Privacy Notice

Last Updated: May 24th, 2018

At HPH PELAGIA SINGLE MEMBER S.A, we are committed to protecting and respecting your privacy. Please read this notice as it contains important information about how we use personal data that we collect from you or that you provide to us.

Information & Consent

This Privacy Notice describes how we collect, use, process, and disclose your information, including personal information about you (hereinafter, the “User”), in conjunction with your access to and use of our booking system.

By reading this Privacy Notice, the user is hereby informed on how we collect, process and protect personal data furnished through the booking engine.

The User must carefully read this Privacy Notice, which has been written clearly and simply, to facilitate its understanding, and to freely and voluntarily determine whether they wish to provide their personal data, or those of third parties, to HPH PELAGIA SINGLE MEMBER S.A.

When this notice mentions “booking system,” “booking engine,” “system,” “website,” “platform,” “app,” “webapp,” “services,” “online services,” it refers to all pages and functions under https://outoftheblue.reserve-online.net/ unless specified otherwise.

By accessing the platform or providing information, you agree to our privacy practices as set out in this privacy statement. We may change this notice from time to time. You should check this notice frequently to ensure you are aware of the most recent version.

Identity

When this notice mentions “we,” “us,” “our,” “data controller,” or “controller,” it refers to HPH PELAGIA SINGLE MEMBER S.A.

Data Controller

HPH PELAGIA SINGLE MEMBER S.A operates this booking system through a data processor, as explained below. For the purposes of the General Data Protection Regulation (“GDPR”) (EU) 2016/679, we are the Data Controller. There is a strict contractual framework between the data controller and the data processor for the protection of your personal information. We are:

Out Of The Blue Resort & Spa “HPH PELAGIA SINGLE MEMBER S.A”
Agia Pelagia
71500, Agia Pelagia, Crete
GR

Data Processor

WebHotelier operates this booking system on behalf of HPH PELAGIA SINGLE MEMBER S.A and is committed to protecting the privacy of the users of this system. WebHotelier is:

WebHotelier Technologies Limited
Mnasiadou 9 (Demokritos Building, Office 16)
1065 Nicosia
Cyprus

For the purposes of the GDPR, where WebHotelier processes your personal data on behalf of HPH PELAGIA SINGLE MEMBER S.A, WebHotelier is the Data Processor. When this notice mentions “data processor,” “processor,” or “WebHotelier,” it refers to WebHotelier Technologies Limited.

WebHotelier is a certified PCI-DSS Level 2 Service Provider audited monthly by Trustwave.

The User may contact WebHotelier's Data Protection Officer:

Data Protection Officer
dpo@webhotelier.net

Obligatory nature of providing the data

The data requested in the forms accessible from the booking engine are, in general, mandatory (unless specified otherwise in the required field) to meet the stated purposes. Accordingly, if they are not provided or are not provided correctly, we will be unable to process the request.

Personal data we collect and process

This will include:

  • personal information about you which we ask you for (e.g. your name, address, and email address) when you make a booking from our booking engine;
  • financial details in order to process your booking when we require pre-payment;
  • details of transactions you carry out through our booking engine and details of the fulfilment of your orders.
  • our data processor may only collect and process personal data collected and/or processed on behalf of us in accordance with our instructions. WebHotelier cannot process it in any other way or for any other purpose.

We grant permission to our data processor:

  • to use your personal information for reserving rooms and/or other services for you at HPH PELAGIA SINGLE MEMBER S.A;
  • to pass on your financial details to HPH PELAGIA SINGLE MEMBER S.A and/or appropriate third party (for example, credit card company) for the purpose of confirming or paying for a booking;
  • to use your information for marketing purposes (where you explicitly agree to this); and
  • to pre-complete forms and other details on our website to make your next visit to our booking engine easier (e.g. when amending or cancelling a booking).

Social Login:

In the event of registration and/or access through a third-party account, we may collect and access certain information of the User’s profile from the corresponding social network, solely for internal administrative purposes and/or for the purposes indicated above.

