The Anonymous Company under the name “THALASSA MONOPROSOPI A.E.”, regarding its hotel business THALASSA BEACH RESORT, in the municipality of Agia Maria in Chiana, located in the Old National Road – Mikis Theodorakis Avenue, Chania prefecture, 249 Agias Marina Str., PC 73014, with TIN 996723798 and registration number GE.MI 173839058000 (hereinafter “the Company”) wishes to be an exemplary corporate citizen and to demonstrate the sensitivity and attention it displays in the handling and security of the personal data of its customers, partners, partner travel agencies, suppliers, agents and employees, which it processes for its operation and execution of corporate purposes.

Our Company strives to carry out its business activities in accordance with the principles of privacy, as we believe that they demonstrate our unwavering commitment to ethical and responsible practices. We recognize that innovation and new technologies lead to constant change in risks, expectations and legislation, and therefore we follow the standards of privacy and aim to adapt in a timely manner to the response to these changes.

This Policy sets out our standards for the management and protection of Personal Data by or on behalf of our company, which originates directly or indirectly from any country in the European Economic Area (EEA), and Switzerland and is transferred to any other country, including transport between EEZ countries. It is valid for our activities in each country, for any activity that involves the processing of information about individuals we conduct in each of our subsidiaries and in each of our sectors / sectors of activity (including any successors to our business), including, but not limited to , research, production, commercial activities, corporate support and data transport necessary to carry out the above activities, including, but not limited to:

  • Research and Production: aunch, management and funding of research studies / evaluation and involvement of researchers, external collaborators and partners to support research studies and the development of our products / recruitment for research studies / security evaluation, Effectiveness and quality of our developing and commercially available products / keeping our commitments regarding the safety and quality of our products, including the management and reporting of adverse effects and complaints on product quality / submission of an application for approval and registration of our products to the principles of health regulations / compliance with the relevant legal, regulatory or ethical requirements.
  • Commercial activities: market evaluation of our products / advertising, marketing, sales, distribution and delivery of our products / communication with our customers and other end users of our products / sponsorship and event / evaluation and encouragement of our partners to support our commercial activities / compliance with the relevant legal, regulatory or ethical requirements.
  • Corporate support: recruitment, management, development, communication with, and compensation of employees / provision of benefits to employees and their protected family members / conducting performance appraisals and talents of employees / providing training and other educational and development programs/ conducting disciplinary proceedings and managing employee complaints / managing concerns about ethics and privacy and conducting surveys / managing and securing our physical and virtual assets and infrastructure / supply and payment for products and services / fulfillment of our commitments on the environment, health and safety and corporate responsibility / communication with the media / and compliance with the relevant legal, regulatory or ethical requirements.

This Policy also applies to all persons whose data we process, including but not limited to customers, prospective, current and former employees and their affiliates, partners, investors and shareholders, civil servants and other interested parties.

All Employees of the Company and the executives of the Management have important responsibilities regarding the protection of privacy which they must observe.

We acknowledge that unintentional errors and erroneous judgments about data protection can pose risks to individuals’ privacy and risks to our Company’s reputation, processes, compliance and finances. Every employee of the Company, and other people who process data for our company, are responsible for understanding and complying with their obligations under this Policy and existing laws.

We adhere to our privacy values ​​in everything we do and that includes people, including how we apply privacy standards. The four values ​​of privacy include:

Respect

We recognize that privacy concerns are often related to the essential questions of who we are, how we view the world, and how we define ourselves. Thus, we try hard to respect the perspective and interests of individuals and societies and to be fair and transparent in how we use and share information about them.

Trust

We know that trust is vital to our success, so we strive hard to build and maintain the trust of our customers, employees and other stakeholders in respecting and protecting the information related to them.

Damage prevention

We understand that misusing information related to people can cause tangible and intangible harm to individuals, and so we try to prevent physical, financial harm, damage to their reputation or other harm related to privacy.

Compliance

We have learned that laws and regulations do not always go hand in hand with rapid advances in technology, data flow, and the associated changes in privacy risks and expectations. So we try hard to comply with the spirit and regulations of privacy and data protection laws in a way that demonstrates consistency and operational adequacy for our global business operations.

  1. We incorporate our privacy standards into all activities, processes, technologies and relationships with third parties using Personal Data.
  2. We design privacy checks on our processes and technologies that are consistent with our privacy values and standards and applicable law. The 8 privacy principles described below summarize the privacy standards and key requirements for high-level processing, activities, and support technologies.

    Privacy Principle & Our Key Commitments

      Necessity – Before collecting, using or distributing Personal Data, we determine and record the specific, legitimate business purpose for which this is necessary.

      • We determine and record the time period for which Personal Data is required for these specified business purposes.
      • We do not collect, use or share more Personal Data than required, or retain Personal Data in a recognizable form for a longer period of time than is necessary for those specified business purposes.
      • We anonymize the data when business requirements make it necessary for information about the activity or process to be retained for a longer period of time..
      • We ensure that these necessary requirements are incorporated into any supporting technologies and that third parties supporting the activity or processing are notified.

      Justice – We do not process Personal Data in ways that are unfair to those concerned.

      • We determine whether the proposed collection, use or other form of processing of Personal Data is a risk of actual or indeterminate damage to individuals, in accordance with the Privacy and Damage Prevention principle.
      • If the nature of the data, types of people or activity contain an inherent risk of actual or undetermined harm to individuals, we ensure that the risk of harm does not outweigh the corresponding benefits to those individuals or our mission to save and to improve human lives.
      • In cases where the risk is inversely proportional to the benefits to individuals, we process the Sensitive or Personal Data only with the clear consent of the persons or as explicitly required or permitted by existing laws.
      • We record the risk analysis and design any required mechanisms for obtaining and recording data that demonstrate consent to supportive technologies.

      Transparency – We do not process Personal Data in ways or purposes that are not transparent.

      • All persons whose Personal Data is processed under this Policy will be entitled to a copy of this Policy. We will make copies of this Policy available online at https://www.thalassaresort.gr/el/. The Data Protection Officer will provide digital and / or physical copies of this Policy upon request to the addresses listed below.
      • When Personal Data is collected directly from individuals, we inform them through a clear, unambiguous, and easily accessible privacy notice or similar means, before collecting information about (1) the corporate entity or entities responsible for processing, (2) the type of data to be collected(3) the purposes for which they will be used, (4) with whom they will be shared, including any requirements to disclose Personal Data following legal requests from state authorities, (5) how long they will be withheld, (6) the manner in which individuals may ask questions, express concern or exercise their data rights, and (7) the electronic link of this Policy, where applicable and appropriate.
      • When Personal Data is collected from other sources and not necessarily under the direction of our company, before the data is obtained, we verify in writing that the data provider has informed individuals of the ways and purposes for which the company intends to use the information.
        If the written verification cannot be obtained from the provider, we use only anonymous data, or before using Personal Data, we inform the persons affected by a privacy notice or similar means for (1) the corporate entity or entities responsible for processing, (2) the type of data to be collected, (3) the purposes for which it will be used ,(4) with whom they will share, including any requirements to disclose Personal Data following legal requests from state authorities, (5) how long they will be withheld, (6) how individuals may ask questions, to express concern or exercise their rights regarding the data, and (7) the electronic link of this Policy, where applicable and appropriate.
      • We ensure that the necessary transparency mechanisms, including, where possible, mechanisms that support individual rights requests, are introduced into supporting technologies, and that third parties supporting the activity or processing do not process individual data in ways that are inconsistent with what has been said to individuals, through privacy notice or other verifiable means, about how we and others working for us will use the data.

      Purpose Limitation – We Use Personal Data only in accordance with the principles of Necessity and Transparency

      • If new reasonable corporate purposes are identified for Personal Data already collected, we ensure that either the new corporate purpose (including a substantially similar purpose) is compatible with the purpose as described in the privacy notice or other transparency mechanism previously provided to the individual, or we obtain the consent of the individual to the new use of his Personal Data.
      • We do not apply the above principle to anonymous data or where we use Personal Data solely for historical and scientific research purposes and (1) a Management Control Committee, or other competent auditor, has determined that the risk of such use for individuals’ privacy or other rights is acceptable and (2) there is respect for the existing Legislation.
      • We ensure that limitations, due to purpose limitation, are incorporated into supportive technologies, including any reference capabilities and data distribution.

      Data Quality – We keep Personal Data accurate, complete and up to date, and in agreement with their desired use.

      • We ensure that periodic data control mechanisms are integrated into supportive technologies to validate data accuracy in relation to the source and systems.
      • We ensure that Sensitive Data is validated as accurate and up-to-date before use, evaluation, analysis, reporting or other processing that carries the risk of injustice to individuals if inaccurate or non-current data is used.
      • When changes occur in Personal Data by our company or third parties working for our company, we ensure that these changes are communicated in a timely manner where reasonably possible.

      Safety – We incorporate safety valves to protect Personal Data and Sensitive Data from loss, misuse, and unauthorized access, disclosure or destruction.

      • We have implemented a detailed information security programme and we are implementing security controls based on information sensitivity and the magnitude of the risk of activity, taking into account the best practices of modern technology and the cost of implementation. Our operational security policies include, but are not limited to, operational continuity and disaster recovery standards, identity and access management, information classification, information security incident management, network access control, physical security, and risk management.

      (1) We transfer only Personal Data or allow third parties to be processed if the following conditions are met, and we are responsible for ensuring that the third parties we work with meet these conditions:

      Data Transfer – We are responsible for maintaining the security of the privacy of our Personal Data when it is transferred to or from other organizations or border states.

      • If the role of the third party is to process Personal Data for or on behalf of our company before the third party receives the Personal Data, we: (1) we complete the legal review of privacy to assess the privacy practices and risks associated with these third parties, 2) we obtain warranties through a contract from these third parties that they will process Personal Data in accordance with our company’s instructions, and in accordance with this Policy, including, without limitation, all 8 Privacy Principles and other standards set by this Policy and existing Legislation, and will inform our company in good time of any Privacy Event; including any inability to comply with the standards set out in this Policy and existing legislation, or Security Event, and will cooperate together to rectify any documented Event and address to individual rights as set out in Section 2 below; and that they will allow our company to conduct audits and supervise their practices during processing in terms of compliance with these requirements. In addition, if the third party processes Personal Data originating in a country or territory with legislation restricting the transfer of Personal Data, we will ensure that the transfer to the third party qualifies for cross-border transportation described below in Section 2. Where one of our subsidiaries acts solely on behalf of another subsidiary of our company for the processing of Personal Data, and where required by the Law, these subsidiaries of our company will perform an internal data processing in accordance with Principle 8 of this Policy.
      • If the role of the third party is to provide Personal Data to our company before we obtain the Personal Data from the third party, we ensure that the Transparency requirements for the collection of Personal Data from other sources are met and not specifically under the supervision of our company, and we obtain warranty through a contract from the third party that it does not violate any Law or the rights of any third party by providing Personal Data to our company.
      • If the role of the third party is to obtain from our company data for processing that is not specifically under the supervision of our company, before delivering the data to the third party, we ensure that the data has been anonymised, and we obtain written guarantees from the third party that they will use the data only for the operational purposes set out in the agreement and in accordance with existing legislation, and that it will not attempt to reverse the process of anonymising the data.
      • (2) We transfer Personal Data cross-border from or on behalf of our company in accordance with this Policy. We will implement this Policy in the transfer of Personal Data from any other country or territory with legislation that restricts the transfer of Personal Data.

      Legally Permitted – We only process Personal Data only if the requirements of applicable law are met.

