Introduction

The privacy of the visitors of our website is a priority for the company “Pefki Monoprosopi IKE” (Hereinafter referred to as “our company” and/or “we” and/or “us”), and we are committed to safeguarding it.

This policy explains what we will do with your personal data, which you provide mandatorily and optionally, when you visit our website, purchase and use our services, register for various applications related to services provided by our company, as well as at any later time, or interact with us in any way, the way we process this data lawfully, provided that you supply it to us correctly and accurately and notify us of any changes, and the purpose of this processing, as well as your rights arising from Regulation 679/2016 of the E.U. (General Data Protection Regulation, hereinafter “GDPR”) and the overall union and Greek legislation on this matter.

By accepting the privacy policy, which complies with the GDPR, you agree to the terms of collection, processing, storage, and use of your personal information by our company.

We only collect personal data that is necessary to achieve the purposes specified in this Policy, namely, to provide our visitors and customers with the requested services and to respond to their requests for better service. Browsing our website and using our online and any other services, as well as providing information on your part, implies knowledge and acceptance of the terms of this Policy, as well as the terms of use of our website. This policy governs the terms of use of the Website, online platforms, and any mobile application related to it.
By providing personal data to our company, you consent to the collection and processing of this data by our company for the purposes and under the terms described in this Privacy Policy. The provisions for personal data protection included herein supplement the Terms of Use of our company’s website, which also govern this policy.

Please do not disclose any information to us if you do not wish it to be used as described below. Additionally, please read this Policy carefully to be informed about the information collected from you when visiting the website and using its online services, the information posted on it, their use, and your rights.

This Policy serves as a notification to data subjects under Articles 13–14 of the General Data Protection Regulation (EU) 679/2016.

If you have any questions about this Policy and, in general, about how our company collects and processes your personal data, please contact us at the email address listed below.

 

Definitions

For better understanding of this policy, we use the following terms with their
respective explanations:

“Personal Data”: Any information that refers to an identified or identifiable individual (e.g., full name, ID number, Tax ID, home address, phone numbers, age, gender, physical characteristics, marital status, profession, interests, etc.).

A subset of personal data includes “sensitive data” (referred to as “special categories of data” under GDPR), which pertains to the core of human personality and enjoys stricter protection (e.g., health status, political beliefs, philosophical and religious convictions, sexual orientation, etc.). The company processes sensitive personal data only in accordance with the law. The individual to whom the personal data refers is called the “data subject.”

“Processing”: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Legal Basis for Processing”: The conditions defined in the GDPR, including, but not limited to:
i) for “ordinary” data, consent, performance of a contract, compliance with a legal obligation, safeguarding vital interests of the data subject, or legitimate interests of the controller (Article 6 of the GDPR);
ii) for special categories of data (“sensitive” data), explicit consent, establishment, exercise, or defense of legal claims, substantial public interest under EU or national law (Article 9 of the GDPR).

“Data Controller”: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. Our company is the data controller of the personal data we collect from you and the owner of this website. You may contact us, aside from cases explicitly defined by this policy or applicable law, at the phone number +30 2374062222 or by sending an email to gtpr@pefkideluxe.com, alternatively by sending a letter to Pefki Deluxe Residences, Pefkochori 63085, Greece.

“Processor”: The natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.

“Data Protection Officer”: The individual designated by the data controller and the processor, as required by law, based on their professional qualifications and expertise in data protection practices. Their main duty is to oversee all matters relating to the protection of personal data.

“Recipient”: the natural or legal person, public authority, agency, or another body to which personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular investigation in accordance with Union or Member State law are not regarded as recipients; the processing of such data by these public authorities is carried out in compliance with applicable data protection rules according to the purposes of the
processing.

“Third party”: any natural or legal person, public authority, agency, or body other than the data subject, the controller, companies of the same Group of Companies with shared interests, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process personal data.

We collect and process data only when absolutely necessary. We respect your privacy and do not trade, disclose, or share your personal information with third parties without your consent. Data is collected and processed only when necessary.
We respect your privacy. We do not exchange, disclose, or share your personal information with third parties without your consent.

