A. Controller’s details

The company bearing the name FATTAL ESPERIA DEVELOPMENT & MANAGEMENT HOTEL ENTERPPRISES SINGLE MEMBER REAL ESTATE S.A. (and distinctive title NYX Esperia Palace Hotel Athens) established in Athens (street Pentelis Avenue Street, no. 7A, zip code 15235, (hereinafter referred to as the “Hotel“) hereby informs you, as the controller, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as "GDPR") and the relevant provisions of Greek legislation on the protection of personal data, as applicable, on the type of personal data collected, the source of their collection, the reason for their collection and processing, any recipients thereof, their time of retention, their transmission outside the EEA and your rights in relation to your data as customers of the Hotel and how you can exercise them.

B. Type of data and sources

The personal data collected and processed by the Hotel refer to its clients, adults and minors, and are:

1. Identification and pricing details, full name, father’s name, mother’s name, gender, date of birth, Tax Identification Number, ID number/passport number.
2. Your contact details, postal and e-mail address, telephone number (landline, mobile).
3. Payment details, credit cards, redemptions/debts.
4. Reservation details, dates, type of reservation, any special preferences, etc.
5. Health data (e.g. any allergies, disabilities) and preferences (e.g. any dietary preferences), if applicable.
6. Data we collect automatically (e.g. language settings, IP address, location, device settings, device operating system, activity details, time of use, redirect URL, status report, user information (information about browser version), operating system, browsing result (simple visitor or registered customer), browsing history. We may also collect data through cookies. For information on the use of cookies, https://www.nyx-hotels-greece.com/privacy-policy.

The personal data referred to in points 1-4 above are provided to the Hotel directly by our customers (you), as data subjects. The provision of your data is a requirement for the conclusion and performance of the contract between us, which will not be possible if you refuse to provide them. Your repayments and debts information arises during the course of your transaction relationship with the Hotel and is maintained by it. The provision of the data under point 5 above is not mandatory and any refusal to provide them results in the absence of specialized services (e.g. special diets). The process of the data referred under point 6 is obligatory for the normal operation of our website.

C. Purposes and legal basis for processing

The Hotel collects and processes the aforementioned personal data concerning you for the following purposes and legal bases:

1. Provision of hotel and tourism services

   The aforementioned personal data are processed for the purpose of providing tourist/hotel services to you, including your identification, communication with you, etc. The legal basis for the processing of your identification, communication and booking data is the performance of the contract between us, in accordance with Article 6(1)(b) GDPR. If you provide us with special categories of data, such as health data (any allergies, disabilities, nutritional preferences, etc.), the legal basis for the processing is your consent, in accordance with Article 9(2)(a) GDPR.

2. Invoicing of services

   The data under points 1, 2 and 3 above of Section B. relating to your payments as appropriate are further processed for the purpose of invoicing the Hotel’s services and the legal basis for their processing is the fulfilment of the Hotel’s legal obligations under tax law, in accordance with Article 6(1)(c) GDPR.

3. Direct promotion by electronic means

   Your electronic contact details are used for the purpose of promoting similar services by electronic means (e-mail/sms), based on the overriding legitimate interest of our company in the direct marketing of its services (art. 6(1)(f) GDPR and 11(3) of Law 3471/2006).

D. Transfer of data - Recipients

For the Hotel to fulfil the aforementioned functions and its related obligations, it communicates the personal data of its customers to categories of persons or bodies (recipients). The recipients have access only to those of your Personal Data that are strictly necessary for the performance of the tasks or the provision of the services they have undertaken to the Hotel. These categories are as follows:

1. Processors: the Hotel shall cooperate with the following processors on its behalf in order to assist it in the performance of its legal or contractual obligations, which are
   • accounting service providers
   • providers of IT support services
   • providers of hosting services, cloud providers
   • providers of product and service promotion services

subject to the confidentiality of your data.

2. Financial institutions, to the extent necessary for the execution of the transaction.
3. Tax authorities, in accordance with applicable tax legislation.
4. Lawyers, in so far as this is necessary for the exercise of the rights of the Hotel and the protection of its legitimate interests.
5. Bailiffs, notaries, judicial, prosecutorial and police authorities, as well as audit/supervisory authorities, where required by legislative provisions or judicial decisions or at their legal request in the performance of their duties.

E. Data retention time

Your data is kept by the Hotel throughout the period of the provision of its services to you for 20 years in accordance with article 249 of the Hellenic Civil Code.

If, by the end of the above periods, judicial proceedings are ongoing, in which the Hotel is involved and directly or indirectly concern you, the time for keeping your data shall be extended until a final judgment is issued.

After the expiry of the above time intervals, your personal data will be erased/destroyed.

F. Transfer of data outside the EEA

The Hotel transfers to Carmelon Digital Marketing, based in Israel to fulfil its purpose of digital marketing, based on its legitimate interest to assign the marketing operations to outside contractor and in accordance with the adequacy decision 2011/61/EU of the European Comission.

G. What rights do you have in relation to your data and how to exercise them

As clients of the Hotel you have several rights, in accordance with the provisions of Articles 15-22 of the GDPR, in relation to your personal data, which are processed by the Hotel.

The table below lists your rights per processing purpose and corresponding legal basis. In this table you will find detailed information (concept, method and time limits) and form for the exercise of each right.

If you wish to exercise a right, or acquire any information concerning the process of your personal data, communicate it via email to the following address Questo indirizzo email è protetto dagli spambots. È necessario abilitare JavaScript per vederlo.. It is noted that in case there are reasonable doubts concerning the identity of the data subject, we might request the provision of additional information necessary to confirm the identity.

It is noted that the Hotel has the right in any event to refuse partially or fully to comply with your request to restrict the processing or erasure of your data, if the processing or retention of your personal data is necessary for the establishment, exercise or support of its legitimate rights or the fulfilment of its legal obligations.

The Hotel must reply to your request within one month of receipt. This time limit may be extended by a further two months, if necessary, at the discretion of the Hotel, taking into account the complexity of the request and the number of requests, in which case the Hotel will inform you within one month of receipt of the extension in question and of the reasons for the delay.

If the Hotel does not act on your request in the exercise of the above rights or following its reply, you consider that the aforementioned rights have been infringed, you have the possibility to lodge a complaint with the Hellenic Data Protection Authority, 1-3 Kifissias Avenue, 115 23, Athens, https://www.dpa.gr, tel. +030 2106475600.