Information on the Processing of Personal Data

Introduction
We would like to assure you that for AHO Hotel Operations Monoprosopi A.E. and BHE Greece Monoprosopi IKE, managing the Dave Red Hotel, the protection of our customers’ personal data is of paramount importance. That is why we are taking appropriate steps to protect the personal data we process and to ensure that the processing of personal data is always carried out in accordance with the obligations laid down by the legal framework, both by the companies themselves and by third parties who process personal data on behalf of the companies.

Data Controllers – Responsible for the Processing of Personal Data
AHO Hotel Operations Monoprosopi A.E having its registered office at 11, Marikas Kotopouli street, Athens 104 32, Greece, email:  [email protected], tel: +30 214 402 7660, website: www.brownhotels.com/athens/davered, hereinafter also referred to as the “Company”, and BHE Greece Monoprosopi IKE having its registered office at 28, Geraniou Str., Athens 10552, email:  [email protected], website: www.brownhotels.com, inform that, in the context of their business activities, they process personal data of their customers in accordance with the applicable national legislation and the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation”) as is currently in force. 
BHE Greece Monoprosopi IKE handles the management and the operation of the Hotel, as well as the execution of the activities. Thus, AHO Hotel Operations Monoprosopi A.E and BHE Greece Monoprosopi IKE process your personal data as joint controllers in the context of the performance of a contract to which AHO Hotel Operations Monoprosopi A.E and BHE Greece Monoprosopi IKE are parties. 
In addition, the AHO Hotel Operations Monoprosopi A.E uses external providers/processors for the purposes of registration, booking and sending newsletters about products, services and offers.
In the above cases, the company is the sole data controller and defines the specific elements of the processing. It also signs a contract with the third parties to whom it assigns the data processing, in order to ensure that the processing is always carried out in accordance with the current legal framework and that any natural person can freely and without hindrance exercise the rights conferred on him/her by the legal framework.

For any matter concerning the processing of personal data, please contact the Data Protection Officer (DPO) - Andersen Legal - directly, email: [email protected].

Which are the categories of personal data we process?
Your personal data we process are absolutely necessary and appropriate for the achievement of our business purposes. The personal data processed to achieve these purposes are indicatively the following and are divided into two categories:
A.    Simple Data
Personal data you provide to us, such as:
Identification Data (name, surname, date of birth, nationality and any other information which may appear in your passport or other piece of formal identification),
Contact details (phone number, email address),
Additional information, such as address, city and other information by responding to a communication from us or by filling in forms (both online and offline).
Please note that the data relating to your identification or your contact details are absolutely necessary for any transaction or contractual relationship with the company and that the type and number of other data depend in each case on the contract which either has been or will be concluded, and /or on the offered service.
We hereby inform you that it is your duty to inform the company on time of any changes to the data you have submitted at your own initiative, as well as to respond to any update request.
B.    Special Categories of Data (Sensitive Data)
We collect data as described in article 9 of the General Data Protection Regulation (“GDPR”) (EU) 2016/679. You provide us with such personal data via a Spa Consultation Form, when you want to receive body and face treatment. We are kindly asking you not to send us, unless specifically asked, any sensitive Personal Data (e.g. health data). In order to deliver the best possible treatment and ensure that the correct products are selected and we do not injure you, we request from you some categories of health data in order to provide you with the appropriate spa services taking into special consideration your health. 

How and why do we process your personal data?
We use your data for the following reasons:
•    To provide the services you request, to perform our contract and in general to fulfill our obligations towards you
We collect your personal data in order to provide you with our services after the conclusion of the relevant contract. In order to conclude a contact with you and in general to fulfill our obligations towards you, we need your personal identification data and your contact details.
•    To improve our services and protect our business interests
Our business purposes, for which we use your information, help us improve the quality of our services and meet your expectations. For example, we may need to contact you by email or telephone to handle requests or complaints about our services. Moreover, during your visit to our Company's website, you can fill in the contact form by filling in your name, phone number, email and anything you wish to be informed about and receive a reply from our company as soon as possible! We may also invite you to complete surveys that we use for research purposes, although you do not have to respond to them.
•    To inform you about our services and offers
If you have consented to this by subscribing to our Companys newsletter or you are part of our corporate customers, we will send you promotional material about our new services and offers.

