Privacy Policy

Ι. GENERAL INFORMATION
1.1 In the course of our activities our Company retains and processes the personal data we collect from you or about you, when you visit our facilities or when you communicate with us in writing or orally or through our website or through other sources in order to support, promote and perform the contract between us, secure transactions and inform you about our services.
1.2 In our Company we understand the importance of protecting our clients’ privacy and we make every possible effort to store and process the information you share with us with due regard and in compliance with the current legislation. That is why we present you this Privacy Protection Notice to inform you about the way we collect, use and share your personal data in accordance with the Regulation (EU) 2016/679 and the relevant Greek legislation about personal data protection.
1.3 For the purposes of this Privacy Protection Notice, personal data means any information relating to you, through which you are or can be identified, such as your name, your address, passport number etc.
1.4 The present Notice:
(a) provides an overview of the categories of personal data that our Company collects, the purposes of the processing, the period for which the personal data will be stored, the sources and the recipients of the personal data,
(b) offers an overview of the practices we use to collect, use, share, transfer and store your personal data,
(c) confirms the technical data protection measures, the internal procedures and the physical measures taken to protect your personal data,
(d) informs you about the type of your rights and the ways you can exercise them,
(e) addresses natural persons whether they are present or future clients or partners of our company.
1.5 The present Privacy Protection Notice applies to:
(a) our hotel “MAGDA” operated by our Company “MAGDA S.A.” and our affiliate companies.
(b) the website www.magdahotel.gr
(c) all websites or online applications,
(d) online and offline promotional actions of our Company, as well as
(e) any service or function provided by us, which is mentioned in this Privacy Notice.
1.6 Before any sharing of your personal data, we suggest that you devote the necessary time to read thoroughly the present text which describes our Privacy and Data Protection Policy in order to become aware of the way in which we collect, store, use, transfer and protect the information/ personal data we receive.

ΙΙ. WHO WE ARE
2.1 Our Company is a legal person which was established based on Law 2190/1920 as a société anonyme (S.A.) under the name “CHEIRAKAKIS – HOTEL TOURISM AND COMMERCIAL ENTERPRISE SOCIETE ANONYME” and trade name “MAGDA S.A.” It is a hotel and touristic company located at Kato Gouves in Municipality of Chersonisos in Heraklion Crete (Greece) with Tax registration no. (VAT) 094235716 – Tax Office of Heraklion and General Commerce Register No. 122184527000. This company operates the hotel under the name “MAGDA” located at Kato Gouves in Municipality of Chersonisos.
2.2 For the purposes of the present Privacy and Personal Data Protection Notice, the controller, meaning the legal person which alone or jointly with others determines the purposes, conditions and means of the processing of personal data, is our Company. Our Company acts mainly as Controller or as a joint Controller and, if applicable, as Processor in accordance with the General Data Protection Regulation (EU) 2016/679.

ΙΙΙ. SOURCES OF PERSONAL DATA
When providing our services and performing our business activities, we collect and process different types of personal data that we receive from our clients in person or by telephone, through written or electronic communication. Additionally, we may collect personal data obtained legally by other natural or legal persons, such as tourist agencies, tourist agents, tourist/travel offices, online reservation systems – (for example www.booking.com) and other reservation systems, by available public and commercial sources (in accordance with the provisions of the law) that have the legal right to share data with us and by third party social networking services, when you choose to connect to such services.

ΙV. TYPES OF PERSONAL DATA
4.1 We collect and process different categories of personal data. These categories are the following:
i) Identity Data: first and last name, date of birth, passport or identity number, communication language.
ii) Contact Data: postal and email address, telephone number, mobile number etc.
iii) Financial Data: number and type of credit/debit card and tax identification number.
iv) Data related to children (under the age of 16): first and last name, date of birth, passport number.
v) Data provided by devices and surfing the internet: number, date and duration of calls made by hotel phones, identifiers provided by devices, MAC address, internet protocol (IP) address, operating system version, time and duration of WIFI use.
vi) Location Data: such as GPS signals of your device or information about Wi-Fi access points that may be transferred to us when using services (e.g. Wi-Fi).
vii) Image Data: picture data, photographs and videos from Closed-circuit television cameras.
viii) Accommodation Data: room number, date and time of arrival and departure, information about goods consumed or/and services used, tourist agency or office, reservation terms, flight data, special preferences and interests (e.g. non-smoking room, preferred floor, type of bed, sports, cultural interests, diet), questions, requests, complaints and comments during or after your stay in our hotel.
ix) Special categories of personal data that are collected directly by you in accordance with the legal conditions: data revealing your racial/ethnic origin (nationality) and health data (for example, allergy in certain type of food or physical disabilities etc.).
4.2 Data processing for the purposes referred to below is governed by the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability, as defined in article 5 of the General Data Protection Regulation (EU) 2016/679.

