases: (a) to the competent judicial, prosecutorial and police authorities when it contains information necessary for the investigation of a criminal offense involving persons or property of the controller; competent judicial, prosecutorial and police authorities when requesting data, lawfully, in the performance of their duties, and (c) to the victim or perpetrator of a crime, in the case of data which may constitute evidence of the act.
The personal data processed by the Company will be used exclusively for the specified, explicit, specific and legal purposes explained above and not in a manner incompatible with them. In addition, the collection of data is limited to those that are appropriate, relevant and necessary for these purposes.
The purpose of processing the image data and vehicle registration numbers of the subjects through the video surveillance system is to protect the persons and material goods located inside and outside the Kappa Resort as well as to prevent the commission of illegal acts.
The Company keeps the personal data and other information for as long as required by the respective processing purpose or the current legislation, according to the specific information provided separately in each category of data subject.
For clients in particular, the retention period of their personal data is 10 years, unless legal proceedings are pending, in which case their retention period is extended until an irrevocable court decision is issued.
Regarding the processing of personal data through the video surveillance system installed by the Company, the data from the cameras are kept for seven (7) days. In the event that an incident is detected during this period, part of the video is isolated and kept for up to one (1) month, in order to investigate the incident and initiate legal proceedings to defend the legal interests of the Company, while if the incident concerns third, the video will be kept for up to three (3) more months.
When the Company no longer needs the personal data of the subject, it will destroy, delete or anonymize the information without prior notice to it.
Especially for the data that the Company processes based on the consent of the subject (eg for marketing purposes), these are kept from obtaining the relevant consent and until it is revoked.
The following is a table of personal data retention periods:
|Α / Α||Data – Personal Data||Data Retention Period|
|1||Customer / reservation details||10 years. In case of legal claims, the data are kept until the issuance of an irrevocable court decision.|
|2||Recruitment data||5 years after the end of the contract. In case of legal claims, the data are kept until the issuance of an irrevocable court decision.|
|3||Payroll information||They are not deleted.|
|4||Data for fulfillment of tax obligations||They are not deleted.|
|5||Data for fulfillment of employer / insurance obligations||They are not deleted.|
|6||Details of candidate staff||6 months.|
|7||Details of Service Invoices / Receipts of Service||10 years.|
|8||Data collected by video surveillance system||7 days.|
|9||Details for sending email – newsletter||5 years.|
|10||Email details||5 years.|
|11||Data from contract file||5 years from the expiration of the contract.|
|12||Data from a complaint file||1 year.|
|13||Data for managing SDAP documents and files||5 years.|
|14||Information for managing / keeping a file of information resources||They are not deleted.|
|15||Data for access control||5 years.|
|16||Details for keeping a key file||5 years.|
|17||Information for keeping a log of tasks in the computer room||5 years.|
|18||Details for keeping a record of suppliers||20 years.|
|19||Data for data recovery process||5 years.|
|20||Data for business continuity management||5 years.|
|21||Information security information management||5 years.|
Personal data are processed within the European Economic Area (EEA).
In the event that an investigation is required for the provision of services outside the E.O.X. then this is done with the explicit consent of the subject (Article 49 § 4 GCC).
In more detail regarding the processing of personal data through the video surveillance system installed by the Company, the data is not transmitted to third parties, third countries or international organizations.
The Company makes every effort to protect the personal data of the data subjects it processes, both in terms of confidentiality / confidentiality of information, as well as in terms of their integrity (not to be altered, not to be accidentally damaged, etc. .). Ensures that personal data is processed securely, adhering to policies and procedures in accordance with the purposes of the processing.
In general, the Company, as the person responsible for the processing of personal data, taking into account the available technology and application costs, the nature, scope, scope and purposes of the processing, as well as the severity and probability of the risks posed by the processing for the rights and freedoms of individuals, implement appropriate technical and organizational measures to ensure the appropriate level of security for personal data. The Company, in cases it deems appropriate and effective, applies the technical and organizational measures of pseudonymization and encryption.