•    To comply with our legal obligations
We process your personal data in order to comply with our legal obligations, and in particular with labor, insurance and tax legislation, judgements or administrative authorities’ decisions. We also process your personal data in order to investigate complaints, identify and prevent fraud, evaluate the accuracy of pricing and assess situations relating to possible threats to the security of any person or violations of our policies or terms.

•    To safeguard our legitimate interests and protect individuals, materials and facilities with the settlement and operation of CCTV systems. 

Which are the legitimate grounds for processing your personal data?
We process the personal data you provide us only when we have a legitimate interest to do so.
Legal grounds for processing your personal data are:
(a) the proper performance of the services you wish to receive from us in accordance with our contractual obligation between us under an existing contract, or the necessity to process personal data at the pre-contractual stage at your request to provide you with our services in the context of our partnership,
(b) the safeguarding and the protection of our legitimate interests, both yours and ours. Therefore, we may process personal data in order to ensure security of individuals, materials and facilities, network security and smooth operation of the company's information systems and their protection against malware, IT support, the establishment, exercise and defense of our legal claims as well as the overall organization and development of our business activities, including marketing towards our corporate clients,
(c) compliance with an obligation imposed by law, which may consist of obligations arising from the provisions of labor, tax and social security legislation,
(d) the consent you provide us with under the specific conditions set out by the legal framework, for instance in order to receive information on our services, offers etc.

To whom do we transfer personal data?
AHO Hotel Operations Monoprosopi A.E. transfers your personal data to the following categories of recipients:
•    Company’ s employees
Your data may be transferred to our company’s employees in charge of assessing and satisfying your requests, managing and performing your contract(s) with the company, meeting the obligations arising from the contract(s) or imposed by law.
Your personal data are dealt with the highest degree of confidentiality, as those employees who process your personal data have a sufficient and significant level of awareness to protect them and are bound by a confidentiality clause or are subject to the appropriate regulatory obligation to observe the confidentiality clause.
•    BHE Greece Monoprosopi IKE
BHE Greece Monoprosopi IKE, as a joint controller and Hotel Manager of AHO Hotel Operations Monoprosopi A.E. uses your data, to provide you with information about the Dave Red Hotel services which may be of interest to you via email, post or telephone. BHE Greece Monoprosopi IKE promotes, monitors, and checks the management, the marketing and the whole operation of Dave Red Hotel, as well as the performing of activities. It also has all the powers it needs for providing services and facilities.     
•    State Authorities, law enforcement authorities in the exercise of their duties
We may share your information with the competent state authorities, law enforcement authorities as long as this is necessary and permitted by law, in order to identify or prevent criminal acts, unlawful activities and situations relating to potential security threats of any person or violation of our policies or terms. 
•    External partners, legal consultants, auditors, advertising companies etc.
The company, in the course of managing court proceedings and for the purposes of establishing, exercising and defending its legal claims against third parties, may transfer your data to external lawyers in the event that their assistance is considered necessary for the management of the case and the defense of the company’s rights. 
Furthermore, the company may also transfer your personal data to third cooperating companies for the purpose of sending newsletters about products, services and offers.
In the above cases, the company remains data controller and defines the specific elements of the processing. It also signs a contract with the third parties to whom it assigns the data processing, in order to ensure that the processing is always carried out in accordance with the current legal framework and that any natural person can freely and without hindrance exercise the rights conferred on him/her by the legal framework.
Furthermore, the company ensures that the processors it engages fulfill the requirements and provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will ensure the protection of your rights.

Storage Time
The data storage time is decided based on the following specific criteria, as appropriate on each case:
When the processing is necessary for compliance with legal obligations under the applicable legal framework, your personal data will be stored for as long as required by the relevant provisions.
When the processing is based on a contractual relationship, your personal data are stored for as long as is necessary to perform the contract and for the establishment, exercise or defense of legal claims in accordance with the contract.
For marketing purposes, your personal data are stored until their withdrawal. You have the right to withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of the processing based on consent before its withdrawal.
In all the above cases, the personal data processed by the company are stored in a hard copy and/or soft copy. We undertake all efforts so that your data is stored for a period no longer than is necessary for the purposes for which they have been obtained.

