The Greek Retreats shall inform individuals of the purpose for which it collects and uses their personal data and the types of third parties to which it may disclose that information. The Greek Retreats shall provide individuals with the choice and means for limiting the use and disclosure of their personal information, where applicable. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to The Greek Retreats, or as soon as practicable thereafter, and in any event, before The Greek Retreats uses or discloses the information for a purpose other than that for which it was originally collected.
1. What are the personal data?
1.1. Personal data means any information relating to you which allows us to identify you, such as your name, contact details, booking reference number, payment details and information about your access to our website.
1.2. We may collect personal data from you when you make a reservation with us (either directly or indirectly through our trusted third-party partners), use our website and other websites accessible through our website, or when you contact us.
2. What Types of Personal Data Does The Greek Retreats Process and How Do We Use Your Personal Data?
2.1. We will only use your data in ways that are compatible with the purposes for which it was collected or authorized by you. Unless required or authorized by law, The Greek Retreats will not process sensitive personal information about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual. In case we need to process such data, we shall implement high-security standards, according to the law.
2.2. Personal details about your physical or mental health, alleged commission or conviction of criminal offences, or photographs of you in the electronic version are considered special categories of personal data under applicable data protection law. We will process any such data only if you have given your explicit consent, or you requested special assistance, or you have deliberately made this information public.
2.3. We will only process your information where:
- you have given your consent to such processing (which you may withdraw at any time, as detailed below);
- the processing is necessary to provide our contractual services to you;
- the processing is necessary for compliance with our legal obligations (e.g. for tax reasons or to prevent a threat to life, health or safety of a customer); and/or
- the processing is necessary for our legitimate interests (e.g. a safe internet connection) or those of any third-party recipients/partners of ours that receive your personal information.
2.4. More specifically, we may process your data for specific purposes, as follows:
a) Provision of our booking services
Following your request for a reservation, whether you act as an individual client, a villa owner, or a villa management company, we shall collect and process your data to provide you with the services that you require from us.
We may collect:
i) Your name, age, address, telephone number, email, ID or passport number, nationality and country of residence, necessary for the provision of our services to you.
ii) Information for the payment of our services, such as credit/debit card number(s), including associated billing address(es) and expiration date(s), according to your explicit consent, as provided by you in a specific authorization form and as described below.
iii) Other information necessary to facilitate your travel or other services, including travel companion(s) names/passport numbers/age, and any dietary or other restrictions.
– Use of products and services such as self-service devices, flight status notification and web check-in, necessary for the services required by us.
b) Payment Information
When you use our Payment Services, such as when booking accommodation or a travel-related experience through us or establishing a Supplier relationship via us, we require certain financial information (like your bank account or credit card information) to process payments and comply with applicable law. If you are a Supplier, we may require additional information such as your ID or tax ID (where permitted by applicable law), and other proof of identification or verification to verify your identity, provide the Payment Services to you, and comply with applicable law. If you are a Guest, we may retain your financial information to assist you with booking travel-related experiences with third parties. We only process such data according to your explicit consent and written authorization.
c) Advertising and Marketing Related Purposes
According to your explicit consent, we may process information such as your email address or your IP address, to:
i) Send you promotional messages, marketing, advertising, and other information that may be of interest to you, based on your communication preferences (including information about The Greek Retreats or our partners’ campaigns and services).
ii) Administer referral programs, rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by The Greek Retreats or its third-party business partners.
iii) Carry out profiling on your characteristics and preferences (based on the information you provide to us, your interactions with our services, and your search and booking history) to send you promotional messages, marketing, advertising and other information that we think may be of interest to you.
d) Employee and Human Resource Related Purposes
i) The Greek Retreats collects personal information from applicants for open positions within The Greek Retreats, including private contact details, CVs, professional qualifications and previous employment history, necessary to reach employment decisions. Once employed, The Greek Retreats collects information on staff for human resource, performance, payroll and tax purposes. The Greek Retreats may process similar information relating to consultants contracted on a freelance basis.
ii) For security reasons, we have installed security camera systems (CCTV) in commonly used spaces within our offices. We ensure that any recording within the offices of our company is not directed at any employee's office/working space. All our employees are officially informed of this security measure and of the processing of some of their data that may arise from it, which is not aimed at recording their performance.