Categories of personal data we collect and process

Our company collects the personal information you provide directly or through third parties you contact for room reservations (travel agencies, booking centers, etc.), as well as during your stay at our hotel, provided you have consented to their use under this policy (indicatively and not limited to, by using our website, our services, or by completing the relevant forms, either online or in paper format, available on our website, etc.).
These data are collected at every pre-contractual and contractual stage between us, with the relevant distinctions set out below (e.g., visiting our website, registering for our services, using our services, making reservations by any means, subscribing to our newsletter, etc.). We ensure that we collect only data strictly necessary to serve the purpose for which they were provided, and they are used exclusively for the purposes for which they were collected.
The following types of personal information may be collected, stored, and used:
During your visit to our website and the use of our services, to become informed
about your visit and offer you the best possible browsing experience, we automatically collect non-personal technical information regarding the identity of the device that submitted the connection request to our website, the operating system and version of your computer or other device identifiers, the external links you follow on our company’s website and your activities on it, connection data such as date, time, and duration of the visit, the country code where the device is located, Internet Protocol (IP) address, and other details concerning the connection protocol, such as the website’s domain name, browser type, URL address of the specific page, your geographical location, language preferences, and other diagnostic data, such as information sent by the browser each time you visit our website.
These constitute browsing data, which are necessary to transmit to the website for the functioning of the computers on which it operates and the internet communication protocols. These details alone, as well as cookies, cannot be used to reveal your individual identity and are recorded as statistical data or log files to
collect general demographic information for aggregated use, stored under the terms of the law, subject to their use for identifying and locating offenders of any computer crimes committed against or through this website. Since non-personal information does not personally identify you, we may collect, use, or disclose such information without your consent for any purpose beyond the above, indicatively to safeguard our legitimate and commercial interests and improve our website and services.
When you communicate with us, submit an inquiry, subscribe to newsletters, make a reservation, complete any form, or purchase any service, we may collect your personal data, including but not limited to your full name, email address, phone number, nationality, residential address, booking details, dates of stay, room preferences, payment details, company information where relevant, tax details where applicable, vehicle registration data, identification document details, passport details, billing information, accompanying persons’ details, special requests, dietary preferences, preferences related to your stay, loyalty program data, details relating to your communication with us, and any other information you voluntarily disclose to us.
During your stay at our hotel, we may also collect and process information such as check-in and check-out details, room number, room service requests, charges incurred, restaurant and bar consumption, mini bar use, spa or wellness reservations, parking usage, Wi-Fi use, concierge requests, lost and found reports, complaints, incident reports, and other operational information necessary for the provision of our services and the management of your stay.

If you contact us for employment opportunities, collaboration, supply, or any other business relationship, we may collect and process the data you submit to us, such as CV details, work experience, educational background, contact details, identification details, financial and tax data, and any documents or information relevant to the evaluation and management of that relationship.

We may also collect data through CCTV systems operating in our hotel premises, solely for the protection of persons and property, under the conditions provided by
law. We may process personal data obtained through our social media pages and
platforms when you choose to interact with us through those means, always subject to the privacy settings and policies of the respective platform, as well as this Policy.
Our company may collect and process data concerning minors only where required for the provision of hotel services, reservations, legal compliance, or where consent has been provided by the holder of parental responsibility, where applicable. We do not knowingly collect more data than necessary, and we ask you not to provide us with special categories of data unless strictly necessary and legally justified.

 

