Privacy Policy

Information regarding your personal data
The company under the name «S. AND Α. MAMADAS HOTEL AND TOURIST ENTERPRISES S.A.» and the distinctive title «HOTEL PORTO» (hereinafter the “Company”) having its seat in Thessaloniki, 65 26th October Street, tel.: +30 2310 504504/ +30 2310 504500, e-mail: info@portopalace.gr, is the Controller of your personal data (Data Controller). The Company undertakes to comply with the legislation regarding the protection of the rights and freedoms of individuals against the processing of personal data, in any capacity you cooperate or communicate with us (such as customers, prospective customers, visitors, employees, prospective employees, partners, suppliers, participants in conferences, BoD members, visitors to our website or in general private individuals and third parties who cooperate or communicate with our company), in accordance with the Regulation EU 2016/679 (GDPR), national legislation and the decisions of the Personal Data Protection Authority. By this statement, the company provides you with all relevant information regarding the use and processing of your personal data, as well as your rights as data subjects, according to Articles 12 to 14 GDPR.
I. What data the Data Controller collects and processes and for what purposes.
Personal data include any information, in print or electronic media, relating to an identified or identifiable natural person, directly or indirectly, in combination with other information.
Processing of personal data means the collection, registration, organization, storage, adaptation, alteration, retrieval, use, transmission to third parties, dissemination, association, combination, limitation, deletion and destruction of Personal Data of natural persons.
The company “HOTEL PORTO” during its activities and transactions, collects and processes personal data, such as indicatively the following:
I.1. Employees/Prospective employees:
Regarding the employees of the Hotel: Information such as name and surname, father’s name, mother’s name, social security number (AMKA), gender, nationality, address, email, ID number, family status data, number and age of children, salary/benefits/bonus data, CVs, work experience, level of education, diplomas, licenses, as well as information related to employee payroll and taxation and other data required by labor or social security legislation. Processing of this data is necessary for the performance of the employment contract and the fulfillment of the company’s lawful obligations as employer. All employees of the company have been notified of a written statement for their detailed information regarding the processing of their data, the legal basis of the processing, the retention time of their data and their lawful rights.
Candidates: the company maintains the following information regarding its prospective employees: name, surname, contact information, education, work experience, CV, email, nationality, family status. The company collects and processes personal data of the candidates for the evaluation of their suitability for filling a specific job position. This data is collected from the candidate upon his consent, by submitting the relevant application. In case of non-recruitment, the CV of the prospective employee is kept for a period of 2 years to cover any future jobs, after which the data is destroyed. The legal basis of the processing is the legitimate interest of the company and the consent of the candidate employee.
Interns: The company collects and processes personal data of students doing their internship at the hotel, in cooperation with the educational institutions, as long as these are necessary for the performance of the internship contract and the fulfillment of the contractual and legal obligations of both parties. The legal basis of the processing is the performance of the contract and the compliance with a legal obligation of the company. The internship contract contains detailed information regarding the processing of interns’ data, the legal basis of the processing, the retention time of their data and their rights. When the internship ends, the data of the intern is deleted, except for those necessary for the defense of company’s rights before courts or in case of controls conducted by the competent bodies and authorities, in compliance with the labor legislation. Further retention and processing of the aforementioned data is only permitted if the intern expressly requests it and provides his/her consent for the purpose of future job search or for any use by him/her (for example in order to certify the completion of the internship).
I.2. Hotel Customers/ prospective customers:
For customers/residents of the hotel: name and surname, duration of stay (arrival and departure dates), room number and price, passport/ID number, country of origin, nationality, date of birth, contact details (landline or mobile phone), residential address (country, city, street, postal code), credit or debit card number, email, billing information (company’s name, VAT number, address, email), bank account details. The legal basis for the processing of the above data is the compliance with legal obligations of the company [Article 6 par. 1.c) GDPR], i.e. the company’s compliance with the provisions of the law, such as indicatively: Article 2 of No. 8/1999 of the Police Order concerning the customer books and the obligations of those in charge of tourist accommodation, as amended and in force by the Police Order 8A/2003 (Government Gazette 1674/B), or the tax legislation.
Additionally, the legal basis of the processing is the performance of the contract with the hotel’s customers [Article 6 par. 1.b) GDPR]. For this purpose, we may collect information about our customers to better fulfill our contractual obligations and improve our hotel services, for example information and requests regarding the customer’s stay, products and services used, special requests, comments about your preferences, information about your vehicles parked in the hotel parking lot, preferences related to dietary needs or health conditions that require special accommodation conditions or services. For the latter case, the sharing of this information can only be done voluntarily by you, and after giving your consent for its use and processing.
