At Vasia Hotels & Resorts, we guarantee our commitment to respecting and protecting your privacy, as well as safeguarding your personal data. With respect to the applicable national and European legal framework about data protection, especially the new European General Data Protection Regulation 2016/679 (GDPR), we provide you hereby a lawful, fair and transparent policy in order to inform you about the personal data we collect, how we use it, and how the use of this information can benefit your experience while visiting our premises and/or our online platforms (website and mobile application).
– what personal data we collect and how we use them;
– the purposes we process your personal data and the relevant legal basis under which we process your personal data;
– your rights related to your personal data.
What Personal Data we collect and how we use them
A.1. Data collected for booking purposes
Online booking engine through our Vasia App/ Website / In-house Website:
If you decide to make a booking reservation through our Vasia App/ Website / In-house Website, we will collect your name and surname, address, city, country, telephone, email, any special requests you may have, your credit card details (card type, card number, secure code, expiration date, card owner), arrival date and departure date as well as flight details in case of a transfer request.
Booking confirmation form:
If you contact us directly, to make a reservation, we will send you the booking confirmation form in order to provide us the necessary information, such as name and surname, address, telephone, email, your credit card details (i.e. card type, card number, expiration date, card owner).
Third parties’ online booking engines and/or travel agents:
In this case, we receive an email confirming your booking, including information such as your name and surname, country, arrival date and departure date, flight details in case of transfer, any (family) members that will accompany you, any special requests (i.e. requirement for transportation, declaration of special preferences and/or allergies that we should be aware of).
A.1.1. Purposes of processing – legal basis
We collect your booking data in order to:
A.2.Registration Data – Check-in procedure
When you arrive at Vasia Hotels & Resorts – Check-in procedure:
During your arrival at Vasia Hotels & Resorts, you will provide us with the necessary information for the check-in procedure. More specifically, we collect your title, your first and last name, your language, your address (street, postcode, city, country), your nationality, your telephone number, your email address, names of any (family) members that will accompany you and their date of birth, your date of birth, passport/ID number, car plate, your credit card details, arrival date and departure date as well as room number.
Allergies/Special Preferences Declaration:
Allergies and special preferences may constitute in some cases sensitive personal data. We may collect such data only if you voluntarily provide us, or when we ask you to do so and you provide us your explicit consent.
If you wish to share with us your allergies or other preferences, in order to register this information in our systems and inform the relevant departments during your stay at our premises, we will ask you to provide us your consent to keep this data and subsequently inform adequately our a la carte restaurants and/or housekeeping department for your safety, convenience and esteemed personalized services. In such case, we will collect your name, surname, date of birth, arrival and departure date and room number, as well as any allergy or any preference request.
A.2.1. Purposes of processing – legal basis
We collect your registration data for:
A.3. Room Service
In case you wish to submit an “In room Dinning” request, then your order (including food preferences and any allergies, if reported) along with your name and your room number will be collected. This information will be properly destroyed upon your departure.
A.3.1. Purposes of processing – legal basis
We collect data you provide us via room service for:
A.4. Membership Data
If you have been registered as a Vasia Hotels & Resorts Member, we collect your name, surname and membership number and we process this information when you make use of the relevant privileges.
A.4.1. Purposes of processing – legal basis
We collect your VASIA Membership data to:
A.5. Restaurants’ Reservations Data
Reservation via our call center:
In case you wish to make a restaurant reservation through each hotel’s call center, we collect your name, surname, room number and any other special request you may have.
Reservation via Vasia App/ In-house Website:
In case you wish to make a restaurant reservation via our Vasia App/ In-house Website, we collect your name, surname, room number and relevant booking details.
A.5.1. Purposes of processing – legal basis
We collect the data you provide us for Restaurant Reservations for:
A.6. Personal Data when you visit our Spa/Gym Facilities
When you visit our Spa/ Gym facilities, we collect personal information which is necessary for the provision of our services.
A.6.1. Purposes of processing – legal basis
We collect the data you provide us when you visit our Spa/Gym facilities for:
A.7. Personal data you provide in the course of Children/Sport Activities.
We collect and process minors’ (i.e. under the age of 18) personal data for their participation in different Children or Sport Activities which are organized and held at Vasia. We do not collect these data directly from the minors, but from their legal guardians.
A.7.1. Purposes of processing – legal basis
We collect the data you provide us when your child is registered:
A.8. Personal Data collected via Guests’ Questionnaires
For us, your feedback is valuable, as it helps us improve our services to you. You may at any point provide us with your feedback, by completing our Guest Questionnaire via Vasia App/ In-house Website. If you wish to complete it, the provision of personal information (i.e. your name, surname, room number email, address, country, profession, arrival data, length of stay, data of birth) is optional.
A.8.1. Purposes of processing – legal basis
We collect the data you provide us through our Guests Questionnaires for:
Evaluating your experience, improving our services, as well as to further contact you to discuss your experiences during your stay at our premises, and evaluate services rendered to you in the future. Our legal basis is our legitimate interest.
A.9. Personal Data collected for Security reasons
We collect, process and store images through our video- surveillance systems (“CCTV systems”), where installed, for security reasons, pursuant to the requirements and standards set by the national and union law for the retention of data, sound and images.
Reports including personal data are being prepared by our Security department for security reasons (i.e. incident reports, object lost reports, open safe list etc.). Such reports may include personal information, such as name, surname room number and will be recorded only for security purposes.
In case that an accident occurs in our premises, you will be requested to provide information such as your name, surname, date of birth, room number, duration of stay, as well as some additional information about the accident, such as the location of the incident, date and time of incident, it’s nature and any further relevant details.
