Version 2.0 (01/05/2020)
This Data Protection Policy sets out the Metaxa Hospitality Group’s arrangement in place to comply with its obligations under the General Data Protection Regulation (GDPR – 2016/679).
Further to compliance with data protection law this policy helps to protect the organization from other risks such as damage to the reputation of the organization and trust in the services that it provides.
The policy provides demonstrable commitment and support from senior management to ensure compliance with data protection law.
2. Data protection policy elements
In accordance with the GDPR Metaxa Hospitality Group adopts and implements the following principles across the organization:
Further to the above, Metaxa Hospitality Group shall ensure that it has measures I place to ensure that it respects and conforms with the rights of individuals under data protection law, namely:
3. Governance and accountability
Under data protection law every person that handles personal data has some responsibility to ensure that it used appropriate. However, the following person(s) within the organization have key responsibilities:
When Metaxa Hospitality Group collects information about individuals, Metaxa Hospitality Group provides a written notice to the individuals from whom the data is collected that includes the following information:
The abovementioned information and notice is provided by Metaxa Hospitality Group in the following manner-
5. Purpose specification and purpose limitation
Metaxa Hospitality Group collects and processes personal data only for-
The abovementioned purposes rely respectively on the following lawful basis:
Collection of Data
We collect Personal Data in accordance with law as follows:
In more limited circumstances, we also may collect:
We collect personal data either directly from you, when you visit our hotel or through online services (the site we operate, www.metaxahospitality.gr, and our social media pages)
Special categories of personal data
Unless specifically requested, we ask that you not send us, and you not disclose, any Sensitive Personal Data (e.g. social security numbers, national identification number, data related to racial or ethnic origin, political opinions, religion, ideological or other beliefs, health, biometrics or genetic characteristics, criminal background, trade union membership, or administrative or criminal proceedings and sanctions)
6. Data minimization
The Data Protection Officer will keep an inventory of all the personal data that the organization holds and processes (“the Inventory”). The Inventory shall include a justification for the collection and use of each data set processed. Any data set, which is not strictly necessary for the purposes for which the data is collected shall be removed from the organization’s data processing activities. The Inventory shall be reviewed on an annual basis.
The Data Protection officer shall ensure that the Inventory records the following for each data set-
The organization has established appropriate measures to ensure that the data that it processes is accurate and up to date.
The Data Protection Officer shall ensure that there is a clear policy on how long each data item is to be retained, including the reason(s) for doing so, such as any legal requirements to retain data for a certain reason:
On a yearly basis each department of Metaxa Hospitality Group purges its filing systems (manual and electronically) of personal data that is no longer required, in accordance with the retention periods established in the Inventory.
Details of the purges carried out including how it was carried out and by whom are recorded and signed by the Data Protection officer.
To ensure that the organization has appropriate security measures in place to protect the personal data that it processes from being accidently or deliberately compromised, the organization has established organizational and technical measures.
10. Data breach management and notification
As part of its data breach management procedure, Metaxa Hospitality Group shall notify DPA without undue delay and where feasible within 72 hours, after becoming aware of a data breach, unless it is determined that the breach is unlikely to result in a risk to the individuals affected. If it is determined that the breach is likely to result in a high risk to the individuals affected, Metaxa Hospitality Group shall notify those individuals of the breach without undue delay.
Metaxa Hospitality Group shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (including whether it has been notified to the DPA and/or the individuals affected.
11. Data subject’s rights
As described in section 2, Metaxa Hospitality Group informs all individuals about their data protection rights. Any request from individuals are internally directed to the Data Protection Officer who ensures that the request is processes and responded to without undue delay and in any event within one month of receipt of the request.
You may exercise your rights at firstname.lastname@example.org or send a letter at 28A Alex. Papanastasiou Ave., Heraklion, Crete, Greece, 71306.
12. Data protection by design & by default
Metaxa Hospitality Group will consider the data protection and privacy implications of any project proposal that involves the use the use of personal data, prior to its implementation.
Further, periodically reviews shall be undertaken to make appropriate adjustments to the data processing with the aim of improving data protection and privacy, taking into account technological developments.
The organization will:
13. Data protection impact assessments
Where a data processing activity is likely to result in a high risk to individuals, Metaxa Hospitality Group shall carry out a Data Protection Impact Assessment (DPIA), particularly when-
Metaxa Hospitality Group shall:
14. Data Processors
Metaxa Hospitality Group only uses third parties to carry out an activity on the personal data that we hold, when the third party provides sufficient guarantees that it will process the data in compliance with the GDPR and DPA. These are:
Further, all the activities on the personal data that we hold carried out by third parties on your behalf, shall be governed by a written contract as per Articles 28 and 29 of the GDPR.
We collect certain data from cookies, which are pieces of data stored directly on the computer or mobile device that you are using. Cookies allow us to collect data such as browser type, time spent on the Online Services, pages visited, referring URL, language preferences, and other aggregated traffic data. We use the data for security purposes, to facilitate navigation, to display data more effectively, to collect statistical data, to personalize your experience while using the Online Services and to recognize your computer to assist your use of the Online Services. We also gather statistical data about the use of the Online Services to continually improve design and functionality, understand how they are used and assist us with resolving questions.
Significant note: only functional cookies are stored by default in the devise you are using. All the other kinds of cookies (marketing cookies, statistics cookies, preferences cookies) are used only if consent to it.
You can learn more about our cookies at Cookies Policy and change your tracking preferences at any time by clicking on “Cookie Settings” at Cookies Policy located at the bottom of our homepage. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Online Services.