Indicatively, the Company observes the following security measures:
- Access to personal data is limited to a limited number of authorized persons for specific purposes.
- The Company’s staff that has access to personal data is committed to the Company to maintain confidentiality and confidentiality for any information that comes to its notice or is disclosed to it by the customer or third parties (partners, suppliers, etc.).
- Special categories of personal data are stored on computers and information systems with authorized access. Also, when kept in hard copy, they are locked in cabinets with access only to authorized persons.
- The Company selects reliable partners, who are bound in writing in accordance with article 28 of the GCP with the same obligations regarding the protection of personal data. The Company reserves the right to control them.
- Computer systems used to process data are technically isolated from other systems to prevent unauthorized access, for example through hacking.
- Access to these computer systems is monitored on a permanent basis in order to detect and prevent illegal use at an early stage.
- The website maintained by the Company uses HTTPS protocol.
- Personal data is stored on encrypted and with server security protocols (server) and is accessible only by the Company, and only when necessary, e.g. to manage the subject’s requests.
The subject should also treat all information provided to the Company as confidential and personal and not disclose it to third parties. In addition, it is his sole responsibility to restrict or block access to his computer and browser.
The management of sensitive personal data of data subjects (especially the health data of employees and / or customers) is done with great care and discretion by the Company’s staff. In particular, the following have been pointed out to staff:
- The personal data of employees and / or customers must be handled with absolute discretion.
- Staff must be very careful when handling documents containing customer data.
- Staff should be very careful when handling a computer – when moving away from the computer, care should be taken to lock it.
- Computer passwords are strictly personal and staff should not share them with anyone.
- When staff become aware that a third party has gained unauthorized access to patient data they should inform the General Manager.
- When staff have any doubts about the proper management of customers’ personal data they should inform the General Manager.
Cookies are used to collect information, exclusively for the effective operation of the website www.kapparesort.com and to improve the online experience of users. Website users can click on the corresponding option to continue or to see detailed descriptions of cookies and choose whether to accept certain cookies or not. If they do not accept cookies, they may not be able to use some features of our website.
Cookies are pieces of information, which in the form of a very small alphanumeric text, are stored on the user’s computer, after his own approval, helping the most efficient operation of the website. Cookies in no case cause damage to users’ computers or to the files stored on them.
Most web browsers automatically accept and collect cookies. However, the user can make the appropriate settings so that the web browser accepts all cookies or rejects all cookies or notifies him when a cookie has been set. Depending on the security settings of the user’s web browser, he may be able to reject all cookies. If it rejects all cookies, it may not be able to use our website. More information on how the user will modify their browser settings or how to block or manage cookies can be found at www.allaboutcookies.org.
- For statistical purposes, the Company uses Google Analytics cookies, in order to understand how users visit and browse its website and to identify the areas in which improvement is required, e.g. navigation. The collected data is processed in a way that the user cannot be identified (anonymized IP address). Google Inc. discloses this information to third parties only to the extent required by law. To opt-out of Google Analytics you can visit the Google Analytics Opt-out Browser Add-on .
More information about the cookies used and the purposes for which the Company uses them can be found in the table below:
|_ga||Google Analytics||Analysis / Performance||Google Analytics|
|_gid||Google Analytics||Analysis / Performance||Google Analytics|
|_fbp||Facebook Pixel||Marketing / Tracking||Saves and tracks visits between web pages.|
|CultureLanguage = en-Us||reserve-online.net||Reservations||abouthotelier.com|
For the safe navigation of the website, the Company complies with the European Directive 2002/58 / EC on the protection of personal data and privacy in the field of electronic communications, as amended by the European Directive 2009/136 / EC.
The Company can obtain personal information about the subject from different sources or by different methods. For each source or method, the method of consent may differ.
