Personal Data Protection Policy
We hereby expressly and thoroughly inform you about the manner of collection, processing, use and storage of your Personal Information (hereinafter referred to for brevity as the “Personal Data” or “Personal Information”). Building trust in a relationship is a cornerstone for our Company, therefore, the protection of your Personal Data is a top priority for us.
1) Framework of Personal Data Protection Policy
Personal Data is collected, processed and used in accordance with the provisions of the applicable Greek and EU law, indicatively, according to the provisions of law 3471/2006 “On the Protection of Personal Data and Privacy in the Telecommunications Sector”, law 3917/2011 “On the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public networks” of the European Privacy and Electronic Communications Directive (EU-EC Directive) and Directive 2009/136/EC (ePrivacy Directive), and in particular Directive 680/2016 and Regulation (EU) 679/2016 for Protection of Personal Data (General Data Protection Regulation-GDPR).
This Protection Policy is fully harmonized with the provisions of Regulation 679/2016, taking all appropriate precaution, protection and security measures and exercising due diligence in the direction of User’s Personal Data Protection. We can mention indicatively the following: provision of a full and detailed consent policy for Cookies, ensuring possibility of communicating at any time with the Data Controller, full protection of the Data Subject’s rights, but also possibility to delete the data at any time, upon request (“right to be forgotten”), pseudonymization and/or encryption of the Data.
Furthermore, for the purposes of this Personal Data Protection Policy, the provisions and what is generally defined by the General Data Protection Regulation are applied strictly and absolutely. Indicatively, it is defined as:
“personal data” means any information relating to an identified or identifiable natural person (“data subject”), an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
“data controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its appointment may be provided for by Union or Member State law,
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller,
“supervisory authority” means an independent public authority which is established by a Member State pursuant to article 51 of General Data Protection Regulation.
The Company explicitly states that it is not liable in any way for the current conditions under which the Personal Data of users are collected, processed and used by other websites, to which the respective user may be redirected through links from the Company Website.
2) Data Controller:
In accordance with the definitions of this Statement, the Data Controller is defined as follows:
Name: GASSI HOLIDAYS PRIVATE COMPANY
Contact Phone: 2310260077
Email address: firstname.lastname@example.org
Address: Egnatia st. 103, Thessaloniki
3) Collection of Personal Data
(a) No registration of any kind is required to navigate our Website. Nevertheless, in order to use the services provided, registration of the requested data is required.
(b) The Company collects, processes, uses and stores personal data, both personal information (e.g., name, surname, address and so on, detailed below (see (c))), as well as financial information required to carry out the transaction and invoicing information (billing information, debit or credit card information, payment information, etc., similarly detailed below (see (c))), and also information about the use of the Website and online activity, as derived from the users’ visit to the Website. It is explicitly stated that the registration and generally the expression of interest on behalf of any User in the special contact form of our Website constitutes consent to collection, processing, use and storage of the User’s Personal Data, as specifically defined in these terms. It is explicitly stated that the previously given consent of each User may be revoked at any time, with a written statement addressed to the Company, submitted either through a written submission of revocation statement or through an electronic mail message (to the Company’s e-mail address email@example.com).
(c) What Personal Data is collected, processed, used and stored:
– Identity Data, provided upon completion of your reservation, when assigning us certain work, as well as when expressing interest, in particular, the name and status of the User.
– Contact data, provided a) on a mandatory basis upon completion of your reservation, upon assigning us with certain work or upon expression of interest, in particular, telephone and e-mail, b) optionally, upon expression of interest in receiving newsletters.
– Demographic Data, provided upon completion of your booking, when assigning us a certain task or when expressing interest, as well as when registering to receive newsletters, in particular: place of residence, age.
– Financial data, provided upon completion of your reservation for a certain event, upon payment and upon issuance of the relevant proof of payment, in particular: billing and invoicing information.
– Profile Data, provided upon completion of registration for a certain event, upon assigning us with certain work or upon expression of interest, indicatively: status, events you attend or express interest. In addition, any use of information or data from your social media on our Website may create a public profile, consisting of various information (e.g., name, place of residence, etc.).
– Electronic identity data, for example MAC address, IP address and Cookies (please see details below, Cookies Policy), collected during browsing and generally during the use of our services.