V. MEANS OF COLLECTING PERSONAL DATA
We collect personal data in different cases such as:
i) when performing our hotel activities and providing our services (room reservation, check-in/ out, payments, applications, complaints).
ii) when you participate in marketing programs or events (subscription to mail lists in order to receive offers and other promotions by email).
iii) when transmitting information from third parties (tourist agencies, tourist/travel offices, online reservation systems, other affiliated hotels).
iv) when operating electronic devices (actions through electronic devices such as connection to our website, connection to our hotel’s Wi-Fi network, completion of online forms e.g. reservation forms, precheck-in forms, complaint forms) as well as when operating the video surveillance system.

VΙ. PROCESSING PURPOSES – LEGAL BASE OF PROCESSING
6.1 The Regulation allows us to process personal data, when processing is lawful, meaning that at least one of the prerequisites of article 6 of the General Data Protection Regulation (EU) 2016/679 is met. When processing your personal data, we rely on one of the following lawful bases:
i) Processing is necessary for the performance of the contract of hospitality - hotel services contract between us.
In this case processing is performed for the following purposes:
- To identify you and communicate with you prior to your arrival in our hotel, during your stay and afterwards, for reasons of security of transactions.
- To manage your room reservation, your stay and other hospitality services (check-in/out and payment, seat reservation or/and use of the services of our hotel, such as providing a safe box).
- To appropriately prepare and satisfy on time your special requests related to your stay (e.g. room preferences, diet etc.).
- To manage lists of clients’ personal data for functional reasons such as lists with dates of arrival – departure or lists with special categories of clients (e.g. VIP or people with disabilities).
- To monitor the use of the provided services (e.g. room telephone, mini bar, room service, WiFi access etc.).
- To manage any request/report/complaint.

ii) Processing is necessary for the compliance with legal obligations laid down by the current applicable legal, regulatory and supervisory framework in national and European level and decisions of any authority (public, supervisory etc.) or judgements of courts.
In this case processing is performed for the following purposes:
- To issue and maintain legal – tax documents (e.g. receipts, invoices etc.) in accordance with the current legislation.
- To edit, issue and maintain legal documents in accordance with the current legislation.
- To send anonymous data of nationality to public authorities that are related to Tourism or process data for statistical purposes.

iii) Processing is necessary for the purposes of the legitimate interests pursued by our Company or a third party
This processing is always performed after balancing the interests of our Company with fundamental rights and freedoms that provide for the protection of your personal data.
In this case processing is carried out for the following purposes:
- To protect our legitimate interests deriving from the contract between the tourist – travel agency and us.
- To protect the legal rights and interests of our Company in cases of court disputes.
- To improve our hotel services in order to adapt our products and services to your needs so that you are fully satisfied by your accommodation in our hotel.
- To carry out market research and analyze questionnaires and comments of clients.
- To evaluate our services and create statistical data based on this evaluation.
- To handle complaints of clients.
- To protect the facilities and the equipment of our hotel from malicious or illegal actions and avoid fraud.
- To inform clients and satisfy their requests after their departure.

iv) Based on your consent
On your arrival at our hotel, you may be asked to give your explicit consent to the processing of certain data for a specific purpose and in particular:
i) data of identity and contact data in order to send you updates via email/SMS/newsletters/ letters, to inform you about programs/offers/sales or/and other promotional actions of our Company.
ii) data of image for purposes of advertising and promotion of the company, especially when posting your images to social media or to www.magdahotel.gr
iii) health data in order to provide improved services and specialized medical services when needed (e.g. special accommodation, accident management etc.)
iv) In case we process data related to persons (children) under the age of 16, consent or approval should be given by the holder of parental responsibility over the child. The Company bears no responsibility if the consent of the person holding parental responsibility over the child is false or inaccurate.

