NOTIFICATION TO COUNTERPARTIES REGARDING THE PROCESSING OF THEIR PERSONAL DATA
Introduction & General Terms
The company under the name “KOS HOTEL S.A.”, having its registered seat in the municipality of Kos (address Charmilou, no. 2, Postal Code 85300) (the “Company”) collects, stores and processes in general Personal Data (as defined below) in accordance with the General Data Protection Regulation (ΕΕ) 2016/679 (the “GDPR”) and the local data protection legislation (jointly “Data Protection Legislation”).
This Notification of the Company to its counterparties according to the Articles 13 and 14 of the GDPR (the “Notification”) describes the way by which the Company collects, uses and processes in general Personal Data relating to its counterparties (if they are natural persons) or their legal representatives, the directors, the beneficial owners or/ and the contact persons of their counterparties, in case the counterparties are legal entities (“You”).
Types of Personal Data collected - Sources
For the purposes of this Notification, Personal Data means any information which relates to an identified or an identifiable person, or which may be used for the identification of a person (“Personal Data”).
The types of Personal Data that the Company may process include, as the case may be, inter alia:
Name, surname, father’s name, mother’s name, email address, products or services provided, as the case may be;
Where the counterparty is a natural person: VAT number and Tax Authority, number of ID document, date of issue and issuing authority;
Where the counterparty is a legal entity: working position within the counterparty/ capacity.
Your Personal Data are in principle collected from you or from the Company’s counterparty which transferred to the Company your data in the context of their agreement or for the purpose of concluding an agreement. Moreover, we may obtain your Personal Data from other sources such as publicly available sources, creditworthiness assessment companies, etc.
Personal Data of Third Parties
In case you provide the Company with Personal Data of third parties (e.g. legal representatives, employees), you must notify these persons about the processing of their Personal Data by the Company and their respective rights (for example by disclosing this Notification).
Moreover, if required by law, you must obtain the consent of these persons relating to the transfer of their data to the Company and the relevant processing of their data by the Company. If you provide Personal Data of third parties, the Company considers that the relevant consent of these third parties has been obtained, upon their having received the respective notification.
Why does the Company collect, use, disclose and store Personal Data?
The Company collects, uses, discloses and stores Personal Data for the following purposes: (1) choice of counterparty, (2) conclusion of an agreement with the counterparty (3) service of the agreement with the counterparty, including the management of the relevant payment fees under this agreement, (4) assessment of the cooperation with the counterparty, (5) to safeguard its rights under the applicable law, (6) to fulfil its obligations required by law, (7) to safeguard the compliance with the internal policies/ proceeding of the Company, (8) research (market investigation, satisfaction survey etc.) and (9) direct marketing purposes.
Legal Basis of the processing of your Personal Data
The legal basis for the collection, usage and processing in general of your Personal Data is defined in Article 6, para. 1 b), c) and f) of the GDPR. This means that we are processing your data: (i) in order to execute the agreement with the Company that you have entered into or to take measures for its conclusion, (ii) for the Company to comply with its legal obligations, (iii) for the legitimate interests of the Company or any third party, unless your rights and freedoms prevail over these interests (e.g. to safeguard the Company’s legitimate interests, prevention of fraud, internal investigation). As long as the legal basis of the processing of your personal data is your consent, the latter will be obtained, where applicable, separately.
Recipients of your Personal Data
The Company may from time to time disclose your Personal Data to third parties for any of the aforementioned purposes. Examples of third parties to whom the Company may transfer your Personal Data include, inter alia:
Third parties which provide us services (e.g. IT companies etc.)
Entities which are within the same group of companies with the Company.
Consultants or auditors.
Any court or judicial authority of the relevant jurisdiction, mediator, arbitrator, taxation authority or regulatory or public authority.
Public or national authorities, where required by law.
Otherwise, if you have given your consent for that disclosure.
Overseas transfers of Personal Data
Due to the nature of our work, we may disclose your Personal Data to third parties established outside the European Economic Area (EEA). In these cases, except where the relevant country has been determined by the European Commission to provide an adequate level of protection (currently Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay), we require such recipients to comply with appropriate measures designed to protect the Personal Data.
Retention period of your Personal Data
We will retain your Personal Data for as long as we consider to be necessary in order to fulfil the purpose for which they were collected or to comply with legal, regulatory, accounting, auditory requirements or requirements provided in our internal policies/ proceedings. In order to define the adequate retention period of your Personal Data we take into consideration the applicable legislation, as well as the quantity, the nature and the sensitivity of the Personal Data, the prospective risk of damage caused due to an unauthorized use or disclosure of your Personal Data, the purposes for which we collected your Personal Data and whether we can fulfil the purposes through other means.