(d) Purposes of collection, processing, use and storage of Personal Data:
The Company explicitly declares that the above collected Data is processed, only for the following legitimate purposes or for proper execution of a contractual or pre-contractual relationship (created through participation in a certain event or through the assignment of certain work to us and in general in any convenient way related to the statutory purposes of the Company), to protect our/your vital interest or to fulfill our legitimate interest, namely:
– For fulfillment of the main obligations, which derive from any contract concluded between you and the Company and the resulting legal relationship, in particular, for provision of mediation services, in order to facilitate the conclusion of the contract between the User and each of our partners.
– For fulfillment of ancillary obligations arising from any contract, such as, for example, informing the Client about the progress of the work, providing information, any obligations arising from the principle of good faith, etc.
– For managing service-related requests or exercising your legal rights.
– For correct and safest billing and invoicing process for the services provided by us.
– For ensuring the proper functioning of this Website www.gassiholidays.gr.
– In order to respond to your relevant requests and questions, as well as information in relation to services provided, especially offers and promotions, if you have explicitly stated that you wish to receive relevant updates.
– For analyzing the traffic of our Website and consequently for improving and ensuring the quality of the services provided by us.
– For supporting and resolving queries, in relation to the services provided.
– In order to ensure the security of the network and prevent the commission of criminal acts, especially electronic crime (indicatively, fraud).
– For providing the requested information to the competent services and authorities, if so required, in compliance with the legal procedures.
(e) Legal Basis of Processing personal data
It is explicitly agreed that collection, processing, use and storage of personal data is based on one of the cases expressly provided below:
– on your consent given on a voluntary basis (see above (1)),
– on a certain pre-contractual or contractual relationship, with your counterparty – exclusively or inter alia. The processing is necessary for execution of a contract to which the Data Subject (i.e., you) is a party, and/or before conclusion of a contract in order to take the necessary actions, upon request of the Data Subject. In the event that the requested Personal Data is not provided, we cannot provide the requested service, i.e., completing your reservation or providing the requested information.
– on compliance with the Company’s legal obligations (e.g., tax, related to e-commerce legislation),
– protection of our Company’s legitimate interests. Your Personal Data may be collected on a case-by-case basis during the operation of our Company, the collection of which is considered as reasonably expected and in any case your interests, fundamental rights and/or freedom are not substantially affected. In other words, in the event that the processing of Personal Data is necessary for protection of the Company’s interests, its rights are weighed against the specific interest of the Data Subject.
– On any other basis expressly provided by the current legislation.
(f) How we collect, process, use and store Personal Data
Your Personal Data is collected – after obtaining prior consent – by using our services, such as:
– by making a reservation either in a service provided directly by our Company or in a service provided by our partner,
– by submitting a request for participation, as well as by completing registration in a certain service,
– by sending an e-mail, making a phone call and generally communicating with us, either for purpose of purchasing a product or conclusion of a relevant contract or for purpose of complaints, comments or expression of opinion,
– by registering, after selecting the relevant provision, in a list to receive newsletters, informative material and general promotional actions,
– by visiting our Website and subsequent collection (through the use and acceptance of Cookies) of information from your terminal device, such as for example, Internet Protocol Address (IP Address), the Media Access Control Address (MAC Address), the operating system used, browser type and version and other web log data,
– by receiving documents, requests, orders, judicial documents, warrants and all kinds of related documents and orders, from bodies and authorities, such as supervisory, prosecutorial, judicial, tax authorities, for purpose of investigating crimes, protecting you against fraud, combating any form of criminal acts and criminality in general and prevention of infringement of legal goods and protectable rights of any kind (e.g., intellectual property, industrial property and so on).
(g) Principles of collection and processing
It is expressly stated that the Company and its specialized staff strictly apply the seven (7) Processing Principles of the General Data Protection Regulation, i.e., the principles of: a) lawfulness, fairness and transparency, b) purpose limitation, c) data minimization, d) accuracy, e) storage limitation, f) integrity and confidentiality (security), g) accountability, as provided by the current legislation. The above principles apply indiscriminately to all processing operations and services provided.
