The present Private Data Protection Policy (hereinafter “the Policy”) is meant to describe and regulate the approach that the Company “TOURISTIKAI EPICHIRISEIS ESPERIA A.E.” [“ESPERIA TOURIST ENTERPRISES S.A.”] (hereinafter “the COMPANY”) has adopted to ensure the protection of personal data processed within the context of its activities.
The present Policy is understood to provide information to personal data subjects in the sense of and in accordance with the terms of the General Data Protection Regulation No. 679/2016/EU (hereinafter “the GDPR”).
Executive offices and all staff members of the Company are expected to acquaint themselves with the terms of the present Policy, which they are obliged to implement throughout the term of their employment with the Company.
The COMPANY hereby assures and undertakes the responsibility that whatever processing of personal data it may carry out shall at all times be conformant with the terms of the GDPR as well as those of national legislation, qualified opinions, resolutions and acts by the Personal Data Protection Commission (hereinafter “the PDPC”) and in abidance with all lawful and correct private data protection practices, consonant to the terms of this Policy.
Moreover, the COMPANY hereby assures and undertakes the responsibility that whatever processing of personal data it may engage itself in shall at all times be carried out in accordance with the principles of legitimacy, transparency, accuracy, availability and integrity of the data in all of their aspects, further also warranting to be consistently implementing all appropriate Technical and Organisational Measures indicated for the protection of personal data.
The term “Personal Data” or “Private Data” refers to any information concerning an identified or identifiable natural person presently alive (“the data subject”). An identifiable natural person is the individual whose identity may be established even indirectly, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specifying the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
Special private data categories comprise any data evocative of racial or ethnic origins, political views, religious or philosophical convictions, affiliation to trade unions, as well as genetic and biometrical data subjected to processing towards unmistakably identifying a person; data referring to health as well as data evocative of a natural person’s sex life and sexual orientation. Any data relevant to criminal offenses and convictions is also understood as a special category (sensitive data).
Personal Data Processing refers to any action or sequence of actions carried out with or without use of automated means concerning personal data or batches of personal data, such as collection, recording, classification, articulation, storage, adaptation or amendment, retrieval, data search, use, sharing by way of transfer, diffusion or any other form of disposal, association, combination, restriction, elimination or destruction of data.
Consent of the subject is understood as any manifestation of intent, freely formulated, specific, explicit and in full conscience, by which the data subject expresses their approval, whether by statement or an unambiguous assertive action, to their data being processed.
The Data protection controller is the natural person, legal entity or even a public authority, service or any other agent which, whether individually or jointly with others, is meant to determine the objectives and ways of processing of personal data. Herein, the COMPANY is, according to law, the Data protection controller.
A Data Processor is the natural person, legal entity or a public authority, service, or such other agent as there may be designated for the processing of personal data on account of the data protection controller.
3. Use of webpage, cookies
By browsing through the COMPANY’s website, each visitor is assumed to have unreservedly endorsed the terms of the present Policy as well as the cookies policy, to which each visitor is offered the discretion to freely consent or not consent, according to the options and customised possibilities provided.
4. Legal grounds of data processing
The processing of private data by the COMPANY shall only happen in those circumstances expressed under the GDPR.
The legal grounds justifying the processing of personal data according to the GDPR are the following:
- The consent of the data subject to one or several objectives.
- The execution of a contract to which the data subject is party or the adoption of measures upon request of the data subject, at the stage of negotiations.
- The compliance with a legal obligation of the data protection controller.
- The catering to vital interests (i.e. interests related to the life or to the eventuality of serious or irreversible damage threatened upon the health of the data subject or of any other person whatsoever).
- The fulfilment of a duty in the name of public interest or as part of the exercise of public authority by the data protection controller.
- The catering to legitimate interests put forward by the data protection controller, provided that the interests or the fundamental rights and freedoms of the data subject, in the name of which the protection of the latter’s personal data is eventually called for, are not overriding.
The legal grounds enabling processing of personal data pertaining to special categories are:
- an [express] consent on the part of the data subject to such processing, for one or several specific purposes.
- redeeming an obligation and exercising specific rights by the data protection controller or by the data subject, within the realm of labour law or of social security and social protection law, provided this is allowed under EU law or under the law of a member state or under a collective agreement entered in accordance with national legislation, and conditional on appropriate guarantees being provided for in the matter of protection of fundamental rights and interests of the subject of the data at stake.
- the protection of vital interests of the data subject or of any other natural person whatsoever in case the subject of data is physically or legally incapacitated to provide one’s consent.
- data processing within the context of lawful activities of a foundation, an organisation or other types of non-profit agencies set to pursue political, philosophical, religious or syndicalist objectives, provided that processing is exclusively targeted to data relevant to affiliates and former affiliates of such entities or persons being in regular contact with the entity, on issues relevant to the entity’s objectives and conditional on such data not being communicated to anyone outside such entity without previous consent on the part of the subjects of such data.
- the processing of uncontestably publicised personal data.
- evidencing, raising or otherwise sustaining legal claims as well as processing within the context of a judicial authority acting under their jurisdictional competences.
- processing justified on the grounds of substantial public interest, such that may be considered proportionate to the purpose pursued, respecting the essence of the right to data protection, whilst providing for specific and as appropriate measures towards safeguarding the fundamental rights and interests of the data subject.
- processing necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or under the terms of a contract eventually entered with a health professional.