Purposes and Legal Basis for Processing Your Personal Data

We process your personal data for the following purposes and under the following legal bases:
1. For the operation of our website, the provision of digital services, the maintenance of security, the prevention of cyber incidents, and the improvement of the browsing experience.
Legal basis: our legitimate interests, compliance with legal obligations, and where required, your consent.
2. To respond to inquiries, requests, and communications submitted by you through email, telephone, forms, social media, or any other communication channel.
Legal basis: your consent, our legitimate interests, and pre-contractual measures taken at your request.
3. For the management, processing, confirmation, and execution of reservations, the provision of accommodation and related hospitality services, and the handling of changes, cancellations, and special requests.
Legal basis: performance of a contract, pre-contractual measures, and compliance with legal obligations.
4. For billing, invoicing, accounting, tax, and legal compliance, including compliance with obligations arising from hospitality, tourism, employment, public health, accounting, tax, and commercial legislation.
Legal basis: compliance with legal obligations.
5. For customer service, quality control, complaint handling, incident management, and service improvement. Legal basis: performance of a contract, our legitimate interests, and in some cases your consent.
6. For promotional communication, newsletters, offers, loyalty-related communication, and commercial updates, where such communication is permitted by law or based on your consent. Legal basis: your consent and/or our legitimate interests where applicable.
7. For the operation of CCTV systems for safety and security purposes, including the protection of persons, employees, visitors, facilities, equipment, and assets.
Legal basis: our legitimate interests and compliance with applicable law.
8. For the establishment, exercise, or defense of legal claims, the handling of disputes, fraud prevention, internal controls, audits, and regulatory compliance.
Legal basis: our legitimate interests, compliance with legal obligations, and where relevant Article 9 GDPR conditions.

9. For recruitment, employment-related communication, and the assessment of professional collaboration requests, where applicable.
Legal basis: pre-contractual measures, performance of a contract, legal obligations, and legitimate interests.
10.For the management of relationships with travel agencies, booking platforms, tour operators, service providers, suppliers, and commercial
partners.
Legal basis: performance of a contract, pre-contractual measures, legal obligations, and legitimate interests.
Where the legal basis of processing is your consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Source of Data
We collect personal data:
● directly from you,
● from persons authorized to act on your behalf,
● from travel agencies, tour operators, booking platforms, and reservation
intermediaries,
● from public authorities or publicly available lawful sources, where necessary,
● from our website, cookies, technical systems, and communication channels,
● from social media platforms where you interact with us.

Data Retention

We retain personal data only for as long as necessary for the purposes for which they were collected and processed, and in accordance with the applicable legal, tax, accounting, contractual, and regulatory obligations.

Retention periods may vary depending on the category of data and the purpose of
processing. Indicatively:
● booking, invoicing, and financial data may be retained for as long as required by tax and accounting legislation,
● communication records may be retained for the time necessary to serve the request and for a reasonable period thereafter,
● CCTV data are retained for the period permitted by law,

● newsletter and marketing data are retained until withdrawal of consent or objection, where applicable,
● data required for the establishment, exercise, or defense of legal claims may be retained until the final resolution of the matter and the expiration of any limitation periods.
At the end of the applicable retention period, data are securely deleted or
anonymized, unless further retention is required by law.

Cookies and Similar Technologies

Our website may use cookies and similar technologies to ensure proper operation, improve performance, analyze website traffic, remember your preferences, and enhance the user experience.

Cookies may include:
● strictly necessary cookies,
● functionality cookies,
● performance and analytics cookies,
● third-party cookies,
● marketing or advertising cookies, where applicable.
Where required by law, we request your consent before placing non-essential
cookies on your device. You may configure your browser settings to refuse or delete cookies, although this may affect the functionality of the website or certain services.
For more information, please refer to the relevant cookie information available on our website.

Newsletter and Promotional Communication

If you subscribe to our newsletter or otherwise consent to receive promotional communication, we may use your contact details to send you news, offers, updates, promotional content, and information related to our services.
You may unsubscribe from such communication at any time by following the unsubscribe instructions included in the communication or by contacting us at gtpr@pefkideluxe.com.
We do not send direct marketing communications where this is not permitted by law.

Social Media
Our company may maintain pages, profiles, or presence on social media platforms. Any interaction with us through such platforms is also governed by the terms, privacy policies, and settings of the respective platform.
Please note that when you visit or interact with our social media pages, the operators of those platforms may collect and process personal data independently, under their own privacy policies.
We are not responsible for the independent practices of such third-party platforms.

CCTV
For the protection of persons and property, our company may operate a CCTV
surveillance system in selected areas of the hotel premises, in compliance with the
applicable legal framework. CCTV is used solely for security purposes and not for purposes incompatible with that objective. Relevant signage is placed in monitored areas. Access to recorded material is restricted to authorized persons only.
Retention of CCTV material is limited to the period provided by law, unless longer retention is required for the investigation of an incident or for legal claims.