Third-party data (e.g. book for a friend)

In the event that the User provides third-party data, they declare that they have the third party’s consent and undertake to provide the interested party -the data holder- with the information contained in this Privacy Notice, duly exonerating us and our data processor from any liability in this regard. However, we may carry out the necessary verifications to verify this fact, adopting the corresponding due diligence measures, in accordance with the data protection regulations.

Sensitive Data

Unless specifically requested, we ask that you not send us, and you not disclose, on or through the Services or otherwise to us, any Sensitive Personal Data (e.g., social security numbers, national identification number, data related to racial or ethnic origin, political opinions, religion, ideological or other beliefs, health, biometrics or genetic characteristics, criminal background, trade union membership, or administrative or criminal proceedings and sanctions).

Use of Services by Minors

The Services are not directed to individuals under the age of sixteen (16), and we request that they not provide Personal Data through the Services.

Purpose of processing personal data

Depending on the User’s requests, the personal data collected will be processed in accordance with the following purposes:

  • To manage the bookings made, including payment management (where applicable) and the management of the user’s requests and preferences.
  • To manage registration in loyalty or membership programs, as well as obtaining and redeeming points.
  • To manage the User’s contact requests with us through the channels provided to this end.
  • To manage the sending of personalised commercial communications from us, by electronic and/or conventional means, in cases in which the User expressly consents.
  • To manage the provision of the contracted accommodation service, as well as additional services.
  • To manage surveys and/or evaluations regarding the quality of the services provided by us and/or the perception of its image as a company.

Data Retention

We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law or if the User requests their withdrawal from us, opposes or revokes their consent.

The criteria used to determine our retention periods include:

  • The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or keep using the Services or if you have a booking that has not yet been fulfilled)
  • Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them)
  • Whether retention is advisable considering our legal position (such as, for statutes of limitations, litigation or regulatory investigations)

Legitimate interest for processing your data

The data processing required in fulfilment of the aforementioned purposes that require the User’s consent cannot be undertaken without said consent.

Likewise, in the event that the User withdraws their consent to any of the processing, this will not affect the legality of the processing carried out previously.

To revoke such consent, the User may contact us through the appropriate channels.

By the same token, in those cases in which it is necessary to process the User’s data for the fulfilment of a legal obligation or for the execution of the existing contractual relationship between us and the User, the processing would be legitimized as it is necessary for compliance with said purposes.

Data Disclosure

We will use and disclose Personal Data as we believe to be necessary or appropriate:

  • to comply with applicable law, including laws outside your country of residence;
  • to comply with legal process;
  • to respond to requests from public and government authorities, including authorities outside your country of residence and to meet national security or law enforcement requirements;
  • to enforce our terms and conditions;
  • to protect our operations;
  • to protect the rights, privacy, safety or property of our own, you or others; and
  • to allow us to pursue available remedies or limit the damages that we may sustain.

We may use and disclose Other Data for any purpose, except where we are not allowed to under applicable law. In some instances, we may combine Other Data with Personal Data (such as combining your name with your location). If we do, we will treat the combined data as Personal Data as long as it is combined.

International transfers of personal data

We may transfer your personal information to our data processor(s) and/or sub-processor(s) based outside of the EEA for the purposes described in this notice. If we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators (like the US ‘Privacy Shield’ scheme).

Our data is stored in the cloud using Amazon Web Services in N. Virginia, USA and in Frankfurt, Germany. If you are accessing any of our systems from outside the USA, you acknowledge that your personal information may be transferred to the USA, a jurisdiction which may have different privacy and data security protections from those of your own jurisdiction, to be processed and stored.

User's Responsibility

The User:

Guarantees that they are of legal age or legally emancipated, where applicable, fully capable, and that the information furnished to us is true, accurate, complete and up-to-date. For these purposes, the User is responsible for the truthfulness of all the data communicated and will keep the information updated, so that said data reflects their actual situation.

