This Data Protection Policy sets out the Metaxa Hospitality Group’s arrangement in place to comply with its obligations under the General Data Protection Regulation (GDPR – 2016/679).
Further to compliance with data protection law, this policy helps to protect the organization from other risks such as damage to the reputation of the organization and trust in the services that it provides.
The policy provides demonstrable commitment and support from senior management to ensure compliance with data protection law.
Data protection policy elements
In accordance with the GDPR Metaxa Hospitality Group adopts and implements the following principles across the organization:
- Purpose specification and purpose limitation: the purpose(s) for which Metaxa Hospitality Group collects and uses personal data shall be specified and legitimate. The data shall not be used for anything other than the specified purposes;
- Transparency: clear information shall be provided to individuals about the purpose(s) for which personal data are collected and used, at the time the data is collected;
- Data minimization: Metaxa Hospitality Group shall only collect personal data that is strictly necessary for the specific purpose(s) i.e. the minimum personal data required shall be collected and used;
- Accuracy: personal data shall be accurate and where necessary kept up to date;
- Retention: personal data shall not be kept for longer than is necessary;
- Security: appropriate measures to protect personal data shall be implemented maintained;
- International transfers: personal data shall only be transferred to countries outside the European Economic Area when the countries have an adequate level of data protection; and
- Accountability: the organization will be able to demonstrate that it has implemented measures to comply with the abovementioned principle.
Further to the above, Metaxa Hospitality Group shall ensure that it has measures I place to ensure that it respects and conforms with the rights of individuals under data protection law, namely:
- The right to be informed about the collection and use of their information;
- The right of access to their personal data;
- The right for individuals to have their personal data rectified when it is inaccurate or incomplete;
- The right for individuals to have their personal data erased when there is no compelling reason or it to be processed;
- The right for individuals to request the restriction or suppression of their data, when the accuracy of the data is contested, or processing is unlawful, but the individuals opposes erasure and requests restriction instead;
- The right to data portability whereby in certain circumstances individuals can request for personal data that they have submitted via automated means and in electronic format to be moved, copied or transferred to another organization in a safe and secure way, without affecting its usability;
- The right of individuals to object to processing of their personal data when it is based on “legitimate interests” or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling), or when processed for purposes of scientific/historical research and statistics; and
- The right not to be subject to decisions solely on automated means without human intervention.
Governance and accountability
Under data protection law every person that handles personal data has some responsibility to ensure that it used appropriately. However, the following person(s) within the organization have key responsibilities:
- Chief executive officer – has overall responsibility for ensuring that the organization meets its obligations under data protection law.
- Data protection officer – shall be responsible for:
- Day to day implementation and management of this policy;
- Advising the organization and its employees on data protection compliance;
- Planning and coordinating activities within the organization to ensure the objectives of this policy are met;
- Monitoring compliance with data protection law;
- Reporting directly to the CEO on data protection;
- Ensuring that the appropriate data protection training and awareness is provided to staff;
- Acting as the contact point for the Information Commissioner;
- Cooperating with the Information Commissioner;
- Approve this policy and periodically review its implementation and effectiveness to ensure ongoing compliance with data protection law.
- IT manager: he is responsible for ensuring that the organization has appropriate IT security measures in place to protect the personal data help.
When Metaxa Hospitality Group collects information about individuals, Metaxa Hospitality Group provides written notice to the individuals from whom the data is collected that includes the following information:
- The identity of the organization, as the data controller, including contact details;
- The contact detail of the Data Protection Officer;
- The purpose for which the information is collected and use, including the lawful basis (to also include the right to withdraw consent when the lawful basis to the processing is based on consent);
- The period for which the data will be kept;
- Whether the information will be shared, and if so, with who;
- Whether the information will be transferred outside of the EEA;
Information about the rights of the individual under the GDPR (as identified in section2);
- The right of individuals to lodge a complaint with the Data Protection Authority (DPA);
Where applicable, inform the individual that the requirement to provide the personal data is a statutory requirement, contractual requirement or a requirement necessary to enter into a contract;
- Identify and inform individuals where they are obliged to provide personal information together with the possible consequences of failure to provide the information; and
- Where applicable, the existence of automated decision-making (including profiling) including meaningful information about the logic involved and the significance and envisaged consequences for the individual and envisaged consequences for the individual.
The abovementioned information and notice is provided by Metaxa Hospitality Group in the following manner-
- Electronically on the websites operated by Metaxa Hospitality Group: (mention the websites);
- As a hard copy at the front office of the hotel;
- As an annex to the contracts drawn up by Metaxa Hospitality Group; and
- As a hard copy attached to the forms that consent is required.
Purpose specification and purpose limitation
Metaxa Hospitality Group collects and processes personal data only for-
- Fulfilling Metaxa Hospitality Group’s obligations to the State
- Performing a contract between you and Metaxa Hospitality Group
- Providing the services you request
- Personalizing the services according to your personal preferences
- Communication you about goods and services according to your personal preferences
The abovementioned purposes rely respectively on the following lawful basis:
- Processing is necessary for compliance with a legal obligation to which the controller is subject to;
- Processing is necessary for the performance of a contract to which the data subject is party;
- Processing is necessary in order to take steps at the request of a data subject;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller;
- Processing takes place given your consent.
Collection of Data
We collect Personal Data in accordance with law as follows:
- Name, Email address, Phone number
- Date of birth
- ID/Passport Number
- Credit Card Number
- Room Preferences
- Medical information
- Transportation details (flight number, etc.)
- Date of reservation made
- Start and end date of reservation
- The date and time you made a booking
- Reference Code
- Amount due
- Final date when payment is due
- IP address
- Preferences during browsing
In more limited circumstances, we also may collect:
- Data about family members and companions, such as names and ages of children
- Images and video and audio data via: (a) security cameras (images and audio data are stored for 15 days and they are deleted afterwards) (b) hotel activities taking place during your visit, given your consent.