We make it clear that you always have the right to withdraw your consent for the above-mentioned purposes of processing at any time without affecting the lawfulness of processing based on consent before its withdrawal. Your decision needs no reasoning and there will be no negative consequences or penalties because of it (except for the cessation of benefits that may derive from your consent such as the cessation of sending informative – promotional material to you). For this purpose, you can send your request to us via email at dataprivacy@magdahotel.gr.

VII. PERIOD OF DATA RETENTION AND STORAGE
7.1 The Company will retain (in printed or/and electronic form) and will process your data for as long as it is needed for achieving the purpose for which they have been collected or based on the applicable legislation or until the limitation period of any relevant claims elapses.
7.2 To define the suitable retention period for personal data, we evaluate the quantity, the nature and the sensitivity of personal data, the potential risk of causing harm by an unauthorized use or disclosure of your personal data, the purposes for which we process personal data, whether we are able to achieve those purposes by other means, the limitation period of possible civil law claims and the applicable legitimate or contractual obligations.

VII. DISCLOSURE OF PERSONAL DATA/ RECIPIENTS OF PERSONAL DATA
In the course of carrying out the contractual and legitimate/ statutory obligations of our company, meeting its legitimate interests as well as in cases when you have given your consent to the Company, recipients of your data can be the following:
i) Affiliated- cooperating companies
Your data may be used jointly with affiliated companies of MAGDA S.A. Furthermore, we may use your personal data jointly with our business partners. Those bodies may use your data to provide you with services you have asked for or/and promotional and advertising material provided that you give your consent.

ii) Authorised employees of the Company.
We give access to your data or certain categories of your personal data to our authorized staff in order to provide you with the best possible services. The authorized staff includes the hotel’s staff (Reservations Department, IT Department, Marketing/Guest Relations Department, Legal Department when and if needed, Medical Services when and if needed). Our employees authorized for this purpose are responsible for the evaluation of your requests, the management and operation of the hospitality contract between us or the contract of our company with the tourist – travel agency with which you booked your trip, the fulfillment of the obligations deriving from it as well as the relevant obligations imposed by law, public authorities or courts.

iii) Service Providers or individuals/ bodies who have been assigned to perform certain duties on behalf of our Company (processor).
These persons include, indicatively but not restrictively, lawyers, law firms, notaries and bailiffs, accountants, product providers or/and providers of information technology or/and providers of support of any kind of information and electronic systems and networks, including online systems and platforms, computer service companies, companies storing, filing, managing and destroying files and data, telephone service companies and postal services companies.
These legal or/and natural persons will process your personal data exclusively for the purpose of providing services to our Company and not for their own benefit. They act as processors and are committed in writing to confidentiality, to personal data protection and to the necessary organizational and technical measures for the security of your data.

iv) Public Authorities.
We may share your personal data with public authorities based on special legislative provisions to comply with legislation or an obligatory legal proceeding (such as a search warrant or other judicial order or ruling). These authorities include, indicatively, the courts, the judicial authorities, the law enforcement authorities and regulatory or governmental bodies.

v) Other third parties.
We may share your personal data with other third parties, when imposed by law or when we must protect our services to ensure our compliance or comply with the policies that govern our services and in order to protect the rights, the property or the safety of MAGDA S.A. or any affiliated Company, business partner or client of us. Additionally, we may share personal data when needed to exercise controls related to personal data protection and security and/or to research or answer to a complaint or a security threat.

vi) Other third parties related to business transactions.
We may share your data with third parties in case of a merger or transfer, in case of bankruptcy, or in case we stop having the management and control of our hotel.

