The Company “CAYO CRETA LIMITED HOTEL AND TOURISM COMPANY” with the distinctive title «CAYO CRETA S.A.» (hereinafter referred to as the Company) pays special attention to the importance of the legal collection, processing, use, safety and protection of your personal data, regardless of your identity when communicating or cooperating with us, indicatively as a potential, present or former client, consumer, visitor of our website, employee, supplier, trader, individual or cooperating third party.
The Company is the Controller for the Personal Data that are processed in its website (https://www.cayoresort.com), and we remain at your disposal for any clarification. Our address is Asterousion 54, Heraclion of Crete, Greece P.C: 71305, phone number: +30 28410 4470 and email address firstname.lastname@example.org
The domain https://www.cayoresort.com/ is the website of our Company and provides a wide range of information about the services of our Hotel, while it also provides you the opportunity to proceed to an online booking.
Which categories of personal data we process
During your visit to our website we process, indicatively, the following categories of your personal data:
- Basic data of natural person: full name, email, phone number, home address, etc.
- Family status data: existence of minor children, number of children
- Business data: company / work organization, business purpose of the trip
- Financial Data: debit card number, beneficiary details
- Preferences and comments you send as part of your online booking
- Booking and visiting data at our Hotel
- Data collected through cookies that are installed on our website and for which you can be informed here
We collect the above data when you complete the «Book Now» form, the registration form at the «Cayo Exclusive Resort & Spa – Loyalty Club» and also when you complete the registration form on our Newsletter list.
We do not collect special categories of personal data (racial or ethnic origin, political beliefs, religious or philosophical beliefs, membership in trade unions, as well as the processing of genetic data, biometric data for the purpose of unambiguous identification of a person, data concerning health or data concerning the sexual life of a person or the genetic orientation). Therefore, we strongly recommend that you refrain from sending data of this category and we inform you that in case of dispatch, our Company will immediately delete them.
Purpose of Personal Data’s Process
The Company and those acting under its instructions and on its behalf / processors of the data, process them exclusively for the following purposes:
- to complete the online booking process, via the «Book now form» or
- to manage “Cayo Exclusive Resort & Spa – Loyalty Club” and the provision of the privileges that follow your registration to it or
- to send you our Newsletter, which provides information concerning our Hotel’s services or
The Data is processed exclusively for the above purposes or in certain occasions for the purpose of the legal/regulatory compliance of our Company or for supporting legal claims.
The processing of your personal data is carried out with respect for the basic principles imposed by the Regulation for the protection of personal data, such as the lawfulness, the objectivity and the transparency, the restriction of the processing purpose, the minimization of the data, the accuracy, the restriction of the storage period, the integrity, the confidentiality and the accountability.
Legal basis for the process
Regarding your Personal Data received by the Company when you complete the «Book Now» form, processing is necessary for the performance of the concluded service agreement between us or in order to take steps at your request prior to entering into a service agreement.
When you register on our Newsletter recipient list, we process your personal data based on your explicit consent for this specific processing purpose.
By registering to the membership club ‘Cayo Exclusive Resort & Spa – Loyalty Club’, we process your personal data, regarding your previous reservations, based on your explicit consent.
As for the Personal Data we receive from cookies installed in our website, the processing is based on your expressed consent.
Who has access to the Personal Data?
Access to your Personal Data is granted exclusively to the employees of the Company for whom it is necessary in each case, and who have received the required information for the safe processing of your personal data.
Moreover, the companies and the individuals that cooperate with us (processors) might have access to your personal data, when a specific processing has been assigned to them by the Company. Indicatively, your personal data are processed by the IT company that supports our website and the marketing company that is assigned to manage and send our Newsletter. The processing of the personal data by the processors is made under the explicit instructions of the Company and after it is guaranteed that all the necessary technical and organizational measures have been taken.
Third parties, who may have access to your data, are official government and supervising bodies (eg law enforcement and prosecuting authorities, supervising authorities, etc.), when we are obliged to comply with the law, when the transfer is deemed necessary for significant public interest reasons, as well as for the foundation, exercise, or support of legal claims.
Transmission of Personal Data to third countries
Your Personal Data are transferred outside the EEA. More specifically, our Company transfers your personal data to Revinate Inc, a company based in California, USA, which provides marketing services to our Company.
Revinate Inc, in regard to this specific processing, falls within the EU-US Privacy Shield. Therefore, that processing is legal based on the adequacy decision of the European Commission, which stated that the EU-US Privacy Shield ensures an adequate level of protection for personal data of European citizens.
Do we make automated decisions, including profiling, while processing your data?
By providing your explicit consent, you are participating in the «Cayo Exclusive Resort & Spa – Loyalty Club», in which case we process your personal data, regarding your previous reservations in our Hotel. This processing is made in order to provide you further privileges, such as discounts and additional benefits, depending on the category (silver, gold, platinum) in which you are automatically classified, as a member of our Loyalty Club.
This processing constitutes an automated individual decision-making, including profiling based on your explicit consent, which can be withdrawn here.
The time period we keep your data
Your personal data is kept only for the reasonable time period that is required by the nature of their processing, the fulfillment of our legal obligations concerning the storage of your data and the potential support of our legal claims. In any case, your data are not kept for a time period longer than 2 (two) years.
Connection with other websites
The potential interconnection of the present website with other third parties’ websites through links, hyperlinks or banners does not entail any liability on behalf of the Company for the content of those websites, the quality of the products and services that they might promote, or the policy that they might use concerning the protection and the processing of the personal data. The natural person should pay the necessary attention and be informed concerning the protection and processing of his/her personal data from the above websites by reading their respective data protection policies.
The safety of your Data
We commit to safeguard your Personal Data by taking all the appropriate organizational and technical measures to secure and protect them from any form of accidental or fraudulent processing. It has to be mentioned, that our specifically authorized employees, who process your personal data, have received the appropriate guidance and information.
The measures we take are reviewed and amended when deemed necessary.
What are your rights?
As subject of the data you have the following rights:
- You have the right to access your Personal Data
This means you have the right to be informed from us about whether we process your Data. If we process your Data you can request to be informed about the purpose of processing, the type of Information we keep, the recipients, the retention periods, whether we do automated decision making, as well as about your other rights, such as rectification, erasure, restriction of processing and to lodge a complaint with the Hellenic Data Protection Authority.
- You have the right to rectify your inaccurate Personal Data
If you find that your Data is incorrect you can request us to correct it (correct a wrong or previous phone number/address etc.).
- You have the right to erase your Information / right to be forgotten
You can request from us to delete your Personal Data if it is not necessary for the above-mentioned purposes or if you wish to withdraw your consent in case this is the only lawful basis for processing.
- You have the right to Data portability
You can request from us to receive in a readable format your Personal Data that you have provided us or request from us to transfer your Information to another data controller.
- You have the right to restrict the processing of your Personal Data
You can request from us to restrict the processing of your Personal Data for as long as the examination of your objections is pending.
- You have the right to object to the processing of your Personal Data
You can object to the processing of your Personal Data, in case we process them upon the legal basis of our legitimate interest. In that case, we shall no longer process your Personal Data, unless we have compelling legitimate grounds for the processing which override your rights.
- You have the right to withdraw your consent
You have the right to withdraw your consent at any time, in those cases that processing is based on that legal basis.
How can you exercise your rights?
- If you wish to receive further information, exercise your rights or revoke your provided consent concerning the processing of your personal data, you can communicate with the Company at the email email@example.com or send a letter to the above mentioned mailing address (Plaka, Schisma Elounda, Crete, Postal Code 72053) stating “For the Personal Data Protection Officer” with a description of your Request and we will investigate and respond to it as soon as possible.
- We will reply to your request without delay, within (1) one month after receiving it and without any cost for you. The above time-period might be extended for two (2) more months, due to the complexity or the number of the requests. In such a case you will be informed for the time extension and the reasons for it, as soon as possible and in any case within (1) one month since receiving your request.
- If your requests are obviously unfounded or excessive particularly because of their recurring nature, the Company may impose a reasonable fee, taking into account the administrative costs for providing information or performing the requested action, or refuse to respond to the request justifying the answer to you.
- In case you believe that: a. your request has not been satisfied sufficiently and legally or b. your right in protecting your personal data has been violated by our processing, you have the right to lodge a complaint with the supervisory authority (address: Kifissias 1-3, Athens, Greece, Postal Code: 115 23, phone number: 210 6475600, email address: firstname.lastname@example.org)
Change of our Policy
We will update this Policy whenever deemed to be necessary. If there are any significant changes to the Policy or the way we use your personal data, we will notify you either by posting those changes on a visible place on our website, before the changes come into force, or in any other appropriate manner. We encourage you to read this Policy on a regular basis in order for you to be aware of the way your Information is protected. The last change in our policy was made on 28-07-2020