The Company, acting, either as data controller or in certain cases as data processor for specific processes strictly adheres to the data processing principles as defined at the GDPR.
The company will process, personal data only if a legal ground exists and to the extent the processing is carried out in a fair and transparent manner towards the individuals whose personal data is collected and used.
We collect and process personal data to accomplish specified, explicit and legitimate purposes and not process personal data beyond such purposes unless the further processing is considered compatible with the purposes for which the personal data was originally collected
We only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed. When storing personal data, we ensure that the information retention period is limited only to the minimum strictly necessary in relation to the purpose intended, using the appropriate procedures and technical measures.
We take all reasonable measures to ensure the data is accurate and, where necessary, kept up to date by implementing processes to prevent inaccuracies during the data collection process (i.e., verifying the data is accurate, complete and not misleading), as well as during the ongoing data processing in relation to the specific use for which the data is processed.
We are always keeping track of personal data not being kept for longer than necessary for the purposes for which the personal data were processed. Once the information is no longer needed, personal data are securely deleted with proportionately available technical measures.
The Company collects and processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)’. We have implemented an information security framework to protect and preserve personal data throughout its life cycle (where appropriate we may use techniques such as pseudonymisation and encryption of personal data). In addition, when the processing involves sensitive personal data, we take extra care as controllers by evaluating the potential impact on individuals that a breach of the integrity or confidentially of the personal data may cause and we are constantly trying to implement measures that sufficiently protect individuals.
The personal data processed by us are necessary for the purposes for which they are collected. We collect the following data depending on each individual case:
We process your personal data only for the specified purpose we intend to pursue. Depending on the case, we may process the personal data to:
We ensure that any processing of personal data that we perform is lawful because it is based on at least one of the following legal grounds:
Your personal data will be processed within the Company by the necessary personnel for this purpose, in compliance with all data protection principles.
The Company uses a variety of third-party service providers to help us provide services related to our customers. Service providers may be located inside or outside of the European Economic Area (“EEA”). These include financial and legal service providers, booking platforms and channel managers as well as various consultants.
If we use a third- party provider (subcontractor) or business partner who processes personal data on our behalf, (Data Processor) we will ensure that the third party processing on our behalf has adequate security and privacy measures in place, such as the law defines and processes the personal data only to fulfil its contractual obligations to us and always in accordance with the instructions we have given and for no other reason.
If third party service providers are outside the EEA, we have (prior to sharing your information with such corporate affiliate or third party service provider) established the necessary means to ensure an adequate level of data protection either an adequacy decision of the European Commission confirming an adequate level of data protection in the respective non-EEA country or an agreement on the basis of the EU Model Clauses (a set of clauses issued by the European Commission).
In some cases, your personal data may be transferred to the competent police or judicial authorities to defend our legal rights, and only in cases where this is required by applicable law.
We only process your personal data as long as it is necessary for the fulfilment of the respective purpose, unless there is a legal provision for their further storage or we need them to cover and fulfil our legal requirements.
Some of these countries are subject to a European Commission adequacy decision. If your personal data is transferred to such countries, we will take all necessary measures to ensure an adequate level of protection for personal data in accordance with applicable law. In the event that we are informed and/or suspected by our partner or a third party of sending or processing data to countries outside the EU/EEA, and in connection with ensuring the lawful processing of your personal data, we will make every effort to investigate the matter as quickly as possible and act accordingly. At the same time, we will endeavor to inform you, where it seems appropriate by the manner that the Company finds suitable.
Where we transfer, store, and process your personal information outside of the EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection. We rely on Standard
Contractual Clause approved by the European Commission to transfer data from the EEA, Switzerland and other countries outside of where you live. You may request a copy of the Standard Contractual Clauses by
Cookies are small text files that are stored on your computer or mobile device when you visit a website.
As data subject you have the following rights:
As the data subject you have the right of access so that you can verify the lawfulness of the processing. You have the right to be informed whether and how we process the personal data we have stored about you and receive additional information about the processing we have carried out.
The data subject has the right to request the rectification of inaccurate data or the completion of incomplete data.
The data subject has the right to request the restriction of the processing of personal data and the Company needs to react immediately if the data subject objects to its accuracy and until it is verified, or the data subject objects to the deletion of personal data and requests the restriction of its use, or if personal data are not necessary for the purposes of the processing but remain necessary for the establishment, exercise and support of legal claims, and finally, if the data subject objects to the processing and until it is verified that there are legitimate reasons for the Company to object to the processing that outweigh the reasons for which the data subject objects.
The data subject has the right to object at any time at the processing of personal data or to withdraw the consent.
The individuals have the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. They have also the right to request that a controller transmits
this data directly to another controller.
The data subject has the right to request the deletion of personal data. After evaluating the request, the Company will immediately take all necessary measures to fulfill the individual’s request by communicating with third parties (subcontractors) who use or process personal data on behalf of the Company and asking them to do the same. Deletion of personal data has the appropriate restrictions where retention is required by law.
You may exercise your rights at any time via the Data Subject’s Right Request [download pdf] and the Company will respond to you within thirty (30) days of receipt and confirmation of your identity, unless the request is unusually large and complex, in which case the response may be delayed for an additional sixty (60) days after your notification.
In principle, the response to your request is free of charge. However, if a request is clearly unfounded or excessive, a reasonable fee may be charged. In any case, you have the right to complain to the Authority for the Protection of Personal Data if we do not respond satisfactorily to your request: 1-3 Kifissias, Athens / www.dpa.gr, Tel. 2106475600.
Individuals may contact for any information or clarification regarding the processing of personal data either by post to the address: Data Protection Officer, NLH Management S.A 14 Vas. Sofias Av, 106-74, Athens, Greece or sending an e mail at firstname.lastname@example.org
The Company has the right to change this statement, if it considers that it is necessary for legal, general, regulatory and technical reasons or due to changes in the services offered or the nature or layout of its services. Any change will be effective from the date of its publication on the Website.