PERSONAL DATA PROTECTION POLICY

Latest Update: 01 December 2019

Α. Introduction

Our Company, CHANDRIS HOTELS (HELLAS) S.A., (hereinafter the Company), who is the owner of the hotels “Athens Marriott Hotel”, “The Met Hotel Thessaloniki” and “Chios Chandris Hotel”, takes under serious consideration the protection of visitors’, customers’, suppliers’, partners’ and its employees’ privacy. Therefore, we strictly comply with this present Personal Data Protection Policy (hereinafter the Policy), which ensures a high level of the services offered and is based on the legislative framework in force. The personal data related to you are being collected and maintained, for predetermined, explicit and lawful causes, during the absolutely necessary and lawful time periods, and they are being processed lawfully and legitimately in a lawful, fair and transparent manner, in accordance with the legal framework in force and are subject to integrity and confidentiality. Each time, these data are proper, relevant, appropriate and not more than those required, in view of the above lawful and clear purposes, they are precise and, if needed, they are being updated.

Β. Particulars of the Company CHANDRIS HOTELS (HELLAS) S.A.

The particulars of the Company, in which you may address or with which you may transact in any way, are as follows:

Trade Name: CHANDRIS HOTELS (HELLAS) S.A.  Seat: 377 Syggrou Avenue – 175 64 Palaio Faliro

Tax Number: 094025227  Tax Office: Piraeus Tax Authority for SAs [F.Α.Ε. PIRAEUS]

SA registration number 6146/01ΝΤ/Β/86/670

Athens Prefecture

General Commercial Registry Number 121811801000

and the particulars of the Data Protection Officer for the hotels of the company CHANDRIS HOTELS (HELLAS) S.A. are:

Angeliki Sougle, 377 Syggrou Avenue – 175 64 Palaio Faliro, 210 9484720, dpo@chandris.gr.

C. Purpose

Pursuant to this Policy, the terms and conditions observed by our company are being defined, which are solely related to the protection of visitors’, customers’, suppliers’, partners’ and our employees’ privacy, as well as of any other person’s privacy who does transactions with us in any way, the personal data of whom are being processed in order for hotel services to be provided and of the privacy of the websites  www.chandris.gr, www.themethotel.gr, www.chioschandishotel.gr users.

It is noted that the Athens Hotel and the Website of “Αthens Marriott Hotel” are subject, as far as the protection of Personal Data is concerned, to the Global Group Privacy Declaration of the Marriott companies, and you are entitled to require access to, rectification or erasure of your Personal Data or to you may object to their processing, by sending an e-mail at the address privacy@marriott.com or by mail at the address: Global Compliance, Privacy, 10400 Fernwood Road, Bethesda, MD, 208717, U.S.

This Policy aims at informing you about the way of collecting, maintaining and processing of the information related to you, like the personal data that you provide to us.

The Company maintains the right to amend and adjust this Policy, whenever it deems necessary, whereas these amendments come into force from the time they are uploaded to the Websites www.chandris.gr, www.themethotel.gr, www.chioschandrishotel.gr.

In any case we suggest that you check this Policy from time to time, because it is possible that we have performed amendments in order to improve it.

D. Definitions

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,

‘special categories of personal data’ are among others genetic, biometric, data concerning health, racial or ethnic origin etc.,

‘personal data processing’ means any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data,

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Ε. Personal data protection legal framework

The ‘personal data protection legal framework’, out of which this Policy derives, is the General Data Protection Regulation no. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the Law 4624/2019 Government Gazette Issue Α’ 137/29-08-2019 and every Law or Regulation that has been issued following or for the implementation of the above General Regulation, as well as any national law which is in force and applies and relates to the processing and to the protection of personal data in general.

F. Means of collecting your information

We collect and process your personal data each time you use our services (either those services are provided directly by us or by other companies or agents acting on our behalf), when you stay at the Hotel, when you visit our restaurants, in general when you interact with us, when you use our sites, or when you use our call centers or our mobile and tablets apps. Also, information about you is collected by us:

• Through the browser cookies that you use when navigating our Websites, in order for us to respond, promote and accurately route your request. In this case, it is possible that we collect information about the type of browser that you use for the purposes of administering our system and in order to compile aggregate information for the visitors of our Website, of a purely statistical nature, which does not identify any individual.
• When you use contact forms to request more information or post a comment.
• When we communicate with you.
• When connecting to our Hotels wi-fi.

G. Purposes of data collection

We collect your data, on the one hand, so that we can provide the services you have requested, and on the other hand, in order to improve them. In particular, we collect data for the following purposes:

1. Booking a room and other related services (e.g. keeping required documents, in accordance with applicable law, accommodation related requests) and staying at the Hotel (room access, use of mini bar services, room phone etc.).
2. For organizational purposes (e.g. list of customers checking-in / checking-out on the same day, list of customers with special offers).
3. To use data analytics tools in order to improve our websites, our products / services, our relationships with customers and to better respond to your needs.
4. To optimally run and protect our business, our websites, and our systems in general.
5. In order to comply with the Greek and European legislation that is in force each time.
6. To assist you in further activities that you would like to perform e.g. restaurant reservations, taxi calls, excursions or guided tours.
7. In order to provide you with personalized services, we may collect personal preferences including your interests, activities, food preferences, drinks, potential allergies and general requests relating to services and benefits.
8. In order to inform you about our news and services.

Η. Data that we collect

Depending on the purpose of your visit and the service that you wish to obtain through our Websites, the nature of the personal data that we collect shall include information, such as name/last name, address, e-mail address, telephone number, vehicle plate number, as well as additional information such as airline company, flight number etc.

In some cases, it is also possible that we need to collect personal data of a sensitive nature, such as medical data, so that we are in the position to meet your particular needs e.g. potential allergies. We keep this kind of information only if we are so obliged pursuant to the applicable legislation or if you grant to us your explicit consent, in the context of the provision of our services, e.g. to provide a specific diet.

We preserve the right to collect, store and process different kinds of personal data relating to you. In particular:

• Customer’s identification data.
• Data in relation to invoicing (e.g. Tax Number, Tax Authority, number of the bank card used for payment)
• Arrival / departure date and room number
• Preferences and interests: e.g., preferred floor, type of bed, cultural interests
• Health information e.g. allergies, information about pathological conditions etc. that you communicate to us, so that we may serve you in the most appropriate way (e.g. cases of people with disabilities).
• Information in relation to persons below 18 years old are limited to name/last name, nationality and date of birth and are provided to us only by the adult having custody (guardian or parent).
• In the course of the provision of our services, it is possible that create accounts/profiles, for which it is possible that we ask you to provide information, such as e.g. name/last name, e-mail.
• When you order a product or a service, it is possible that we ask information so that we are able to process your order, such as name/last name, room data etc.
• In case you participate in one of our competitions or in one of our promotional activities, it is possible that you are asked to provide name/last name, communication data, e-mail, personal or professional interests etc.
• Device information (e.g. unique device IDs, IP address, device setting in order to access our Services etc.)
• Location information (e.g. GPS of your device etc.)
• Other information in relation to the use of our services from your part (e.g. interaction with a context offered through a Service).

I. Time period of storage of Personal Data

Our Company maintains your personal data solely as long as needed so that the purposes for which they have been collected are fulfilled (e.g. completion of legal/tax procedure). In addition, depending on the quantity, the nature and the sensitivity of the personal data, as well as the purposes for which we process them, we decide the appropriate time period of their storage.

We are entitled to anonymize your data, so that they cannot be associated with you, for the purpose of being used for research or statistical purposes, so we may use this information indefinitely, without further notice to you.

The CVs collected by the competent Human Resources Departments, are kept for one year and then they are destroyed, in accordance with the Destructions Policy followed by our company.

J. Access of third parties to your Personal Data

Our primary principle is not to disclose your information to third parties for their own independent business or commercial promotion activities without your consent.

However, aiming at the optimum provision of services to you, we grant access to your personal data or part thereof, to our properly trained personnel (hotel’s personnel, IT department, commercial promotion department, legal department, medical services, if deemed needed). The employees who have access to your personal data, use encrypted codes, which are regularly updated. In addition, we may disclose your personal data to business associates that we trust who comply with the requirements of the GDPR, as well as to the competent Authorities, in order to comply with the accounting and tax regulations and, in general, with the legislation in force, to confirm that we comply with the policies governing our services, as well as to achieve the highest level of security of the Company and of the Hotels.

