In collecting this information, we are acting as data controllers and, according to the European Union’s General Data Protection Regulation (GDPR) and Greek Law 4624/2019, we are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.
Who we are
We are G. TZIERAKIS S.A., a company with the trade name Astir Beach Hotel (hereinafter Astir Beach Hotel).
We are located at Kato Gouves, Heraklion, Crete, GR 70014, Greece.
You can contact us through one of the following options:
- Post: at the above address
- Telephone: +30 28970 41141, +30 28970 41142
- E-mail: email@example.com
We are not required to have a Data Protection Officer, so any enquiries about our use of your personal data should be addressed to the contact details above.
What are Personal Data
According to Article 4 of the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person. This includes your full name, postal address, e-mail address, telephone number, and any piece of data which can be used to, directly or indirectly, identify you (the data subject).
What is Data Processing
According to the GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What personal data do we collect
The personal data we collect from you and process are the minimum required to achieve the purposes of processing activities. For processing activities that require your consent, we will not process your personal data without said consent. All processing activities are compliant with Greek and European legislation and security requirements.
If you do not wish to disclose some of your personal information, this may affect some of our interactions with you.
When you make a room reservation with our hotel, we collect and process your contact information (name, address, email, phone), identification information (ID number, nationality), reservation details (length of stay), and payment information (credit or debit card). The legal basis for processing is the contract for provision of services between the customer and the hotel.
Your personal data will be registered in the hotel’s reservation system and shared with the administrator of the reservation system, our cloud provider and the relevant authorities.
When you check in at our hotel, either electronically through our website or at the hotel reception, we collect and process guest information from the reservation (name, date of birth, nationality, identification document number) as well as reservation details (room type, arrival and departure dates, booking agency). The legal basis for processing is the performance of a service contract between the customer and the hotel.
Your personal data will be kept in physical form in the reception file, electronically in the company’s reservation program, and will be disclosed to the administrator of the reservation program and competent authorities.
Your data will be kept by us until the end of the season, unless there is a legal or other obligation of the company (with a maximum retention time of ten years).
When using the hotel facilities (spa and gym), the collection of the guest’s medical information is required, including a signed disclaimer and medical history. This information includes information about the visitor’s health and condition that may affect the safety and well-being of the visitor and other users of the facilities. The legal basis for the collection and processing of the visitor’s medical data is the legal obligation of the business.
This data will be kept by our hotel in a secure physical and digital file for a period of ten years or for as long as required in case of legal claims. They will be shared with the cloud computing service provider and the relevant authorities.
The visitor’s medical information will be processed strictly for the safety of the visitor and other users of the facilities and will not be used for any other purpose.
When you connect to the customer Wi-Fi network our hotel offers, the router may collect some data necessary to provide the service. These include information about the device you are connecting with (MAC address, hardware model, operating system, browser), and the connection log (date, time, and duration of connection, assigned IP address).
The above data is retained for a short duration by the company and includes only the strictly necessary data to ensure smooth connectivity and healthy operation of the network. The data will be deleted after it is no longer needed to maintain network health and operation. The Internet Service Provider used by the hotel may also have access to this data.
The customer network is protected by a firewall and is isolated from the company’s business networks. All appropriate security measures are also taken to protect the users connected to it.
At the end of your stay, you will be presented with an optional satisfaction questionnaire that you may fill in and submit. On it, we will ask for your explicit consent to collect and process your e-mail address and country of residence. The purpose of processing this information is statistical research regarding customer satisfaction at our hotel.
Your personal data will be stored in a secure file cabinet at our facilities, and will be processed in spreadsheet software once anonymized. If you submit the questionnaire digitally, your data will be shared with Microsoft as they maintain the digital form service. If you consent explicitly to this, we may contact you regarding the scores or comments you left on the questionnaire.
Your personal data will be kept by us until the end of the holiday season, and then they will be completely anonymized.
Guest accident or incident
We take the safety and wellbeing of our guests seriously at our hotel, which is why we also collect and process personal data in the case of a guest accident or incident. This includes the guest’s full name, the conditions of the accident or incident, data on any third persons involved, and any information related to physical or health damage. We do this to preserve the vital interests of our guests and employees, as well as fulfill our legal obligations, and with the purpose of dealing with the accident or incident and compiling a report.
The above data will be retained securely for 10 years or until a legal claim arises. We will share this data with the insurance company, medical personnel, the guest’s travel agency, and other relevant parties and authorities to ensure the effective management of the accident and any resulting claims.
