Table of Contents
- Introduction. 1
- Definitions. 1
- What kind of data we collect and process and why. 2
- Processing of special categories of personal data. 3
- Personal data about children. 4
- Who are the recipients of your data. 4
- How long we retain your data for 5
- Your rights, according to GDPR. 5
- The way to exercise your rights and file a complaint. 6
- Security of your data. 7
- Social Media. 7
- Yes!Hotels’ Statements. 8
- Useful contact details. 8
Data Subject means an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly. Here, means the user or visitor of this website.
Personal data means any information that may identify, directly or indirectly, a living natural person, such as their name, their address, their contact details (phone number, mobile phone number), their email address etc.
Processing is considered to be any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, searching for information, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data of which the Company has or will become aware, either directly from you through the page or under the transaction relationship with the Company.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Data Protection Officer (DPO) designated by the Company, who has the position and duties defined by the current legal framework for personal data protection.
As a Data Controller we collect and process the above personal data under certain legal bases and specific purposes:
|Login to our website||IP address, date and time of access (timezone. Timestamp), access provider, browser version, operating system version, device id||Providing personalized services to you, proper connection creation, security and system stability||a. legitimate interest
in the context of making our website available to the general public and providing services to it
|Contact by email||name, last name, e-mail, phone number, content of the message||Communication, management / settlement of your claim, your query or your complaint||a. the transactional relationship between us
b. legitimate interest, in the context of your service
|Communication via telephone calls||telephone number, name, surname, content of the communication||Communication, management / settlement or resolve of the claim, your query or your complaint||a. the transactional relationship between us
b. legitimate interest, in the context of your service
|Booking Enquiry via the website||Name, e-mail, telephone
Arrival and departure dates (check- in, check- out), additional comments
|Registration of customer data, booking||a. the contractual relationship between us (and hotel contract)
b. the transactional relationship between us
c. legal obligation
We must inform you that all personal data provided by you for the above purposes is necessary for us in order to achieve any settlement, management or resolution of your request, question or complaint and of course your best service when booking or searching for the availability of our rooms. Therefore, the non-provision of your data could make the communication between us through the website inefficient and / or impossible.
Our Company does not process sensitive personal data (special categories of personal data) through this website, such as data related to your racial or ethnic origin, your religious or philosophical beliefs, health data or data related to your sex life or your sexual orientation, as the above data is not necessary for us.
In case such kind of personal data is provided by you, for the purpose of submitting a request or comment or in the context of our communication, their processing is carried out based on your explicit consent to the processing or if it is considered that there is a reason to defend our legal claims.
Our Company does not process personal data of persons who have not completed the 18th year of their age (minors). We reserve the right, in case we find that a minor has provided data to us, without the consent of his legal representative, to delete such data. If you notice that a minor has provided his/her data to us without the consent of his/her legal representative, please contact us.
When the processing of personal data is based on consent in accordance with art. 6 par. 1 a GDPR, in relation to information society services directly to a child, the consent provided by the minor and therefore the processing is legal, if the minor is at least 15 years old. In case the minor is under the age of 15, processing is legal only if the consent is given or approved by the legal representative of the minor (art. 8 GDPR in combination with art. 21 No 4624/2019).
Access to your personal data is available to:
- the trained and authorized personnel of our Company to cover the needs of your service, bound by absolute confidentiality and non-disclosure
- our Company’s partners in which the Company entrusts the execution of specific tasks on its behalf as for example the support of the present website and with which it has ensured the accordant to the Regulation (GDPR) processing, for the protection of your data, through signed contracts and legal binding of upholding sufficient measures, under the accordant provisions of the GDPR (articles 28, 32)
- Public authorities, courts, law enforcement agencies, regulatory bodies, including any data privacy, security or similar audits, in compliance with applicable laws
At this point we should inform you that we do not transfer your personal data to third countries (outside the EU or EEA) or international organizations, which do not ensure an adequate level of protection. Any transfer of your data follows and complies with the relevant provisions of the applicable legal framework, in particular Articles 44 et seq. of the GDPR. In any case, you will be informed accordingly.
We take every reasonable step to ensure that your Personal Data are only retained for as long as they are needed in connection with a lawful purpose.
We retain your personal data in accordance with the requirements of the legislation, in particular for as long as provided for on a case-by-case basis, for as long as the nature and purpose of the processing so require, as long as defined by the applicable legal and regulatory framework and in each case the entire duration of the transaction between us and our individual contractual commitments, depending on its nature, taking also into account the legal obligations of our Company and any legal claims that may arise from it, in order to justify the retention time of the personal data.
In case you have given your consent in view of specific processing and there is no other legal basis for it, you have the right to withdraw it, with a simple statement of withdrawal, which will be addressed to the Company (Yes!Hotels), by completing a form of exercising your rights or through other means, without offending the legitimacy of the processing that was based on your consent until it was withdrawn.
In any case, we apply, as a maximum period, the twenty (20) years of retention (General Statute of Limitation on claims), with the chance of extending that period in case any form of arrogation or pending legal dispute or indication of control from a public authority arises. After the above period of time passes, the data which are no longer necessary will be erased in a safe and non-recoverable way.
In the above cases, your data will be immediately erased unless there is a lawful and valid ground for further retention. In any case, you will be informed respectively.
In any case, you have control over the processing of your personal data. Specifically, according to the provisions of the General Data Protection Regulation for the Data Protection of natural persons (EU 679/2016), as a subject of personal data processing you preserve the following rights:
- The right to be informed, announced and briefed about exercising your rights (Art. 12, 13, 14 GDPR), meaning your right to be informed on how your personal data are used (as it is thoroughly done in the present Briefing).
- The right to access the personal data that concern you and if the Company processes them, as a Data Controller (Art. 15 GDPR). The Company will provide a copy of the personal data after a relevant request is made from you.
- The right to rectify inaccurate data as well as to add data when they are incomplete (article 16 GDPR).
- The right to erase your personal data (“The right to be forgotten”), subject to the obligations and legal rights of the Company over their preservation according to the current legislative and regulatory provisions (Art. 17 GDPR).
- The right to restrict the processing of your personal data if, either their accuracy is doubted, or the processing is illegal, or they lack the purpose of processing but their erasure is not applicable (Art. 18 GDPR).
- The right to transfer your personal data to another Data Controller (data portability), if the processing is based on you consent and is conducted with automated means or to execute the contract between us (Art. 20 GDPR).
- The right to object for reasons that concern your special condition in case your data are being processed for purposes of the Company’s legitimate interest (Art. 21 GDPR) and especially to object to the automated decision-making (Art. 22 GDPR).
- The right to withdraw the already given consent (article 7 GDPR) at any time, for processing conducted based on the consent. The legitimacy of the processing of your data is not influenced by the withdrawal of your consent up to the point you requested the withdrawal.
- The right to lodge a complaint with the competent supervisory authority, that is to say the Hellenic Data Protection Authority (1 – 3 Kifisias Avenue, 115 23, Athens, +30 2106475600, email@example.com).
You are entitled to exercise your rights sending an email to the electronic address firstname.lastname@example.org or by letter to our address [Headquarters: Frangoklissias str. 9, Marousi 15125, or to each of our hotels] completing the appropriate rights request form that we provide you with (Data Subject Rights Request Form).
Your relevant requests must be accompanied by the appropriate identification documents of yourself, with the stated reservation of the Company to be able to ask for provision of additional information in order to identify and verify your personal information.
The above requests will be examined upon completing and sending the relevant rights request form, as it has been posted on our page and under the explicit instructions written in it.
Donkey Hotels, as Data Controller, will make every effort to proceed to the necessary actions within a month from the day of the request/exercise of the case-by-case right on your behalf, with the exception of the case in which the tasks concerning the fulfillment of your request are characterized by particularities and/or complications based on which the Company retains the right to extend the period of time taken to complete the actions.
In any case the Company will inform you about the course of your request within a month of its filing.
We abide by the Applicable Legislation and our privacy policies, and we apply reasonable and appropriate technical and organizational security measures to protect your personal data against accidental destruction, loss, unauthorized alteration, disclosure or access, misuse, and any other unlawful form of processing, covering any technology infrastructure point. We always secure that solely authorized users have access to your personal data, abiding by confidentiality clauses, on a need-to-know basis and to the extent necessary to fulfil the respective purposes.
Because the internet is an open-source system, the transmission of information via the internet is not completely secure. Although our Company will implement all reasonable measures to protect your Personal Data, we cannot guarantee the security of your data transmitted to us using the internet – any such transmission is at your own risk, and you are responsible for ensuring that any Personal Data that you send to us are sent securely.
We deliver every possible effort to have sufficient technical and organizational measures for the preservation of our technical and physical security in accordance with the requirements of article 32 and the principles (article 5) of the GDPR. (e.g., security policies for IT infrastructure, access matrix and application encryption etc.).
Our Company is on social media:
- Facebook: https://www.facebook.com/YesHotels
- Twitter: https://twitter.com/YesHotelsGroup
- Instagram: https://www.instagram.com/yeshotelsgroup/
- LinkedIn: https://www.linkedin.com/company/yes-hotels-group/
Regarding to certain processing, our Company and the Controllers of the social media platforms (the above social media), act as joint Controllers (article 26 GDPR).
As for the processing of the Social Media Data Controllers, we can only have a limited influence. We only act in accordance with the applicable legislation on the protection of personal data.
The social media platform Controller manages the overall information infrastructure of each service, maintains his own technical and organizational data protection measures and maintains his own relationship with you as a user and, therefore, as a Data Subject (under provided you are a registered member of the relevant social media service).
For more information regarding the processing of your data by the providers of social media platforms and in general about your rights, please refer to the respective Privacy or Security Policies of each provider.
Any data you provide to us when you visit our page on social media, such as comments, videos, images, “likes”, public messages, etc., are published on the platform of the social media of your choice and are not used or processed by us for purposes other than your information regarding our promotional activities, such as e.g. discounts, special offers, contests that we may organize, but also in the context of your service, when you wish to get in touch with us in this way. The processing of your personal data is carried out based on art. 6 par. 1 f GDPR, in the context of the provision of our services to you.
- DONKEY! HOTELS is not responsible for any damage (direct, indirect, positive, deponent) that may be caused to the visitor on account of the website or its use. The visitor is solely responsible for the protection of their system against viruses.
- DONKEY! HOTELS does not make decisions or proceed to profiling based on an automated processing of your data.
- The present policy is likely to be amended / updated at any time. You will be informed about all the significant changes, while, every single time, the updated version will be posted on the page.
- DONKEY! HOTELS declares that will not process the user’s/visitor’s personal data for any purpose not mentioned herein, without prior notice and, where required, his consent.
- DONKEY! HOTELS declares that does not process personal data from visitors / users of this website under the age of sixteen (16) years.
|1. Data Controller|
Address: Frangoklissias str. 9, Marousi, ZIP: 15125. , Athens, Greece
Phone: (+30) 210 3273200
|Data Protection Authority|
|Address: 1 – 3 Kifisias Avenue, PC 115 23, Athens
Phone: +30 2106475600
Fax: +30 2106475628
|2. Data Protection Officer|
Last updated: March 2023