1.    Purpose of this Policy

 

By this Policy, the Company under the registered name ‘’Astor Hotel S.A.’’ (hereinafter referred to as the “Company”), with headquarters in Athens  (16 Karageorgi Servias Str., PC 10562, T +30 210 33 51 000, and e-mail address: reservations@astorhotel.gr ), to which this website belongs, provides as Data Controller, within the meaning of the applicable legislation, to the users/visitors of its website, information on the processing of their personal data during browsing and use thereof, when necessary, based on the relationship with them.

 

2.    Definitions

 

Data Subject:  The website user and any other natural person who visits our website;
Personal data: Any information that can directly or indirectly identify a natural person (the “Data Subject”), such as name, surname, address, contact details (telephone number, e-mail address)etc.;
Processing: Any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, searching for information, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data of which the Company has or will become aware, either directly from you through the website or under the transaction relationship with the Company;
Controller:  The company under the name ‘‘’Astor Hotel S.A.’’, to which this website belongs and which determines the purposes and means of the processing of personal data;

Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Recipient: A natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not;

Data Protection Officer – DPO: the person designated by the Data Controller, who has the position and performs the duties defined by the current legal framework for personal data protection;

 

3. What type of data we collect, for what purpose and on what legal basis

 

We collect and process the following personal data of yours on a case-by-case basis:

 

Business Activity/ Processing	Personal Data (or categories of personal data)	Purpose of the processing	Legal basis for the processing
Login to our website astorhotel.gr	IP address, date and time of access (timestamp-timezone), access provider, browser and its version, operating system and its version.	Provision of personalized services to you, design of proper connection, security and system stability, continuous provision of our services while you browse the website.	a) legitimate interest in the context of making our website available to the public in a safe way and providing services to it.
Communication and Evaluation Form	E-mail address, content of the message (comment, evaluation) are required data, while name, surname and telephone number are optional data	Communication, request/query/complaint handling and information provision   Improving our services	a) the contractual relationship between us and your specific request   b) legitimate interest, in the context of providing services to you
Booking request [Book now]	Country of origin, name, surname, email address, phone number, payment details, (optional: address, company, purpose of stay, special comments such as booking preferences, special instructions) NOTE: The registration of your data is carried out through the secure environment of Webhotelier who is processor, after redirection	Details entry and booking finalization   Satisfaction of your special requests & needs within the framework of the contractual relationship with the hotel.	a) Company’s compliance with legal obligations and the applicable legislative framework   b) provision of our services in the context of our contractual relationship and your specific request
Registration to Astor Hotel Athens Members Club	E-mail address	Registration and enjoyment of relevant privileges while booking.	a) The contractual relationship between us and your specific request for registration as well as the performance of a contract regarding the provision of services and privileges to members of the program.
Subscription to Astor Hotel’s newsletters	E-mail address	Receiving offers from Astor Hotel	Your consent
Information regarding the use of Cookies: Our website uses Cookies. Our Company, through the published Cookies Policy, provides users/visitors of its website with information about the use of Cookies, such as the type of Cookies used by the website, the data retention period, the type of data collected, the purpose of use of each Cookie, the way in which the user/visitor has the possibility to turn on or disable the use of cookies and so on.

 

We shall inform you that all personal data provided by you through our website for the above purposes is necessary for us in order to provide you our services the best possible way and to achieve any settlement, management or resolution of your request, question or complaint. Therefore, the non-provision of your data could make the communication between us through the website and in general the contractual relationship between us inefficient and / or impossible.

 

 

4. Processing of special categories of personal data

 

Our Company does not process special categories of personal data through this website, such as data related to your racial or ethnic origin, your religious or philosophical beliefs, health data or data related to your sex life or your sexual orientation, as the above data are not necessary for us. For this reason, we kindly ask you not to include such data when filling in message fields, which otherwise will be processed by us on your own initiative and as an integral part of any request you may have (indicative example: preferences during the reservation regarding your stay or the way of providing you our services, particular requests or needs regarding our provision of services to you).

 

 

5. Data concerning minors

 

Our website does not concern natural persons, who have not reached the age of eighteen (18). Therefore, our Company does not process personal data of minors. However, our company, with a particular sense of responsibility regarding the sensitive age of children, declares that it does not process personal data arising from visitors/users of the website under the age of eighteen (18), without the prior consent of the person who has parental care of the child. It should be pointed out that, when the processing of personal data is based on consent in accordance with art. 6 par. 1 a of the GDPR 2016/679, in relation to information society services directly provided to a child, the consent provided by the minor and consequently the processing is lawful if the minor is at least 15 years old. In case the minor is less than 15 years old, this processing is lawful only if and to the extent that the said consent is provided or approved by the person who has parental care of the minor (see art. 8 of the GDPR 2016/679 in conjunction with art. 21 of law 4624/2019).

 

6. Recipients of your personal data

 

The personal data we collect from you in the context of our relationship are processed by:

1. the authorized and properly trained competent staff of our Company bound by absolute secrecy and confidentiality,
2. partners of our Company, to whom the Company, in accordance with art. 28 of the GDPR entrusts the execution of specific tasks on its behalf (processors) and with which it has ensured GDPR-compliant processing for the protection of your data, by signing contracts and undertaking to observe adequate measures, in accordance with the corresponding GDPR provisions (art. 28, 32), such as, indicatively but not limited to, third party partners – companies in the context of managing the website and newsletters as well as providing support services for our applications. In particular, we would like to inform you that when you make your reservation through this website, you are redirected to the reservation environment of Webhotelier Technologies Ltd, which processes the personal data included in your reservations, on behalf of the hotel, as Processor, providing the relevant guarantees in particular regarding the processing of information/payment data (indicative: complies/is certified with the PCI DSS Security Standard).
3. public bodies and authorities, such as public agencies and bodies, independent authorities, regulatory authorities, police, competent authorities, prosecutors, other administrative agencies, etc., when we are required to do so by the applicable legal framework.

