1.What is your personal data?
Your personal data includes all information on paper or electronic media, which may lead, either directly or in combination with others, to your identification or identification as a natural person. This may include information such as your name, postal and e-mail addresses, your
mobile phone, your device or your web browsing history, and any other information that signifies your unique identification according to the provisions of the General Data Protection Regulation (GDPR 679 /2016), law 4624/2019, the current Greek legislation and the decisions of the Greek Data Protection Authority.
2. What data do we collect, for what purpose and on what legal basis?
Our principles for processing personal data are:
- Fairness and lawfulness. When we process personal data, the individual rights of the Data Subjects must be protected. All personal data must be collected and processed in a legal and fair manner.
- Restricted to a specific purpose. The personal data of Data Subject must be processed only for specific purposes.
- Transparency. The Data Subject must be informed of how his/her data is being collected, processed and used.
CRETAN PEAKS collects several different types of personal data for various purposes.
To be able to provide our services we collect data only for lawful processing purposes (according to articles 6 and 9 of the General Data Protection Regulation).
Registration Data for participation in the tour
· Gender (for rooms’ allocation)
· Food intolerance (Lactose, Gluten, Vegan, etc)
Applying and/or performing a contract or a pre-contractual relationship with the Company
Login to the website
· IP address, date and time of access
· Referrer URL, Access provider,
· Operating system
Providing services for proper connection creation, security, and system’s stability
Legal interest, in the context of making the Company’s website available to the public and providing services to it. Please read our Cookies’ Policy carefully to learn more about Cookies and how they are used.
3. Minimize, store, and delete data
The Company will always require the minimum necessary personal data for your participation in the trip.
The Company keeps your personal data stored only for as long as it is required by the contractual terms, in combination with the period required by the current legislation.
4. Data concerning underaged persons
Our Company does not process personal data of persons who have not reached the age of 18 and reserves the right in case it is found that any underaged person has provided his data to the Company, without the consent of his legal representative, to delete the specific data. If you notice that an underaged person has provided his / her data to us without the consent of his / her legal representative, please contact us.
5. Recipients of User data
As a rule, our Company does not transmit your personal data to third parties, besides it is required by law or for the performing our services.
More specifically, the personal data collected by the company in the context of the services provided are processed by:
- a) the authorized and properly trained staff of the Company which is bound by contracts and strict confidentiality clauses. Access is graded according to the role and responsibilities of each staff member.
- b) associates of our Company, to whom the Company according to art. 28 GDPR entrusts the execution of specific tasks on its behalf (performers of processing) and with which it has ensured the processing in accordance with GDPR for the protection of your data, by signing contracts and committing to comply with adequate measures, in accordance with the relevant provisions of GDPR(nos. 28, 32), such as, but not limited to, hosting service providers, legal, accounting, technical companies in the context of website management and service provision.
(c) public bodies and authorities, such as public services and bodies, independent authorities, regulators, police, competent authorities, prosecutors, other administrative services, etc., when required to do so by the applicable legal framework.
In addition, our Company does not transmit personal data to third countries or international organizations which do not ensure an adequate level of protection.
6. Communication with the website
The communication with our website is done by sending an e-mail to the address: firstname.lastname@example.org
Only the Managing Director has access to the messages we receive on our platform, who is contractually bound by confidentiality clauses.
We do not forward messages to third parties, which we receive on our platform, without the explicit consent of the sender.
Exceptions are the cases in which the forwarding to third parties or non-deletion of the electronic messages we receive is necessary for the fulfillment of our obligations deriving from the law or for the establishment, exercise, or support of legal claims and always in accordance with the Regulation for the Assurance of Confidentiality in Electronic Communications
7. Security of your personal data – Technical and Organizational measures
Our Company considers, among other things, to take adequate and appropriate technical and organizational measures in order to ensure the appropriate level of security against the risks during processing, especially from accidental or illegal destruction, loss, alteration, unauthorized disclosure, or access to personal data that transmitted, stored or otherwise processed as well as the preservation of both technical and physical safety in accordance with Article 32 of the GDPR. It applies relevant Policies and generally adheres to the principles of processing in accordance with the principles of GDPR (art. 5 GDPR), to ensure the availability, integrity, and confidentiality of your data.
8. Your rights
The Company applies the principles of processing of GDPR 2016/679 (legality, objectivity, transparency, limitation of purpose, data minimization, accuracy, limitation of storage time, integrity, confidentiality, and accountability). The Company protects and secures your Rights regarding the use of your Personal Data.
Specifically, you have the following rights regarding your personal data protection.
- Right to information
You have the right to be informed about the collection and use of your personal data.
- Right of access
You have the right to receive confirmation, whether your personal data is being processed and, if so, you have the right to access your personal data in a concise, comprehensible, transparent, and easily accessible form.
- Right of correction
You can request and we will ensure that without undue delay, we will correct inaccurate or incomplete personal data, including through a supplementary statement.
- Right to delete
You have the right to require the deletion of the personal data that concern you, without undue delay and we will proceed with the deletion, under the conditions set by law.
- Right to restrict processing
You have the right to require the restricted processing of data for limited and specific purposes only, under the conditions set by law.
- Right of objection
You have the right to object, at any time and for reasons related to your situation, to the processing of your personal data. We will then no longer process your personal data, unless there are compelling and legitimate reasons for processing that override your interests, rights and freedoms or the establishment, exercise or uphold of legal claims.
- Right to data portability
You have the right to receive your personal data, which you have provided to ‘’CRETAN PEAKS’’, in a structured, commonly used, and machine-readable format, as well as the right to request the transfer of such data to another processor without objection from the Company under the conditions set by law.
- Right to human intervention
The above applies non-discriminatory and is imposed on all processes carried out by the Company and for all services provided as well.
We will respond to your request within thirty (30) days of receipt. In the event that an extension of the above deadline is required in order to investigate and / or process your request, you will be informed about, explaining to you the reasons why it is necessary to extend the deadline.
In any case, if you feel that the protection of your personal data has been violated in any way, you have the right to file a complaint to the Hellenic Personal Data Protection Authority (www.dpa.gr).
9. Special statements of the Company:
The Company is not responsible for any damage direct, indirect, material, or consequential
that may be caused to the user due to the website or its use. The user is solely responsible for protecting his system from viruses and other malware.
In addition, the company is not creating a profile or making any decisions based on automated processing of your data.
Finally, it is clearly stated that no other use of the User’s personal data will be made for purposes other than those mentioned herein, without prior notice and, where required, his consent.
10. Useful information:
Company CRETAN PEAKS G.P.
Phone: +306949594691 – +306972377732
Details of the Hellenic Data Protection Authority:
Address: 1 – 3 Kifissias Avenue, PC 115 23, Athens
Call Center: +30 210 6475600
Fax: +30 210 6475628
11. Changes in policy and information
Effective protection of users’ personal data requires systematic monitoring of company’s policies and procedures. At the same time, the Company’s desire to provide better and up-to-date services means that it is constantly striving to improve practices and introduce new ones, always with respect for personal data.
12. Policy Validity
This Policy was published by the Company on 22 / 11 / 2021