
Privacy Policy
PERSONAL DATA PROTECTION POLICY
Information on the Processing of Personal Data
We would like to inform you that the company under the title “GEORGIOS KOUROUPIS Sole-Member Private Company” (hereinafter referred to as the “Company”), with the distinctive title “OUT OF THE BLUE CAPSIS ELITE RESORT”, is active in the field of hotel services. The Company is sensitive to the privacy of its customers, and the protection of their personal data is of paramount importance to it. Building relationships of trust is a priority and a fundamental commercial practice. For this reason we take the appropriate measures to protect the personal data we process and to ensure that personal data is always processed in accordance with the legal requirements (GDPR 679/2016), both by the Company itself and by third parties who process your personal data on behalf of the Company.
What is GDPR?
The General Data Protection Regulation (GDPR) is the new European Union (EU) regulatory framework in the field in question. The purpose of the law is to establish the conditions for the processing of personal data in order to protect the rights and freedoms of natural persons and in particular the right to protection of personal data. Thus, all the concepts mentioned in this policy are defined by this Regulation (Rule 4).
Categories of Personal Data
Personal data: any data that alone or in combination with others can uniquely identify a person. The following shall be considered such data: name, identity card number, passport number, taxpayer identification number, address, phone, photo, IP address, hardware identifiers, online profiles, social networks, subscription data, device fingerprinting, or any other identifiable means.
Special category data (sensitive personal data): According to the wording of the law, these are data relating to political and religious beliefs, sexual preferences, the economic status of the individual, racial characteristics, and finally medical, genetic and biometric data.
Data Concepts
Processing of personal data: any act or series of acts performed with or without the use of automated means over personal data or personal data sets, such as the collection, registration, organization, structure, storage, adjustment or alteration, retrieval, search for information, use, disclosure, forwarding or any other form of distribution, association or combination, restriction, or deletion or destruction.
Data subject: the natural person whose personal data is being processed.
Method of data collection
To process your personal data, we collect it in the following ways:
- If you are a Hotel customer, your personal data is collected directly upon arrival at the reception desk by filling in the relevant form.
- If you are not a customer of the Hotel and wish to make use of the Hotel’s services (e.g. spa services, or other treatments, etc.), your personal data will be collected upon arrival at the appropriate department, filling in the relevant information form there.
- If you are an external partner or supplier, your personal information is collected when you sign a service contract or through your invoice details.
Data collection
The following categories of data are collected to process your personal data:
- Identification details, such as: full name, gender, VAT registration number or TIN, ID card number, passport number, nationality, date of birth.
- Contact details, such as: landline and / or mobile phone, home and / or work address, email address.
- Health data, exclusively as needed, such as: issues relating to eating habits, health issues for which questionnaires are completed for various services you would like to receive within the Hotel, and health issues that may arise during your stay and that you should disclose to the hotel physician, or elsewhere within the Hotel’s boundaries, so that there is no risk to your life and your health.
- Financial information required to perform contractual obligations, such as bank accounts, debit or credit card numbers, Tax Office of registration where required, and finally, for the issuance of invoices regarding suppliers and associates.
- Photos or any other audiovisual material from receptions, events, or even daily activities within the Hotel.
- Identity and transaction data that is collected electronically while using the website, such as the IP address or other data provided through the devices used by the customer as location identifiers, as well as the navigation data (cookies) that, on their own or in combination with unique identifiers, can be used to identify and create profiles.
Purpose of processing Personal Data
The reasons why we process your personal data are:
- Establishing a customer relationship and proceeding with the room reservation procedure for Hotel customers.
- Providing Hotel services to customers.
- Sending emails from affiliated companies to measure service satisfaction.
- Sending newsletters from the Company and / or affiliated companies (third parties).
- Sending personal data where deemed necessary to obtain services from third parties such as (but not limited to) Wi-Fi providers, Digital Marketing support and Marketing purposes, and services – provisions in general.
- Contact with Tour Operators, Travel Agents and providers of tourism booking services, travel hosting, and relevant activities, etc.
- Display of personal data such as (but not limited to) Name, Photos etc. on advertising material, TV Channels, Social Media, Company Site & Partner Sites (third parties).
- Reporting of personal data such as (but not limited to) Name, Photos etc. in press releases issued by the Company and / or affiliated companies (third parties).
- Company Payments through Banking Institutions & use of credit cards for the services provided during your stay.
- Settlement of financial matters to or from the Company through Banking Institutions & use of credit cards.
- Accounting for partners and suppliers.
Legal basis for the processing of personal data
Personal data shall be processed lawfully, fairly and in a manner transparent to the customer. The collection, use and general processing of personal data is made solely by consent, or if permitted by law. Legal grounds for processing other than the customer’s consent are the performance of the contract, compliance with a legal obligation, and any other grounds provided for in Article 6 of the GDPR as well as in national law.
Personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes, or further processed for archiving purposes in the public interest or for purposes of scientific or historical research or statistical purposes not considered incompatible with the initial purposes.
Personal data is suitable, relevant and limited to what is necessary for the purposes for which it is processed.
Personal data is accurate and, where necessary, updated; all reasonable steps should be taken to immediately delete or correct data that is inaccurate with respect to the purposes of processing.