- the processing dictated by reasons of public interest in the field of public health.
- processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
In practice, in most of the cases where the COMPANY processes personal data, one of the following applies:
(a) the processing is necessary for the materialisation of a contractual relationship with the subjects of the data involved;
(b) the processing is called for in abidance with a legal obligation;
(c) the processing is indispensable for reasons relevant to the legitimate interests the COMPANY is set to pursue;
(d) an express consent has been provided by the subjects as to the processing of their personal data. Be it noted, that in the event of a consent having been given, towards an eventual processing, by the COMPANY, of private data, the data subject shall nevertheless be entitled to revoke such consent at any moment, albeit with effect solely for the future. Revocation of the consent, in such case shall not affect the legitimacy of processing carried out prior to such revocation taking effect. In the event of revocation of the consent, the COMPANY shall be entitled to continue the processing of the personal data involved solely in the event other legal grounds apply, such as to justify such processing.
5. Time over which personal data may be preserved
The COMPANY shall determine the period of time over which physical and electronic personal data records may be preserved, in conformity with requirements established in the matter of personal data storage under the GDPR as well as in accordance with relevant provisions eventually applying under national legislation in effect, as to the time of preservation, the type of records and category of data to be preserved. Be it noted that the time over which each particular record may be preserved shall be determined in accordance with the terms provided for under Article 30 of the GDPR in the matter of Processing Activities Record.
Upon lapse of the period of time to be established in accordance with the terms set forth above, there will take place a safe elimination/deletion of all relevant processing records, by way of application of methods indicated for such purpose.
6. Recipients and transmissions
Any transmission of data to third-party recipients shall be effected in accordance with relevant terms and conditions under the GDPR.
7. Technical and organisational measures
The COMPANY formally warrants to have, already at the stage of inception of all types of processing and further on as of the implementation thereof and ever since, been efficiently implementing appropriate technical and organisational measures in such a way as for the requirements applicable under the current legislation to be met and for all rights of the data subjects to be protected. Such commitment also applies for the management, the staff, all partners irrespective of status as well as any agent eventually carrying out data processing assignments on account of the COMPANY.
The COMPANY is expected to be safely processing such personal data as it may happen to come in possession of. Such obligation to ensure safe data processing is meant to extend over:
- Physical personal data records, for instance written documents, staff member record files, curricula vitae, etc.
- Electronic records of all kind.
- Photos, sound recordings and audio-visual material as a whole eventually used for events and activities of all kinds.
- Any other kind of personal data likely to be subjected to processing.
Special emphasis is placed upon the safekeeping of data pertaining to special categories.
Entrusting third parties with the task of data processing shall be under specific contractual commitments and regular monitoring shall be ensured as to the adoption of safety measures by such assignees, in accordance with the terms of the respective contracts and in due conformity with relevant requirements under the GDPR.
8. Record of Processing Activities
The COMPANY maintains a Record of Processing Activities, in the sense of and in accordance with the terms of Article 30 of the GDPR.
9. Data subjects’ rights and facilitation of exercise thereof
Data subjects bear the following rights, as far as their personal data is concerned:
- right of access, allowing data subjects to become informed on which personal data of theirs are processed by each data processing controller, what the purpose of such processing is and which the potential recipients of the product of such data processing could be.
- right to rectification, allowing for the correction of any data omissions or inaccuracies.
- right to erasure (“right to be forgotten”), making possible the deletion of personal data once processing thereof is no longer necessary or if preservation of such data is not required as part of the controller’s commitment vis-à-vis observing one’s statutory obligations or for the latter to be in a position to defend one’s interests before the Court.
- right to restriction of processing, in case the accuracy of data is challenged. More specifically, a restriction of processing may be applied for by the data subject concerned under any of the following circumstances: (a) in case the accuracy of data is questioned, until verification thereof has been obtained; (b) in the event of the data subject being opposed to the erasure of personal data, requesting, instead of an erasure, a restriction of use thereof; (c) in the event of personal data not being necessary for the purposes of processing albeit indispensable for documentation, pursuit and support of legal claims and (d) in the event of the data subject opposing oneself to processing and until verification is obtained as to the existence of legitimate grounds concerning the controller, such as to override the grounds invoked by the data subject opposing the processing.
- right to data portability, enabling data subjects to be served with their data in a structured and commonly usable format.
- right to object, to be considered in the event of the data subject not wishing one’s data to be used for direct marketing purposes.
- right to file a complaint with the Personal Data Protection Authority (www.dpa.gr).
The COMPANY is expected to facilitate data subjects in exercising their rights, responding to relevant requests within one month from due receipt thereof. Such deadline may be extended by an additional two months, if this is deemed necessary, taking into account the complexity of a particular issue as well as the number of pending requests, in which case data subjects are to be notified of the extension as well as of the reasons for the delay.
A form destined for use in connection with the exercise of any such right as well as a complaint form may be provided upon submission of relevant request at the Data Protection Controller’s e-mail address.
10. Updates – amendments to the terms of this Policy
The COMPANY reserves the right to amend this Policy at any time it so deems advisable, depending on the needs and practices adopted as well as the requirements of the relevant legislation in the matter.
11. Data Protection Controller
On any matter relevant to the terms of this Policy, as well as on matters relevant to the exercise of any right whatsoever, you may refer yourselves to the Data Protection Controller designated by the COMPANY at the following e-mail: