Τhe Company “CAYO CRETA LIMITED HOTEL AND TOURISM COMPANY” with the distinctive title «CAYO CRETA S.A.» (hereinafter referred as the Company) pays special attention to the importance of the legal collection, process, use, safety and protection of your personal data, regardless your identity when communicating or cooperating with us, indicatively as potential, present, former client, consumer, visitor of our website, employee, supplier, trader, individual or cooperating third party.
The Company is the Controller for the Personal Data that are processed in its website (https://www.cayoresort.com). And we remain at your disposal for any clarification. Our address is Plaka, Schisma Elounda, Agios Nikolaos of Crete, Greece P.C: 72053, phone number: +302841044700 and email address email@example.com.
1. The website
The domain https://www.cayoresort.com/ is the website of our Company and provides a wide range of information about the services of our Hotel, while it also provides you the opportunity to proceed to an online booking.
2. Which categories of personal data we process
During your visit to our website we process, indicatively, the following categories of your personal data:
We collect the above data when you complete the «Book Now» form, the registration form at the «Cayo Exclusive Resort & Spa - Loyalty Club» and also when you complete the registration form on our Newsletter list.
We do not collect special categories of personal data (racial or ethnic origin, political beliefs, religious or philosophical beliefs, membership in trade unions, as well as the processing of genetic data, biometric data for the purpose of unambiguously identification of a person, data concerning health or data concerning the sexual life of a person or the genetic orientation). Therefore, we strongly recommend you to refrain from sending data of this category and we inform you that in case of dispatch, our Company will immediately delete them.
3. Purpose of Personal Data’s Process
The Company and those acting under its instructions and on its behalf / processors of the data, process them exclusively for the following purposes:
The Data is processed exclusively for the above purposes or in certain occasions for the purpose of the legal/regulatory compliance of our Company or for supporting legal claims.
The process of your personal data is made with respect to the basic principles, that are imposed by the Regulation, for the protection of personal data, such as the lawfulness, the objectivity and the transparency, the restriction of the processing purpose, the minimization of the data, the accuracy, the restriction of the storage period, the integrity, the confidentiality and the accountability.
4. Legal basis for the process
Regarding your Personal Data received by the Company when you complete the «Book Now» form, processing is necessary for the performance of the concluded service agreement between as or in order to take steps at your request prior to entering into a service agreement.
When registering our Newsletter recipient list, we process your personal based on your explicit consent for this specific processing purpose.
By registering to the membership club 'Cayo Exclusive Resort & Spa - Loyalty Club', we process your personal data, regarding your previous reservations, based on your explicit consent.
As for the Personal Data we receive from cookies installed in our website, the processing is based on your expressed consent.
5. Who has access to the Personal Data?
Access to your Personal Data has exclusively the necessary, in each case, employees of the Company, which have received the required information for the safe process of your personal data.
Moreover, access to your personal data might have the companies and the individuals that cooperate with us (processors), when a specific processing has been assigned to them by the Company. Indicatively your personal data are processed by the IT company that supports our website and the marketing company that is assigned to manage and send our Newsletter. The processing of the personal data by the processors is made under the explicit instructions of the Company and after it is guaranteed that all the necessary technical and organizational measures have been received.
Third parties, who may have access to your data, are official government and supervising bodies (eg law enforcement and prosecuting authorities, supervising authorities, etc.), when we are obliged to comply with the law, when the transfer is deemed necessary for significant public interest reasons, as well as for the foundation, exercise, or support of legal claims.
6. Transmission of Personal Data outside to third countries
Your Personal Data are transferred outside the EAA. More specifically our Company transfers your personal data to the Revinate Inc, a company based in California, USA, which provides our Company marketing services.
Revinate Inc, in regard to this specific processing, falls within the EU-US Privacy Shield. Therefore, that processing is legal based on the adequacy decision of the European Commission, which stated that the EU-US Privacy Shield ensures an adequate level of protection for personal data of European citizens.
7. Do we make automated decisions/including profiling will processing your data?
By providing your explicit consent, you are participating in the «Cayo Exclusive Resort & Spa - Loyalty Club», in which case we process your personal data, regarding your previous reservations in our Hotel. This processing is made in order to provide you further privileges, such as discounts and additional benefits, depending on the category (silver, gold platinum) in which you are automatically classified, as a member of our Loyalty Club.
This processing constitutes an automated individual decision-making, including profiling based on your explicit consent, which can be withdrawn by sending an email to firstname.lastname@example.org.
8. The time period we keep your data
Your personal data is kept only for the reasonable time period that is required by the nature of their processing, the fulfillment of our legal obligating concerning the storage of your data and the potential support of our legal claims. In any case, your data are not kept for a time period longer than 20 years.
9. Connection with other websites
The potential interconnection of the present website with other third parties’ websites through links, hyperlinks, banners, does not entail any liability on behalf of the Company for the content of those websites, the quality of the products and services that might promote, or the policy that might use concerning the protection and the process of the personal data. The natural person should pay the necessary attention and be informed concerning the protection and processing of his/her personal data from the above websites by reading their respective data protection policies.
10. The safety of your Data
We commit to safeguard your Personal Data by taking all the appropriate organizational and technical measures to secure and protect them from any form of accidental or fraudulent processing. It has to be mentioned, that our specifically authorized employees, who process your personal data, have received the appropriate guidance and information.
The measures we receive are reviewed and amended when deemed necessary.
11. What are your rights?
As subject of the data you have the following rights:
1.You have the right to access your Personal Data
This means you have the right to be informed from us about whether we process your Data. If we process your Data you can request to be informed about the purpose of processing, the type of Information we keep, the recipients, the retention periods, whether we do automated decision making, as well as about your other rights, such as rectification, erasure, restriction of processing and to lodge a complaint with the Hellenic Data Protection Authority.
2. You have the right to rectify your inaccurate Personal Data
If you find that your Data is incorrect you can request us to correct it (correct a wrong or previous phone number/address etc.).
3. You have the right to erase your Information / right to be forgotten
You can request from us to delete your Personal Data if it is not necessary for the above-mentioned purposes or if you wish to withdraw your consent in case this is the only lawful basis for processing.
4. You have the right to Data portability
You can request form us to receive in a readable format your Personal Data that you have provided us or request from us to transfer your Information to another data controller.
5. You have the right to restrict the processing of your Personal Data
You can request from us to restrict the processing of your Personal Data for as long as the examination of your objections is pending.
6. You have the right to object to the processing of your Personal Data
You can object to the processing of your Personal Data, in case we process them upon the legal basis of our legitimate interest. In that case, we shall no longer process your Personal Data, unless we have compelling legitimate grounds for the processing which override your rights.
7. You have the right to withdraw your consent
You have the right to withdraw your consent at any time, in those cases that processing is based on that legal basis.
12. How can you exercise your rights?
13. Change of our Policy
We will update this Policy whenever deemed to be necessary. If there are any significant changes to the Policy or the way we use your personal data, we will notify you either by posting those changes on a visible place to our website, before the changes come into force, or in any other appropriate manner. We encourage you to read this Policy on a regular basis in order for you to be aware on the way your Information is protected. Τhe last change in our policy was made at 23/03/2020.