PRIVACY STATEMENT & PERSONAL DATA PROTECTION
IN ACCORDANCE WITH REGULATION (EU) 2016/679
I. GENERAL INFORMATION
1.1 In the context of its activities, our business maintains and processes Personal Data that we collect from you or about you when you visit our premises or communicate with us in writing or orally or through our website or from other sources for the purpose of supporting, promoting, and executing our contractual relationship, protecting transactions, and informing you about the services provided.
1.2 At our Company, we understand the importance of protecting the privacy of our customers and make every effort to store and process the information you share with us carefully and in accordance with applicable legislation. For this reason, we have drafted this Privacy and Protection Statement to inform you, in accordance with Regulation (EU) 2016/679 and the provisions of the relevant applicable Greek legislation on the protection of personal data, about the way your personal data is collected, used, and disclosed.
1.3 For the purposes of the Privacy and Protection Statement, personal data means any information concerning you by which your identity is or can be identified. This information includes, for example, your full name, address, passport number, etc.
1.4 This Statement:
(a) provides an overview of the categories of personal data that our company collects, the purposes of their processing, their retention period, their sources, and their recipients,
(b) offers a summary of the practices by which we collect, use, disclose, transfer, and store your personal data,
(c) confirms the data security technical measures, internal management procedures, and physical measures we take to protect them,
(d) informs you about the type and manner of exercising your rights,
(e) is addressed to natural persons who are either existing or potential customers and partners.
1.5 This Privacy and Protection Statement applies:
(a) to the rental residences “SUN AND SEA” managed by our Company,
(b) to the website www.sunandseacreta.gr,
(c) to any Web location or Online application,
(d) to any Online and Offline promotional activity of our business, as well as
(e) to any Service or function provided by us and referred to in the Statement.
1.6 Before disclosing to us any personal data concerning you, we recommend that you take the necessary time and carefully read this document, which describes the privacy and personal data protection policy, in order to learn more about how we collect, store, use, transmit, and protect the information/personal data we receive.
III. SOURCES OF PERSONAL DATA
In the course of our business activity, we collect and process different types of personal data, which we receive from our customers in person or through written, telephone, or electronic communication. We may also collect personal data which we lawfully obtain from other natural or legal persons, such as travel agencies, tour operators, travel offices, online booking systems (e.g., www.booking.com), and other reservation systems, as well as from publicly and commercially available sources (as permitted by law), which have the lawful right to share such data with us, as well as from third-party social networking services when you choose to connect to these services.
IV. CATEGORIES OF PERSONAL DATA
4.1 We collect and process various categories of personal data. These categories are as follows:
i) Identity data: full name, date of birth, passport or identity card number, communication language.
ii) Contact data: postal and email address, landline and mobile phone, etc.
iii) Billing data: credit/debit card number and type, and VAT number.
iv) Data concerning your children (under 16 years old): full name, date of birth, passport number.
v) Device and internet browsing data: number, date, and duration of calls from company phones, device identifier data, MAC address, Internet Protocol (IP) address, operating system version, time and duration of WIFI usage.
vi) Location data: such as the GPS signal of your device or information about WiFi access points that may be transmitted to us when you use Services (e.g., WiFi).
vii) Image data: image information, photos and video from closed-circuit surveillance cameras.
viii) Accommodation data: type of residence, day and time of arrival and departure, booking conditions, flight details, special preferences and interests, inquiries, requests, complaints, and comments made during or after your stay at our accommodation.
ix) Special categories of data collected under legal conditions directly from you: data revealing your racial/ethnic origin (nationality) and health data (e.g., mobility issues, etc.).
4.2 The processing of your data for the purposes mentioned below is fully governed by the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability, as defined in Article 5 of the General Regulation (EU) 2016/679.
V. METHOD OF COLLECTING PERSONAL DATA
We collect personal data in various cases such as:
i) During the performance of our activities and the provision of our services – short-term lease agreement (residence booking, check-in/out, payment, submission of requests, complaints).
ii) When you participate in marketing programs or events (subscribing to mailing lists in order to receive offers and other promotional material via email).
iii) Upon transmission of information from third parties (online booking systems, etc.).
iv) Through the operation of electronic devices (actions via electronic devices such as connection to our website, connection to the accommodation’s WiFi network) as well as through the operation of the video surveillance system.