A.9.1. Purposes of processing – legal basis
Our Security department collects data for:
B.1. Personal Data Collected via your registration to our Newsletter
When you register for receiving our newsletter, we collect and store your email address and if you wish you can submit your name, surname and country.
B.1.1. Purposes of processing – legal basis
We use data you provide us when you register to our Newsletter for:
B.2. Online Technologies
C.1. Job Applicants
If you wish to apply for a job vacancy, we will collect and further process only the personal information which is necessary for the assessment of your suitability to the job position (e.g. name, surname, contact details, education, working experience etc.). We collect these data when you submit an application by any means (e.g. by sending an email to the Company’s email address, using recruitment platforms, accessing through the Company’s website), as well as through the documents you enclose with your application (e.g. CV, certifications, certificates etc.). Moreover, during the assessment of your application, we may use further questionnaires or personality tests which reveal information about you, in order to further evaluate your suitability for a particular job position, ensuring having obtained your prior consent. When you include into your application the contact details of your previous employers, we may contact them, so as to provide us with information about your position, collaboration with them and their evaluation for you.
C.1.1. Purposes of processing – legal basis
We collect your data in order to:
We collect and process personal information related to the employment relationship, as defined in the relevant agreement. Indicatively, such data may include the name, surname, forenames, date of birth, place of birth, gender, nationality, home address, e-mail address, contact telephone numbers, ID number, Tax Identification Number, Social Security Number and other insurance registry numbers, health booklet, criminal record (if required by the relevant position), work permit, bank account number (IBAN), CV, education diploma, health, marital status and data of depending members of the family, data on your education and training, on your working experience, as applicable for the exercise of our statutory obligations. We always provide you with a relevant privacy notice as an Annex to our Agreement, respecting your privacy and your respective rights.
C.2.1. Purposes of processing – legal basis
We collect your data in order to:
Special Categories of Personal Data – Sensitive Personal Data
When referring to the notions of “special categories of personal data” or “sensitive personal data”, they reflect the kind of personal information that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic data, biometric data which allows to uniquely identify a natural person, health data and/or data regarding sexual orientation. We may collect such data only if you voluntarily provide us, or when we ask you to do so and you provide us your explicit consent.
We do not seek or obtain personal data directly from minors (i.e. under the age of 18), instead we endeavor to collect such data from their legal guardian and when necessary we obtain relevant consent. However, as it is impossible to always determine the age of persons who access and use our websites, we encourage parents or guardians to contact us if they notice any case of unauthorized data provision by minors in order to exercise accordingly their rights such as deletion of their data.
Transfer of Personal Data
The personal information you provide us is being kept secured and safeguarded. We may share your information within our group for the above described purposes.
Furthermore, we may disclose your personal data to third parties (legal entities or individuals) which process your personal data under our written order and clarifications (Data Processors). We always guarantee that these third parties imply the same measures for the protection of your personal data and act only under our written orders with respect to your personal data.
More specifically, in the context of pursuance of the processing purposes, personal data may be transferred to:
– Third companies which provide us relevant services (e.g. hosting services, finance, legal or technical support, payroll, etc). In any case, all these companies are contractually bound with us in order to ensure the observance of confidentiality, as well as commitment to the data protection legislation.
– Companies in our Group, to the extent that this transfer is necessary for the pursuance of our purposes.
– Public authorities (Police, prosecuting authorities, tax authorities etc.) in the context of issuance of fines, or upon relevant request.
When the transfer of data concerns a country outside the European Union (EU) or the European Economic Area (EEA), we always check whether:
In any other case, the transfer to a third country is not allowed and we may not transfer personal data unless any of the specific derogations provided for in the Regulation apply (e.g. explicit consent of the data subject, upon informing him/her on the risks of the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support the legal claims and the vital interests of the subject etc.).
Third-Party Websites’ Disclaimer
We may provide hyperlinks to third-party websites as a convenience to our users; VASIA does not control third-party websites and is not responsible for the content of any linked-to third-party websites or any hyperlink in a linked-to website. We are not responsible for the privacy practices or the content of third-party websites.
At VASIA, we endeavor to protect and respect your rights, as set forth by General Data Protection Regulation, including more specifically:
(i) your right to be informed on the processing of your personal information (i.e. right of access) and to request and obtain further information on the processing applied;
(ii) your right to request for correction of their inaccurate personal data;
(iii) your right to request for deletion of personal information provided, unless prohibited by legitimate reasons;
(iv) your right to request for limitation of processing;
(v) your right to request for portability of your personal information; and
(vi) your right to objection/opposition to further processing thereof.
In these cases, VASIA will respond in writing within 30 days upon receipt and identification of the request.
In addition, in the event of exercising one or more of the above-mentioned rights of correction, deletion and restriction of your data, these requests shall also be forwarded to any third-party recipient to whom the personal information may have been disclosed in the scope of pursuance of the aforementioned processing purposes.
Data Protection Officer
VASIA HOTELS & RESORTS,
72 400 Sissi, Crete, Greece
tel: +30 28410 71001
In case you consider that we have not properly responded to your request, you can always contact the relevant Greek Data Protection Authority (www.dpa.gr).
Although, no method of transmission over the Internet or method of electronic storage is 100 percent secure, at VASIA we have taken all commercially reasonable measures and precautions in order to maintain your data accuracy and to ensure the appropriate use of information we collect about you, as well as to secure and protect your personal information from unauthorized access, while you enjoy products and services we provide you during your physical presence in our premises or your digital visits in our online environment, respectively.
Retention Period of Personal Data
Your personal data is retained for a predetermined and limited period depending on the purpose of processing, after the end of which, these personal data is being deleted from our files unless another retention period is required or permitted by applicable law.
LAST UPDATE: 5.1.2022