CUSTOMER PERSONAL PRIVACY POLICY CHARTER

Valid from: 07/02/2020

OUR COMMITMENT

At GRECOTEL - HELLENIC COMPANY OF HOTEL ENTERPRISES and our affiliated companies (collectively "GRECOTEL"), the protection of your personal information is a priority. This reflects our philosophy of maintaining satisfied customers and building strong, trustworthy relationships.

We understand the importance of your personal data and make every effort to store and process with care the information you share with us.

We value your trust. Therefore, we have drafted this Policy to inform you about how we process (e.g., collect, use, disclose, etc.) your personal data and about your rights under Regulation (EU) 2016/679 ("General Regulation") and Greek law.

At GRECOTEL, we enhance the protection of your personal data through technical security measures, internal management procedures, and physical safeguards. We constantly develop our systems and procedures in an effort to stand out from third parties.

Thanks for your continued interest and support.

Useful Definitions

To better understand this document, the following terms are used with the meanings described:

1. Personal Data

Any information relating to a natural person that directly or indirectly identifies them (e.g., full name, ID number, tax number, home address, phone numbers, age, gender, physical characteristics, family status, occupation, interests, etc.). A subset of personal data includes "sensitive data" ("special categories of data" under the General Regulation), which relate to the hard core of human personality and enjoy stricter protection (e.g., health status, political views, religious or philosophical beliefs, etc.). The natural person to whom the data refers is called the "data subject."

2. Processing

Any action performed on personal data, such as collection, storage, transmission to third parties, deletion, etc.

3. Legal basis for processing

Conditions set by the General Regulation, such as:
a) For "simple" data: consent, contract execution, legal obligation of the data controller, protection of vital interests, or legitimate interest (Article 6 GDPR).
b) For special categories ("sensitive" data): explicit consent, establishment/exercise/defense of legal claims, substantial public interest based on EU or Greek law (Article 9 GDPR).

Categories of Personal Data Subject to Processing

GRECOTEL collects the personal data you provide either directly or through third parties to whom you turn for room reservations (e.g., travel agencies, Global Distribution Systems/GDS, online booking systems/platforms, etc.), as well as during your stay at our hotels.

Specifically, we process (collect, store, and use) the following categories of personal data:

1. Personal data required by applicable legislation, such as:
i) Personal information (e.g., full name, father's name, date of birth, place of birth, nationality, identity card or passport number, issuing authority, as well as information regarding your minor children staying with you at our hotel),
ii) Contact details (address, phone numbers, email address),
iii) Room number, check-in and check-out dates, (flight company)

2. Data required for billing and issuance of legal tax documents, such as Tax Identification Number (TIN), Tax Office, as well as payment-related data (e.g., credit or debit card number).

3. Personal data related to the use of our services, such as room phone usage, mini-bar consumption, restaurant or bar charges, online room service, etc.

4. Data regarding your preferences and interests (e.g., specific room type, bed type, sports or cultural interests, etc.).

5. Personal data collected via closed-circuit television (CCTV) systems in areas intended to monitor entry and exit (e.g., main entrance, reception area, elevator/stairwell access points), as well as in cash storage areas, for the protection of the lives and property of our guests, our employees, and our business.

Purposes and Legal Basis for Data Processing

1. Provision of the hotel services you request (booking, confirmation, accommodation, in-stay services, processing of payments for accommodation and services).
The legal basis for these processing activities is compliance with applicable hotel legislation, as well as the conclusion and performance of the hotel services contract between us.

2. Calculation of usage of the services provided and the issuance of the necessary tax documentsThe legal basis for this processing is the performance of our contract and compliance with applicable tax legislation, which requires the collection of your data and Tax Identification Number (TIN) for issuing legal receipts and retaining them for a specific period, as well as transmitting them to the Independent Authority for Public Revenue (IAPR).

3. Security of individuals and property (our guests, employees, and facilities), handling of potential claims, and disclosure of data to third parties for judicial use. The legal basis for these processing activities is, on the one hand, our legitimate interest in protecting individuals and property on our premises, and our legal protection in case of claims against the company until final (judicial or out-of-court) resolution of the dispute; on the other hand, the legitimate interest of third parties in receiving and using specific data held by our company to defend their rights before judicial authorities—always under the condition that such disclosure is deemed necessary and appropriate by our company for achieving the stated purpose.

4. Communication with you during your hotel stay, in order to provide you with useful information that will make your stay comfortable and pleasant (e.g., room access management, hotel activities and programs), which is sent via email or SMS. The legal basis in this case is the hotel's legitimate interest in informing you about activities taking place within the premises and fulfilling its obligation to provide hotel services.

5. Communication for marketing purposes and participation in loyalty programs (loyalty clubs). The legal basis for this processing is your consent, which you may withdraw at any time.

6. Provision of specific services (e.g., Spa treatments), which may require the collection of sensitive personal health data. The legal basis for this processing is your consent, which you may withdraw at any time.

7. In exceptional cases (e.g., accidents), the collection and potential further processing of your personal data (e.g., sharing with third parties such as a doctor or hospital) is done to protect your vital interests (i.e., your life and health), either with your consent or, if you are unable to provide it, without it.

Retention Period of Personal Data

The data we are legally required to collect is retained for as long as stipulated by the relevant provisions. Specifically, data mandated by hotel legislation is kept for ten years, while your billing data related to the hotel services we provide is stored for the duration required by the applicable tax legislation, in order to enable us to comply with potential audits by the competent authorities.

