In this document described as PERSONAL DATA PROTECTION POLICY or PRIVACY STATEMENT in short, the company “GIONA – AQUAMAR Private Company” as the owner of the business AQUAMAR BEACH situated in Kavros Apokorona Chania Crete, here in after referred to as “the Company”, describes the ways, means and purposes – for which collects, holds and processes personal data of employees, customers, suppliers, as well as any other third parties or partners with whom it maintains cooperation, and the measures it takes to protect such data.

The Company is committed to maintain and process personal data in compliance with the rules and provisions of the applicable national and EU legislation, in particular the General Data Protection Regulation EU 679/2016 (also known as GDPR). In particular Itundertakes to safeguard the securityand confidentiality of personal data and to comply with the security requirements in order to prevent, as far as possible, any loss of data, its illegal or unauthorized use, and any unauthorized access.

General information

This Privacy Statement applies to all personal data collected, maintained and processed by the Company, such as the data of employees (permanent and seasonal), customers – visitors, suppliers and other third parties.

The purpose of this document is to list the type of personal data collected, maintained and being processedby the Company and also the different ways, means and purposes of the processing of data and finally the recognition of responsibility on the part of the Company’s management for appropriate data protection measures that it has taken.

This document does not describe in a specialized, technical way the appropriate technical & organizational measures taken and implemented by the Company for data protection. It makes sense that these measures are part of its internal procedures and policies for security of personal data and information kept and processed.

Definitions – terminology

For the purposes of this privacy policy text, the following key definitions are used (based on Article 4 of GDPR EU 679/2016):

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’): an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identity such as name, ID number, location data, online ID or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person,

‘Processing’ means any operation or series of operations performed with or without the use of automated media, personal data or personal data sets, such as the collection, registration, organization, structure, storage, adjustment or alteration, retrieval, retrieval of information, use, disclosure, dissemination or other disposition, association or combination, restriction, deletion or destruction,

‘Data Controller’ means the natural or legal person, public authority, service or other body which, alone or in conjunction with others, defines the purposes and manner of processing personal data; when the purposes and manner of such processing are defined by Union law or the law of a Member State; the controller or the specific criteria for his appointment may be laid down by Union law or the law of a Member State;

‘Data Processor’ means the natural or legal person, public authority, service or other body processing personal data on behalf of the controller;

‘Consent’ of the data subject: any indication of a free, specific, explicit and fully informed will with which the data subject indicates that he or she agrees, by declaration or by clear affirmative action, to process the data; personal data relating to it.

This Privacy Statement contains the following sections:

1. Types & categories of personal data collected by the Company 4
1.1. Employees 4
1.2. Clients – visitors 4
1.3. Suppliers & Partners 5
2. Purposes of data processing by the Company 6
3. Consequences of non-consent to the provision of personal data 7
4. Data Controller & Data Protection Officer 7
5. Processing objectives and privacy impact assessment 7
6. Data Processors 8
7. Addressees of personal data 8
8. Transmission of personal data outside the European Union 8
9. Time of Retention of Personal Data 8
10. The Rights of the Personal Data Subjects 9
11. Security and Protection of Personal Data 10
12. Privacy Statement Updates 12
13. Communication 12

1. Types &categories of personal data collected by the Company

Personal Data is any information about a person from which that person can be identified. The concept of personal data does not include any anonymous data from which the natural person cannot be identified.

1.1. Employees

The Company collects, maintains and processes personal data of the employees it hires and employs, former employees and job candidates.

The personal data of employees held by the Company include:

• Personal information: name, surname, date of birth, family status, nationality information, ID number, or passport number, legal residence and work permit in Greece.
• Contact information: home address, telephone numbers (fixed and mobile), personal email address (email).
• Personal Employment Information (individual employee file): past employment & historical employment information, employment contract (duties, responsibilities, position in the Company’s Organization Chart), training data, leave history, or employee evaluation forms.
• Relatives of close relatives: relatives of first degree relatives such as children, or of a spouse (eg in cases of family leave, parental leave, health problem, etc.)
• Special – sensitive personal data: medical examination record and history for specific categories of staff (eg restaurant, cooks, etc.)

1.2. Clients – visitors

The Company also collects, maintains and processes only the strictly necessary personal data of the business’s clients and visitors, as obtained from our affiliated Travel Agencies. These data include:

• Personal information: name, surname, gender, nationality information, identity card or passport details.

In some cases additional personal details may be requested for the business’s visitor, such as health information, in cases such as: people with special skills or disabilities, special dietary preferences and more. The sole purpose of receiving and maintaining this data, and only for the period the visitor stays in our business is to provide the best guest care and to provide specialized services, wherever possible, to ensure the greatest possible comfort and security during his stay.

