1. Purpose and Principles of the processing of personal data
The Personal Data Protection Policy (hereinafter referred to as the “Policy”) aims to protect the personal data processed by THE SYNTOPIA HOTEL and to prevent any form of unfair processing.
The Policy and the processing of personal data pursuant to this Policy, is based on the following principles:
- Lawfulness, objectivity and transparency in processing (‘lawfulness, fairness and transparency’)
- Limitation of the purpose of processing (‘purpose limitation’)
- Minimisation of the data being processed (‘data minimisation’)
- Accuracy and where necessary, updating of the data being processed (‘accuracy’)
- Integrity and confidentiality in processing (‘integrity and confidentiality’)
- Limitation of the retention/storage time (‘storage limitation’)
- Compliance with the applicable legal and regulatory framework
THE SYNTOPIA HOTEL is responsible for, and able to demonstrate its compliance with the above principles, as specified in this Policy. THE SYNTOPIA HOTEL checks, reviews and updates at regular intervals and, in any event, whenever necessary, this Policy, taking into account the applicable legal and regulatory framework.
"Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed.
"Personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one can be identified, directly or indirectly.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data that have been or will be made known to THE SYNTOPIA HOTEL, both under relations with individuals and in the context of information that THE SYNTOPIA HOTEL receives from third parties, natural or legal, persons or public sector bodies, in the exercise of their legal rights or the rights of THE SYNTOPIA HOTEL.
"Individuals" means natural persons who trade / cooperate with THE SYNTOPIA HOTEL (customers, contractors, etc.) and any other natural person contracted with THE SYNTOPIA HOTEL, other than its personnel.
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
"Restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future.
"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, THE SYNTOPIA HOTEL shall be deemed to be the Controller.
"Data protection officer" means the natural or legal person designated by the controller to participate in all matters relating to the protection of personal data in accordance with this Policy and the applicable legal and regulatory framework.
"Data subject" means any identified or identifiable natural person to whom the personal data being processed relates.
3. Processing of personal data
3.1. Legal basis of the processing
We process your personal data in the following cases, in accordance with the specific provisions of the applicable legislation and the terms and conditions laid down in it:
- To ensure the quality of the services provided and to protect your health, with your express consent to the processing of your personal data (point (a), par. 1, Article 9, GDPR),
- For the correct and lawful performance of our contractual obligations towards you (point (b), par. 1, Article 6, GDPR),
- For the service of our legitimate interests (point (f), par. 1, Article 6, GDPR)
3.2. Type of personal data
We process personal data that have been or will be submitted by you or your legal representatives and which are necessary for the services we provide.
For your service, the Company collects, retains and processes the following categories of data, necessary under applicable law and limited to the minimum required for the purposes for which they are processed:
- Identity details,
- Contact details,
- Medical data and
- Financial data.
3.3. Purposes of processing
The purposes of processing your personal data are:
- the fulfillment of our contractual obligations,
- the protection of the health of our customers,
- the better service of our customers and upgrading of the services we provide,
- the service of our legitimate interests (e.g. protection of persons and goods).
3.4. Data retention period
Your personal data shall be retained and stored in a secure environment, solely and exclusively for the purposes for which they are intended and only for as long as is necessary to achieve those purposes, without prejudice to the more specific provisions of the applicable legislation.
3.5. Recipients of the data
The recipients of your personal data are THE SYNTOPIA HOTEL and, if the legal conditions are met, the competent judicial authorities. We shall disclose your personal data to those authorities if required by law, court or regulatory decision in order to exercise legal remedies. For the processing of your personal data, we use third party technical support providers and other partners acting on our behalf (processors), for the above mentioned processing purposes. These partners are committed to THE SYNTOPIA HOTEL to maintain confidentiality.
4. Your rights
a) You have at any time the right to information and access (‘right of access and information’) to the personal data concerning you, as well as for the purposes of their processing, the legal basis of the processing, the recipients or the categories of recipients and the period of their storage.
b) You have at any time the right to correct (‘right to rectification’) inaccurate data and to complete incomplete data that we process.
c) You have the right to delete (‘right to erasure’) your data, without prejudice to our obligations and our legal rights for their retention for a minimum specific period of time, under the applicable legal and regulatory framework.
d) You have the right to restrict the processing (‘right to restriction of processing’) of your data, provided that the accuracy of your personal data is contested, or their processing is unlawful, or the purpose of the processing is no longer required and provided that there is no legitimate reason for their retention.
e) You have the right to portability of the data (‘right to data portability’) provided that the processing is based on your consent and is carried out by automated means. The satisfaction of this right is without prejudice to our legitimate rights and obligations to retain the data and fulfill our duty to the public interest.
g) You have the right to object to the processing of your data, on grounds relating to your particular situation.