VIIΙ. DATA TRANSFERS
Our servers where we store and protect your data are located within the European Economic Area (EEA). However, our third-party contractors or/and service providers of our Company may be located or use servers in other countries. Every time we transfer personal data out of the EEA, we make our best effort to ensure the same level of protection of personal data following a specific policy. In particular:
i) If needed, we transfer personal data only to those countries, which offer an adequate level of personal data protection based on the evaluation of the European Commission.
ii) In the cases of certain service providers, we reserve the right to use special contracts approved by the European Union, which provide the same level of protection to personal data as in Europe.
iii) When providers are located in the United States of America, we reserve the right to transfer data to them, if they participate in the Privacy Shield, which requires them to provide the same level of protection to personal data shared between Europe and the USA. You can communicate with us at dataprivacy@magdahotel.gr for any clarification about the mechanism we use when transferring personal data out of the European Economic Area.

ΙΧ. YOUR RIGHTS
9.1 According to the General Data Protection Regulation (EU) 2016/679, you have the following rights:
i) Right of information and access (article 15): the right to know the categories of personal data that we keep and process, their origin, the purposes of the processing, the categories of the recipients of the personal data, the period for which the personal data will be stored, your relevant rights, your right to lodge a complaint with a supervisory authority, the existence of automated decision-making, including profiling and the right to obtain a copy of your data.
ii) Right of rectification (article 16): the right to ask for the rectification of incomplete or inaccurate personal data or/and have them completed, so that they are complete and accurate.
iii) Right to restriction of processing (article 18): the right to ask for the restriction of processing of your data under conditions.
iv) Right to object (article 21): the right to object at any time to further processing of your personal data retained by us under conditions.
v) Right to erasure (“right to be forgotten” - article 17): the right to ask for the erasure of personal data concerning you from the files kept by us under conditions.
vi) Right to data portability (article 20): the right to ask our company under conditions to receive the personal data concerning you in a structured and commonly used format, where technically feasible, in order to have the personal data transmitted to another controller.
viii) Right to withdraw your consent (article 7 par. 3) where processing is based on consent.
9.2 Please keep in mind the following regarding the above-mentioned rights:
1. Your rights mentioned at 9.1 iii), iv) and v) may not be satisfied, partly or fully, when they are related to data necessary to protect the legitimate interests of our Company or the fulfillment of an obligation deriving from law or a decision of public Authorities or a judgement of a Court.
2. In any case, the Company has the right to refuse to act on your request to limit the processing of data or erase your personal data, where processing or retention of data is necessary for the establishment, exercise or protection of the legal claims of the Company or the fulfillment of our obligations.
3. The exercise of your rights acts for the future and does not affect the prior processing of data.

Χ. WAYS TO EXERCISE YOUR RIGHTS/ WAYS TO LODGE A COMPLAINT
10.1 You can exercise your rights by registered letter sent to the following address of our Company:
Hotel “MAGDA”
Kato Gouves Chersonissos
Heraklion Crete, Greece
or contact the Data Privacy Department of our Company at the following email address: dataprivacy@magdahotel.gr.
10.2 Furthermore, you have the right to contact the Hellenic Data Protection Authority at any time to submit complaints in written form to its Protocol Office (Kifisias 1-3, PC 115 23, Athens, telephone: 210-6475600 /fax 210-6475628) or electronically at complaints@dpa.gr. For further information, please visit the website: www.dpa.gr.
10.3 The Company makes every possible effort to answer your request within thirty (30) days of the submission of the request. That period may be extended by sixty (60) further days where necessary, taking into account the complexity and number of the requests. The Company shall inform you of any such extension within thirty (30) days.
10.4 The above-mentioned service is provided free of charge by the Company “MAGDA S.A.”. However, in case you ask us to send you an answer by post, you may bear the delivery charges. Before sending our answer, we will inform you about the exact cost of it.
10.5 The Company may refuse to act on a request, which is manifestly unfounded, excessive or repetitive.
10.6 To process your request properly, effectively and safely, we need to identify the person submitting the request. That is why we may ask you to provide additional information necessary to confirm your identity and to send supporting documentary evidence.
10.7 Below you will find templates regarding each right to help you exercise your rights provided for in Articles 15 - 22 of the General Data Protection Regulation (EU) 2016/679. You can fill in the application and send it with the relevant attached documents by registered letter to our address or electronically at dataprivacy@magdahotel.gr. Please fill in all the information asked in each application so that our Company can process your request successfully.