VI. PURPOSES OF PROCESSING – LEGAL BASIS FOR PROCESSING
6.1 The Regulation allows us to process personal data, provided that the processing is lawful, i.e., meets one of the conditions of Article 6 of the General Regulation (EU) 2016/679. When we process your personal data, we rely on one of the following legal bases:
i) Performance of the short-term lease agreement between us
Processing in this case is carried out for the achievement of the following purposes:
- To identify you and communicate with you prior to your arrival at our accommodation, during your stay, and afterwards, for transaction security purposes.
- To manage your residence booking and stay (check-in/out, payment, etc.).
- To appropriately prepare for and promptly fulfill your special requests related to your stay.
- To monitor the use of the services provided (e.g., WiFi access, etc.).
- To manage various requests/complaints/issues.
ii) Compliance of the Company with its legal obligations
These are obligations imposed by the applicable legal, regulatory, and supervisory framework at the national and European level, as well as decisions of any Authorities (public, supervisory, etc.) or Courts.
Processing in this case serves the following purposes:
- Issuing and maintaining legal and tax documents in accordance with applicable law.
- Drafting, issuing, and keeping legal documents, in accordance with applicable law.
iii) Serving the legitimate interests of the Company or third parties
Such processing is always performed following a balancing of the Company’s interests with your fundamental rights and freedoms that require protection of your data.
Processing in this case is carried out for the achievement of the following purposes:
- Defending the Company’s legal rights and interests in case of legal disputes.
- Improving our services in order to meet your needs as much as possible and ensure your full satisfaction with your stay at our accommodation.
- Conducting market research and analyzing customer questionnaires and feedback.
- Evaluating our accommodation and generating statistical data based on it.
- Managing customer complaints.
- Protecting the facilities and equipment of the accommodation from malicious or illegal actions and preventing fraud.
- Informing customers and satisfying their requests after their departure.
iv) Your consent
Upon your arrival at our accommodation, you may be asked to give your explicit consent for the processing of specific data for a specific purpose. Specifically:
i) Identity and contact data for the purpose of sending updates in the form of email/SMS/newsletters/letters, to inform you about programs/offers/discounts and other promotional actions of the Company.
ii) Image data for the promotional display of the business, particularly through posting your photos on social media or on the website www.sunandseacreta.gr.
iii) In the event that the data we process concerns individuals (children) under sixteen years of age, consent or approval of processing must be provided by the person exercising parental responsibility over the minor. The Company bears no responsibility if the declaration by the person claiming to have parental responsibility is false or inaccurate.
We make it clear that you always retain the right to withdraw your consent for the above processing purposes at any time, without affecting the lawfulness of the processing based on your consent prior to its withdrawal. You are not required to justify your decision, and you will not suffer any negative consequences or penalties from this (except for the discontinuation of benefits that may have resulted from your consent, e.g., cessation of our promotional mailings). For this purpose, you may send a related request to the email address: info@sunandseacreta.gr.
VII. RETENTION AND STORAGE PERIOD OF DATA
7.1 The Company will retain (in printed and/or electronic form) and process your data for as long as required to fulfill the purpose for which it was collected or according to applicable legislation or until the statute of limitations of any related claims has expired.
7.2 To determine the appropriate retention period for personal data, we consider the quantity, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, whether we can achieve those purposes through other means, the statute of limitations of any legally actionable claims, and our applicable legal or contractual obligations.
VIII. DISCLOSURE OF PERSONAL DATA / DATA RECIPIENTS
In fulfilling the Company’s contractual and legal/regulatory obligations, serving its legitimate interests, or when your consent has been obtained, recipients of your data may include the following:
i) Affiliates – Partner Companies
Your information may be shared with affiliates of our business. We may also share your personal data with our business partners. These parties may use your information to provide services you have requested or, with your consent, to send you promotional and advertising material.
ii) Authorized Employees of the Company
To provide you with the best possible service, access to your personal data or specific categories thereof is granted to our authorized personnel. These employees are responsible for evaluating your requests, managing and executing the short-term lease agreement between us, fulfilling legal obligations derived from said contract, or as required by law, public authorities, or courts.
iii) Service providers or individuals/entities contracted by our Company (data processors)
These may include, without limitation: lawyers, law firms, notaries and bailiffs, accountants, providers of IT products/services and support for any type of IT and electronic systems and networks, including online systems and platforms, IT companies, storage, archiving, file and data management and destruction companies, call center services, and postal service providers.