Recipients of Personal Data

Your personal data may be disclosed, where necessary and lawful, to:
● employees and authorized staff of our company,
● affiliated companies or companies with common interests where lawful and necessary,
● IT service providers, website hosting providers, software support providers, and data processors,
● payment service providers, banks, card processors, and accounting service providers,
● travel agencies, online travel agencies, booking platforms, booking engines, tour operators, and intermediaries,

● legal, tax, accounting, compliance, audit, and consulting professionals,
● insurance companies where relevant,
● transport providers, external partners, and contractors where necessary for service provision,
● public authorities, supervisory authorities, courts, police, tax authorities, and other competent bodies, where required by law or for the protection of legal rights.

All processors and third parties receiving data are contractually or legally bound to process them securely and lawfully.

Security of Personal Data

We implement appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and security of your personal data and to protect them against unauthorized or unlawful processing, accidental loss, destruction, or
damage. Such measures may include access controls, internal policies, confidentiality obligations, secure systems, monitoring, data minimization practices, staff awareness, encryption where appropriate, and restriction of access to those who need it.
Despite our efforts, no system can guarantee absolute security. Therefore, you should also take reasonable precautions when transmitting information to us electronically.

Data Breaches
We will report any unlawful data breach within 72 hours of becoming aware of it and will take all necessary legal, technical, and organizational actions to promptly
address and contain the breach.

Transfer of Personal Data to Third Countries

Our company does not transfer your data outside the EU. However, our services may be provided using resources and servers located in various countries worldwide. As a result, your Personal Data may be transferred across international borders, outside the country where you use our services, including countries outside the European Economic Area (EEA).
If such a transfer is required, it will be conducted only for lawful and contractual reasons, as stipulated by the GDPR, and solely to enable the conclusion and execution of hotel service contracts. This may involve transferring data to third-party companies (e.g., travel agencies) based in a country outside the EEA. In such cases, we ensure a level of data protection equivalent to that in the European Union.

Your Rights

You may exercise the following rights at any time, under the conditions specified by Greek and European legislation, by sending an email to our Data Protection Officer at gtpr@pefkideluxe.com. You may also send your request to our company’s postal address, Pefki Deluxe Residences, Pefkochori 63085, Greece, or to gtpr@pefkideluxe.com with the subject “Data Subject Request.”

Specifically: “Right to Information,” meaning you have the right to be informed clearly, transparently, and accurately about how we use, store, and process your personal data and your rights.

“Right of Access,” meaning you have the right to know which Personal Data we collect about you and any individual you legally represent in the exercise of your legal rights and obligations (e.g., your child), how these are processed, their processing purpose, who accesses them, their storage duration, your rights concerning the processing of your personal data, whether automated decision-making occurs, to obtain copies of these data, as well as any other information regarding the processing carried out.

“Right to Rectification,” meaning you have the right to request the correction of inaccurate personal data concerning you, the completion of any incomplete personal data, and their updating in our database (e.g., in case you change your email address).

“Right to Erasure,” meaning you have the right to request the deletion of your data if they are no longer necessary in relation to the purposes for which they were collected, if you wish to withdraw your consent to their processing, and no other legal basis for processing exists beyond that consent.

“Right to Restriction of Processing,” meaning you have the right to request a restriction of processing your personal data for data you have asked us to delete or rectify, as well as in cases where our company must delete your data, but you wish to retain them solely for your own purposes, e.g., to defend yourself or make legal claims.

“Right to Data Portability,” meaning you have the right to receive your data in a readable electronic format or/and have them directly transferred to third parties, other data controllers, as you will indicate to us. This right applies to data we process based on a legal basis such as contract, law, or consent.

“Right to object to the Processing of Your Personal Data,” meaning you have the right to object at any time to the processing of your data, provided there are no other compelling and lawful reasons for the processing that override your right. The exercise of this right can be done in one of the ways outlined at the beginning of this section. If you object to the collection of your data, the service may no longer be available to you for technical reasons. Accordingly, we inform you that if the transfer of data is necessary for the establishment, exercise, or defense of legal claims in court or out of court, our company’s legitimate interest prevails, and the right to objection you may exercise cannot be satisfied.