Guarantees that he/she has informed third parties on whose behalf he/she has provided data, where applicable, of the aspects contained in this document. Also guarantees that he/she has obtained the third party’s authorisation to provide their data to us for the purposes indicated.

Will be responsible for false or inaccurate information provided through the Website and for damages, whether direct or indirect, that this may cause to us or third parties.

Exercise of Rights

The User may contact us at any time, free of charge:

  • To obtain confirmation about whether or not personal data concerning the User are being processed by us.
  • To access their personal details.
  • To rectify any inaccurate or incomplete data.
  • To request the deletion of their personal data when, among other reasons, the data are no longer necessary for the purposes for which they were collected.
  • To confirm revocation of consent.
  • To obtain from us the limitation of data processing when any of the conditions provided in the data protection regulations are met.
  • To request the portability of your data.

Likewise, the user is informed that at any time he/she may file a complaint regarding the protection of their personal data before the competent Data Protection Authority.

Security Measures

We will process the User’s data at all times in an absolutely confidential manner, maintaining the mandatory duty of secrecy with regard to said data in accordance with the provisions set out in applicable regulations. To this end we adopt the technical and organisational measures required to guarantee the security of the data and prevent them from being altered, lost, processed or accessed illegally, depending on the state of the technology, the nature of the stored data and the risks to which they are exposed.

NEW: Overnight Tax that will apply from 01.01.2018

The new Overnight Tax that will apply starting from 01.01.2018 is not included in the hotel rates and will be paid upon arrival by the guests on a separate account.

PERSONAL DATA PROTECTION POLICY

Information on the Processing of Personal Data

We would like to inform you that the company under the title "HPH PELAGIA SINGLE MEMBER SA" (hereinafter referred to as the "Company"), with the distinctive title "OUT OF THE BLUE RESORT & SPA", is active in the field of hotel services. The Company is sensitive to the privacy of its customers, and the protection of their personal data is of paramount importance to it. Building trust relationships is a priority and a fundamental commercial practice. For this reason we take the appropriate measures to protect the personal data we process and to ensure that personal data is always processed in accordance with the legal requirements (GDPR 679/2016), both by the Company itself and by third parties who process your personal data on behalf of the Company.

What is GDPR?

The General Data Protection Regulation (GDPR) is the new European Union (EU) regulatory framework in the field in question. The purpose of the law is to establish the conditions for the processing of personal data in order to protect the rights and freedoms of natural persons and in particular the right to protection of personal data. Thus, all the concepts mentioned in this policy are defined by this Regulation (Article 4).

Categories of Personal Data

Personal data: any data that alone or in combination with others can uniquely identify a person. Such data include: name, identity card number, passport number, Taxpayer identification number, address, phone, photo, IP address, hardware identifiers, online profiles, social networks, subscription data, device fingerprinting, or any other identifiable means.

Special category data (sensitive personal data): According to the wording of the law, these are data relating to political and religious beliefs, sexual preferences, the economic status of the individual, racial characteristics, and finally medical, genetic and biometric data.

Data Concepts

Processing of personal data: any act or series of acts performed with or without the use of automated means on personal data or personal data sets, such as the collection, registration, organization, structuring, storage, adjustment or alteration, retrieval, search for information, use, disclosure, forwarding or any other form of distribution, association or combination, restriction, or deletion or destruction.

Data subject: the natural person whose personal data is being processed.

Method of data collection

To process your personal data, we collect it in the following ways:

  • If you are a Hotel customer, your personal data is collected directly upon arrival at the reception desk by filling in the relevant form.
  • If you are not a customer of the Hotel and wish to make use of the Hotel's services (e.g. spa services, or other treatments, etc.), your personal data will be collected upon arrival at the appropriate department, by filling in the relevant information form there.
  • If you are an external partner or supplier, your personal information is collected when you sign a service contract or through your invoice details.