Personal data necessary for the conclusion or performance of our contract is retained for the entire duration of the contract and for five (5) years after its termination. In the event of legal claims, this data is retained until a final, non-appealable court decision is issued, or, in the case of a settlement, for twenty (20) years from the fulfillment of the terms of the settlement, provided there is any outstanding obligation.

Additional information that is not required by law or contract (e.g., your preferences) is generally retained for two (2) years from your last stay at our hotel and is then encrypted, so that identification is no longer possible, except in cases where GRECOTEL has an overriding legitimate interest - such as compliance with requests from public authorities or the handling of potential legal claims.

Image data collected through closed-circuit television (CCTV) is automatically deleted after 15 days, unless it records an illegal act, in which case it is retained for up to 3 months, in accordance with specific provisions set by the Hellenic Data Protection Authority.

Recipients of Personal Data

As previously mentioned, it is a core part of our philosophy and a fundamental principle to protect the confidentiality of your personal data. For this reason, your data is used only by authorized GRECOTEL personnel, strictly within the scope of their duties (e.g., hotel staff, reservations departments, IT, commercial departments, etc.).

By way of exception, we may disclose your data to third parties only when necessary for a specific lawful purpose of processing, such as:

1. Businesses and professionals acting as independent "data controllers" who bear individual responsibility for the lawful processing of personal data, in accordance with their own data protection statements (e.g., insurance companies, lawyers, certified public accountants, healthcare service providers such as public and private hospitals, diagnostic centers, and healthcare professionals). We may disclose your data to these parties in the event of a serious accident, in order to safeguard your vital interests. Additionally, we may contact the bank with which you are affiliated to confirm your card’s credit limit and process related charges.

2. External service providers cooperating with our company, who are bound by confidentiality obligations and to whom we transfer only the data necessary for them to carry out the task assigned to them (e.g., IT service providers, accountants, etc.).

3. Competent authorities, whenever required for compliance with legal obligations or for the protection of lawful rights (e.g., courts, prosecutors, police, the General Secretariat for Consumers of the Ministry of Development and Competitiveness, the Independent Authority "Consumer Ombudsman," relevant ministries, regional authorities, tax offices, the Financial and Economic Crime Unit [SDOE], and the Independent Authority for Public Revenue [AADE]).

Transfer of Personal Data to Third Countries

In order to enable the conclusion and execution of hotel service contracts, our company may transfer personal data to third-party companies (such as travel agents) based in countries outside the European Economic Area (EEA).

In such cases, we ensure a level of data protection equivalent to that of the European Union, as the transfer is carried out only if at least one of the following safeguards is in place:

a) We transfer personal data to third countries for which the European Commission has determined that they ensure an adequate level of data protection. For more details, please refer to the official website of the European Commission on Adequacy decisions.

b) In cases where we use service providers located in non-EU countries not covered by an adequacy decision, we rely on Standard Contractual Clauses (SCCs) issued by the European Commission, which provide personal data with the same level of protection as within the European Union. For more information, refer to the official European Commission webpage on Standard Contractual Clauses for data transfers between EU and non-EU countries.

c) If no appropriate safeguards are in place, the transfer or series of transfers of data to a third country or international organization will take place only if at least one of the specific conditions/exemptions explicitly provided for in the applicable data protection legislation is met.

Your Rights

You may exercise the following rights at any time, subject to the conditions set out in Greek and European legislation, by sending an email to Grecotel's Data Protection Officer at [email protected]:

1. Right of access - To be informed whether your personal data and/or that of your child is being processed, to receive copies of such data, and to obtain further information regarding the processing activities.

2. Right to rectification - To request the correction or completion of inaccurate or incomplete data (e.g., if your email address changes).

3. Right to erasure ("right to be forgotten") - To request the deletion of data that is no longer necessary for the purposes for which it was collected, or where deletion is required by law.

4. Right to restriction of processing - To request that we restrict the processing of your data, either while a deletion or correction request is pending, or when Grecotel is obliged to delete the data but you wish for us to retain it exclusively for your own use (e.g., for legal defense or claims).

5. Right to data portability - To receive your personal data in a readable electronic format and/or to request that we transmit it directly to a third party of your choosing. This right applies to data processed on the basis of a contract, law, or your consent (see section "Purposes and Legal Basis for Processing").

6. Right to object - To object, for specific reasons, to the processing of your data, such as:
i) To the sending of notifications via postal mail, email, or SMS. In this case, we will cease sending such communications.
ii) To the transfer of data to third parties for judicial purposes, subject always to the hotel's assessment that such a transfer is necessary and appropriate to support the (third party's) rights before judicial authorities.
iii) Please note that in cases where the data transfer is essential for the establishment, exercise, or defense of legal claims (whether in court or out of court), the legitimate interests of our company prevail and the right to object may not be honored.

7. Right to withdraw consent - To withdraw, at any time, the consent you have given for the processing of specific data as mentioned above.

Additionally, if you believe that your personal data and/or that of your minor children is being violated in any way, you have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr).

Revisions

Before any potential changes to the processing of personal data through the Website, we will accordingly update this Notice and publish it so that you are informed and can effectively exercise your rights. For this reason, we kindly ask you to review this Notice before making a reservation, either at http://www.grecotel.com/data-protection or to request a printed copy at the reception of our hotels.

Questions and Contact

You have the right at any time to submit a written request to Grecotel's Data Protection Officer ([email protected]) to inquire whether we hold any personal data about you and, if so, to exercise the rights provided by applicable law as described above. You may also request any information or clarification regarding the processing of your personal data.

Click here to view the Collaborator Personal Data Protection Charter>
Click here to view the HR Personal Data Protection Charter>