e) Web visitors – IP addresses – Cookies
i) The Greek Retreats collects named information about visitors to our website, www.thegreekvillas.com, where this is provided by them by filling in our online contact form, for example where a client requests information on a service of The Greek Retreats or where someone wants to apply for a vacant position with The Greek Retreats. Through the use of cookie-based technologies, The Greek Retreats may collect various data linked to virtual identities (IP addresses) allocated to visitors when they access our website. This data is used for various purposes, including site analytics and first-party or third-party marketing. In certain cases, these virtual identities are linked to the real-world identities of visitors only when they choose to provide their named information in the contact form, as described.
ii) Automatically Generated Data
In the course of using the pages on our website, personal data may be automatically processed. Typically, this relates to the name of your internet provider, your IP address, your location, the time and date of access, the browser you are using, your operating system, the web pages you visited on our website and the website from which you accessed our website. This information is used to analyse trends, administer the Site, track users' movements, and gather broad demographic information for aggregate use.
iii) Cookies Policy
– In addition to using cookies and related technologies as described above, we also may permit certain third-party companies to help us tailor advertising that we think may be of interest to users and to collect and use other data about user activities on our Sites and/or Services (e.g., to allow them to tailor ads on third party services). These companies may deliver ads that might also place cookies and otherwise track user behaviour.
– This website uses the Google AdWords remarketing service to advertise on third party websites (including Google) to previous visitors to our site. With remarketing, you may see ads for our products you have previously looked at. For this to happen, Google or other remarketing providers will read a cookie that is already in your browser, or they place a cookie in your browser when you visit our site (this can only happen if your browser is set to let it happen). You can set preferences for how Google advertises to you using the Google Ad Preferences page, and opt out of interest-based advertising entirely through your cookie settings or by using the Google Analytics Opt-out Browser Add-on.
3. Is personal information disclosed to third parties?
3.1. We do not and will not sell, rent out or trade your personal information. We will only disclose (transfer, share, send, or otherwise make available or accessible) your personal information to third parties in the ways set out in this Policy.
3.2. The Greek Retreats may disclose your personal information to a third party or use it for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual, only if you consent to such further processing, or if it is required by law.
3.3. We may also share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above.
3.4. In case we need to transfer your information to our affiliate companies, such as The Greek Villas LTD, or to other service providers (e.g. in the course of sending goods or promotional material, or in the case of competitions), we will ensure that they adhere to our contract and the relevant legal data protection regulations and obligations thereof.
3.5. We may share individuals’ personal information with our agents, contractors or partners in connection with services that they perform for, or with, The Greek Retreats, such as tour operators, airlines, hotels, car rental companies, transfer handlers and other related service providers. We shall ensure that any third party to which personal information may be disclosed subscribes to the principles set out herein and is subject to the applicable legal framework (including GDPR), providing the same level of privacy protection as is required by these principles, and agrees in writing to provide an adequate level of privacy protection. For example, we may receive logs of the installed security systems from the processing security company, according to our written contract. Also, our employees’ information may be transferred to travel agencies to facilitate the arrangement of business travel and bookings and to arrange travel-related services and/or products.
3.6. We may transfer your data to our external business advisers (such as lawyers, accountants, auditors and recruitment consultants), and our contractors and suppliers, including suppliers of IT-based solutions that assist us in providing products and services to you (such as any external data hosting providers we may use).
3.7. In some cases, The Greek Retreats may disclose personal information if required to do so by law, if disclosure is required to be made to law enforcement authorities, if we believe disclosure is necessary or appropriate to protect an individual’s vital interests (e.g. from physical harm) or in connection with an investigation of suspected or actual illegal activity.
3.8. We may also transfer personal information in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, The Greek Retreats will direct the transferee to use personal information in a manner that is consistent with this Policy.
3.9. Finally, we may disclose your personal information to certain overseas recipients. We will ensure that any such international transfers, which are lawfully enforced or are necessary for the performance of our contract, are made subject to appropriate contractual and technical safeguards, as required by GDPR and any other applicable law. We will provide you with copies of the relevant safeguard documents upon request.