Data collection

The following categories of data are collected to process your personal data:

  • Identification details, such as: full name, gender, VAT registration number or TIN, ID card number, passport number, nationality, date of birth.
  • Contact details, such as: landline and / or mobile phone, home and / or work address, email address.
  • Health data exclusively as needed, such as: dietary issues, health issues for which questionnaires are completed for various services you would like to receive within the Hotel, and health issues that may arise during your stay and should be disclosed by you to the hotel physician, or elsewhere within the Hotel's boundaries, so that there is no risk to your life and your health.
  • Financial information required to perform contractual obligations, such as bank accounts, debit or credit card numbers, Tax Office of registration where required, and finally, for the issuance of invoices regarding suppliers and associates.
  • Photos or any other audiovisual material from receptions, events, or even daily activities within the Hotel.
  • Identity and transaction data that is collected electronically while using the website, such as the IP address or other data provided through the devices used by the customer as location identifiers, as well as the navigation data (cookies) that, on their own or in combination with unique identifiers, can be used to identify and create profiles.

Purpose of processing Personal Data

The reasons why we process your personal data are:

  • Establishing a customer relationship and proceeding with the room reservation procedure for Hotel customers.
  • Providing Hotel services to customers.
  • Sending emails to measure service satisfaction from affiliated companies.
  • Sending newsletters from the Company and / or affiliated companies (third parties).
  • Sending personal data where deemed necessary to obtain services from third parties such as (but not limited to) Wi-Fi providers, Digital Marketing support and Marketing purposes, and services and provisions in general.
  • Contact with Tour Operators, Travel Agents and providers or tourism booking services, travel hosting, and relevant activities, etc.
  • Display of personal data such as (but not limited to) Name, Photos etc. on advertising material, TV Channels, Social Media, Company Site & Partner Sites (third parties).
  • Reporting of personal data such as (but not limited to) Name, Photos etc. in press releases issued by the Company and / or affiliated companies (third parties).
  • Company Payments through Banking Institutions & use of credit cards for the services provided during your stay.
  • Settlement of financial matters to or from the Company through Banking Institutions & use of credit cards.
  • Accounting for partners and suppliers.

Legal basis for the processing of personal data

Personal data shall be processed lawfully, fairly and in a manner transparent to the customer. The collection, use and general processing of personal data is solely made by consent, or if permitted by law. A legal ground for processing other than the customer's consent is the performance of the contract or compliance with a legal obligation and any other grounds provided for in Article 6 of the GDPR as well as in national law.

Personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes, or further processed for archiving purposes in the public interest or for purposes of scientific or historical research or statistical purposes not considered incompatible with the initial purposes.

Personal data is suitable, relevant and limited to what is necessary for the purposes for which it is processed.

Personal data is accurate and, where necessary, updated; all reasonable steps should be taken to immediately delete or correct data that are inaccurate with respect to the purposes of processing.

Location of Processing Personal Data

The processing of personal data takes place within the European Union. Exceptionally, if the data is transmitted to a third country, then there will be provision so that the transmission takes place to a country for which the European Commission has decided that an adequate level of data protection is guaranteed and that the processor has provided appropriate safeguards for such protection.

Recipients of Personal Data - Transmission

The personal data collected is processed by “CAPSIS ELITE RESORT” Company as well as by its domestic partners.

The data is additionally transmitted to third parties, partners of the Company, for the performance of the services provided by the Company. Indicatively and not restrictively, these include travel offices and agencies and other third parties within and outside the EU, providing marketing services, hotel services and anything else related to the Company's subject matter.

Personal data may also be transmitted to police, municipal, tax authorities and / or public or private emergency services providers where necessary and where required by law.

Measures for the Protection of Personal Data

The Company takes appropriate technical and organizational measures to ensure the protection of personal data against loss, misuse and unauthorized access, disclosure, destruction and breach. Taking into account the best practices using state-of-the-art technology and application costs, it has implemented a comprehensive information security program including firewall security, restricted access to data extraction, daily backup of the entire database, regular security checks, penetration tests, creation of identity and access management templates, network access control, information security risk and incident management templates, business continuity templates and disaster recovery, etc.

