Personal Data
NOTIFICATION TO COUNTERPARTIES REGARDING THE PROCESSING OF THEIR PERSONAL DATA
- Introduction & General Terms
The company under the name “KOS HOTEL S.A.”, having its registered seat in the municipality of Kos (address Charmilou, no. 2, Postal Code 85300) (the “Company”) collects, stores and processes in general Personal Data (as defined below) in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and the local data protection legislation (jointly “Data Protection Legislation”).
This Notification of the Company to its counterparties according to Articles 13 and 14 of the GDPR (the “Notification”) describes the way in which the Company collects, uses and processes in general Personal Data relating to its counterparties (if they are natural persons) or their legal representatives, the directors, the beneficial owners and/or the contact persons of their counterparties, in case the counterparties are legal entities (“You”).
- Types of Personal Data collected - Sources
For the purposes of this Notification, Personal Data means any information which relates to an identified or an identifiable person, or which may be used for the identification of a person (“Personal Data”).
The types of Personal Data that the Company may process include, as the case may be, inter alia:
- Name, surname, father’s name, mother’s name, email address, products or services provided, as the case may be;
- Where the counterparty is a natural person: VAT number and Tax Authority, number of ID document, date of issue and issuing authority;
- Where the counterparty is a legal entity: working position within the counterparty/ capacity.
Your Personal Data are in principle collected from you or from the Company’s counterparty which transferred to the Company your data in the context of their agreement or for the purpose of concluding an agreement. Moreover, we may obtain your Personal Data from other sources such as publicly available sources, creditworthiness assessment companies, etc.
- Personal Data of Third Parties
In case you provide the Company with Personal Data of third parties (e.g. legal representatives, employees), you must notify these persons about the processing of their Personal Data by the Company and their respective rights (for example by disclosing this Notification).
Moreover, if required by law, you must obtain the consent of these persons relating to the transfer of their data to the Company and the relevant processing of their data by the Company. If you provide Personal Data of third parties, the Company considers that the relevant consent of these third parties has been obtained, upon their having received the respective notification.
- Why does the Company collect, use, disclose and store Personal Data?
The Company collects, uses, discloses and stores Personal Data for the following purposes: (1) choice of counterparty, (2) conclusion of an agreement with the counterparty, (3) service of the agreement with the counterparty, including the management of the relevant payment fees under this agreement, (4) assessment of the cooperation with the counterparty, (5) to safeguard its rights under the applicable law, (6) to fulfil its obligations required by law, (7) to safeguard the compliance with the internal policies/proceedings of the Company, (8) research (market investigation, satisfaction survey etc.) and (9) direct marketing purposes.
- Legal Basis of the processing of your Personal Data
The legal basis for the collection, usage and processing in general of your Personal Data is defined in Article 6, para. 1 b), c) and f) of the GDPR. This means that we are processing your data: (i) in order to execute the agreement with the Company that you have entered into or to take measures for its conclusion, (ii) for the Company to comply with its legal obligations, (iii) for the legitimate interests of the Company or any third party, unless your rights and freedoms prevail over these interests (e.g. to safeguard the Company’s legitimate interests, prevention of fraud, internal investigation). Where the legal basis of the processing of your Personal Data is your consent, the latter will be obtained, where applicable, separately.
- Recipients of your Personal Data
The Company may from time to time disclose your Personal Data to third parties for any of the aforementioned purposes. Examples of third parties to whom the Company may transfer your Personal Data include, inter alia:
- Third parties which provide us services (e.g. IT companies etc.)
- Entities which are within the same group of companies with the Company.
- Consultants or auditors.
- Any court or judicial authority of the relevant jurisdiction, mediator, arbitrator, taxation authority or regulatory or public authority.
- Public or national authorities, where required by law.
- Otherwise, if you have given your consent for that disclosure.
- Overseas transfers of Personal Data
Due to the nature of our work, we may disclose your Personal Data to third parties established outside the European Economic Area (EEA). In these cases, except where the relevant country has been determined by the European Commission to provide an adequate level of protection (currently Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay), we require such recipients to comply with appropriate measures designed to protect the Personal Data.
- Retention period of your Personal Data
We will retain your Personal Data for as long as we consider to be necessary in order to fulfil the purpose for which they were collected or to comply with legal, regulatory, accounting or audit requirements, or requirements provided in our internal policies/proceedings. In order to define the adequate retention period of your Personal Data we take into consideration the applicable legislation, as well as the quantity, the nature and the sensitivity of the Personal Data, the prospective risk of damage caused by unauthorized use or disclosure of your Personal Data, the purposes for which we collected your Personal Data and whether we can fulfil the purposes through other means.
- Your rights and obligations
(a) Your obligation to notify us of any change
It is important that the Personal Data we store about you are up to date and accurate. Please notify us if there is a change to the Personal Data that you have provided to us.
(b) Your rights in relation to your Personal Data
In certain circumstances, you have the right by law to:
- Request access to your Personal Data.
- Request the correction of your Personal Data that we store about you.
- Request the erasure of your Personal Data.
- Object to the processing of your Personal Data (e.g. you have the right to object in writing in case we process your Personal Data for direct marketing purposes by contacting us at the email address mentioned below).
- Request the restriction of the processing of your Personal Data.
- Receive your Personal Data in a structured format or request the transfer of your Personal Data to a third party (“data portability”).
- Withdraw, in case we process your Personal Data based on your consent, your consent at any time. Notably, the withdrawal of your consent will not affect the legality of the processing which was based on your consent prior to its withdrawal.
- Request, where applicable, not to be subject to decisions based on automated decision-making, including profiling.
If you want to exercise your rights in accordance with the above, or you have any query relating to this Notification, please contact us at [email protected].
Finally, you have the right to lodge a complaint with the competent Data Protection Authority (for Greece: www.dpa.gr).
- Changes to this Notification
We reserve the right to update this Notification at any time, and we will notify you by updating this Notification on our website at: www.divinehotels.gr. Any changes to this Notification apply from the time of its update on our website, unless otherwise provided.