INFORMATION ON THE PROCESSING OF PERSONAL DATA
in the context of an Expression of Interest for participation in a hiking activity or similar outdoor activity with an external Organizer
1. Introduction
This Information Notice describes the processing of Personal Data carried out by the company LINDOS HOTELS S.A., which operates the hotel(s) Gennadi Grand Resort, hereinafter, for the sake of brevity, the “COMPANY”, “we”, “us”, “our”, in the context of customers expressing interest in participating in hiking activities or similar outdoor activities provided by an independent external cooperating organizer, hereinafter the “ORGANIZER”.
This Information Notice concerns in particular the processing of Personal Data that takes place during:
• the customer’s expression of interest,
• the recording of basic contact details,
• the recording of basic participation information,
• the provision of information to the customer,
• the transfer of strictly necessary data to the ORGANIZER.
The transfer of such data is carried out for the purpose of further communication by the ORGANIZER with the customer, the organization of the activity, and the assessment by the ORGANIZER himself of the possibility of participation.
The COMPANY acts solely as a point of promotion, expression of interest and referral to the ORGANIZER. The hiking activity is not organized or carried out by the COMPANY, but exclusively by the ORGANIZER.
The ORGANIZER is solely responsible for:
• organizing the activity,
• conducting the activity,
• ensuring the safety of participants,
• providing information about risks,
• assessing the possibility of participation,
• the final acceptance or rejection of the participant.
The COMPANY does not collect, record, assess or retain health data, fitness data, suitability declarations, risk assumption declarations or other data relating to the final ability to participate in the activity.
Any such data, where required, is requested and processed directly by the ORGANIZER, who acts as an independent Data Controller.
This Information Notice is provided in accordance with Articles 13 and, where applicable, 14 of the General Data Protection Regulation (EU) 2016/679, hereinafter the “GDPR”, as well as in accordance with the applicable national and EU legislation on the protection of personal data.
For the purposes of this Notice, “Personal Data Protection Legislation” means all applicable national and EU provisions governing the processing of personal data, privacy and security thereof, including in particular the GDPR, Law 4624/2019, legislation on the protection of privacy in electronic communications, as well as the applicable decisions, opinions, recommendations and guidelines of the competent national and European supervisory authorities.
2. Data Controller
The Data Controller for the Personal Data collected and processed by the COMPANY in the context of this Information Notice is:
LINDOS HOTELS S.A.
VAT No.: 998113248
Gennadi Grand Resort
Gennadi – South Rhodes, Rhodes, 85109, Greece
Tel.: +30 22440 43043 Hotel
Tel.: +30 22410 61786 Head Offices
Email: [email protected]
The COMPANY acts as an independent Data Controller solely for the personal data that it collects itself in the context of the expression of interest and the transfer of strictly necessary data to the ORGANIZER.
The ORGANIZER acts as an independent Data Controller for the data that he collects and processes himself in the context of the organization, assessment, safety and final acceptance of participation in the activity, including any health declarations, physical fitness declarations, participation declarations or risk assumption declarations.
The COMPANY is not responsible for the processing of data carried out directly by the ORGANIZER in the context of his own procedures and his own privacy notice.
3. Data Protection Officer
The COMPANY has appointed a Data Protection Officer, whom you may contact for any matter concerning the processing of your Personal Data by the COMPANY, as well as for the exercise of your rights under the GDPR.
Contact details of the Data Protection Officer:
Email: [email protected]
For matters concerning personal data collected and processed directly by the ORGANIZER, such as participation declarations, health declarations, physical fitness declarations or risk assumption declarations, you should contact the ORGANIZER directly.
4. What data the COMPANY collects
The COMPANY collects only the data that is strictly necessary for managing the expression of interest and transferring the necessary information to the ORGANIZER.
Such data may include:
• customer / contact person full name,
• contact telephone number,
• contact email, where required,
• number of interested participants,
• preferred date of activity,
• preferred time of activity, where required,
• language of communication, where required,
• any practical information necessary for forwarding the expression of interest and not relating to health or physical condition.
The COMPANY applies the principle of data minimization and does not request more data than is required for the above purpose.
5. Purposes of processing
The COMPANY processes your personal data for the following purposes:
• recording your interest in participating in the activity,
• communicating with you in relation to the expression of interest,
• confirming basic contact and participation details,
• transferring the strictly necessary data to the ORGANIZER,
• customer service,
• administrative monitoring of the request,
• financial or accounting management, where required,
• compliance with legal obligations of the COMPANY,
• protection of the COMPANY’s legitimate rights, where required.
The COMPANY does not use the data collected in the context of this expression of interest for direct marketing purposes, unless there is a separate legal basis and appropriate information has been provided.