1.3. Suppliers & Partners

The Company receives, maintains and processes the data of its suppliers & other external partners. The data they contain:

• Personal & business information: company name, job title.
• Contact information: business address, contact numbers (fixed and mobile), corporate – professional email address (email).
• Billing details: Business name, business activity, head office, tax ID, bank account, credit or debit card details.

The Company collects, holds and uses only those personal data which areabsolutely necessary to achieve its specific purposes as described in the following section.

The processing of personal data will be both automated and non-automated with physical file maintenance.

In any case of the collection of Personal Data, we shall keep them in a transparent and precise manner and in accordance with the principle of minimization. To this end, please inform us of any change to your personal information so that it is always be up to date.

2. Purposes of data processing by the Company

The personal data of the above categories, collected by the Company, is processed for the following purposes:

The Company collects, holds and process, personal data of the employeesin order to:

• Comply as an employer with the rules settled and required by relevant national or EU insurance and tax legislation, in relation to its employees: their selection, recruitment, employment, licensing, calculation and payment of payroll and benefits, timely coverage of their insurance contributions, retirement, etc.
• Keeping the employee’s official record with the details of his medical exams.
• Evaluate employees’skills and educational level (qualifications).
• Transmitting this data to an insurance company for any additional private insurance coverage.
• Posting on the Internet and the Company’s official website, photos of employees (only with their own written consent).

The visitor-client data is collected, maintained and processed by the Company for the purpose of:

• The coverage of its (financial and service) obligations with respect to the agreements it signs and adheres to with domestic and international tourist agencies and organizations for the provision of accommodation and visitor services.
• Providing accommodation and hospitality services, as well as pricing, directly to independent business’s guests.
• The compilation, evaluation and utilization of statistical data for the strategic management and development of the Company’s business activities.
• Address any incidents of illegal or criminal activity while staying at the business.

The data of its suppliers and affiliates is collected, maintained and processed by the Company for the purpose of:

• The fulfillment of its obligations (financial as well as the receipt and / or exchange of products and services) of the execution of the commercial contracts and agreements it signs with them, depending on the scope of their cooperation.

3. Consequences of non-consent to the provision of personal data

The provision of personal data is in no way mandatory. In any event, failure to provide personal data that has been designated as “mandatory” may prevent the Company from fulfilling the above processing purposes or any contractual trade agreement or performance of a contract. Failure to provide other, non-compulsory, personal data in any way cannot affect the part of the company providing its services.

4. Data Controller& Data Protection Officer

The Data Controller is the Company. In its cooperation with Travel Agencies up to date, it operates as a Data Processor, based on the commercial contracts it has entered into with them.

5. Processing objectives and privacy impact assessment

The Company has documented the purposes of processing of personal data that holds and process in its Processing Activities Register. The Register shall at least capture the following information:

• The processing purposes
• Description of the data subject categories and of the Personal Data categories
• The categories of recipients to whom the Personal Data will be disclosed or may be disclosed
• Where possible, deadlines for the retention and deletion of Personal Data
• To the extent possible, a description of the technical and organizational security measures in accordance with GDPR EU 679/2019.
On the basis of this Registry, as will be periodically updated, the Company undertakes to make periodic impact assessments of the above treatments and any breaches of the Personal Data Subjects.

6. Data Processors

The Company uses Data Processors who provide well enough assurances to protect the personal data and subjects of such Data. They are affiliated with the Company and are expressly committed to protecting your Personal Data through a contract or other legal act specifying the subject and duration of the processing, the nature and purpose of the processing, as well as the rights and obligations of the Data Processor, as described in GDPR EU 679/2016.

7. Addressees of personal data

Personal data may be processed by natural or / and legal persons established inside or / and outside the European Union, which act in the name and on behalf of the Company based on specific contractual obligations. Further, the transfer of personal data will only take place in the context of compliance with legal obligations, in the context of enforcement of a public order and in the exercise of its rights by judicial and administrative authorities.

8. Transmission of personal data outside the European Union

Within its obligations, the Company may transfer and disclose personal data to countries outside the European Union, specifically those including storage in databases managed by entities that act on behalf of the Company. Databases and processing of personal data shall always be managed within the framework of the processing purposes set out and in accordance with the applicable law on the protection of personal data.

9. Time of Retention of Personal Data

The Personal Data submitted to the above processing purposes (section 2) shall be maintained by the Company for the period deemed absolutely necessary to fulfill these purposes, including the fulfillment of any legal, accounting, financial or information requirements and obligations, as well as any duties performed in the public interest.

The Company may continue to store some Data for a longer period of time as may be necessary to protect and safeguard the Company’s legitimate interests in relation to possible liability related to the provision of the Service.The following are some examples of keeping different categories of data from the Company:

• We keep the data of former employees after they stop working with us for any reason, for a time period of at least ten (10) years as provided for by existing national, insurance legislation.

In some cases the Company may proceed to anonymization of personal data held so that they can no longer be associated with the data subjects (employees, visitors, vendors, partners) and not be able to identify them, serving statistics mainly purposes, so we can use this information indefinitely without further notice to the subjects.