The hotel premises are monitored by closed-circuit cameras (CCTV) in order to ensure the safety of guests and staff, to prevent criminal or delinquent acts, and to assist the authorities’ investigations in the event of an incident.
The data collected includes footage taken where there are surveillance cameras, which may include your image if you are at the location. The legal basis for the processing of this data is the safeguarding of the public interest.
The footage will be retained for approximately 15 days, after which it will be automatically deleted unless required by the relevant authorities. The material may be shared with the relevant authorities in the event of an incident, and may also be accessed by employees of the monitoring system maintenance company.
When you reach out to us using the contact form on our website, we collect and process your full name and e-mail address in order to provide you with a satisfactory answer to your request. The legal basis of processing here is our company’s legitimate interest.
Your personal data will be shared with Microsoft, who is our e-mail service provider.
Your personal data will be kept by us until your request is resolved, or until one month has passed without us hearing back from you.
Who will receive your data
The recipients of your personal data will include:
- The appointed staff of our company, within the framework of their responsibilities and on the basis of commonly accepted rules of confidentiality.
- Service companies, which will process your personal data strictly on our behalf. These service providers shall be contractually bound by confidentiality agreements and conditions.
- National and European Supervisory and Administrative Independent Authorities, as well as the Prosecuting and Judicial Authorities.
In the event that your personal data is transferred outside the European Union, the transfer will be governed by all necessary and indicative measures to ensure compliance with European and national legislation at all times.
How we protect your data
Our company has taken all necessary and recommended organizational and technical measures to ensure the security, protection, and confidentiality of your personal data, including protection from accidental or malicious processing, theft, or accidental loss. Our company has implemented appropriate business systems and procedures, and security procedures, restricting access through technical and physical measures. Access to your data is limited to authorized persons who handle the information under full confidentiality and as part of the performance of their duties.
These measures are subject to regular review.
In the event that we use third parties to process your personal data, this is done strictly according to written instructions, and third parties are contractually bound by confidentiality agreements and the obligation to implement appropriate technical and organizational measures to ensure the security of the data to which we allow them access.
For how long are your personal data retained
Your personal data are retained by our company for the period necessary to fulfill the purposes for which we have collected them unless a longer retention period is permitted by law.
After the retention period has elapsed, your data will be safely deleted and removed from our systems.
Legal basis of processing
The processing of your personal data is carried out on a case-by-case lawful basis, depending on the purposes of the processing activity in question. Specifically:
- fulfilment of our contractual obligations
- your written and unconditional consent, where necessary
- the current legal and regulatory framework
- the legitimate interests of our company
Your rights as data subject
Your rights as a ‘data subject’ include the following:
- The right to be informed. Our company is transparent in informing you about our use of your personal data and your rights over them. You can contact us at any time, so we can answer your questions.
- The right of access. You have the right to ask us, at any point, for access to your personal data, to learn and control the legality of the processing activities. Requests of access will be responded to within one (1) month from receiving your request.
- The right to rectification. You have the right to request the correction of inaccurate or incomplete personal data.
- The right to erasure. You have the right to request that we erase personal data about you, without undue delay, when there is no lawful basis for the continuation of processing and storage of your personal data.
- The right to restrict processing. You can exercise your right to restrict the processing of your personal data, if the data’s accuracy is contested, as an alternative to erasure in the circumstances that the processing is unlawful, where you need the data for legal claims but it is no longer required by us, or whilst a decision on an objection to processing is pending.
- The right to data portability. You have the right to request your data to be provided in a structured, commonly-used and machine-readable format, and to transfer your data to another party (e.g. service provider). This applies to personal data for which processing is based on your consent and the processing is carried out by automated means.
- The right to object. You have the right to object to processing based on the lawful basis of the legitimate interests of the controller, or of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Rights in relation to automated decision-making and profiling.
To submit a request regarding your personal data, you can contact us at the postal address or telephone number provided in the ‘Who we are’ section of this consent form, or by email at firstname.lastname@example.org.
Your right to complain
If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance so that we can address your complaint. However, you can also contact the Hellenic Data Protection Authority, via their website at www.dpa.gr or by telephone at +30-210 6475600, or write to them at:
Data Protection Authority Offices
Kifissias 1-3, 115 23
We will update the version number and date of this document each time it is changed.