4) Data Security
The Company takes the necessary technical and organizational measures upon transmitting Personal Data between your system and ours in order to ensure the privacy, confidentiality, integrity and availability of your Data. Such protection measures include for example the use of firewalls and specialized detection systems that recognize potential attempts to gain access to Personal Data by unauthorized persons, establishment of distinct levels of access, tokenization, systematic training of authorized personnel, conducting periodic audits, compliance with international security and business continuity standards and generally any appropriate means to ensure the protection of your Personal Data. Additionally, our technicians are constantly working to ensure the use of the Website, upgrading the protection provided where necessary.
Also, it is explicitly stated that the appropriate internal policies have been established to ensure the protection and lawful and correct processing of the Data, and the appropriate technical measures are applied both at the time of determining the means of processing and at the time of processing, strictly observing the Data protection principles “data protection by design” and “data protection by default”.
In particular, during the stage of planning processing operations and processing systems, as well as determining the means of processing, the Data Controller – taking into account the risk-based approach and various other parameters (such as for example the technological developments, cost of implementation and nature of the measures applied, scope of application, context and purposes of the processing, etc.) – implements appropriate measures and uses technologies to enhance privacy by default and general Data protection. Such protection measures include for instance the pseudonymization of Data (i.e., replacement of personally identifiable information with artificial identifiers), encryption of Data (i.e., coding of personal Data, in such a way that it becomes readable only by authorized personnel), minimization of the existing processing of the Data and in general integration of all necessary guarantees throughout the processing process, in such a way that the terms and obligations of the Regulation are met, including the obligation to prove compliance based on the Regulation (obligation of accountability) and to ensure the protection of the rights of data subjects.
Accordingly, the Data Controller is obliged to apply the appropriate technical and organizational measures, in order to ensure that only the Personal Data necessary for the purpose of processing are processed (privacy by default). The said obligation extends in particular to the scope of the collected Data, degree of processing, storage period, their accessibility, in order to ensure on the one hand that only the necessary data are processed, with the highest level of privacy protection, and on the other hand that the Data are not made accessible to an indefinite number of natural persons, without the intervention of another natural person.
5) Transfer of your Personal Data to third parties
It is explicitly stated that our Company transfers Personal Data to third parties, however, taking the necessary measures to protect your privacy. In particular, your Data necessary for reservation is transferred to our partners with whom you made the reservation, as well as possibly necessary for completion of your payment to our partners and third parties that process all kinds of payments. In other words, your Personal Data is shared either with our partners to complete your reservation or with financial institutions to process your payment. In addition, it is stated that Personal Data is shared with third parties who provide services and process Personal Data on behalf of our Company (for instance, processing of Data related to credit cards and payments in general, management, storage and maintenance of Personal Data, general service management etc.). In the event that third parties process your Personal Data, transferred by our Company, this processing takes place on the basis of contracts that we enter into with these third parties (which we have carefully selected) and through which they are obliged to observe the appropriate technical and organizational measures for protection of Personal Data (taking into account the Commission Implementing Decision (EU) 2021/915), in compliance with the relevant provisions of national, EU and international law (e.g. General Regulation on Data Protection, law 4624/2019 etc.).
Nevertheless, it is explicitly stated that the Company may transfer your Personal Information in order to respond to requests of law-enforcement authorities or when required by applicable law or court decisions. In particular, with regard to police and supervisory authorities, administrative bodies, judicial or other public authorities, emergency services and generally services and authorities, to which we are obliged to provide information or are authorized to request it. In addition, it is possible to disclose your Personal Information in order to protect the rights, property or safety of the Company and the Website or the rights of users or for any reason provided by applicable law. Finally, the use of your Personal Data is possible for purpose of exercising any legal right or objection and defense against any claims.
Additionally, it is clarified that with any use of information or data from your social media on our Website, a public profile may be created, consisting of various information (e.g., name, place of residence, etc.). Within the mentioned context, you yourself may share your Personal Data (even relevant for your possible interaction with our Company) to third parties, such as by sharing content on your social media.
6) Obligations and Rights of the User:
Regarding your Personal Data, you have the following obligations and rights.
(a) Obligations: By using the Website, you accept that you are under an obligation to declare the true, accurate and complete information requested by the Company during registration process and creation of a personal account. You further agree that you are obligated to provide true, complete and accurate information whenever otherwise requested.
