Data Protection Notice
The company under the trade name "HOTELS AND TOURISM COMPANIES VARNIKOS S.A." and distinctive title "VARNIKOS SA", with registered seat in Athens, at Vasileos Georgiou A' str., 10564, (tel.: 210 3352400, email: welcome@njvathensplaza.gr) (hereinafter the "Company") hereby informs you, as the Data Controller, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR") and the relevant provisions of Hellenic Law no. 4624/2019 as applicable, on the processing of your personal data.
- Definitions
For the purposes of the present Data Protection Notice, the following terms shall have the meaning set out below:
- 'Personal Data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Notice, the Company acts in its capacity as a Data Controller;
- 'Applicable Law' means the relevant national and Union legislation on the protection of personal data and in particular Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR"), the relevant jurisprudence of the CJEU, the Hellenic Laws no. 4624/2019 and no. 3471/2006, as applicable and in force, as well as the Decisions, Guidelines and Opinions of the European Data Protection Board (hereinafter referred to as the "EDPB") and the Hellenic Data Protection Authority (hereinafter referred to as the "HDPA").
- Data Processing Cycle
B1. Personal data we process for communication purposes
| Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
| --- | --- | --- | --- | --- |
| Identification details | Interactive user communication | Article 6 para. 1 (g) GDPR - Our legitimate interest in the direct marketing of the Company's services | Until expiry of the relevant limitation period (Article 249 of the Hellenic Civil Code). | Processors: |
| Contact data (e.g. e-mail address, telephone number) | | | | |
| Data contained in contact forms | | | | |
| Contact details | Subscription to our Newsletter | Article 6 para. 1 (a) GDPR & Article 11 par. 1 of the Law 3471/2006 | Until the expiry of the limitation period following the withdrawal of your consent/ until you object to the processing of your data. | |
B2. Personal data we process in the context of guest registration at our Hotel
| Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
| --- | --- | --- | --- | --- |
| Identification and pricing details (full name, date of birth, nationality, ID number/ passport number, residential address, city, country) | Provision of hotel and tourism services, and compliance with relevant obligations under tax law | Article 6 para. 1 (b) GDPR - Performance of our contract | 5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code | Processors:<br>Financial institutions, to the extent necessary for the execution of transactions<br>Tax authorities, in accordance with applicable tax legislation<br>Lawyers, in so far as this is necessary for the exercise of the Company's rights and the protection of its legitimate interests |
| Contact Details (postal and e-mail address, telephone number) | | | | |
| Reservation details (arrival and departure dates, type of reservation, room number, any special preferences, etc.) | | | | |
| Payment details (credit cards, redemptions/ debts) | | Article 6 para. 1 (c) GDPR - Compliance with tax law | | |
| Health data (e.g. any allergies, disabilities) and preferences (e.g. any dietary preferences), if applicable. | | Article 9 para. 2 (a) - Specific consent | | |
B3. Personal data we process in the context of CCTV operation
| Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
| --- | --- | --- | --- | --- |
| Image and video data | Security | Article 6 para. 1 (f) GDPR - Our legitimate interest in the security of our property and employee safety | 3 days<br>1 month in the event of an incident<br>3 months in the event of an incident involving a third party | |
B4. Personal data we process in the context of evaluating candidate employees
| Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
| --- | --- | --- | --- | --- |
| Identification details (full name, father's name, gender, date and place of birth, ID number/ passport number) | Assessment of the candidate for recruitment purposes | Article 6 para. 1 (f) GDPR - Our legitimate interest in the recruitment of qualified personnel | 6 months or for a greater period subject to your consent | Processors: |
| Contact data (postal and e-mail address, telephone number) | | | | |
| Data contained in CVs | | | | |
B5. Vendor data (natural persons)
| Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
| --- | --- | --- | --- | --- |
| Identification details | Supply of goods and/or services to the Company | Article 6 para. 1 (b) GDPR - Performance of the contract | 5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code | 1. Data Processors:<br>2. Financial institutions, to the extent necessary for the execution of transactions<br>3. Tax authorities, in accordance with applicable tax legislation<br>4. Lawyers, in so far as this is necessary for the exercise of the Company's rights and the protection of its legitimate interests |
| Contact data (postal and e-mail address, telephone number) | | | | |
| Transaction data | Compliance with relevant obligations under tax law | Article 6 para. 1 (c) GDPR - Compliance with legal obligation | | |
*No automated decision-making, including profiling, is conducted.
We also collect certain data automatically, e.g. language settings, IP address, location, device settings, device operating system, activity details, time of use, redirect URL, status report, user information (information about browser version), operating system, browsing result (simple visitor or registered customer), browsing history. We may also collect data through cookies. For information on the use of cookies, click here.
- Transfer of data outside the EEA
In principle, the Company does not transfer your personal data to third countries and/or International Organizations. In the event of a transfer of your personal data to a country outside the European Economic Area (EEA) or an International Organization, the transfer will be carried out pursuant to Chapters II and V of the GDPR cumulatively.
- Exclusion of Liability for Third Party Websites-Social Media Widgets
On this Website there are links to third party websites and/or social media widgets (e.g. Facebook, Instagram), through which, after the user logs in to the third party's website or social network, a special digital fingerprint is created in respect of which both the Company and the third party itself act as joint controllers.
As regards our Company, the purpose of processing such data is to improve the functionality of the Website and the services provided, as well as for traffic analysis. The lawful basis for the processing of personal data is the pursuit of the legitimate interest of the user and in particular the interoperability with applications used by them (Article 6(1)(f) GDPR).
The Company does not have control over and is not responsible for any further processing carried out on such data by the Joint Controllers.
For more information about the data processing policy and the options for configuring these networks, please visit the following websites:
- https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0
- https://www.tiktok.com/legal/page/eea/privacy-policy/en
- https://tripadvisor.mediaroom.com/gr-privacy-policy
- https://x.com/en/privacy
- https://www.linkedin.com/legal/privacy-policy
- Data subject rights
Each data subject has the following rights:
| Portability | Rectification |
| Erasure | Restriction |
| Access | |
You have the right to object to the processing of your personal data as regards any processing carried out by IHR based on our legitimate interests.
If you wish to exercise any of your rights or acquire any information concerning the processing of your personal data, you can contact us via email at the following address: dpo@njvathensplaza.gr, and the Company will respond promptly [in any case within thirty (30) days of the request], notifying you in writing of the progress of the request.
If you have any complaints regarding this Notice or any data protection concerns, and if we fail to comply with your request, you may contact the Hellenic Data Protection Authority, 1-3 Kifissias Avenue, 115 23, Athens (www.dpa.gr).