10. The Rights of the Personal Data Subjects

According to what is provided by the GDPREU 679/2016 data subjects (i.e.. You) may exercise the rights below the line and within the limits set by the specific provisions of GDPR EU 679 /2016, namely:

• The right of access to data. You have the right to be informed by the Company about the type of data held on your behalf and the processing that the Company performs on them (Article 15 GDPR EU 679/2016).
• The right to correct the data. You have the right to request the correction of your personal data held by the Company if you find that it is incorrect (Article 16 of GDPR EU 679/2016).
• The right of cancellation (‘right to forgetfulness’). You have the right to request the complete and permanent deletion of your data in case there is a legitimate interest in this cancellation (article the 17 of the Regulation 679/2016), with the express reservation of any overriding interest of the company or legal obligation storage of personal data character.
• The right to limit processing. You have the right to request a restriction or suspension of processing of personal data by the Company, when you have a vested interest in this (article the 17 of the Regulation 679/2016).
• The right to data portability. You have the right to receive the data we held about you in a structured, commonly used and readable by machines format and the right to request forwarded these data to other controllers (Article 20 of the Regulation 679/2016).
• The right to object. You have the right to object to the processing of your data when there is a legitimate interest (in accordance with the terms and provisions of Article 21 of the Regulation 679/2016), including your right to object to any automated processing of your data and processing them for any marketing purposes.
• The right to object to any automated data processing & decision making process. You have the right (under Article 21 of GDPR EU 679/2016) to object to processing of data that you’ve given to the Company, if you learn that it uses them, through an automated process for creating profiles, without your own consent, or automated decision making that affects you.
• The right to withdraw consent. The Company should provide you with a convenient and immediate way to remove the consent you have given for specific purposes of processing your data (e.g. to receive informational messages with offers to plan your next visit).

All subjects for whom their data is kept and processed also retain the right to lodge a complaint with the competent supervisory authority in the event of unlawful processing of their data.

How to exercise your rights

You may exercise these rights, as long as the Company holds and processes the personal data you have provided to it, by sending an email to the address:

You will not need to pay any fees to the Company to access your personal data or exercise your rights. However, the Company may charge you a reasonable fee if your claim is manifestly unfounded or excessive, especially because of its repetitive nature.

The Company will make every effort to respond to your requests within one (1) month of their submission. In any case, due to the complexity or volume of your requests, it will take longer to receive information.

11. Security and Protection of Personal Data

In order to protect the personal data that it receives, maintains and processes, the Company has taken appropriate physical, technical and organizational measures. The measures taken by the Company in the field of data and information security are aimed at preventing unlawful, unauthorized access, loss, or alteration, or disclosure of data and information.

We want you to know that the physical & technical security measures of information and data received by the Company include, the following:

• Physical documents including personal data and / or sensitive personal data that the Company receives, holds and processes, are kept and stored in special locked rooms and lockers, accessible only to those authorized for data processing purposes employees and senior executives of the Company.
• PC equipment and equipment located in special secure areas and rooms within the Company’s premises, where protection measures are applied in the event of fire, overheating of the cables or the devices themselves, voltage fluctuations, or even and the appearance of threatening weather events.
• The Company has procured and installed the most reliable electronic protection programs against malicious and / or other malware against PCs and its Network.
• Uses sophisticated information management and storage systems and data from trusted suppliers in the domestic IT market.

The Company also implements a range of appropriate organizational measures that further enhance the protection of data and information it manages such as:

• Strict internal policy for defining authorized access of employees and their employees to the Company’s information systems.
• Continuous awareness and training of human resources in adhering to internal visitor data internal policies and procedures (by applying good practices in the use of emails, mobile devices, as well as passwords for using IT systems) and more.

Data breach incident

The Company applies appropriate controls to prevent and timely detect incidents of personal data breaches that may lead to damage or damage to the data subjects. Regular inspection of its hardware and software by experienced technicians, as well as regular rechecking of the proper implementation of internal data security policies & procedures by Company employees and executives are the safeguards for early detection of potential risks. that would lead to unwanted data breach incidents. In any event, in the event of a similar event occurring, the Company’s employees have been trained to respond appropriately, promptly and in a coordinated manner to respond to it in accordance with the provisions of GDPR EU 679/2016, following the internal procedures provided.

12. Privacy Statement Updates

This Privacy Statement may be amended from time to time. The Company reserves the right to change if or tomodify this Privacy Statement at any time. You may regularly review the Company’s Privacy Statement and especially before providing any new personal data.

13. Communication

If you have any questions or concerns about the use of your personal information, please contact us at the following information and we will make every effort to answer your questions.


“GIONA – AQUAMAR Private Company”
Kavros Apokoronas– Chania – Crete

Last modified: November 2019