The subject can revoke his consent at any time by sending an email to email@example.com, without prejudice to the legality of the processing based on the consent before its revocation.
The subject has the right to receive confirmation from the Company as to whether or not his personal data is being processed and, if this is the case, he has the right to access his personal data, as well as a) the purposes of the processing, b) the relevant categories of personal data, the recipients or any categories of recipients to whom the personal data have been disclosed or will be disclosed; (c) if possible, the period for which the personal data will be stored or, where impossible, the criteria (d) the existence of a right of request to the controller for the correction or deletion of personal data or a restriction on the processing of personal data or a right of objection to such processing;(f) the right to lodge a complaint with a supervisory authority; (g) where personal data are not collected by the subject, any available information about their origin; as well as the significance and intended consequences of such treatment for the subject.
The subject may request the Company to provide him with a copy of his personal data being processed. For additional copies that may be requested, a fee of fifteen (15) Euros is provided.
Any request for access to information should be addressed to the Company at firstname.lastname@example.org. Each request submitted must be accompanied by the identity of the data subject and contain the necessary information. The Company may request the provision of additional methods to confirm the identity of the data subject.
The Company will respond to the request of the subject within a period of one (1) month. This time limit may be extended by a further two months, if necessary, taking into account the complexity of the request and the number of requests. The subject will be informed of this extension within one month of receipt of the request, as well as of the reasons for the delay. If the subject submits the request by electronic means, the information is provided, if possible, by electronic means, unless the subject requests otherwise. If the Company does not act on the request of the subject, the latter will be informed, without delay and no later than one month from the receipt of the request,
The Company has undertaken the obligation to ensure the observance of the confidentiality of the personal data of the subject and to ensure the exercise by him of the rights of access, correction, deletion, restriction, portability and objection, by sending an email to info @ kapparesort. com. Each request submitted must be accompanied by the identity of the data subject and contain the necessary information. The Company may request the provision of additional methods to confirm the identity of the data subject.
The Company will examine your request without delay and will respond to you within one (1) month of receipt of the request. This time limit may be extended by a further two months, if necessary, taking into account the complexity of the request and the number of requests. The subject will be informed of this extension within one month of receipt of the request, as well as of the reasons for the delay. If the subject submits the request by electronic means, the information is provided, if possible, by electronic means, unless the subject requests otherwise. If the Company does not act on the request of the subject, the latter will be informed, without delay and no later than one month from the receipt of the request,
The subject has the right to request from the Company the correction, without undue delay, of inaccurate personal data concerning him. Having regard to the purposes of the processing, it has the right to request the completion of incomplete personal data, including through a supplementary declaration.
to which the controller is subject; (f) personal data have been collected in connection with the provision of information society services. Requests for deletion of personal data are processed within a period of one (1) month. In case of disclosure of personal data, the Company, taking into account the available technology and implementation costs, takes reasonable measures, including technical measures, to inform the processors who process personal data, that the data subject has requested the deletion by those responsible for processing any links to such data or copies or reproductions of such personal data. Note that,
(d) the data subject has objections to the processing in accordance with Article 21 (1) of the GIP, pending verification as to whether the legitimate reason of the controller overrides the data subject’s reason. When processing is restricted, such personal data, other than storage, shall be processed only with the consent of the data subject or for the establishment, exercise or support of legal claims or for the protection of the rights of another natural or legal person or for reasons in the public interest of the Union or a Member State.
The subject has the right to receive the personal data concerning him / her, which he / she has provided to a controller, in a structured, commonly used and machine-readable format, as well as the right to transfer this data to another controller without objection by the controller to whom the personal data was provided, where: (a) the processing is based on consent in accordance with Article 6 (1) (a) of the GIP or Article 9 (2) (a) of the GIP or a contract in accordance with 6 (1) (b) GCC and (b) the processing is carried out by automated means.