ΧΙ. SECURITY MEASURES
11.1 The security of your personal data is of high priority to us. Therefore, the personal data stored by us are protected by technical and organizational measures, effectively preventing loss or misuse by third parties.
11.2 Where personal data are not given directly by you, but by other means (e.g. by a travel agency), we inform you that the Company maintains a strict Personal Data Protection Policy regarding the processing of your personal data, which has been announced to our staff and our partners and its implementation is regularly reviewed.
11.3 At first we collect that information needed for the aim pursued. Then we check whether the purpose of processing is lawful and whether the data are collected in a manner that is compatible with the principles of data processing (article 5 of GDPR). In particular, if the processing of personal data is necessary for the legitimate interests of our company or a third party, these interests are balanced with your rights in accordance with the provisions of the Regulation.
11.4 The Company makes every possible effort to keep your data secure. It takes appropriate organizational and technical measures for the security of your data, for ensuring privacy, their processing and the protection from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure of, or access to, or any other way of unlawful processing. Our IT Department complies with the international standards and practices in order to ensure network security and the encryption of personal data. The technical security measures are regularly monitored for the purpose of a long-term protection of your data and where necessary, they are adapted to the corresponding prevailing standards of technology.
11.5 The Company knows the significance of the security of your personal data and totally respects your fundamental rights and freedoms. Therefore, we make every possible effort to comply with the provisions of the General Data Protection Regulation (EU) 2016/679 and the applicable Greek legislation.
11.6 In any case, please keep in mind that despite the reasonable measures we take for the protection of your personal data, no information system or network and no transmission via the internet is totally secure. Despite the efforts made by our Company, security against all threats cannot be guaranteed.
11.7 In case of loss or personal data breach, we have employed a group of experts that follows a clearly specified procedure of handling such cases in order to remedy the breach as soon as possible, limit the potential consequences and ensure our compliance with our obligations by law.
11.8 Additionally, access to personal data is limited to those employees, agents, contractors and other third parties that have a business need to know them in order to fulfill their professional duties. They will process your personal data only in accordance with our instructions and they are committed to complying with the relevant terms of privacy.

ΧΙΙ. AMENDMENTS OF THE PRESENT NOTICE
12.1 The present Privacy and Personal Data Protection Notice may change periodically in order to include all of our current privacy policies. That is the reason why we kindly ask you to check the present Policy from time to time and mainly before making your reservation to our hotel in order to be sure that you are aware of any changes.
12.2 You can always find the most recent edition of the Privacy Notice at the website: www.magdahotel.gr. When we make changes, we will note the date of amendment or review in the beginning of the present Notice.
12.3 To be informed about the latest update of the Privacy Notice, please check the “date of entry into force” in the beginning of the text. You can find a printed form of the present Notice at the Reception of our Hotel.
The current version was updated on 17th May 2018. You can communicate with us for earlier versions. The present Notice replaces all former updates that we may have provided you with regarding our information practices in the past. We reserve our rights to change the current Notice and make any change to the information that have been previously collected in accordance with the provisions of the law. When we make substantial changes to the present notice or when our information practices are changed for the future, you will be informed since we will upload the changes on our website.

ΧΙΙΙ. COMMUNICATION
For any question regarding the current Privacy Policy or generally the protection and security of the data by our Company and our affiliated companies, you can communicate with the Data Privacy Department at the following communication data:
CHEIRAKAKIS- HOTEL TOURISM AND COMMERCIAL ENTERPRISE
SOCIETE ANONYME (MAGDA S.A.)
Data Privacy Department – For the attention of Mr. Nikitas Cheirakakis
Kato Gouves Chersonisos, Heraklion Crete – Greece
Telephone: +30 28970 42307
Fax: +30 28970 42294
E-mail: dataprivacy@magdahotel.gr