These legal or natural persons will process your personal data solely for the purpose of providing services to our Company and not for their own benefit, acting as data processors and contractually bound to confidentiality and personal data protection, as well as to implement necessary organizational and technical security measures.
iv) Public Authorities
We may disclose your personal data to public authorities under specific legal provisions to comply with legislation or respond to mandatory legal processes (such as a search warrant or other judicial order or decision). These authorities may include, but are not limited to, Courts, judicial authorities, law enforcement, or regulatory and governmental bodies.
v) Other third parties
Disclosure may take place when required by law or when necessary to protect our services, to confirm or enforce compliance with our service policies, or to protect the rights, property, or safety of our business, affiliates, business partners, or clients. Personal data may also be disclosed when necessary for audits regarding data protection and security and/or for investigating or responding to a complaint or security threat.
vi) Other third parties in relation to corporate transactions
We may share your information with third parties in the context of a merger or transfer or in the event of bankruptcy or if we cease to manage or operate our business.
VIII. DATA TRANSFERS
Our servers, on which your data is stored and protected, are located within the European Economic Area (EEA). However, our external partners and/or service providers may be located in or use servers in other countries. Whenever we transfer your personal data outside the EEA, we make every effort to ensure a similar level of protection by applying a specific policy. In particular:
i) If necessary, we only transfer personal data to countries recognized by the European Commission as providing an adequate level of personal data protection.
ii) Where we use specific service providers, we reserve the right to use special contracts approved by the European Union that ensure the same data protection level as in Europe.
iii) When using providers based in the United States, we reserve the right to transfer data to them if they participate in the Privacy Shield, which requires them to provide similar protection for personal data shared between Europe and the USA.
Please contact us at info@sunandseacreta.gr for any clarification about the specific mechanism we use for transferring your personal data outside the European Economic Area.
IX. YOUR RIGHTS
9.1 Under the General Regulation (EU) 2016/679, you have the following rights:
i) Right to information and access (Article 15): to know the categories of your personal data we maintain and process, their origin, the purposes of processing, the categories of their recipients, their retention period, your relevant rights, the right to lodge a complaint with the supervisory authority, the existence of automated decision-making including profiling, and to receive a copy of your data.
ii) Right to rectification (Article 16): to request the correction of any inaccuracies or omissions in your data and/or their completion, so that they are complete and accurate.
iii) Right to restriction of processing (Article 18): to request, under certain conditions, the restriction of the processing of your data.
iv) Right to object (Article 21): to object at any time, under certain conditions, to any further processing of your personal data.
v) Right to erasure (“right to be forgotten” – Article 17): to request, under certain conditions, the deletion of your personal data from our records.
vi) Right to data portability (Article 20): to request, under certain conditions, that the Company provides your data in a structured, commonly used, and machine-readable format, when technically feasible, to transmit it to another data controller.
vii) Right to withdraw your consent (Article 7, paragraph 3): where the processing is based on your consent.
9.2 Please note the following regarding the above rights:
- Your rights under iii), iv), and v) may not be fully or partially satisfied if they concern data necessary for the protection of the Company’s legitimate interests or for fulfilling its obligations under the law or decisions by public authorities or courts.
- The Company reserves the right to deny your request to restrict or erase data if processing or retention is necessary for the establishment, exercise, or defense of its legal claims or the fulfillment of its obligations.
- The exercise of these rights applies prospectively and does not affect data processing already completed.
X. HOW TO EXERCISE YOUR RIGHTS / FILE A COMPLAINT
10.1 To exercise your rights, you may send a registered letter to the following contact address of our Company:
Pitsidia, Municipality of Faistos, Heraklion, Crete, location “XYPOTARIES” – Greece, ZIP 70200,
or contact the Company’s representative via email at: info@sunandseacreta.gr.
10.2 You also always have the right to contact the Hellenic Data Protection Authority, which accepts the submission of related complaints. For more information, visit www.dpa.gr.