Your rights and obligations
(α) Your obligation to notify us for any change
It is important your Personal Data that we store are updated and accurate. Please notify us in case there is a change on your Personal Data that you have provided us with.
(β) Your rights in relation to your Personal Data
In certain circumstances, you have the right by law to:
Request access to your Personal Data.
Request the correction of your Personal Data that we store about you.
Request the erasure of your Personal Data.
Object to the processing of your Personal Data (e.g. you have the right to object in writing in case we process your Personal Data for direct marketing purposes by contacting us at the email address mentioned below).
Request the restriction of the processing of your Personal Data.
Receive your Personal Data in a structured format or request the transfer of your Personal Data to a third party (“data portability”).
Withdraw, in case we process your Personal Data based on your consent, your consent at any time. Notably, the withdrawal of your consent will not affect the legality of the processing which was based on your consent prior to its withdrawal.
Request, where applicable, not to be subject to decisions based on automated decision-making, including profiling.
If you want to exercise your rights in accordance with the above, or you have any query relating to this Notification, please contact us at [email protected].
Finally, you have the right to lodge a complaint with the competent Data Protection Authority (for Greece: www.dpa.gr).
Changes to this Notification
We reserve the right to update this Notification at any time, and we will notify you by updating this Notification on our website at: piazzadivino.gr. Any changes to this Notification are applicable by the time of its update on our website, unless otherwise provided.
NOTIFICATION RELATING TO THE PROCESSING OF PERSONAL DATA OF USERS OF THE SITE
The company under the name “KOS HOTEL S.A.”, having its registered seat in the municipality of Kos (address Charmilou, no. 2, Postal Code 85300) (the “Company”), acting as a Controller, notifies the person (“Data Subject”) that visits/ uses the website piazzadivino.gr (the “website”) about the following:
Use of the website by minors
The website is not meant for use by data subjects under the age of fifteen (15) years old. Any processing of personal data of data subjects under the age of fifteen (15) years old in the context of the website is carried out once the consent of the holder of the parental responsibility has been provided.
Purpose of processing of personal data and relevant legal basis
The Company or/ and third parties acting on the behalf of or at the discretion of the Company/ Processors (e.g. IT companies) may process personal data of the data subject:
a. for the completion of the Company’s communication with the data subject, upon relevant request of the data subject, through the form of communication. The relevant processing of the personal data of the data subject may be held on the legal basis of its consent, which consists of the positive action of completion of the form of communication; or
b. for the better function of its website and the amelioration of the navigation into it, by using cooking. Learn more in relation to the use of cookies in the website here or
c. for the protection of the Company’s interests on the legal basis of the relevant right of the Company which prevails over the interest or the fundamental rights or freedoms of the data subject or the foundation, exercise or support of the legal claims from the Company.
Finally, in respect of the processing of the personal data of prospective employees, in case of the sending of their CV through the website, learn more here.
These personal data are retained for as long as it’s required by the nature of the processing, in connection with the period determined by the relevant legislation.
Recipients of personal data
Recipients of the personal data is the Company itself as well as third parties/ processors on behalf of the Company, upon the relevant assignment of the processing to them by the Company (e.g. IT companies). The Company reserves the right to disclose information about the data subject, if the legislation introduces the respective obligation or the relevant right or if such disclosure is required by court’s decision, prosecutor’s order or recommendation or decision of other person or administrative body being competent by law to oblige for the disclosure of such information.
Non-transfer of personal data outside the EU
The processing of your personal data in the context of the website in held within the European Union.
Connection with third parties’ websites
Any connection of the present website with other third parties’ website through specific links, hypperlinks, banners etc., does not constitute the acceptance of any responsibility by the Company with regard to the context of this website, the quality and the completeness of any products or services which are presented there or the policy which is adopted there in relation to the processing of the personal data. The data subjects have to take care themselves for their information about the protection and the processing of their personal data by the above websites.
Data subjects’ rights
The data subject has the following rights:
(a) to receive a copy of the personal data maintained by the Company, including other information relating to the way of the processing;
(b) to request the correction of inaccurate personal data and, in some cases, to request the erasure or the restriction of its personal data;
(c) to object to the processing of its personal data;
(d) to request the erasure of its personal data;
(e) to request a copy or a copy of its personal data to be disclosed to another company (portability right) (to a machine- readable format), where the processing is necessary for the execution of an agreement;
(f) to withdraw its consent in relation to the processing of its personal data in the context of the website;
(g) to lodge a complaint with the competent data protection authority (www.dpa.gr) with regard to the processing of its personal data by the Company.
If the data subject wishes to obtain more information/ to be notified in relation to the processing of its personal data or to exercise any of the above rights, please send an email to the Data Protection Officer (DPO) exclusively and only at the email address: [email protected], or to send a letter to the aforementioned email address, being other means of communication explicitly excluded (e.g. by fax or phone communication).