Information regarding our customers may also be collected from the hotel website, when making an online reservation. For the management of the electronic reservation system, our company contracts with a third party – data processor. The legal basis of the processing is the performance of the contract with the hotel’s clients and the compliance with the legal obligations of the hotel. Also, in case you contact us electronically through the contact form on our website, you will be asked for your consent to send the relevant message and your details, which are necessary to process the communication with you regarding your request. Especially, regarding services offered within the hotel (for example personal trainer, spa facilities), the company collaborates with third-party external partners and keeps data related only to the products and services used by you.
Regarding your personal data related to your image, we inform you that our company has installed a video surveillance system in the hotel facilities. Information regarding the video surveillance system can be found immediately below in the relevant section of this Policy (Annex I).
For promotional or advertising actions of our company, your data are collected only upon your consent, which is provided through the customer form, at your arrival at the hotel reception. For this purpose, the company may use the personal contact data of visitors for informational purposes and promotional actions regarding contests, gifts, discounts on hotel products and services, upon your express consent.
Generally, the provision of personal data to the company may be necessary to achieve the purposes specified in this Policy or may be optional. If you refuse to provide the data required, the company will inform you if without them it is possible to achieve the basic purpose of collecting these data, for example, it may be impossible for the company to provide the services available on its website or at its facilities, if you refuse to provide the required data.
I.3. Organizers and participants in conferences, workshops, and events
In regard to organizers of conferences, events, workshops, etc., it is necessary to maintain and process the following information: name and surname, postal address, status, profession, organization/company that may represent, email and phone number, billing information, bank account number. The aforementioned data are held for the provision of our services and the successful management and organization of the actions and purposes of the organizer.
For participants/guests, our company does not process personal data.
Be aware that, in the event that you are photographed and/or videotaped during the above activities, the respective event organizer must inform you of these initiatives and/or take any additional necessary measures.
I.4. Suppliers and partners: name and surname, VAT number, IBAN, contact number, address, email, entity/company that the natural person is representing, billing and bank account information. The legal basis for processing is the performance of a contract to which the subject is a contracting party. It is noted that the Data Protection Regulation only applies to professionals/natural persons or sole proprietorships and not to legal entities/ companies.
II. Processing of special categories of personal data
Generally, we do not collect or have access in any way to special categories of personal data, except for special statutory obligations, due to the COVID-19 pandemic. The legal basis of the above processing is public interest in the area of public health (article 9 par. 2g) GDPR). The company may collect and process special categories of personal data, such as data related to the health of employees, in order to meet its insurance obligations, as well as to comply with health legislation and safety at work or data concerning previous criminal convictions, if this is considered necessary in the context of the employment relationship, respecting the principle of proportionality (Article 9 par. 2b) and h) GDPR). All employees of the company have been notified of a statement for their detailed information in relation to the processing of their special categories data.
Especially for customers of the hotel, visitors and participants in events organized in our facilities, the company may process data belonging to special categories, such as information concerning eating habits, allergies, religious preferences, illnesses, etc. The legal basis for the processing of the above data is the express consent of the subject (Article 9 para. 2a) GDPR) by filling the relevant form and the explicit disclosure by the subject of the data (Article 9 para. 2e). The company will ensure that it always complies with the national or EU legislation that requires the processing of health data of its visitors, in the context of the implementation of health protocols, as in force.
III. Data Retention Time
We take all reasonable steps to ensure that your personal data is only retained for as long as is necessary and for the purpose for which it was collected or for as long as it is required contractually or by applicable law. The company will retain your Personal Data:
(i)    In the event that processing is necessary to comply with a legal obligation of the controller for as long as the legal obligation exists on the part of our company or, if specifically defined in the legislation, for as long as such an obligation is provided by law, e.g. tax or labor law.
(ii)    In case processing is necessary for the execution of a contract to which the data subject is a contracting party, the company retains your data throughout the duration of the contractual relationship between us, as well as for a period of five (5) years from the last calendar day of the year of the end of your respective relationship with our company, for the possibility of our future cooperation/contact and for proof purposes against the authorities and public services. Exceptionally, the company may retain your data beyond the above-mentioned period if it has a legitimate interest or legal obligation to do so or when it is required to claim or defend its rights against legal claims.
(iii)    In case your data is processed upon your consent, until you withdraw your consent. You have the right to withdraw your consent at any time. However, the withdrawal of consent does not affect the lawfulness of the processing that was based on the consent before its withdrawal.
IV. Personal Data transfer
All employees, partners and processors who collaborate with our company and may process your personal data are contractually bound by clauses of confidentiality. As a rule, we will not share your information with third parties for their own independent business or marketing purposes, without your consent. However, we may share your information with third parties only under the terms of this privacy policy and in particular:

•    When required or approved by law (e.g., transmission of data to the information system of the Ministry of Labour, Social Security and Social Solidarity “ERGANI”) or in the context of controls by any public authority (e.g., control by police or other authorities) or to judicial and prosecutorial authorities in the exercise of their duties.

•    If it is necessary, to provide you with services that you have requested from us (e.g., to a transport company), if you give your consent or ask for it.

•    to our partners and third-party service providers who provide services on our behalf, who assist the company in fulfilling its obligations (e.g., insurance companies, software support and maintenance companies, lawyers, website management companies, management of newsletters, etc.).

V. Principles relating to processing of personal data
Our company and its specially trained personnel ensure that your personal data are processed lawfully, fairly and in a transparent manner, are collected for specified, explicit and legitimate purposes, and are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Our company generally adheres to the processing principles set out in the General Regulation on the Protection of Personal Data 679/2016 (lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability) and Law 4624/2019. In any case, we take appropriate organizational and technical measures to ensure that your personal information is transferred, stored and processed in accordance with the security standards and procedures, the terms of this Policy and applicable law. For this purpose, we use appropriate technical and operational tools, such as anonymization, pseudonymization, data encryption, use of firewalls, limited, authorized access to employees, staff training, periodic checks.
VI. Rights of the data subject
Our company is committed to maintaining the confidentiality of your personal data and ensuring that you can easily exercise your rights. Regardless of the purpose or legal basis on which we process your data, you have the following rights:

•    You may ask us for access and information about your personal data (right of access).

•    You have the right to correct your data, so that it is true and accurate (right to rectification).

•    You have the right, also known as the “right to be forgotten” to request the erasure or removal of your personal data. The right to erasure is not an absolute right. The Company may have the right or obligation to retain the information, in cases it has a specific legal obligation or another legal reason to retain it.

•    You may ask us to restrict the processing of your personal data (right to restriction).

•    You may request to receive your personal data in a structured, widely used and machine-readable format in order to transmit it directly to another legal entity without hindrance on our part (right to portability).

•    You have the right to object to the processing of your data, in particular if your data is collected for direct marketing purposes (right to object).

•    You can exercise your rights by sending an email to the address privacy@portopalace.gr
The Company will respond to you within one (1) month from the receipt of the request or in case of complexity or other difficulty and upon relevant notification within a period of three (3) months, either by its completion or by the reasoned refusal to perform what you requested for legitimate reasons, which are expressly specified in the General Data Protection Regulation (EU) 2016/679 - GDPR, (“Regulation”), in accordance with the relevant internal procedure. If your requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the company may impose a reasonable fee, taking into account the administrative costs of providing the information or carrying out the requested action.
VII.  Right to lodge a complaint with a supervisory authority
In case you feel that the protection of personal data is infringed in any way, you can file a complaint to the Hellenic Data Protection Authority (www.dpa.gr, Kifissias Avenue 1-3, P.C. 115 23, Athens, tel: +30 210 6475600, fax: +30 210 6475628, email: contact@dpa.gr).