We do not transfer your personal data to third countries (outside the EU or EEA) or international organizations, which do not ensure an adequate level of protection (according to an adequacy decision or certification). In any case, any transfer follows and complies with the relevant provisions of the applicable legislative framework, in particular art. 44 et seq. of the GDPR 2016/679 while there will be relevant information to the users with an update of this personal data protection policy or with a more specific statement/information by the Company.

 

7. Data retention period

 

We retain your personal data for as long as required by the nature and purpose of each processing or as defined by the applicable legislative and regulatory framework, taking into account the legal obligations of our Company, our contractual relationship and any legal claims arising from it, in order to accordingly justify the retention time of the personal data. During the pre-contractual stage and especially in case of filling out an electronic communication form on the company’s website, your data are kept for up to 5 years.

In any case, we apply a maximum retention period of twenty (20) years (general limitation of legal proceedings). After the expiration of the above period, the data that are no longer necessary will be erased in a secure and unrecoverable manner.

 

 

8. Your rights according to the GDPR

 

In any case, you have control over the processing of your personal data. Each user, as a data subject, may at any time exercise their rights, as provided for in the GDPR and in particular articles 12 to 23 thereof, but also the relevant national legislation and in particular:

1. The right to be informed, announced and briefed about exercising your rights (Art. 12, 13, 14 GDPR), meaning your right to be informed on how your personal data are used (as it is thoroughly done in the present Policy).
2. The right to access the personal data that concern you and to the extent the Company processes them, as a Data Controller (Art. 15 GDPR). Our Company will provide you a copy of the personal data upon your relevant request.
3. The right to rectify inaccurate data as well as to add data when they are incomplete (Art. 16 GDPR).
4. The right to erase your personal data (“The right to be forgotten”), subject to the obligations and legal rights of the Company over their preservation according to the applicable legislative and regulatory provisions (Art. 17 GDPR).
5. The right to restrict the processing of your personal data if, either their accuracy is doubted, or the processing is illegal, or they lack the purpose of processing, but their erasure is not applicable (Art. 18 GDPR).
6. The right to transfer your personal data to another Data Controller (data portability), if the processing is based on you consent and is conducted with automated means or to execute the contract between us (Art. 20 GDPR). In such a case, you have the right to receive the personal data concerning you, which you provided us, in a structured, commonly used and machine-readable format.
7. The right to object for reasons that concern your special condition in case your data are being processed for purposes of the Company’s legitimate interest (Art. 21 GDPR) and especially the right to object to the automated decision-making including profiling (Art. 22 GDPR).
8. The right to withdraw the already given consent (article 7 par. 3 GDPR) at any time, for the processing based on the consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Moreover, you have the right to lodge a complaint with the competent supervisory authority in the Member State in which you have your residence or place of work or is the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR (art. 77 GDPR) and that your request has not been sufficiently satisfied by us. The competent supervisory authority in Greece is the Hellenic Data Protection Authority (1 – 3 Kifisias Avenue, 115 23, Athens, +30 2106475600, contact@dpa.gr ).

 

9.The way to exercise your rights and lodge a complaint

You have the right to exercise your rights either by sending an email to the e-mail address dpo@president.gr (by filling in the Rights Exercise Form we provide you) or by letter to our postal address or by hand delivery in our Company’s headquarters.

Our Company will make every effort to take the required actions within (1) month from the date of receipt of your request, unless the tasks related to the satisfaction of the request are characterized by particularities and/or complications, based on which the Company reserves the right to extend the time of completion of actions.

In any case, you will receive an update on the progress of your request within one (1) month of its submission. We reserve the right to request certain information from you in order to confirm your identity and to ensure your right to access your personal data (or to exercise any other right). This is a protective measure that ensures that personal data are not disclosed to any person who does not have the right to receive them. We also reserve the right to contact you for more information about your request in order to shorten the response time.

 

 

10. Security of your personal data

 

Our company applies reasonable and appropriate technical and organizational security measures to ensure an appropriate level of security and protection of your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed as well as to ensure the preservation of both technical and physical security in accordance with article 32 of the GDPR. The Company applies relevant Policies and in general, it observes the principles of processing in accordance with the wording of the GDPR (Art. 5 GDPR), to ensure the availability, integrity, and confidentiality of your personal data. 

 

 

11. Statements of the Company

 

1. The Company is not liable for any damage (direct, indirect, positive, deponent) that may be caused to the visitor on account of the website or its use. The visitor is solely responsible for the protection of their system against viruses.
2. The Company does not make decisions or proceed to profiling based on an automated processing of your data.
3. The present policy may be amended / updated at any time. You will be informed about all the significant changes, while, every time the Policy is amended, the updated version will be posted on the page. For this reason, the visitor must be updated and regularly refer to this Policy.
4. No other use of the visitor’s personal data will be made for purposes other than those mentioned herein, without prior information and, where necessary, their consent.

 

12. Useful Contact Details

 

Data Controller Contact Details

Astor Hotel S.A. Address: 16 Karageorgi Servias Str., 105 62 Tel.: +30 210 33 51 000 Email: reservations@astorhotel.gr Website: www.astorhotel.gr

Data Protection Authority Contact Details (HDPA, competent national Supervisory Authority)

Address: 1-3 Kifisias Avenue, Athens, Greece, 115 23 Tel: +30 210 6475600 Fax: +30 210 6475628 Email address: contact@dpa.gr Website: www.dpa.gr

Data Protection Officer (DPO) contact details

Email: dpo@president.gr