      While the other 7 privacy principles, as well as the Individual Rights requirements described below, are intended to ensure that the requirements for most privacy and data protection laws applicable to our industry around the world are met, in some countries we need to meet additional conditions, including, but not limited to:

      1. Where required, we will obtain specific forms of consent for the processing of specific Personal Data, including, but not limited to, the approval of processing by employment councils or other trade unions.
      2. Where necessary, we will register the processing of Personal Data with the applicable privacy or data protection regulatory authority.
      3. Where necessary, we will further limit the data retention periods for Personal Data.
      4. Where required, we will enter into agreements that include special contract clauses, including agreements on cross-border data transfer to third parties.
      5. Where necessary, we shall disclose personal data following legitimate requests from public authorities, including the satisfaction of requests related to national security or security principles.

      In the event of a conflict between this Policy and existing legislation, the standard that provides more protection to individuals will prevail.

  3. We will address requests in a timely manner regarding individual rights to access, correct, modify or delete Personal Data or object to the processing of Personal Data.

    • Access, Correction and Deletion – Under Greek Law individuals have the right to access Personal Data about them, and to correct, modify or delete Personal Data that is inaccurate incomplete or obsolete. We will approve all requests from individuals for access, correction and deletion of Personal Data. If an application for access, correction or deletion is defined by existing Legislation that provides greater protection for individuals, we will ensure that the additional requirements are met under Legislation.
    • Selection – In accordance with the privacy principles for “Respect” and “Trust”, we approve individual requests for objection to the processing of Personal Data, including, but not limited to, the option of not participating in programs or activities in which individuals had previously agreed to participate; processing personal data about them for direct marketing purposes for communication that targets them and based on Personal Data, and for any evaluation or decision-making about them, which has the potential to significantly affect them, and that is done through the use of algorithms or automation.


      Except where it is prohibited by the Law, we may refuse the choice where a particular application may impede the company’s ability to: (1) comply with the Law or a moral obligation, including whether we are obliged to disclose personal data in response to legitimate requests from public authorities, due to the conditions of the security authorities or national security; (2) investigate, defend or seek legal claims, and (3) enter into contracts, manage relationships, or perform other permitted professional activities consistent with the principles of Transparency and Purpose Limitation and which have been established on the basis of the data of the persons associated with them. Within fifteen working days of any decision to refuse selection in accordance with this Policy, we will record and contact the applicant.

  4. We will respond in a timely manner and escalate all questions related to privacy, complaints, concerns and any privacy incident or Security Event.

    • Any person whose Personal Data we process within the framework of this Policy may ask questions, complain or express concerns to our company at any time, including the request to provide a list of all of our subsidiaries subject to this Policy. We expect that our employees, and other individuals working on behalf of our company, will provide timely notice if they have reason to believe that an applicable law may prevent them from complying with this Policy. Any question, complaint or concern from an Individual, or any notice from an employee or other person working on behalf of our company, should be addressed to the Data Protection Officer:

      1. by email: george@thalassaresort.gr
      2. by tel: στο +30 28210 60660
      3. by FAX: στο +30 28210 60601
      4. by post: (DPO), «THALASSA MONOPROSOPI A.E.» for the hotel THALASSA BEACH RESORT, Agia Marina, Chania, Chania, Crete, Arna, St. 249, PC 73014.
    • Employees and contractors are obliged to inform the Data Protection Officer in their field in good time of any questions, complaints or concerns regarding our privacy practices.