VIII.  Amendments to this Policy
This Privacy Policy may be amended unilaterally at any time to comply with regulatory changes or for operational purposes. You should check this page from time to time to ensure that you are aware of those changes and to be informed about the way in which our company manages and processes your personal data.
LAST UPDATED: JUNE 2023

ANNEX I: 2nd Level Notification on the processing of personal data through a video surveillance system
1.    Controller Details: The private company under the name «S. AND Α. MAMADAS HOTEL AND TOURIST ENTERPRISES S.A.» and the distinctive title «HOTEL PORTO» having its seat in Thessaloniki, 65 26th October Street, tel.: +30 2310 504504/ +30 2310 504500, e-mail: info@portopalace.gr.
2.    Purpose of processing and legal basis: We use a surveillance system for the purpose of protecting people and assets at our hotel. The processing is necessary for the purpose of the legitimate interests that we pursue as Controller, according to Article 6 paragraph 1 (f) GDPR.
3.    Analysis of legitimate interests: Our legitimate interest consists in the need to protect our premises and our goods, or the goods of our customers from illegal acts, including, for example, theft, vandalism, damage, etc. As a hotel, we have a legal obligation to protect the property of our customers (see articles 834 et seq. of the Civil Code), and the installation of a video surveillance system in our premises is aimed at this.
In addition, there is a legitimate interest in the protection and safety of the life, physical integrity, health and property of our staff, our customers and any third party who enters our premises. For these purposes, the video surveillance system aims to protect and secure the hotel’s facilities and infrastructure critical to its operation. Please note that we only collect image data, not audio data, and we do not use cameras with rotation (pan-and-focus cameras).
Regarding the installation of the cameras in the hotel premises, an assessment was carried out, during which the interests and fundamental rights of the data subjects and the legal interest of our hotel were weighed, limiting the placement of the cameras only to the areas and points where we assessed that there is an increased possibility of illegal acts or increased expectation of safety and protection of persons and property.
In accordance with article 17 paragraph 1) of Directive 1/2011, the installation of cameras in our hotel is limited to the areas intended to control incoming/outgoing traffic, such as the central entrance of the hotel, the reception area, the entrances/exits of the elevators and staircases and the entrance to the parking. Also, in the money storage areas (cash registers), in the property storage areas, in the equipment facilities and in the electromechanical facilities. Also, cameras have been placed in the entrance/exit areas of the elevators on the floors, but without taking an image from the corridors of the hotel or the entrances of the individual rooms. Toilet areas and vestibules, as well as common areas (gym, swimming pool) and catering areas, such as lounge area, breakfast area, restaurant, are not videotaped. Finally, cameras have been placed on the external perimeter of the building and this to the extent necessary for security and control of the hotel’s perimeter.
4.    Recipients: The material stored is accessible only by our competent/authorised personnel who are charged with the security of the space. This material shall not be transmitted to third parties, save in the following cases: a) to the competent judicial, prosecution and police authorities when it includes information necessary to investigate a criminal act involving persons or goods relating to the controller; b) to the competent judicial, prosecution and police authorities when legitimately requesting data in the performance of their duties; and c) to the victim or the perpetrator of a criminal offence, in cases of data which may constitute evidence of the act.
5.    Retention period: We retain the data referred to in this Notification for seven (7) days and, after this period has elapsed, the data are automatically deleted. If an incident comes to our attention during this period, we will isolate part of the video and retain it for one (1) further month, for the purpose of investigating the incident and instituting legal proceedings to protect our legitimate interests; if the incident concerns a third party, we will retain the video for a further period of up to three (3) months.

6.  Rights of Data Subjects: Data Subjects have the following rights:

•    Right of access: You have the right to be informed whether we process your image and, if so, to receive a copy of it.

•    Right to restrict processing: You have the right to request that we restrict processing, such as, for example, not to delete data which you consider necessary to establish, exercise or defend legal claims.

•    Right to object: You have the right to object to processing.

•    Right to erasure: You have the right to request the erasure of your data.

You can exercise your rights by sending an email to the address privacy@portopalace.gr or a letter to our postal address, 65 26th October Street, Thessaloniki, or by filing a request in person at our offices. In order for us to examine a request related to your image, you will need to advise us approximately when you were within reach of our cameras and provide us with an image of yours to enable us to locate your data and withhold the data which portray third parties. Alternatively, you may visit our premises in order for us to display the images in which you appear. Please note that the exercise of your right to object or right to erasure does not entail the immediate deletion of your data or the modification of the processing. In any event we will respond in detail as soon as possible, within the time limits set forth in the GDPR.
7.    Right to lodge a complaint: Should you believe that the processing of your data infringes Regulation (EU) 2016/679, you have the right to lodge a complaint with the supervisory authority.  The competent supervisory authority for Greece is the Hellenic Data Protection Authority, 1-3 Kifisias Street, PC GR-11523, Athens, https://www.dpa.gr, tel: 2106475600.