Time of Retention of Personal Data

What are your rights regarding your personal data?

Any natural person whose data is processed by the Company under GDPR 679/2016 (Articles 15, 16, 17, 18, 19, 20, 21 and 22) has the following rights:

  • Right of access (GDPR 679/2016, Article 15). The customer (data subject) has the right to be informed by the Data Controller whether or not the personal data concerning him are being processed.
  • Right of correction (GDPR 679/2016, Article 16). The Customer has the right to demand from the Data Controller without undue delay the correction of inaccurate personal data concerning him. In view of the processing purposes, the customer has the right to request the completion of incomplete personal data, including through a supplemental statement.
  • Right to delete (GDPR 679/2016, Article 17). The Customer has the right to request from the Data Controller the deletion of personal data relating to him and the Controller shall be obliged to delete the Personal Data without undue delay.
  • Right to restrict processing (GDPR 679/2016, Article 18). The Customer is entitled to obtain from the Data Controller the restriction of processing when:
      • The accuracy of personal data is disputed by the customer himself, for a period of time allowing the Data Controller to verify the accuracy of personal data.
      • The processing is illegal and the customer opposes the deletion of personal data and requests restriction of its use instead.
      • The Data Controller no longer needs personal data for the purpose of processing.
  • Right of disclosure regarding the correction or deletion of personal data or the restriction of processing (GDPR 679/2016, Article 19). The Data Controller shall notify any recipient to whom the personal data were disclosed about any correction or deletion of personal data or restriction on the processing of data carried out in accordance with Article 16, Article 17 and Article 18, unless this is proven to be impracticable or entails a disproportionate effort. The Data Controller shall inform the customer of such recipients upon request by the customer.
  • Right to data portability (GDPR 679/2016, Article 20). The Customer has the right to receive the personal data relating to him that has been provided to a Controller in a structured, commonly used and machine-readable format, as well as the right to transmit such data to another Controller without objection by the controller who received the personal data.
  • Right to object (GDPR 679/2016, Article 21). The Customer has the right to object at any time, for reasons related to his particular situation, to the processing of personal data relating to him.
  • Automated individual decision making, including profiling (GDPR 679/2016, Article 22). The Customer has the right not to be subject to a decision made solely on the basis of automated processing, including profiling, which produces legal effects concerning him or substantially affects him in a similar manner.

Requests for Exercising Rights

• Request access to personal data

• Request for correction of personal data

• Request for deletion of personal data

• Request for restriction of processing of personal data

• Request for disclosure of personal data

• Request for portability of personal data

• Request for objection to personal data

• Request for non-automated decision making in personal data

These rights are exercised by completing the form for the relevant right and sending it either by mail to the address of “CAPSIS ELITE RESORT” at Agia Pelagia, Heraklion Crete, PC 71500, or electronically to gdpr@capsis.gr or dpo@capsis.gr.

Also, the customer has the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr), being the competent supervisory authority, if he considers that his rights are in any way infringed by the processing of his data.

Use of Cookies

Websites collect information through cookies. Cookies are small text files that are stored by a website in a web browser during the navigation of the visitors and then recognize them the next time they visit the site. Cookies do not contain any personal information that could allow anyone to contact the site visitor, such as by email, etc. More information will be mentioned in the Cookies Policy which will be posted shortly.

Contact Information

Data Controller

The company "GEORGIOS KOUROUPIS SINGLE SHOP" with the distinctive title "OUT OF THE BLUE CAPSIS ELITE RESORT", based in Crete, Agia Pelagia Heraklion Crete, 71500, email: gdpr@capsis.gr, phone 2810-811212, as legally represented, informs that, for the purposes of conducting its business, it processes the personal data of its customers in accordance with GDPR 679/2016 and applicable national legislation on the protection of individuals with regard to the processing of personal data and the free movement of such data, as applicable.

Data Protection Officer:

For any information regarding the processing of personal data you may use the following contact details:

Data Protection Officer (DPO): Christodoulidis Stavros (email: dpo@capsis.gr)