Κ. Your rights in relation to data protection

The legislation relating to the protection of your Personal Data provides you the following rights, which you may, in principle, exercise for free and in accordance with the provisions of the legal framework:

• Right of access, namely to be informed about which data of yours we have collected and are being processed by the Company, their origin, the purposes and legal basis of processing, the potential receivers or categories of receivers of the personal data, especially in third countries, as well as the time period of storage.
• Right of rectification of potential inaccuracies of your Personal Data, so that they are accurate, by submitting to the company a relevant statement with your accurate Personal Data.
• Right to complete potential incomplete Personal Data of yours, so that they are complete, by submitting to the company a relevant statement with your complete Personal Data.
• Right to erase your Personal Data in the following cases: i. when your Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, ii. when you withdraw your consent on which the processing of your Personal Data was based and there is no other legal basis for processing, iii. when your Personal Data have been processed without the existence of the necessary legal basis, iv. the law provides that your personal data must be erased, v. when a child’s Personal Data have been collected in relation to the offer of information society services, following consent thereof or when consent is provided or approved by the person that has custody of the child.
• Right to restriction of your Personal Data processing, in the following cases: i. you contest the accuracy of your Personal Data and until such accuracy is verified by the Company,

1. when, instead of the erasure, you ask for the restriction of the processing of your Personal Data,

iii. when the Company no longer needs your Personal Data for the purposes of processing, but these Personal Data are required by you for the establishment, exercise or defence of legal claims.

• Right to oppose- object to the processing of your data, unless processing is justified on compelling and legitimate grounds, which override the interests, rights and freedoms of yours or for the establishment, exercise or defence of the Company’s legal claims.
• Right to data portability, namely to receive and transmit to another controller your Personal Data, which you have provided to our company, in an appropriate format, provided that processing of your Personal Data has taken place following your consent or it was necessary for the execution of the contract between us.
• Right to revoke the consent that you have provided for a matter relating to the Protection of Personal Data at any time (without any retroactive effect).

The above rights may be limited in case that another law must be applied, as for example in case that you request the erasure of data, whereas we are obliged to keep them pursuant to the law.

For all the above and for the resolution of any query you may have in relation tο the applicable legislation on personal data, you may communicate with our company as follows:

• through the electronic communication form at dpo@chandis.gr
• by means of a letter: Data Protection Officer, 377 Syggrou Avenue, 175 64 Palaio Faliro.
• The company CHANDRIS HOTELS (HELLAS) S.A. will respond to your request free of charge, without delay and, in any case, within one month from receiving the request, with the exception of extraordinary circumstances, in which cases the above deadline may be extended for two more months, if required, taking into account the complexity of the request or/and the number of the requests. The company will inform you about potential extension within one month from receiving the request, as well as about the reasons for the delay.
• If your request cannot be satisfied, the company will inform you without delay and within one month the latest from receiving the request, about the relevant reasons and the possibility to lodge a complaint with the Data Protection Authority, as well as about your right to seek redress before the competent judicial authorities.

L. Right to lodge a complaint

In case that you think that your rights related to the Protection of your Personal Data are breached, you are entitled to lodge a complaint with the Data Protection Authority (1-3 Kifisias Avenue, P.C. 115 23, Athens, tel.: +30 2106475600, email : contact@dpa.gr).

Moreover, you are entitled to a remedy before the competent judicial authorities for the protection of your personal data.

Μ. Security measures

The Company has taken appropriate technical and organizational measures so that the application of Legislation and the proper level of security of your personal data are observed and has trained its personnel and the entire network of its partners properly, by means of Personal Data Policies and Procedures, and it bounds all its partners, who act on its behalf in the capacity of Processors through contractual agreements that are guaranteed and safeguarded. If for any reason you think that the interaction between us is not safe, please let us know.

Ν. Newsletter

Our Company sends e-mails in order to advertise and directly promote our products or/and our services by means of a newsletter. In any such e-mail, we clearly and explicitly disclose our identity and allow you to object and request, in an easy manner and free of charge, termination of communication and erasure of your data from that database.

O.Cookies