4. Security measures
4.1. The Greek Retreats employs reasonable physical, electronic, managerial and technical procedures to safeguard and secure any personal information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Applied information security management helps us not only to grow, but also innovate and expand our services, as well as identify the risks related to this information, and to put in place appropriate controls to mitigate and manage the risk thereof. We destroy or de-identify personal information once we no longer require it for our business purposes, or as otherwise required by law.
4.2. Moreover, we train all personnel meticulously and we expect them to follow the principle of compliance with all relevant legal requirements.
4.3. We have a privacy incident response policy designed to promptly respond to and escalate all privacy-related questions, complaints, concerns, including any potential privacy or security breach incident.
a) General Controls: Controls are implemented on workstations (automatic computer locking, regular updates, physical security, etc.) to reduce the possibility of software properties (operating systems, business applications etc.) being exploited to adversely affect personal data. Our offices are supplied with shredders, to eliminate the possibility of unauthorized access to files containing personal data. Regular backup procedures for our CRM server are implemented. Also, data saved to our server are encrypted on our Network Attached Storage (NAS Server).
b) Paper format files storage and protection: The Greek Retreats needs to store and process some necessary files (such as contracts, consent forms, invoices etc.) containing personal information in hard-copy versions. All such paper-format files are archived and stored in specially designed storage areas within our company. These areas are locked and access is only granted to personnel on a need-to-know basis. Also, safety measures in the event of a fire are implemented, as we have fire-fighting equipment.
c) Electronic Filing and Storage: Some of your personal information will be stored in the database of this site or our company’s system (CRM). Each member of our personnel accesses this database with his/her own log-in passwords and has access to files saved on our network containing personal data, and especially personal data of special categories, only on a need-to-know basis. Also, restrictions on the number of unsuccessful log-in attempts are in place. Also, we have applied strong anti-virus protection to all our computers.
d) File Transfer and Email: We use Microsoft Office 365 Exchange Online and Microsoft Outlook mailbox, thus securing the content of our communications with you to a high level.
5. Data Integrity
The Greek Retreats shall only process personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes The Greek Retreats shall take reasonable steps to ensure that personal information is accurate, complete, current and reliable for its intended use.
6. Access – Individuals’ rights
6.1. Upon request, and as required by law, The Greek Retreats will provide individuals with access to their personal information, transmit their personal data in a common digital format (e.g., pdf) to themselves or another organization, and allow them to correct, amend or delete inaccurate information, except where the rights of other persons would be violated or legal provisions prohibit it, and in any case in accordance with the relevant provisions of GDPR.
6.2. The Greek Retreats reserves the right to charge in some cases a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals.
7. Data retention
7.1. We will not retain data longer than necessary to fulfil the purposes for which it was collected or as required by applicable laws and regulations.
7.2. The information you provide to us may be archived or stored periodically by us, according to backup processes, and will only be retained for as long as it is required for the purposes for which it was collected, unless the law requires us to hold your personal information for a longer period, or delete it sooner, or unless you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law.
7.3. We will delete your data when the associated business purpose ceases to apply or as required by the relevant legal data protection framework. For instance, we will delete the CVs that individuals have sent us 6 months after the vacancy is filled, unless the individuals have consented to their data being collected, processed and used for any relevant future purpose. In cases where we process your data based on your consent, we will delete your data following the retraction of your approval or the discontinuation of the purpose of your consent.
7.4. Moreover, according to Direction no 1/2011 of the National Data Protection Authority, data logs of the security camera system shall be stored for a specified time, according to the purpose for which they are processed. Unless otherwise provided by law, or unless it is necessary for the investigation of a security breach incident, such files should be destroyed every 15 working days.
8. Our commitment to children’s privacy
8.1. Protecting the privacy of children is especially important for us. For that reason, we do not intend to collect or maintain information at our Website from those we know are under 16 years of age, and no part of our Website is structured to attract anyone under 16.
8.2. Also, in cases where we need to collect and process personal data of children under 18 years old, we only do that after obtaining explicit consent from their parents or legal guardians.
10. Contact Information
10.2. Moreover, we inform individuals within the EU that they have the right in law to complain about how their information is handled to a supervisory authority that is responsible for regulating compliance with the Regulation. A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.