GDPR NOTICE
PRIVACY NOTICE
The company Grandbay Limited (hereinafter called “Grandbay”), as a Controller, processes its clients’ personal data in accordance with the European Regulation 2016/679 as well as the respective European and national legislative frame on personal data protection, as in force, by which Grandbay fully abides.
TYPE OF PERSONAL DATA PROCESSED – PURPOSE OF PROCESSING
In the frame of provision of hotel services by our company to you, and in order for us to be able to proceed with a reservation of a room upon your request, to provide you with our services, to have your check- in completed upon your arrival, to complete the transaction for the payment of your accommodation or to be able to satisfy any kind of special requests of yours, to reply to any complaints of yours, we will need to process the following personal data of yours: name, surname, email, booking details, contact telephone number, residence address, passport number, date of birth, credit card details, your signature.
Specifically, in order to complete your room reservation, we will process your name and surname and your credit card details.
Furthermore, upon your arrival at your check-in, we shall process your name, surname, your email, your contact phone number, your residence address, your passport number, your birth date, your credit card details, and your signature.
In case you have special requests that you may want to share with us, in order for us to be able to satisfy them, we shall process your contact details, as well as the content of your request, while in case of complaint management we will again need to process your complaint and your contact details, in order to get back to you.
Upon your checkout, in case you pay by a credit card, we will process your credit card’s details, or in case of an invoice issuance, we may need to process additional financial data, such as your VAT number, any competent Tax Office of yours, your profession and your professional registered address, as well as your professional phone number.
Finally, we may process your name, surname, and your email address, in order for us to send you newsletters regarding any offers of our hotel or other news that may be of your interest.
LAWFUL BASIS
- The lawful basis for the processing of the above-mentioned personal data, in most of the above cases, is the need for us to fulfill the contractual obligations deriving from the contract between you and Grandbay for the accommodation and other tourist services.
- Especially in relation to any special request of yours or any complaint, the lawful basis of processing is our legitimate interest to provide customer service and to improve our services while in case we process any special categories of personal data of yours (as for example health data) that you might share with us, the process will only take place upon your prior consent.
- Finally, in the case of newsletters, the lawful basis is Grandbay’s legitimate interest to keep you posted in relation to the provided services. You will be able to request stop receiving newsletters at any time, without any impact on the lawfulness of the processing made up to the moment of the submission of the request.
PERSONAL DATA TRANSFER TO THIRD PARTIES- RETENTION PERIOD
Our company applies the necessary technical and organizational measures in order to ensure the adequate level of security against any risk of loss of your personal data to third non authorized parties or against unauthorized use or access to them.
- There is no other transfer of personal data by Grandbay to third parties, except for the transfer to our authorized employees, to any collaborating travel agencies or our business partners in the field of reservation management, or to public authorities, in case of any inspection. There is no transfer of data outside the EEA (European Economic Area).
- The above-mentioned personal data will be retained for as long as it is necessary in accordance with the respective legislation, while after this period they will be deleted or anonymized.
Especially in relation to personal data processed for the newsletter emails, they will be retained for 2 years or until you request their interruption.
YOUR RIGHTS RELATED TO PERSONAL DATA PROCESSING
- You may freely exercise all your rights deriving from the European Regulation 2016/679 and, especially, the right to request access to your data, the right to request their correction, the right of erasure, of restriction of processing, the right to data portability, the right to object to the processing, the right to invoke your consent in case the processing is based on your consent, upon submission of a respective request, as well as the right to lodge a complaint before the competent Authorities ( Hellenic Data Protection Authority) (www.dpa.gr).
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA THROUGH A VIDEO SURVEILLANCE SYSTEM
1. Data Controller:
“GRANDBAY LIMITED” (hereinafter “Data Controller” or “Company”) with a branch located in Moschato Attikis Greece (Makrygianni 20).
2. Purpose of Processing and Legal Basis:
We use a surveillance system for the purpose of protecting individuals and property. The processing is deemed necessary for the purposes of the legitimate interests pursued by the data controller (Article 6(1)(f) GDPR).
3. Analysis of Legitimate Interests:
Our legitimate interest lies in the need to protect our premises and the property therein from illegal acts, such as thefts. This extends to ensuring the safety of life, physical integrity, health, and property of our personnel and third parties lawfully present on the monitored premises. We only collect image data and limit the recording to areas where there is an increased probability of unlawful acts such as theft, without focusing on areas where the privacy of individuals where individuals’ privacy, including their right to respect for personal data, might be unreasonably compromised.
4. Recipients:
The recorded material is accessible only to our authorized personnel responsible for premises security. This material is not disclosed to third parties, except in the following cases: a) when necessary information for the investigation of a criminal offense involving the persons or property of the data controller is included, it may be disclosed to the competent judicial, prosecutorial, and law enforcement authorities; b) data may be shared with the competent judicial, prosecutorial, and law enforcement authorities when lawfully requested in the exercise of their duties; and c) when the data may serve as evidence of a criminal offense, it may be disclosed to the victim or perpetrator of said offense.
5. Retention Period:
We retain the data for fifteen (15) days, after which it is automatically deleted. If an incident is discovered during this period, we isolate a portion of the video and retain it for up to one (1) additional month for the investigation of the incident and the initiation of legal proceedings to defend our legitimate interests. If the incident concerns a third party, we will retain the video for up to three (3) additional months.
6. Data Subject Rights:
Data subjects have the following rights:
- Right of access: you have the right to know if we are processing your image/sound and, if so, to receive a copy of them.
- Right to restriction: you have the right to request that we restrict processing, such as retaining data that you deem necessary for establishing, exercising, or supporting legal claims.
- Right to object: you have the right to object to processing.
- Right to erasure: you have the right to request the erasure of your data.
You can exercise your rights by sending an email to privacy@adornosuites.gr or a letter to our postal address. To examine a request related to your image, you must specify approximately when you were within the range of the cameras and provide us with an image of yourself to facilitate the identification of your data and the concealment of third-party data. Alternatively, we offer you the opportunity to come to our premises to view the images in which you appear. We also note that exercising the right to object or erasure does not entail immediate deletion of data or modification of processing. In any case, we will respond in detail as soon as possible, within the deadlines set by the GDPR.
7. Right to Lodge a Complaint:
If you believe that the processing of your data violates Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Greece is the Hellenic Data Protection Authority, Kifisias 1-3, 115 23, Athens. You can also visit their website at https://www.dpa.gr/ or contact them via telephone at tel. 2106475600.
