Privacy Policy

INTRODUCTION

This privacy policy sets out how NLH Hotel Management SA., hereinafter the “The Company, or Us, or We, or the Hotel” processes the personal data of the individuals with whom it interacts. This policy describes how the Company collects and uses your personal information and how you can exercise your rights. The Company always processes your personal data with respect to the fundamental rights of natural persons in accordance with the European and Greek legislation (including General Data Protection Regulation (EU) 2016/679, Greek law 4624/2019 and any other relevant applicable legal provision).

CONTROLLER OF PERSONAL DATA

NLH Management S.A. is based in Athens Greece, at No 14 Vasilisis Sofias Avenue and operating hotels in Fix, Monastiraki and Keramikos is the data controller which alone or jointly with others, determines the purposes and means of the processing of personal data. If you have any questions about processing of personal data, please find the contact information at the end of this privacy policy.

PRINCIPLES OF PROCESSING OF PERSONAL DATA

The Company, acting, either as data controller or in certain cases as data processor for specific processes strictly adheres to the data processing principles as defined at the GDPR.

LAWFULNESS, FAIRNESS AND TRANSPARENCY

The company will process, personal data only if a legal ground exists and to the extent the processing is carried out in a fair and transparent manner towards the individuals whose personal data is collected and used.

PURPOSE LIMITATION

We collect and process personal data to accomplish specified, explicit and legitimate purposes and not process personal data beyond such purposes unless the further processing is considered compatible with the purposes for which the personal data was originally collected

DATA MINIMIZATION

We only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed. When storing personal data, we ensure that the information retention period is limited only to the minimum strictly necessary in relation to the purpose intended, using the appropriate procedures and technical measures.

ACCURACY

We take all reasonable measures to ensure the data is accurate and, where necessary, kept up to date by implementing processes to prevent inaccuracies during the data collection process (i.e., verifying the data is accurate, complete and not misleading), as well as during the ongoing data processing in relation to the specific use for which the data is processed.

STORAGE LIMITATION

We are always keeping track of personal data not being kept for longer than necessary for the purposes for which the personal data were processed. Once the information is no longer needed, personal data are securely deleted with proportionately available technical measures.

INTEGRITY AND CONFIDENTIALITY

The Company collects and processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)’. We have implemented an information security framework to protect and preserve personal data throughout its life cycle (where appropriate we may use techniques such as pseudonymisation and encryption of personal data). In addition, when the processing involves sensitive personal data, we take extra care as controllers by evaluating the potential impact on individuals that a breach of the integrity or confidentially of the personal data may cause and we are constantly trying to implement measures that sufficiently protect individuals.

TYPES OF PERSONAL DATA THAT WE PROCESS

The personal data processed by us are necessary for the purposes for which they are collected. We collect the following data depending on each individual case:

  • Identity data: e.g. first name, surname
  • Contact information: e.g. phone number, e-mail address
  • Details that you provide in the contact form
  • Data collected using cookies: e.g. IP address
  • Information we collect for the purpose of recruitment (CV data)
  • Booking and Visitors’ information (Dates of arrival and departure, special requirements and preferences, comments, and queries)
  • Payment Information (Credit or Debit Card or other payment data)

PURPOSE OF THE PROCESSING OF PERSONAL DATA

We process your personal data only for the specified purpose we intend to pursue. Depending on the case, we may process the personal data to:

  • make or complete a reservation on behalf of a customer
  • recruit personnel to fill a vacant position
  • direct marketing purposes based on consent and with an option to freely unsubscribe
  • respond to any questions we receive from you and satisfy any requests you may have
  • administrate our website and offer the user the best services
  • use your data to manage and resolve litigation in accordance with the law

LEGAL BASIS OF THE PROCESSING OF PERSONAL DATA

We ensure that any processing of personal data that we perform is lawful because it is based on at least one of the following legal grounds:

  • The processing is necessary for the performance of the contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • The processing is necessary for the fulfilment of a legal obligation of the Company.
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • The processing is necessary for the pursuit of a legitimate interest of the Company if the pursuit of a legitimate interest does not have serious consequences for the fundamental rights and freedoms of natural persons.
  • The processing is based on the user’s informed, specific, freely given, and unambiguous consent regarding the purpose of the processing of the person’s personal data.

RECIPIENTS OF PERSONAL DATA

Your personal data will be processed within the Company by the necessary personnel for this purpose, in compliance with all data protection principles.

The Company uses a variety of third-party service providers to help us provide services related to our customers. Service providers may be located inside or outside of the European Economic Area (“EEA”). These include financial and legal service providers, booking platforms and channel managers as well as various consultants.

If we use a third- party provider (subcontractor) or business partner who processes personal data on our behalf, (Data Processor) we will ensure that the third party processing on our behalf has adequate security and privacy measures in place, such as the law defines and processes the personal data only to fulfil its contractual obligations to us and always in accordance with the instructions we have given and for no other reason.