    • The Data Protection Officer will review and investigate, or cooperate with the Legal Service to investigate, all questions, complaints or concerns related to our privacy practices, whether they were received directly by our employees or by other individuals or third parties; including, but not limited to, regulatory services, liability employees or other state authorities. We will respond to the person or entity who asked the question, Complaint or concern to our company within thirty (30) or maximum within sixty (60) calendar days except for a Law or applicant / third party requiring a response within a shorter period of time or the circumstances, such as a parallel government survey, require a longer period of time. In this case, the person or applicant/third person will be notified in writing as soon as possible that the general nature of the circumstances contributing to the delay allows that.
    • The Data Protection Officer, in cooperation with the Legal Office and the Compliance Office, will work with the Privacy Regulatory Authority in response to any investigation, inspection or investigation.
    • For complaints that cannot be resolved between our company and the person who made the complaint, our company has agreed to participate in the following dispute resolution processes, in the investigation and resolution of complaints to resolve disputes related to this Policy.
    • However, if, at any time, persons residing in the FEZ, or persons whose Personal Data fall under the FEZ Data Protection Act and are transferred outside the EEC, and whose data are subject to processing relating to this Policy, have the right, on the basis of this Policy, to impose the conditions of this Policy as eligible third parties, including the right to take legal action to claim damages for infringing their rights due to this Policy and the right to receive compensation for damages caused by such infringement. Persons residing in the FEZ or persons whose Personal Data fall under the FEZ Data Protection Act and who are transferred outside the FEZ (for reasons of clarity, including the United States), may have claims under this Policy, from the Company

      1. In courts or in the data protection authority of the FEZ country from which their Personal Data were transferred, or
      2. in Greek courts or in the Hellenic Data Protection Authority.

      Our company will respond to the person or entity who asked the question, complaint or concern to our company within thirty (30) calendar days unless a Law or applicant / third party requires a response within a shorter period of time or outside and the conditions require greater time, and in this case the person or third party will be notified in writing.

Terms you need to know

  • Anonymization. The change, discontinuation, elimination or other restriction or alteration of Personal Data in order to make it impossible for them to be used for identification, detection or communication with the individual.
  • Legislation. All laws, rules, regulations and warranty orders that have the force of law in any country in which our company operates or in which Personal Data is processed by or on behalf of our company.
  • Our company. The company “THALASSA MONOPROSOPI A.E.” and the hotel company THALASSA BEACH RESORT that is exploited, in addition to the joint ventures in which our company participates.
  • Personal Data. All data about a recognized or unrecognized person, including the data that identifies the person or that could be used to identify, locate, monitor or communicate with. Personal Data also includes direct identification information such as name, identification number or unique work title, and indirect identification information such as date of birth, unique mobile or portable identification number, telephone number and encoded data.
  • Privacy Event. Violation or breach of this Policy or a privacy or data protection law, includes a Security Agreement. Determining whether a privacy incident has taken place and whether it has a physical nature will be done by the Data Protection Officer and the Legal Department / Compliance Department.
  • Processing. Conducting any process or series of processes in human data, with or without automated media, including, but not limited to, collecting, recording, organizing, storing, accessing, adapting, converting, retrieving, consulting, using, evaluating, analyzing , reporting, distributing, disclosing, and disseminating, transmitting, disposing, stacking, combining, blocking, deleting, deleting, or destroying.
  • Security Incident. Access by an unapproved person to Personal Data or disclosure to an unauthorized person of Personal Data or the reasonable suspicion of our company that this has happened. Access to Personal Data by or on behalf of our company without the intention to violate this Policy is not a Security Contract, provided that the specific Personal Data was then used and disclosed only as permitted by this Policy.
  • Sensitive data. Any type of data about people that contains an inherent risk of harm to individuals, including data defined by law as sensitive, including, but not limited to, health-related data, heredity, race, ethnicity, religion, political or philosophical beliefs or beliefs, criminal record, accurate geographic location information, bank or other financial account numbers, state numbers issued to minors, minors, sex life, relationships with trade unions, security , social security and other employer or government benefits.
  • Third person. Any legal entity, organization or person that does not belong to our company, or for which our company has no control interest, or that does not work for our company. Unless expressly specified by this Policy, no subsidiary or sector of our company is required to meet the requirements of a third party under this Policy; as all subsidiaries and sectors/segments are required to process data about people in accordance with this Policy, including where one of our subsidiaries supports one or more subsidiaries of our company during processing.

Changes to this Policy

This Policy may be revised occasionally, in accordance with the requirements of existing legislation. Whenever this Policy changes naturally, a notice will be posted on our company’s website (https://www.thalassaresort.gr/el/) for 60 days.

Effective date

May 25, 2018