We collect personal data either directly from you, when you visit our hotel or through online services (the websites we operate, www.santocollection.gr, the software application made available by us, Santo Maris Oia Luxury Suites & Spa App, our social media pages).
Special categories of personal data
Unless specifically requested, we ask that you not send us, and you not disclose, any Sensitive Personal Data (e.g. social security numbers, national identification number, data related to racial or ethnic origin, political opinions, religion, ideological or other beliefs, health, biometrics or genetic characteristics, criminal background, trade union membership, or administrative or criminal proceedings and sanctions)
The Data Protection Officer will keep an inventory of all the personal data that the organization holds and processes (“the Inventory”). The Inventory shall include a justification for the collection and use of each data set processed. Any data set, which is not strictly necessary for the purposes for which the data is collected shall be removed from the organization’s data processing activities. The Inventory shall be reviewed on an annual basis.
The Data Protection Officer shall ensure that the Inventory records the following for each data set-
- The data source;
- The organization’s need for accuracy of data; and
- The time sensitivity of each data set.
The organization has established appropriate measures to ensure that the data that it processes is accurate and up to date.
The Data Protection Officer shall ensure that there is a clear policy on how long each data item is to be retained, including the reason(s) for doing so, such as any legal requirements to retain data for a certain reason:
On a yearly basis each department of Metaxa Hospitality Group purges its filing systems (manual and electronically) of personal data that is no longer required, in accordance with the retention periods established in the Inventory.
Details of the purges carried out including how it was carried out and by whom are recorded and signed by the Data Protection officer.
To ensure that the organization has appropriate security measures in place to protect the personal data that it processes from being accidentally or deliberately compromised, the organization has established organizational and technical measures.
Data breach management and notification
As part of its data breach management procedure, Metaxa Hospitality Group shall notify DPA without undue delay and where feasible within 72 hours, after becoming aware of a data breach, unless it is determined that the breach is unlikely to result in a risk to the individuals affected. If it is determined that the breach is likely to result in a high risk to the individuals affected, Metaxa Hospitality Group shall notify those individuals of the breach without undue delay.
Metaxa Hospitality Group shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (including whether it has been notified to the DPA and/or the individuals affected.
Data subject’s rights
As described in section 2, Metaxa Hospitality Group informs all individuals about their data protection rights. Any request from individuals is internally directed to the Data Protection Officer who ensures that the request is processed and responded to without undue delay and in any event within one month of receipt of the request.
You may exercise your rights at email@example.com or send a letter at 28A Alex. Papanastasiou Ave., Heraklion, Crete, Greece, 71306.
Data protection by design & by default
Metaxa Hospitality Group will consider the data protection and privacy implications of any project proposal that involves the use the use of personal data, prior to its implementation.
Further, periodically reviews shall be undertaken to make appropriate adjustments to the data processing with the aim of improving data protection and privacy, taking into account technological developments.
The organization will:
- Require the advice of the Data Protection Officer before processing on a new data processing activity, particularly when it involves special categories of data, data relating to criminal convictions and\or new technology. A record active list is kept;
- Continuously strive to minimize the data that the organization processes by carrying out periodic audits;
- Implement pseudonymization to the maximum extent possible;
- Limit staff access to personal data to only the information that is strictly necessary for them to carry out their tasks;
- Ensure that persons authorized by Processor to process the Personal Data on behalf of Controller are suitably informed, trained and instructed in respect of Applicable Data Protection Law and have committed themselves in writing to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement the Technical and Organizational Measures which meet the requirements of Applicable Data Protection Law and especially of article 32 of the GDPR;
Data protection impact assessments
Where a data processing activity is likely to result in a high risk to individuals, Metaxa Hospitality Group shall carry out a Data Protection Impact Assessment (DPIA), particularly when-
- New technologies are used,
- Systematic and automated processing resulting in decisions that affect individuals take place, special categories of personal data and/or data relating to criminal convictions are processed on a large scale, or
- Systematic monitoring of a publicly accessible area on a large scale occurs.
Metaxa Hospitality Group shall:
- Seek the advice of the Data Protection Officer in regard to DPIAs.
- Include the following in its DPIAs:
- A description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued;
- An assessment of the necessity and proportionality of the processing in relation to the purposes;
- An assessment of the risks to the rights and freedoms of individuals; and
- The measures envisaged addressing the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
Metaxa Hospitality Group only uses third parties to carry out an activity on the personal data that we hold, when the third party provides sufficient guarantees that it will process the data in compliance with the GDPR and DPA. These are:
- Iterweave Agency
- Review Pro
- Legal Advisors
Further, all the activities on the personal data that we hold carried out by third parties on your behalf, shall be governed by a written contract as per Articles 28 and 29 of the GDPR.
We collect certain data from cookies, which are pieces of data stored directly on the computer or mobile device that you are using. Cookies allow us to collect data such as browser type, time spent on the Online Services, pages visited, referring URL, language preferences, and other aggregated traffic data. We use the data for security purposes, to facilitate navigation, to display data more effectively, to collect statistical data, to personalize your experience while using the Online Services and to recognize your computer to assist your use of the Online Services. We also gather statistical data about the use of the Online Services to continually improve design and functionality, understand how they are used and assist us with resolving questions.
Significant note: only functional cookies are stored by default in the device you are using. All the other kinds of cookies (marketing cookies, statistics cookies, preferences cookies) are used only if consent to it.
You can learn more about our cookies at Cookies Policy and change your tracking preferences at any time by clicking on “Cookie Settings” at Cookies Policy located at the bottom of our homepage. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Online Services.