PRIVACY POLICY


Introduction


We would like to assure you that, for the company “ATTICA BLUE HOSPITALITY SINGLE-MEMBER SOCIÉTÉ ANONYME”, the protection of our customers’ personal data is of primary importance. For this reason, we take appropriate measures to protect the personal data we process and to ensure that the processing of personal data is always carried out in accordance with the obligations set by the applicable legal framework, both by the Company itself and by third parties processing personal data on behalf of the Company.

Data Controller – Data Protection Officer (DPO)


The Company under the name “ATTICA BLUE HOSPITALITY SINGLE-MEMBER SOCIÉTÉ ANONYME”, with the distinctive title “ATTICA BLUE HOSPITALITY”, having its registered office in Kallithea, Attica, at 1–7 Lysikratous Street and Evripidou Street, 176 74, as owner/operator of the hotel “Naxos Resort”, tel.: +30 22850 26650, email: info@naxosresort.gr, website: https://naxosresort.gr/, hereinafter referred to as “the Company”, informs you that, in the context of operating the Naxos Resort hotel and carrying out its business activities, it processes personal data of customers, website visitors and other transacting parties, in accordance with applicable national legislation and Regulation (EU) 2016/679, as in force.

For any matter concerning the processing of personal data, please contact the Data Protection Officer (DPO) directly, email: dpo@attica-group.com.

How do we collect your personal data?

We collect your data from the following sources:


1. Directly from you:

  • when you browse the website
  • in the context of your communication with the Hotel through our communication channels (contact form, email, telephone)
  • in the context of using the booking tool on our website
  • where such option is available, through your subscription to receive newsletters

2. Through cooperating booking platforms, such as, indicatively, Booking.com, with which we cooperate in the context of reservation management.

3. Through other external partners, such as recruitment agencies.

Categories of data subjects and personal data we process

The processing may indicatively concern the following categories of data subjects:

  • website visitors and users of electronic services,
  • customers and their representatives,
  • job applicants,
  • employees and partners of the Company,
  • suppliers and other external partners,
  • persons who communicate with the Company through any available channel.

The personal data we process are those that are strictly necessary, appropriate and relevant for achieving our purposes and are limited to what is necessary in each case, and are summarized as follows:

Personal data that you provide to us, such as:
  • Identification data (name, surname, date of birth, nationality and any other information that may appear on your passport or other official identification document).
  • Contact details (telephone number, email address).
  • Additional information, such as address, city and other information that you provide to us when responding to our communications or completing any form (in paper or electronic format).
  • Booking, payment and other customer/visitor preference data.
  • Data relating to a contractual or cooperation relationship, such as contract details, signed annexes, and details of subcontractors or legal representatives.
  • Employment data, such as payroll information or evaluation data, where required.
  • Curriculum vitae (CV) data submitted in the context of expressing interest in a job position.
  • Image data collected through video surveillance systems (CCTV), where relevant signage is in place.
  • Website traffic and usage data, such as IP addresses, cookies, browsing data and technical data (logs). For more information, please refer to the Company’s Cookies Policy.
  • In certain cases, special categories of data (e.g. health data) may be processed, where this is required by law or relates to the services provided and always in accordance with the applicable legal framework.

Please note that data relating to your identity or your contact details are strictly necessary for any transaction or contractual relationship with the Company, and that the type and amount of any additional data depend in each case on the contract that has been or is to be concluded and/or on the services provided.
You are informed that you should promptly notify the Company of any changes to your personal data that you have submitted on your own initiative, as well as respond to any request for the updating of your information.

How and why do we use your personal data?

We process your personal data for the following purposes:

  • For the provision of the services you wish to receive from us, the performance of the relevant contract and, in general, the fulfillment of our obligations towards you.

We collect your personal data in order to provide our services following the conclusion of the relevant contract. In order to communicate with you and generally to fulfill our obligations, your personal data, including your contact details, are necessary.