10.3 The Company will make every effort to respond to your request within thirty (30) days of submission. This deadline may be extended by an additional sixty (60) days, if necessary, depending on the complexity and number of requests. The Company will inform you of any extension within thirty (30) days.
10.4 This service is provided free of charge by the Company. However, if you request a response by post, you may be charged for postage. The Company will inform you of the exact cost before sending it.
10.5 The Company may refuse to respond to a request that is clearly unfounded, excessive, or repetitive.
10.6 For the proper, effective, and secure processing of your request, the requester’s identity must be verified. For this reason, the Company may request additional information to identify you, as well as supporting documents.
10.7 To facilitate the exercise of your rights under Articles 15–22 of Regulation (EU) 2016/679, sample request forms per right are provided below. You may complete the relevant form and send it to us either by registered mail at the address above or electronically to info@sunandseacreta.gr, along with the accompanying documents. Please complete all the information indicated in each request so that your request may be successfully processed by our Company.
XI. SECURITY MEASURES
11.1 The security of your personal data is a high priority for us. Therefore, we protect your data stored with us through technical and organizational measures to effectively prevent loss or misuse by third parties.
11.2 If Personal Data has not been provided by you directly but in another way (e.g., by a travel agent), we inform you that the Company adheres to a strict Personal Data Protection Policy for the processing of your personal data, which has been communicated to its staff and partners and whose application is regularly reviewed.
11.3 As a rule, we collect only the information necessary for the intended purpose. We then assess whether the purpose of processing is lawful and whether the method of data collection is consistent with the principles of data processing (Article 5 of the Regulation). Specifically, if the processing of personal data is necessary for the purposes of the legitimate interests of our Company or a third party, we perform a balancing of interests in accordance with the provisions of the Regulation.
11.4 The Company makes every effort to ensure your data is secure. It implements appropriate organizational and technical measures to safeguard your data, ensure the confidentiality of its processing, and protect it from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, or access and any other form of unlawful processing. Our IT Department follows international standards and practices to ensure network security and data encryption. To ensure the long-term protection of your data, security measures are regularly monitored and, if necessary, adapted to the prevailing technology standards.
11.5 The Company, recognizing the importance of the security of your personal data and fully respecting your fundamental rights and freedoms, makes every possible effort to comply with the provisions of Regulation (EU) 2016/679 and the relevant Greek legislation.
11.6 In any case, it should be acknowledged that despite all reasonable measures taken to protect your personal data, no information system or network, and no Internet transmission, is absolutely secure. Despite the efforts made by our Company, security cannot be completely guaranteed against all threats.
11.7 In the event of a personal data loss or breach, we have a specialized team that follows a clearly defined incident response procedure, in order to remedy the breach as quickly as possible, limit possible consequences, and comply with our legal obligations.
11.8 Additionally, we restrict access to your personal data to those employees, agents, contractors, and other third parties who need to know them to perform their professional duties. They will process your personal data solely according to our instructions and are bound by relevant confidentiality terms.
XII. CHANGES TO THIS STATEMENT
12.1 This Privacy and Personal Data Protection Statement may be modified periodically to reflect our current privacy practices. For this reason, we ask you to review it periodically and especially before making a booking, to ensure you are aware of any changes.
12.2 The most recent version of the Statement will always be available at www.sunandseacreta.gr. When changes are made, we will note the date of modification or revision at the beginning of this Statement.
12.3 You may check the “effective date” at the beginning of the text to confirm when the Privacy Statement was last updated.
You may contact us to request earlier versions. This Statement replaces all previous notices we may have provided regarding our information practices. We reserve the right to change this statement and to apply any changes to previously collected information, in accordance with legal requirements. If there are material changes to this statement or to our information practices in the future, we will notify you by posting the changes on our website.
XIII. CONTACT
For any questions regarding this Privacy Policy or in general about the protection and security of data at our Company and its affiliated companies, please contact the Company’s representative using the following contact information:
To the attention of Ms. Christina Zacharioudaki
Pitsidia, Municipality of Faistos, Heraklion, Crete, location “XYPOTARIES” – Greece
Phone: +30 6949377371
Email: contact@sunandseacreta.gr