The subject has the right to oppose, at any time and for reasons related to his particular situation, the processing of personal data concerning him, which is based on Article 6 (1) (e) or the GCC, including training profiles under these provisions. The controller shall no longer process personal data unless the controller demonstrates compelling and lawful reasons for the processing which outweigh the interests, rights and freedoms of the data subject or to the establishment, exercise or legal support of the data controller. claims.
The subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he has his habitual residence or place of work or the place of the alleged infringement, if he considers that the processing of his personal data infringes 679/2016 (GDPR). In Greece, the competent supervisory authority is the Personal Data Protection Authority (Kifissias 1-3, PC 115 23, Athens, tel. +30 2106475600, fax +30 2106475628, email: email@example.com).
Links to third party websites. When a user visits the Company’s website, they may be redirected to third party websites that are not under its control. These links make it easy to use the internet. The Company assumes absolutely no responsibility for the privacy policies and practices or the content of these websites and expressly disclaims any responsibility for any loss or damage that may arise from the use of these links. The Company encourages users to be careful when leaving their website and to read the privacy policies of any website that processes personal data.
Social networking platforms and widgets. The Company also maintains a presence on social networking platforms such as Facebook, Instagram, Youtube. Any information, communications or data submitted by the subject to the Company through a social networking platform is at his own risk. The Company may not control the actions of other users of these platforms or the actions of the platforms themselves. The subject’s interactions with these functions and platforms are governed by the privacy policies of the companies that provide them.
The visitor / user can visit the website www.kapparesort.com , without revealing his identity and without providing any personal information, subject to the acceptance of the relevant cookies (see above).
Generally, no personal data is required to be submitted to the Company online, but the Company may request the subjects to provide certain personal data in order to obtain additional information about its services and events. The Company may also request their permission for certain uses of their personal data and the subjects may either consent to or deny such uses.
In order for the subject to become the recipient of electronic information material (eg newsletters) sent by the Company, in order to be informed about issues of our services, he can provide his explicit consent. It will be possible to delete from the relevant list of recipients at any time following the instructions contained in each communication. If the subject decides to unsubscribe from a service or communication, the Company will attempt to delete its data as soon as possible, although it may take some time and / or information before the subject can request processing.
The collected personal data is stored on restricted access servers controlled by passwords and the Company uses special technologies and procedures to enhance the protection of this information against loss or misuse, as well as to protect it from unauthorized access, notification, modification. the disaster. However, although the Company makes every effort to protect the above information, it cannot guarantee that the above technologies and processes will never be affected in any way.
To this end, if any visitor / user becomes aware of any illegal, malicious, inappropriate or improper use of personal data, which are related in any way to the use of the website, he undertakes the obligation to notify the Company directly to the Company.
The Company may use remarketing services to advertise on third party websites after the user visits its website.
Google AdWords Remarketing is provided by Google Inc.
For more information about Google’s privacy practices, visit the Google Web site at http://www.google.com/intl/en/policies/privacy .
In case of violation of the security and integrity of the personal data being processed, the Company will take the following measures:
- It will review and evaluate those procedures required to limit the breach.
- It will assess the risk and its impact on the rights and freedoms of data subjects.
- It will try to reduce as much as possible the damage that has been or may be caused.
- It will notify you within seventy-two (72) hours of being notified of the breach, if required.
- It will assess the impact on privacy and take appropriate measures to prevent a recurrence of the breach.
The Company unilaterally reserves the right to update, modify, add, change its services and this Policy, from time to time, whenever it deems necessary, without prior notice, always within the applicable legal framework and in accordance with any changes in current legislation on protection of personal data.
He will inform you about such changes by posting the revised policies on our website www.kapparesort.com .
If the data subject has any questions about our privacy practices or wishes to modify, delete or correct any personal data which is being processed, he or she may contact us by email at firstname.lastname@example.org or by mail at Paliouri, T.K. 63085, Halkidiki, Greece.