You may contact us at any time in order to be informed about what data exactly we keep and how we process it. It is expressly stated that the Company ensures to the extent possible all eight (8) of your rights provided for in the GDPR and related to the use of Personal Data, namely:
I) Right of access (article 15 GDPR): that is, the right to know about the processing of information of each Data Subject, as well as the more specific terms of processing, such as for example the purposes and categories of the processed Data, retention period of the Data,
II) Right to data portability (article 20 GDPR): the Data Subject may take over the Data held, in a machine-readable format, and transmit it to another Data Controller, as well as claim direct transmission from one Controller to another, as long as this is possible and indicated by the other Controller or the Organization,
III) Right to rectification (article 16 GDPR): the Data Subject is entitled to claim from the Controller rectification of his/her inaccurate personal data, as well as completion of any incomplete Data,
IV) Right to be informed (articles 13 and 14 GDPR): it should be clear and transparent to the Data Subject that his/her Personal Data are collected, used or stored,
V) Right to erasure (“right to be forgotten”) (article 17 GDPR): if the Data Subject does not wish the further processing and storage of his/her Personal Data, he/she is entitled to request the Data Controller to erase them, and the Data Controller is obliged to do it without delay, provided that the Data is not kept for a certain legal purpose or agreed purpose,
VI) Right to object (article 21 GDPR): the Data Subject is entitled to object at any time to the processing of the Data, under the conditions established in the current legislation, especially if it is for purposes of direct commercial promotion, including the creation of a personalized “profile”,
VII) Right to restriction of processing (article 18 GDPR): the Data Subject may at any time wish to request the Data Controller to limit the processing,
VIII) Right to automated individual decision-making, including profiling (article 22 GDPR): the Data Subject is entitled to refuse decision-making based on automated processing (for example profiling), if it produces legal effects, which concern the Subject, or affect him/her in any relevant way.
It is explicitly stated that the aforementioned rights of the Data Subject are exercised as long as the conditions set forth in the General Data Protection Regulation are met and according to formalities expressly provided for by the Regulation. Furthermore, the exercise of the above rights is possible either through your physical presence or by sending an electronic message (e-mail) or by using another relevant means. However, when exercising your rights remotely, you should prove your identity using all appropriate means and required supporting documents, which may be requested. The Company, in the event that the exercise of a certain right requires conditions and in order to maintain the security of the Personal Data, reserves the right to request proof from the Customer regarding fulfillment of the said conditions and presentation of relevant supporting documents.
In addition to the aforementioned provisions, you retain the right to appeal to the Data Protection Authority. If you consider that the protection of your Personal Information is not sufficiently ensured or that your Data or your rights are infringed by anyone, you have the right to appeal to the said Authority. Furthermore, the right to appeal to the Authority is provided for any issue related to processing of your Data in general (for more information: www.dpa.gr).
7) Data Retention
The Personal Data is kept exclusively for the period of time imposed by the contractual terms of each service, based on purpose of processing, unless its retention is required by current legislation, after which the Data is anonymized or destroyed. Furthermore, it is possible to request the erasure of the Data at any time, by submitting a relevant written request to the Data Controller, in which case the Data will be deleted without culpable delay, provided that its retention is not required by applicable legislation or other binding contracts. In any case, our Company does not keep your Personal Data for a period longer than 3 years, unless their retention is required by current legislation.
8) Targeted advertising
9) Links to Third Party Websites
10) Contacting the Company
11) Validity of the Personal Data Protection Policy – Amendments
The Personal Data Protection Policy was published by the Company on 12/09/2022, it is valid from publication and replaces all previously published Protection Policies, as well as the previous, implemented protection practices. The Company reserves the right to modify the existing Policy, however, it has the obligation to notify the specific modifications within a reasonable period of time to the Users, when browsing the Website. In case of continued use by the respective User, after any notification thereof, the acceptance of the amended Personal Data Protection Policy is presumed.
This Personal Data Protection Policy is governed by the provisions of national and Community law, regarding the protection of Personal Data (see also paragraph 1) and generally the protection of privacy and confidentiality, as well as any applicable international treaties. If there are amendments to the above regulatory texts, we are going to modify – if necessary – this Policy, as well as the applied practices, with the aim of harmonizing it with the relevant regulatory framework. In this case, the amendments to this Policy are expressly notified, otherwise the abovementioned provisions apply.