Your requests regarding your personal data and the exercise of your rights are submitted to the Data Protection Officer (DPO) of THE SYNTOPIA HOTEL, to the e-mail address firstname.lastname@example.org or to THE SYNTOPIA HOTEL, to the e-mail address email@example.com to the attention of the Data Protection Officer (DPO). To this end, you may fill in the special form of THE SYNTOPIA HOTEL available at the hotel reception.
If your request is not satisfied or in case you consider that the processing of your Personal Data violates the applicable legal framework for the protection of personal data, you can lodge a complaint with the Hellenic Data Protection Authority (Kifissias Avenue no. 1-3, 11523 Athens, Tel: 2106475600, E-mail: firstname.lastname@example.org).
5. Data security
5.1. Security of processing
THE SYNTOPIA HOTEL implements appropriate technical and organisational measures to ensure on an ongoing basis the required level of security against your rights and freedoms as data subjects. In this context:
- we have developed a personal data protection Policy and procedures for maintaining confidentiality and ensuring the integrity, availability and reliability of processing systems and services;
- we regularly carry out testing, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing, taking into account mainly risks arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- we ensure that any natural person acting under our supervision and having access to personal data (Processor), processes the data only within the limits of the relevant order given to him by THE SYNTOPIA HOTEL and under the terms and conditions set by THE SYNTOPIA HOTEL
5.2. Breach of personal data
Any breach of this Policy, as well as of the applicable to personal data and personal data protection legal and regulatory framework, and, in general, any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed shall constitute a breach of personal data.
In order to address possible cases of personal data breach, we have adopted and are implementing a policy to address and manage personal data breaches. In the event of any breach, THE SYNTOPIA HOTEL shall notify immediately and, where possible, within 72 hours of becoming aware of the event, the breach of personal data to the Hellenic Data Protection Authority, unless the breach may not cause a risk to the rights and freedoms of the subjects. In addition, in the event of data breach, THE SYNTOPIA HOTEL shall immediately inform the Data Protection Officer (DPO), who shall, in consultation with THE SYNTOPIA HOTEL, take all necessary measures and take all necessary steps to limit the extent of the breach and its restoration.
6. Our obligations
6.1. Data protection by design (privacy by design)
We shall apply effectively, both at the time of the determination of the means of data processing and at the time of processing, appropriate technical and organisational measures designed for the application of data protection principles, which we ensure that they meet on an ongoing basis the requirements of the GDPR and protect your rights as data subjects.
6.2.Data protection by default (privacy by default)
We apply appropriate technical and organisational measures to ensure that, by definition, only the personal data necessary for the purpose of the processing are processed. The above
obligation covers all the data collected, the degree of their processing, the period of retention and storage and access to them.
6.3. Staff training
We take care of the complete information and training of our staff on all issues related to the protection of personal data and its compliance with the obligations arising from the GDPR, the applicable legal and regulatory framework, as well as the policies / procedures that THE SYNTOPIA HOTEL has adopted.
7. Assignment of processing to processors
In cases where we entrust to third parties, the processing of your personal data, on our behalf, we only use processors that provide sufficient assurances for the implementation of appropriate technical and organisational measures, in such a way that the processing meets the requirements of the GDPR and the applicable legislative and regulatory framework, and to ensure the protection of your rights. The above assignment is made, under a written contract signed between THE SYNTOPIA HOTEL and the Processor, which binds the latter towards the hotel.
8. Data Protection Officer (DPO)
We have appointed a Data Protection Officer who participates, duly and in a timely manner, in all matters relating to the protection of personal data. The DPO shall inform and advise THE SYNTOPIA HOTEL and its personnel as regards its obligations arising from the GDPR, the applicable legal and regulatory framework, as well as the policies adopted by THE SYNTOPIA HOTEL relating to the protection of personal data. The DPO shall cooperate with the Hellenic Data Protection Authority and act as a point of contact with you for any matter relating to the processing of your personal data and the exercise of your rights.
You may contact the DPO of THE SYNTOPIA HOTEL at email@example.com.