If third party service providers are outside the EEA, we have (prior to sharing your information with such corporate affiliate or third party service provider) established the necessary means to ensure an adequate level of data protection either an adequacy decision of the European Commission confirming an adequate level of data protection in the respective non-EEA country or an agreement on the basis of the EU Model Clauses (a set of clauses issued by the European Commission).

In some cases, your personal data may be transferred to the competent police or judicial authorities to defend our legal rights, and only in cases where this is required by applicable law.

STORAGE PERIOD OF PERSONAL DATA

We only process your personal data as long as it is necessary for the fulfilment of the respective purpose, unless there is a legal provision for their further storage or we need them to cover and fulfil our legal requirements.

TRANSFER OF PERSONAL DATA OUTSIDE EU/EEA

Some of these countries are subject to a European Commission adequacy decision. If your personal data is transferred to such countries, we will take all necessary measures to ensure an adequate level of protection for personal data in accordance with applicable law. In the event that we are informed and/or suspected by our partner or a third party of sending or processing data to countries outside the EU/EEA, and in connection with ensuring the lawful processing of your personal data, we will make every effort to investigate the matter as quickly as possible and act accordingly. At the same time, we will endeavor to inform you, where it seems appropriate by the manner that the Company finds suitable.

Where we transfer, store, and process your personal information outside of the EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection. We rely on Standard
Contractual Clause approved by the European Commission to transfer data from the EEA, Switzerland and other countries outside of where you live. You may request a copy of the Standard Contractual Clauses by
contacting us.

SOCIAL MEDIA

Our Company has a page on a social networking site (Facebook, Instagram etc). We remind you that this page is publicly accessible and any content, comment, personal information you provide will be visible to the general public and we strongly suggest that you read carefully their privacy policy and be extra cautious about the content of the information you post.

COOKIES

Cookies are small text files that are stored on your computer or mobile device when you visit a website.

The cookies policy provides further details on the use of cookies and inform you about how you can delete or prevent the storage of specific cookies on your computer or mobile device.

DATA SUBJECT’S RIGHTS

As data subject you have the following rights:

RIGHT OF ACCESS

As the data subject you have the right of access so that you can verify the lawfulness of the processing. You have the right to be informed whether and how we process the personal data we have stored about you and receive additional information about the processing we have carried out.

RIGHT OF RECTIFICATION

The data subject has the right to request the rectification of inaccurate data or the completion of incomplete data.

RIGHT TO RESTRICTION OF PROCESSING

The data subject has the right to request the restriction of the processing of personal data and the Company needs to react immediately if the data subject objects to its accuracy and until it is verified, or the data subject objects to the deletion of personal data and requests the restriction of its use, or if personal data are not necessary for the purposes of the processing but remain necessary for the establishment, exercise and support of legal claims, and finally, if the data subject objects to the processing and until it is verified that there are legitimate reasons for the Company to object to the processing that outweigh the reasons for which the data subject objects.

OBJECTION TO PROCESSING OF PERSONAL DATA

The data subject has the right to object at any time at the processing of personal data or to withdraw the consent.

RIGHT TO DATA PORTABILITY

The individuals have the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. They have also the right to request that a controller transmits
this data directly to another controller.

RIGHT TO DELETION

The data subject has the right to request the deletion of personal data. After evaluating the request, the Company will immediately take all necessary measures to fulfill the individual’s request by communicating with third parties (subcontractors) who use or process personal data on behalf of the Company and asking them to do the same. Deletion of personal data has the appropriate restrictions where retention is required by law.

EXERCISE OF RIGHTS

You may exercise your rights at any time via the Data Subject’s Right Request [download pdf] and the Company will respond to you within thirty (30) days of receipt and confirmation of your identity, unless the request is unusually large and complex, in which case the response may be delayed for an additional sixty (60) days after your notification.

In principle, the response to your request is free of charge. However, if a request is clearly unfounded or excessive, a reasonable fee may be charged. In any case, you have the right to complain to the Authority for the Protection of Personal Data if we do not respond satisfactorily to your request: 1-3 Kifissias, Athens / www.dpa.gr, Tel. 2106475600.

CONTACT

Individuals may contact for any information or clarification regarding the processing of personal data either by post to the address: Data Protection Officer, NLH Management S.A 14 Vas. Sofias Av, 106-74, Athens, Greece or sending an e mail at dpo@nlh.gr

POLICY UPDATING

The Company has the right to change this statement, if it considers that it is necessary for legal, general, regulatory and technical reasons or due to changes in the services offered or the nature or layout of its services. Any change will be effective from the date of its publication on the Website.

PUBLICATION DATE: 11/11/2021

The NLH Hospitality
Experience Begins Here