“Right to Withdraw Consent,” meaning you have the right to withdraw at any time the consent you have given for the processing of specific data collected and processed only upon your consent, as described in detail for each such action and purpose in this Policy.

When exercising any of the above rights, we may need to request specific information from you to help us verify your identity and ensure your legal rights, as well as for any authorized person you designate. This is a security measure to ensure that personal data is not disclosed to anyone who does not have the right to receive it. We may also contact you to request further information regarding your request.

We strive to respond to all legitimate requests within one month. Depending on the case, it may take us more than a month and for up to an additional two months from the submission of the request if it is particularly complex or involves a series of requests and a particularly large volume of information. In this case, we will inform you about the progress of your request and keep you generally updated.

If the requests are manifestly unfounded or excessive, especially due to their repetitive nature, our company may impose a reasonable fee, taking into account the administrative costs of providing the information or performing the requested action, or refuse to follow up on the Request and fulfill it, providing justification for its response.

For information on the progress of your request, you can contact our company’s Data Protection Officer, whose details are listed below in this Policy.

If you do not receive a response within the prescribed period, or the response you received was unsatisfactory, or your issue has not been resolved, you can contact the Data Protection Authority (www.dpa.gr), as well as in any case where you believe that your personal data or/and the data of individuals you legally represent
are affected in any way.

Protection of Personal Data in the Event of Changes to the Ownership Structure of Our Company Please note that in the case of a legal transformation of our company, your information will be shared only with your renewed consent, which you will provide in any appropriate manner, in addition to your prior acceptance of this current privacy
policy.

Modification of This Privacy Policy

We reserve the right to modify and update this privacy policy at any time, as well as any text concerning your personal data that may be posted on this website, to comply with current legal or regulatory obligations.

We will not explicitly and personally inform our customers or website users of these changes. Before any potential changes in the processing of personal data, we will amend this policy accordingly and post it on our website so that you may be informed and effectively exercise your rights.

The date indicated will mark the last modification of this Policy, and any change will apply from its publication on our website. For this reason, we recommend that you systematically and regularly check our company’s website regarding the protection of your personal data, especially before making a reservation at our hotel.
Use of the website after such changes constitutes your acceptance of the revised

Terms of Use and Privacy Policy.

Our company may provide additional privacy notices to website users in specific sections of the website during the collection of personal data on a case-by-case basis. These notices supplement this Privacy Policy and jointly apply under the terms outlined above.

IMPORTANT NOTICE: For the collection of personal data that does not occur electronically for users of our website and does not concern our visitors/customers and users of any of our services but involves the processing of personal data of employees, job applicants, partners, suppliers, and, in general, natural persons with whom we have contractual or transactional relationships, separate written and detailed information is provided to the data subjects (either in person, through posting on our website, or by any other means) during the collection of such data, which may also be accompanied by relevant contractual texts.

It is noted that this Policy may also be supplemented by additional informative notices, which you will find posted on our website.

Applicable Law and Jurisdiction

The applicable law is Greek law, as shaped by the GDPR, and the current national and European legislative and regulatory framework for personal data protection.
The competent courts for any disputes related to your data are the courts of Thessaloniki.

Questions and Contact – Data Protection Officer

You can contact us with any questions, comments, or complaints regarding this Policy, to exercise any of your aforementioned rights, submit a related request, or inquire about the processing of your data.

The Data Protection Officer (DPO) of our company, whom you may contact, is:

Karamanlis Dimitrios
Pefki Deluxe Residences, Pefkochori 63085, Greece
+30 2374062222
gtpr@pefkideluxe.com

Upon the Visitor’s/Customer’s explicit consent, which can be provided at any time by completing the relevant form titled “declaration of consent,” the processing of personal data will be carried out under the framework of the service provision contract. This will be done in accordance with this Policy, to fulfill the contractual purpose and improve service delivery, in compliance with the GDPR, relevant national and European legislation, the Operating Regulation of the Personal Data Protection Authority, and the Authority’s decisions, as defined herein.