What are your rights with respect to your personal data?
Any natural person whose data are being processed by AHO Hotel Operations Monoprosopi A.E. and BHE Greece Monoprosopi IKE enjoys the following rights:
Right of Access:
You have the right to be aware and verify the legitimacy of the processing. So, you have the right to access the data and get additional information about how your date are processed.
Right to Rectification:
You have the right to study, correct, update or modify your personal data by contacting the person in charge for the processing of personal data with the above-mentioned contact details.
Right to Erasure (“Right to be forgotten”):
You have the right to request the erasure of your personal data when we process them based on your consent or in order to protect our legitimate interests. In all other cases (for example, when there is a contract, or an obligation to process personal data required by law or for public interest reasons), this right is subject to specific restrictions or may not apply, depending on the case.
Right to Restriction of Processing:
You have the right to obtain from us restriction on the processing of your personal data where one of the following applies:
(a) the accuracy of the personal data is contested and until such accuracy is verified;
(b) you oppose the erasure of your personal data and request (instead of erasure) the restriction of their use;
(c) personal data are not needed for the purposes of processing, but they are, however, required for the establishment, exercise or defense of legal claims; and
(d) you object the processing pending the verification whether our legitimate grounds override those of yours.
Right to Object:
You have the right to object at any time the processing of your personal data where, as described above, such processing is necessary for the purposes of legitimate interests we seek as controllers, as well as to the processing for direct marketing purposes, including profiling related to such direct marketing.
Right to Data Portability:
You have the right to receive your personal data free of charge in a format that allows you to access, use, and edit them, using commonly used editing methods. You also have the right to ask us, if technically feasible, to transmit the data directly to another controller. This right concerns the data you have provided to us and their processing is carried out in a commonly used format based on your consent or in order to perform a contract.
Right to withdraw consent:
Where processing is based on your consent, you have the right to withdraw it. The withdrawal of your consent shall not affect the lawfulness of the processing based on consent before its withdrawal.
In order to exercise any of the above-mentioned rights please contact the Data Protection Officer (DPO) - Andersen Legal - directly, email: [email protected].
In all the above cases, we will do our best to respond to your request within thirty (30) days of its submission. This deadline may be extended for up to sixty (60) additional days, if necessary, considering the complexity of the request and the number of requests. Therefore, we will notify you within thirty (30) days.
Right to lodge a complaint with the Hellenic Data Protection Authority
You have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr) electronically through the portal  https://eservices.dpa.gr/. 

Personal Data Security
AHO Hotel Operations A.E. and BHE Greece Monoprosopi IKE implement appropriate technical and organizational measures aimed at the safe processing of personal data and the prevention of accidental loss or destruction and/or unauthorized access to, use, modification or disclosure thereof. In any case, the way in which the internet operates and the fact that it is free to anyone cannot guarantee that unauthorized third parties will never be able to violate the applicable technical and organizational measures by gaining access and possibly using personal data for unauthorized and/or unfair purposes. Several security measures are in place so that AHO Hotel Operations A.E. and BHE Greece Monoprosopi IKE can safeguard the integrity of their communications and computing infrastructure, including authentication methods, monitoring, auditing, and encryption technology. We seek to use reasonable organizational, technical and administrative measures to protect your personal data.  

Transfers of personal data to third countries or International Organizations
Personal Data processed by AHO Hotel Operations Monoprosopi A.E. and BHE Greece Monoprosopi IKE may be transferred to third countries outside the EU, such as Israel. Transfer of personal data hereunder may take place on specific grounds such as compliance with regulatory obligations, execution or performance of a contract, protection of a legitimate interest of AHO Hotel Operations Monoprosopi A.E. and BHE Greece Monoprosopi IKE. In any case AHO Hotel Operations Monoprosopi A.E. and BHE Greece Monoprosopi IKE ensure that such data transfer is compatible with the legal obligations of secrecy and in line with protection standards and requirements set by the GDPR legal framework.

Links to other websites
Our website may include links to other websites that are beyond our control, and other websites beyond our control may be linked to this website. While we try to ensure that our website is only linked to websites sharing the same privacy and security criteria, the company is not responsible for the privacy practices or the content of other websites. Therefore, we suggest that you carefully read the privacy policy on the relevant website.

Changes to this Privacy Notice
Information about privacy on our site reflects the current state of the data processing. In case of changes in the data processing, this information will be updated accordingly. There will be always the latest version of this data protection information on our site so that you are informed via our site about the data processing.
We recommend that you always be aware of how we process and protect your personal information. All changes in respect of this Privacy Notice will become known in time, before these changes take effect.
The above information is provided in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council as well as with the relevant provisions of the national legislation on the protection of personal data applying the Regulation.