Version 2.0 (01/05/2020)
This Data Protection Policy sets out the Metaxa Hospitality Group’s arrangements in place to comply with its obligations under the General Data Protection Regulation (GDPR – 2016/679).
Further to compliance with data protection law, this policy helps to protect the organization from other risks, such as damage to the reputation of the organization and to trust in the services that it provides.
The policy provides demonstrable commitment and support from senior management to ensure compliance with data protection law.
2. Data protection policy elements
In accordance with the GDPR, Metaxa Hospitality Group adopts and implements the following principles across the organization:
a) Purpose specification and purpose limitation: the purpose(s) for which Metaxa Hospitality Group collects and uses personal data shall be specified and legitimate. The data shall not be used for anything other than the specified purposes;
b) Transparency: clear information shall be provided to individuals about the purpose(s) for which personal data are collected and used, at the time the data is collected;
c) Data minimization: Metaxa Hospitality Group shall only collect personal data that is strictly necessary for the specific purpose(s) i.e. the minimum personal data required shall be collected and used;
d) Accuracy: personal data shall be accurate and where necessary kept up to date;
e) Retention: personal data shall not be kept for longer than is necessary;
f) Security: appropriate measures to protect personal data shall be implemented and maintained;
g) International transfers: personal data shall only be transferred to countries outside the European Economic Area when the countries have an adequate level of data protection; and
h) Accountability: the organization will be able to demonstrate that it has implemented measures to comply with the abovementioned principles.
Further to the above, Metaxa Hospitality Group shall ensure that it has measures in place to ensure that it respects and conforms with the rights of individuals under data protection law, namely:
a) The right to be informed about the collection and use of their information;
b) The right of access to their personal data;
c) The right for individuals to have their personal data rectified when it is inaccurate or incomplete;
d) The right for individuals to have their personal data erased when there is no compelling reason for it to be processed;
e) The right for individuals to request the restriction or suppression of their data, when the accuracy of the data is contested, or processing is unlawful, but the individual opposes erasure and requests restriction instead;
f) The right to data portability, whereby in certain circumstances individuals can request that personal data they have submitted via automated means and in electronic format be moved, copied or transferred to another organization in a safe and secure way, without affecting its usability;
g) The right of individuals to object to processing of their personal data when it is based on “legitimate interests” or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling), or when processed for purposes of scientific/historical research and statistics; and
h) The right not to be subject to decisions solely on automated means without human intervention.
3. Governance and accountability
Under data protection law every person that handles personal data has some responsibility to ensure that it is used appropriately. However, the following person(s) within the organization have key responsibilities:
a) Chief executive officer – has overall responsibility for ensuring that the organization meets its obligations under data protection law.
b) Data protection officer – shall be responsible for:
c) IT manager – is responsible for ensuring that the organization has appropriate IT security measures in place to protect the personal data held.
When Metaxa Hospitality Group collects information about individuals, Metaxa Hospitality Group provides a written notice to the individuals from whom the data is collected that includes the following information:
a) The identity of the organization, as the data controller, including contact details;
b) The contact details of the Data Protection Officer;
c) The purpose for which the information is collected and used, including the lawful basis (to also include the right to withdraw consent when the lawful basis for the processing is consent);
d) The period for which the data will be kept;
e) Whether the information will be shared, and if so, with whom;
f) Whether the information will be transferred outside of the EEA;
g) Information about the rights of individuals under the GDPR (as identified in section 2);
h) The right of individuals to lodge a complaint with the Data Protection Authority (DPA);
i) Where applicable, inform the individual that the requirement to provide the personal data is a statutory requirement, contractual requirement or a requirement necessary to enter into a contract;
j) Identify and inform individuals where they are obliged to provide personal information together with the possible consequences of failure to provide the information; and
k) Where applicable, the existence of automated decision-making (including profiling), including meaningful information about the logic involved and the significance and envisaged consequences for the individual.
The abovementioned information and notice is provided by Metaxa Hospitality Group in the following manner-
5. Purpose specification and purpose limitation
Metaxa Hospitality Group collects and processes personal data only for-
a) Fulfilling Metaxa Hospitality Group’s obligations to the State
b) Performing a contract between you and Metaxa Hospitality Group
c) Providing the services you request
d) Personalizing the services according to your personal preferences
e) Communicating with you about goods and services according to your personal preferences
The abovementioned purposes rely respectively on the following lawful basis:
a) Processing is necessary for compliance with a legal obligation to which the controller is subject;
b) Processing is necessary for the performance of a contract to which the data subject is party;
c) Processing is necessary in order to take steps at the request of a data subject;
d) Processing is necessary for the purposes of the legitimate interests pursued by the controller;
e) Processing takes place given your consent.