ΧΙV. SUMMARY INFORMATION TABLE

| PURPOSE OF PROCESSING | CATEGORIES OF DATA | LEGAL BASIS |
|---|---|---|
| Your identification and your communication with us at the stage prior to your arrival, during your stay and also afterwards, for reasons of transactions security. | Identity Data; Contact Data; Data of Payment; Accommodation Data | The performance of the contract of hospitality – hotel services contract between us (legitimate interest) |
| The management of your room reservation, your stay and other hospitality services (check-in/out and payment, seat reservation or/and use of hotel services, such as providing a safe box) | Identity Data; Contact Data; Billing Data; Accommodation Data | The performance of the contract of hospitality – hotel services contract between us (legitimate interest) |
| The suitable preparation and timely satisfaction of your special requests related to your accommodation (e.g. room preferences, diet etc.). | Identity Data; Contact Data; Billing Data; Accommodation Data | The performance of the contract of hospitality – hotel services contract between us (legitimate interest) |
| The management of lists of clients’ personal data for functional reasons such as lists with dates of arrival – departure or lists with special categories of clients (e.g. VIP or people with disabilities). | Identity Data; Contact Data; Accommodation Data; Special categories of data | The performance of the contract of hospitality – hotel services contract between us (legitimate interest); Consent |
| Monitoring the use of provided services (e.g. room telephone, mini bar, room service, Wi-Fi access etc.). | Location Data; Accommodation Data; Billing Data; Data provided by devices and surfing the internet | The performance of the contract of hospitality – hotel services contract between us (legitimate interest). |
| The management of different requests / reports / complaints | Identity Data; Contact Data; Accommodation Data | The performance of the contract of hospitality – hotel services contract between us (legitimate interest). |
| The issuance and maintenance of legal - tax documents (e.g. receipts, invoices etc.) according to the current legislation. | Identity Data; Accommodation Data; Billing Data; Contact Data | The compliance of the Company with legal obligations laid down by the current applicable legal, regulatory and supervisory framework in national and European level and decisions of any Authority (public, supervisory etc.) or judgements of courts. |
| To edit, issue and maintain legal documents in accordance with the current legislation. | Identity Data; Accommodation Data; Billing Data; Contact Data | The compliance of the Company with legal obligations laid down by the current applicable legal, regulatory and supervisory framework in national and European level and decisions of any Authority (public, supervisory etc.) or judgements of courts. |
| To send anonymous data of nationality to public authorities that are related to Tourism or process data for statistical purposes. | Special categories of data | The compliance of the Company with legal obligations laid down by the current applicable legal, regulatory and supervisory framework in national and European level and decisions of any Authority (public, supervisory etc.) or judgements of courts. |
| To protect our legal interests deriving from the contract between tourist- travel agency and us. | Identity Data; Contact Data; Accommodation Data; Billing Data; Special categories of data | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| To protect the legal rights and interests of our Company in cases of court disputes. | Identity Data; Contact Data; Accommodation Data; Billing Data; Data of Image; Special categories of data | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| To improve our hotel services in order to adapt our products and services to your needs so that you are fully satisfied by your accommodation in our hotel. | Identity Data; Contact Data; Accommodation Data; Billing Data; Data of Image; Data provided by devices and surfing the internet; Special categories of data | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| To carry out market researches and analyze questionnaires and comments of clients. | Identity Data; Contact Data; Accommodation Data | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| The evaluation of our services and the formation of statistic data based on it. | Identity Data; Contact Data; Accommodation Data | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| The management of the complaints of clients. | Identity Data; Contact Data; Accommodation Data | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| To protect the facilities and the equipment of the hotel from malicious or illegal actions and avoid fraud. | Data provided by devices and surfing the internet; Location Data; Data of image | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| To inform clients and satisfy their requests after their departure. | Identity Data; Contact Data; Accommodation Data; Billing Data | The fulfilment of the legitimate interests pursued by the Company or third parties. |
| To send updates via emails / SMS / newsletter / letters regarding programs / offers / sales or/and other promotional action of the Company. | Identity Data; Contact Data | Consent |
| The advertising and promotion of the company, especially when posting your images to social media or to www.magdahotel.gr. | Data of image | Consent |
| To provide improved services and specialized medical services when needed (e.g. special accommodation, accident management etc.) | Special categories of data | The protection of vital interests of a subject; Consent; The protection of the legitimate interests pursued by the Company or third parties. |