Location of Processing Personal Data
The processing of personal data takes place within the European Union. Exceptionally, if the data is transmitted to a third country, then there will be provision so that the transmission takes place to a country for which the European Commission has decided that an adequate level of data protection is guaranteed and that the processor has provided appropriate safeguards for such protection.
Recipients of Personal Data – Transmission
The personal data collected is processed by “CAPSIS ELITE RESORT” Company as well as by its domestic partners.
The data is additionally transmitted to third parties, partners of the Company, for the performance of the services provided by the Company. Indicatively and not restrictively, these include travel offices and agencies and other third parties within and outside the EU, providing marketing services, hotel services and anything else related to the Company’s subject matter.
Personal data may also be transmitted to police, municipal, tax authorities and / or public or private emergency services providers where necessary and where required by law.
Measures for the Protection of Personal Data
The Company takes appropriate technical and organizational measures to ensure the protection of personal data against loss, misuse and unauthorized access, disclosure, destruction and breach. Taking into account best practices, state-of-the-art technology and application costs, it has implemented a comprehensive information security program including firewall security, restricted access to data extraction, daily backup of the entire database, regular security checks, penetration tests, creation of identity and access management templates, network access control, information security risk and incident management templates, business continuity and disaster recovery templates, etc.
Time of Retention of Personal Data
What are your rights regarding your personal data?
Any natural person whose data is processed by the Company under GDPR 679/2016 (Articles 15, 16, 17, 18, 19, 20, 21 and 22) has the following rights:
- Right of access (GDPR 679/2016, Article 15). The customer (data subject) has the right to be informed from the Data Controller whether or not the personal data concerning him are being processed.
- Right of correction (GDPR 679/2016, Article 16). The Customer has the right to demand from the Data Controller without undue delay the correction of inaccurate personal data concerning him. In view of the processing purposes, the customer has the right to request the completion of incomplete personal data, including through a supplemental statement.
- Right to delete (GDPR 679/2016, Article 17). The Customer has the right to request from the Data Controller the deletion of personal data relating to him and the Controller shall be obliged to delete the Personal Data without undue delay.
- Right to restrict processing (GDPR 679/2016, Article 18). The Customer is entitled to ensure from the Data Controller the restriction of processing when:
  - The accuracy of personal data is disputed by the customer himself for a period of time allowing the Data Controller to verify the accuracy of personal data.
  - The processing is illegal and the customer opposes the deletion of personal data and requests restriction of its use instead.
  - The Data Controller no longer needs personal data for the purpose of processing.
- Right of disclosure regarding the structuring or deletion of personal data or the restriction of processing (GDPR 679/2016, Article 19). The Data Controller shall notify any recipient to whom the personal data were disclosed about any correction or deletion of personal data or restriction on the processing of data carried out in accordance with Article 16, Article 17 and Article 18, unless this is proven to be impracticable or entails a disproportionate effort. The Data Controller shall inform the customer of such recipients upon request by the customer.
- Right to data portability (GDPR 679/2016, Article 20). The Customer has the right to receive the personal data relating to him that has been provided to a Controller in a structured commonly used and machine-readable format, as well as the right to transmit such data to another Controller without objection by the controller who received the personal data.
- Right to object (GDPR 679/2016, Article 21). The Customer has the right to object at any time and for reasons related to his particular situation, to the processing of personal data relating to him.
- Automated individual decision making, including profiling (GDPR 679/2016, Article 22). The Customer has the right not to be subject to a decision made solely on the basis of automated processing, including profiling, which produces legal effects concerning him or substantially affects him in a similar manner.
Requests for Exercising Rights
• Request access to personal data
• Request for correction of personal data
• Request for deletion of personal data
• Request for restriction of processing of personal data
• Request for disclosure of personal data
• Request for portability of personal data
• Request for objection to personal data
• Request for non-automated decision making in personal data
These rights are exercised by completing the form for each right and sending it either by mail to the address of “CAPSIS ELITE RESORT” at Agia Pelagia, Heraklion Crete, PC 71500, or electronically to gdpr@capsis.gr or dpo@capsis.gr.
Also, the customer has the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr), being the competent supervisory authority, if he considers that his rights are in any way infringed by the processing of his data.
Use of Cookies
Websites collect information through cookies. Cookies are small text files that a website stores in a visitor’s web browser during navigation and then uses to recognize the visitor the next time they visit the site. Cookies do not contain any personal information that could allow anyone to contact the site visitor, such as by email, etc. More information will be mentioned in the Cookies Policy which will be posted shortly.
Contact Information
Data Controller
The company “GEORGIOS KOUROUPIS SINGLE SHOP” with the distinctive title “OUT OF THE BLUE CAPSIS ELITE RESORT”, based in Crete, Agia Pelagia Heraklion Crete, 71500, email: gdpr@capsis.gr, phone 2810-811212, as legally represented, informs that, for the purposes of conducting its business, it processes the personal data of its customers in accordance with GDPR 679/2016 and applicable national legislation on the protection of individuals with regard to the processing of personal data and the free movement of such data, as applicable.
Data Protection Officer:
For any information regarding the processing of personal data you may use the following contact details:
Data Protection Officer (DPO): Christodoulidis Stavros (email: dpo@capsis.gr)