6. Legal basis for processing
The processing of your personal data by the COMPANY is based, as applicable, on the following legal bases under Article 6(1) of the GDPR:
a. Taking steps at your request / performance of a contract
Article 6(1)(b) GDPR
The processing is necessary for managing your request or expression of interest in participating in the activity and for taking steps at your request prior to the possible provision of the relevant service.
b. Legitimate interest of the COMPANY
Article 6(1)(f) GDPR
The COMPANY has a legitimate interest in managing customer requests, facilitating communication with external partners / organizers and supporting services or activities provided in the context of the hotel’s operation, provided that the rights and freedoms of the data subjects do not override such interest.
7. Transfer of data to the ORGANIZER
For the purpose of further communication and organization of the activity, the COMPANY transfers to the ORGANIZER only the strictly necessary data, such as:
• full name,
• contact details,
• number of interested participants,
• preferred date of activity,
• preferred time of activity, where required.
The ORGANIZER uses these data to contact you, organize the activity and complete his own assessment and participation acceptance procedure.
The ORGANIZER acts as an independent Data Controller and is required to provide you with his own privacy notice regarding the processing activities he carries out himself.
8. Role of the external ORGANIZER
The ORGANIZER is solely responsible for:
• organizing and carrying out the activity,
• selecting and assessing the route,
• providing information regarding the nature, requirements and risks of the activity,
• assessing the possibility of participation,
• the final acceptance or rejection of participation,
• collecting and managing any participation declarations,
• collecting and managing any health or physical fitness declarations,
• collecting and managing any risk assumption declarations,
• providing his own privacy notice,
• managing safety matters, incidents or insurance coverage.
The COMPANY does not have access to the content of the above declarations and does not participate in the assessment of the physical or medical suitability of participants.
9. To whom the data may be disclosed
Your personal data may be disclosed to:
• the ORGANIZER of the activity,
• authorized personnel of the COMPANY managing the expression of interest,
• accounting, technical or other partners of the COMPANY, only where necessary,
• public authorities, where required by applicable law.
The COMPANY does not sell, rent or make your personal data available to third parties for commercial purposes.
10. Method of transfer and security
The transfer of the necessary data to the ORGANIZER is carried out securely, such as:
• via corporate email,
• via an approved secure system,
• or via another approved secure communication channel
.
The COMPANY applies appropriate technical and organizational measures to protect the data, such as:
• restricted access only to authorized persons,
• use of corporate communication accounts,
• avoidance of the use of personal emails or personal devices,
• secure storage,
• limitation of the retention period,
• secure deletion or destruction when the data are no longer necessary.
11. Retention period
The COMPANY retains your personal data only for as long as required for:
• managing the expression of interest,
• transferring the necessary data to the ORGANIZER,
• serving any related requests,
• financial settlement, where required,
• compliance with accounting, tax or other legal obligations,
• protection of legitimate rights or handling of possible claims.
After the necessary period has elapsed, the data are securely deleted, destroyed or anonymized.
The data are not retained indefinitely.
12. International transfers
The COMPANY does not transfer your personal data outside the European Economic Area, unless this becomes necessary and provided that the appropriate safeguards provided for by the GDPR are applied.
13. Automated decision-making
The COMPANY does not use your data for automated decision-making or profiling that produces legal effects concerning you or significantly affects you.
14. Your rights
According to the GDPR, you have the following rights:
• right of access to your personal data,
• right to rectification of inaccurate or incomplete data,
• right to erasure, where applicable,
• right to restriction of processing,
• right to object to processing,
• right to data portability, where applicable,
• right to withdraw consent, where the processing is based on consent,
• right to lodge a complaint with the competent supervisory authority.
To exercise your rights in relation to the data retained by the COMPANY, you may contact the COMPANY or the Data Protection Officer using the contact details set out in this Information Notice.
For data collected directly by the ORGANIZER, such as participation declarations, health declarations, physical fitness declarations or risk assumption declarations, you should contact the ORGANIZER directly.
15. Lodging a complaint
You have the right to lodge a complaint with the competent supervisory authority:
Hellenic Data Protection Authority
Website: www.dpa.gr
We encourage you to contact the COMPANY first, so that we may promptly examine and address any matter concerning the processing of your personal data by the COMPANY.
16. Mandatory provision of data
The provision of basic contact details and expression of interest information is necessary for managing your request and transferring the necessary data to the ORGANIZER.
If you do not wish to provide the necessary data, the COMPANY may not be able to manage your expression of interest or forward your request to the ORGANIZER.
17. Information regarding health data
The COMPANY does not request or collect health data, physical condition data or physical / medical suitability data.
If a health declaration, physical fitness declaration or other related information is required for participation in the activity, this will be requested directly by the ORGANIZER and will be subject to his own privacy notice.
18. Contact
For any question regarding this Information Notice or the processing of your personal data by the COMPANY, you may contact the COMPANY using the contact details provided in Section 2