Collection of Data
We collect Personal Data in accordance with law as follows:
In more limited circumstances, we also may collect:
We collect personal data either directly from you, when you visit our hotel, or through online services (the website we operate, www.cretamaris.gr; the software application made available by us, Creta Maris App; and our social media pages).
Special categories of personal data
Unless specifically requested, we ask that you not send us, and not disclose, any Sensitive Personal Data (e.g. social security numbers, national identification number, data related to racial or ethnic origin, political opinions, religion, ideological or other beliefs, health, biometrics or genetic characteristics, criminal background, trade union membership, or administrative or criminal proceedings and sanctions).
6. Data minimization
The Data Protection Officer will keep an inventory of all the personal data that the organization holds and processes (“the Inventory”). The Inventory shall include a justification for the collection and use of each data set processed. Any data set that is not strictly necessary for the purposes for which the data is collected shall be removed from the organization’s data processing activities. The Inventory shall be reviewed on an annual basis.
The Data Protection Officer shall ensure that the Inventory records the following for each data set:
a) The data source;
b) The organization’s need for accuracy of data; and
c) The time sensitivity of each data set.
The organization has established appropriate measures to ensure that the data that it processes is accurate and up to date.
The Data Protection Officer shall ensure that there is a clear policy on how long each data item is to be retained, including the reason(s) for doing so, such as any legal requirements to retain data for a certain reason:
On a yearly basis each department of Metaxa Hospitality Group purges its filing systems (manual and electronic) of personal data that is no longer required, in accordance with the retention periods established in the Inventory.
Details of the purges carried out, including how they were carried out and by whom, are recorded and signed by the Data Protection Officer.
To ensure that the organization has appropriate security measures in place to protect the personal data that it processes from being accidentally or deliberately compromised, the organization has established organizational and technical measures.
10. Data breach management and notification
As part of its data breach management procedure, Metaxa Hospitality Group shall notify the DPA without undue delay and, where feasible, within 72 hours after becoming aware of a data breach, unless it is determined that the breach is unlikely to result in a risk to the individuals affected. If it is determined that the breach is likely to result in a high risk to the individuals affected, Metaxa Hospitality Group shall notify those individuals of the breach without undue delay.
Metaxa Hospitality Group shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (including whether it has been notified to the DPA and/or the individuals affected).
11. Data subject’s rights
As described in section 2, Metaxa Hospitality Group informs all individuals about their data protection rights. Any requests from individuals are internally directed to the Data Protection Officer, who ensures that the request is processed and responded to without undue delay and in any event within one month of receipt of the request.
You may exercise your rights at email@example.com or send a letter at 28A Alex. Papanastasiou Ave., Heraklion, Crete, Greece, 71306.
12. Data protection by design & by default
Metaxa Hospitality Group will consider the data protection and privacy implications of any project proposal that involves the use of personal data, prior to its implementation.
Further, periodic reviews shall be undertaken to make appropriate adjustments to the data processing with the aim of improving data protection and privacy, taking into account technological developments.
The organization will:
13. Data protection impact assessments
Where a data processing activity is likely to result in a high risk to individuals, Metaxa Hospitality Group shall carry out a Data Protection Impact Assessment (DPIA), particularly when-
Metaxa Hospitality Group shall:
14. Data Processors
Metaxa Hospitality Group only uses third parties to carry out an activity on the personal data that we hold, when the third party provides sufficient guarantees that it will process the data in compliance with the GDPR and DPA. These are:
Further, all the activities on the personal data that we hold which are carried out by third parties on our behalf shall be governed by a written contract as per Articles 28 and 29 of the GDPR.
We collect certain data from cookies, which are pieces of data stored directly on the computer or mobile device that you are using. Cookies allow us to collect data such as browser type, time spent on the Online Services, pages visited, referring URL, language preferences, and other aggregated traffic data. We use the data for security purposes, to facilitate navigation, to display data more effectively, to collect statistical data, to personalize your experience while using the Online Services and to recognize your computer to assist your use of the Online Services. We also gather statistical data about the use of the Online Services to continually improve design and functionality, understand how they are used and assist us with resolving questions.
Significant note: only functional cookies are stored by default on the device you are using. All the other kinds of cookies (marketing cookies, statistics cookies, preferences cookies) are used only if you consent to them.
You can learn more about our cookies at Cookies Policy and change your tracking preferences at any time by clicking on “Cookie Settings” at Cookies Policy located at the bottom of our homepage. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Online Services.