  • For the improvement of our services and the protection of our business interests

Our business purposes help us enhance the quality of our services and meet your expectations. For example, we may contact you via email or telephone to manage requests or complaints. In addition, when visiting the Company’s website, you may complete the contact form by providing your details in order to receive a response as soon as possible. We may also invite you to participate in satisfaction surveys, without any obligation to respond.

  • For informing you about our services and offers

Where you have provided your consent, and where a relevant subscription option is available, we may send you informational and/or promotional material regarding our services and offers.

  • For compliance with legal obligations

We process your personal data in order to comply with obligations arising from the applicable legal framework (including, indicatively, employment, social security and tax legislation, as well as decisions of judicial or administrative authorities). In addition, we may process data for the investigation of complaints, the prevention and detection of fraud, as well as for addressing security-related issues.

  • For the protection of our legitimate interests and the safeguarding of persons, property and facilities, including through the installation and operation of video surveillance systems (CCTV).

It is clarified that the processing of your personal data for the above purposes does not involve decision-making based solely on automated processing, which produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR.

What are the legal bases for processing your personal data?

We process the personal data you provide to us only where there is a lawful basis for such processing.
The legal bases for processing your personal data are:

(a) Performance of a contract
The proper performance of the contract between us or the taking of steps at your request prior to entering into a contract, in order to provide you with services within the framework of our cooperation.
(b) Legitimate interests
The safeguarding and protection of legitimate interests, both yours and those of the Company. Indicatively, we process personal data for:

  • the protection of persons, property and facilities,
  • the security of networks and information systems,
  • the prevention of malicious activities,
  • the support of information systems,
  • the establishment, exercise and defense of legal claims,
  • the overall organization and development of our business activities.

(c) Compliance with legal obligations
Our compliance with obligations imposed by the applicable legal framework (including, indicatively, employment, tax and social security legislation).
(d) Consent
The consent you provide, where required by the applicable legal framework, such as, for example, for sending updates regarding the Company’s services, news and offers.

Where do we transfer your data?

The Company transfers personal data to the following categories of recipients:

  • Company Personnel

Your data are accessed by authorized employees of the Company, within the scope of their responsibilities, for the assessment and fulfillment of your requests and the management of the contractual relationship.
Your personal data are treated with the highest level of confidentiality, as employees are bound by confidentiality obligations and/or are subject to appropriate statutory confidentiality requirements.

  • Public authorities, law enforcement authorities, within the scope of their duties

Competent public authorities may have access to your personal data, within the scope of their duties, where this is necessary and permitted by law, in particular for the purposes of compliance with legal obligations or for the prevention and suppression of unlawful activities.

  • Processors: Third-party partners who process data on behalf of the Company, such as, for example, providers of booking systems, technical support, website hosting, or professional advisors.

In such cases, the Company ensures that these partners act only on its instructions and are bound by appropriate contractual obligations, in accordance with Article 28 of the GDPR.

  • Independent data controllers: Third-party entities that process data for their own purposes, such as public authorities, insurance bodies or other organizations, within the scope of their responsibilities and in accordance with the applicable legislation. In such cases, these entities act as independent data controllers and are themselves responsible for the processing of your data.

Data Retention Period

The data retention period is determined based on the following specific criteria, depending on the case:

  • Where processing is required as an obligation under applicable legal provisions, your personal data will be retained for as long as required by such provisions (e.g. tax legislation, which may require retention for up to ten (10) years).
  • Where processing is carried out on the basis of a contract, your personal data are retained for as long as necessary for the performance of the contract and, thereafter, for as long as required for the establishment, exercise and/or support of legal claims. Indicatively, data related to your reservation are retained for the duration of the cooperation and for a reasonable period following its termination, which may extend up to five (5) years, unless otherwise required by law.
  • Where processing is based on consent (e.g. marketing), the data are retained until such consent is withdrawn. Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to its withdrawal. To withdraw your consent, you may contact the Data Protection Officer (DPO) at: dpo@attica-group.com or use the relevant unsubscribe link included in electronic communications.

After the expiry of the above periods, the data are deleted and/or anonymized in a secure and documented manner, unless further retention is required or permitted under the applicable legal framework.

What are your rights in relation to your personal data?
Every natural person whose data are processed by the Company enjoys the following rights:
Right of access
You have the right to be aware of and verify the lawfulness of the processing. Therefore, you have the right to access your data and to receive additional information regarding their processing.
Right to rectification
You have the right to review, correct, update or modify your personal data by contacting the responsible person of the Company using the contact details provided above.
Right to erasure
You have the right to request the deletion of your personal data when we process them based on your consent or in order to protect our legitimate interests. In all other cases (such as, indicatively, where there is a contract, a legal obligation to process personal data, or a public interest), this right is subject to specific restrictions or may not apply, depending on the case.
Right to restriction of processing
You have the right to request restriction of the processing of your personal data in the following cases: (a) when the accuracy of the personal data is contested and until it is verified, (b) when you object to the deletion of personal data and request the restriction of their use instead, (c) when the personal data are no longer necessary for the purposes of processing, but are required by you for the establishment, exercise or defense of legal claims, and (d) when you object to the processing and until it is verified whether there are legitimate grounds on our part which override your grounds for objecting.
Right to object to processing
You have the right to object at any time to the processing of your personal data where, as described above, such processing is necessary for the purposes of legitimate interests pursued by us as data controller, as well as to processing for direct marketing purposes and profiling.
Right to data portability
You have the right to receive your personal data free of charge in a format that allows you to access, use and process them using commonly used processing methods. You also have the right to request, where technically feasible, that we transmit the data directly to another data controller. This right applies to data that you have provided to us and where the processing is carried out by automated means based on your consent or for the performance of a contract.
Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw it. The withdrawal of your consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

To exercise any of your above rights, you may contact the Data Protection Officer (DPO), email: dpo@attica-group.com.

In the above cases, we will make every effort to respond to your request within thirty (30) days from its submission. This period may be extended by an additional sixty (60) days where necessary, taking into account the complexity of the request and the number of requests, in which case you will be informed accordingly within the aforementioned thirty (30)-day period.

Right to Lodge a Complaint
If you believe that we have not adequately addressed your request and that the protection of your personal data is in any way affected, you have the right to lodge a complaint with the Hellenic Data Protection Authority (Athens, 1–3 Kifisias Avenue, 115 23 | tel.: +30 210 6475600) through a dedicated online portal (https://eservices.dpa.gr/). Detailed instructions for submitting a complaint are provided on the Authority’s website (www.dpa.gr).

Personal Data Security
The Company implements appropriate technical and organizational measures to ensure the secure processing of personal data and to prevent accidental loss or destruction, as well as unauthorized and/or unlawful access to, use, modification or disclosure of such data. In any case, the nature of the internet does not allow for guarantees that unauthorized third parties will never be able to circumvent the technical and organizational measures in place.


Transfers of Personal Data to Third Countries or International Organizations
As a rule, personal data are not transferred to third countries outside the European Economic Area (EEA).
In the event that such a transfer is required, the Company ensures that it is carried out in accordance with the applicable legal framework and by implementing appropriate safeguards, such as, for example, adequacy decisions of the European Commission or other approved mechanisms.


Links to Other Websites
Our website may contain links to third-party websites. The Company is not responsible for the privacy practices or the content of such websites. Therefore, we recommend that you carefully read the privacy notices of each website you visit.


Other Policies and Compliance Mechanisms
The Company operates a whistleblowing reporting system through which named or anonymous reports may be submitted, in accordance with the applicable legal framework. For more information, you may refer to the relevant Whistleblowing Policy.

Changes to this Privacy Policy
The information provided in this Privacy Policy reflects the current status of data processing by the Company. In the event of any changes, this Policy will be updated accordingly.
The most recent version will always be available on our website, so that you can stay informed about how and to what extent your personal data are processed.
Last updated: May 2026