Tinos Beach Hotel - Tinos Beach | Stories unfold by the sea

Information on the Processing of Personal Data

Introduction

We would like to assure you that, for the company “ATTICA BLUE HOSPITALITY SINGLE-MEMBER SOCIÉTÉ ANONYME”, the protection of our customers’ personal data is of primary importance. For this reason, we take appropriate measures to protect the personal data we process and to ensure that the processing of personal data is always carried out in accordance with the obligations set by the applicable legal framework, both by the Company itself and by third parties processing personal data on behalf of the Company.

Data Controller – Data Protection Officer (DPO)

The Company under the name “ATTICA BLUE HOSPITALITY SINGLE-MEMBER SOCIÉTÉ ANONYME”, with the distinctive title “ATTICA BLUE HOSPITALITY”, having its registered office in Kallithea, Attica, at 1–7 Lysikratous Street and Evripidou Street, 176 74, as owner/operator of the hotel “Tinos Beach”, tel: +30 22830 22626, email: reservations@tinosbeach.gr, website: www.tinosbeach.gr, hereinafter referred to as “the Company”, informs that, in the context of operating the Tinos Beach and carrying out its business activities, it processes personal data of customers, website visitors and other transacting parties, in accordance with applicable national legislation and Regulation (EU) 2016/679, as in force.

For any matter relating to the processing of personal data, please contact the Data Protection Officer (DPO) directly at, email: dpo@attica-group.com.

How do we collect your personal data?

We collect your data from the following sources:
1. Directly from you:
-while browsing the website
- in the context of your communication with the Hotel through our communication channels (email, telephone)
-in the context of your use of our website’s booking tool,
-through the completion of your subscription to receive newsletters.
-upon your arrival and during your stay at the hotel (e.g. during check-in / check-out)

2. Through partner booking platforms, such as Booking.com, with which we cooperate in the context of reservation management.

3. Through our other external partners, such as recruitment agencies or other cooperating service providers (e.g. travel agencies, affiliated companies).

Categories of data subjects

The processing may concern, indicatively, the following categories of data subjects:
• visitors of the website and users of electronic services,
• customers and customer representatives,
• job applicants,
• employees and associates of the Company,
• suppliers, cooperating entities and other business partners,
• persons communicating with the Company through any available communication channel.

The personal data we process are strictly necessary, adequate and appropriate for the achievement of our intended purposes and are summarized as follows:

What personal data we process

Personal data provided by you, such as:

Identification data (name, surname, date of birth, nationality and any other information that may appear on your passport or other official identification document).
• Contact details (telephone number, email address).
• Reservation, payment and other customer/visitor preference data.
• Data related to a contractual or cooperation relationship, such as contract details, signed annexes, details of subcontractors or legal representatives.
• Employment-related data, such as payroll or evaluation data, where required.
• CV and résumé data submitted in the context of expressing interest in a job position.
• Communication data provided through contact forms or other communication channels.
• Image data collected through video surveillance systems (CCTV), where relevant signage is in place.
• Website usage and electronic activity data, such as IP addresses, cookies, browsing information and technical data (logs). For more information, please refer to the Company’s Cookie Policy, available on this website under the section “Cookies Policy”.

In certain cases, special categories of personal data (e.g. health data) may be processed exclusively where this is strictly necessary for the provision of services or required by law, and always in accordance with the applicable legal framework.

Please note that you should inform the Company in a timely manner of any changes to your personal data that you have submitted to us on your own initiative and respond to any request for the updating of your information.

How and why do we process your personal data?

We process your personal data for the following purposes:
· For the provision of services and the management of our contractual relationship with you
We collect your personal data in order to provide you with our services following the conclusion of the relevant agreement. In order to communicate with you and generally fulfil our obligations towards you, we require your personal details as well as your contact information.

· To improve our services and protect our business interests
The business purposes for which we use your information help us improve the quality of our services and meet your expectations. For example, we may need to contact you by email or telephone in order to manage requests or complaints. In addition, during your visit to the Company’s website, you may complete the contact form in order to receive information or a response from our Company. We may also invite you to participate in satisfaction surveys or other research activities, participation in which is voluntary.
In this context, data may be used in aggregated and/or anonymised form for analysis and service improvement purposes.

· To inform you about our services and offers
Provided that you have given your consent (e.g. through subscription to a newsletter, where such option is available), we will send you updates regarding our services and offers.

· To comply with our legal obligations
We process your personal data in order to comply with obligations arising from applicable legislation, including, indicatively, tax, insurance and other regulatory obligations, as well as compliance with decisions of judicial or administrative authorities. In addition, we may process data for the investigation of complaints, the prevention and suppression of fraud, as well as for addressing security-related issues.

· To safeguard our legitimate interests and protect individuals, property and facilities through the installation and operation of CCTV systems.
It is clarified that the processing of your personal data for the above purposes does not include decision-making based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR.

What are the legal bases for processing your personal data?

We process the personal data you provide to us only where we have a lawful basis to do so.

The legal bases for processing your personal data are:

(a) the proper performance of the contract between us and the provision of the services you wish to receive from us under the existing contractual relationship, as well as taking steps at your request prior to entering into a contract (pre-contractual stage).

(b) the safeguarding and protection of legitimate interests, both yours and ours. Thus, we process your personal data in order to ensure the protection of individuals, property and facilities, network security, the proper operation of the Company’s IT systems, their protection against malicious software, the performance of IT support activities, the establishment, exercise and defence of our legal claims, as well as the overall organisation and development of our business activities, including marketing directed to our corporate clients. In all cases, we ensure that our legitimate interests do not override your rights and freedoms.

(c) our compliance with obligations imposed by law, such as obligations arising from labour and tax legislation or social security provisions.

(d) the consent you provide under the specific conditions set by the applicable legal framework for certain processing purposes, such as, indicatively, the sending of updates regarding the Company’s services, news and offers.

You have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out prior to such withdrawal.

Where do we transfer your data?

The Company transfers personal data to the following categories of recipients:

• Company personnel

Your data may be accessed by authorised employees of the Company, within the scope of their responsibilities, for the assessment and fulfilment of your requests and the management of the contractual relationship.Your personal data are treated with the highest degree of confidentiality, as employees are bound by confidentiality obligations and/or subject to appropriate statutory confidentiality obligations.

• Public authorities and law enforcement authorities, within the scope of their duties

Competent public authorities may gain access to your personal data in the context of exercising their duties, where this is necessary and permitted by law, particularly for the purposes of compliance with legal obligations or the prevention and suppression of unlawful acts.

• Processors: Third-party partners who process data on behalf of the Company, such as, indicatively, providers of reservation systems, technical support services, website hosting services or professional advisors.

In such cases, the Company ensures that these partners act only on its instructions and are bound by appropriate contractual obligations, in accordance with Article 28 of the GDPR.

• Independent controllers: Third parties who process data for their own purposes, such as public authorities, insurance organisations or other entities, within the scope of their responsibilities and in accordance with the applicable legislation. In such cases, these entities act as independent data controllers and bear sole responsibility for the processing of your data.

Data Retention Period

The retention period of personal data is determined based on the following specific criteria, depending on the case:

• Where processing is required as an obligation under the applicable legal framework, your personal data will be stored for as long as required by the relevant provisions (e.g. tax legislation, which may require retention for up to ten (10) years).

• Where processing is carried out on the basis of a contract, your personal data will be stored for as long as necessary for the performance of the contract and thereafter for as long as required for the establishment, exercise and/or defence of legal claims. Indicatively, data related to your reservation are retained for the duration of the cooperation and for a reasonable period following its termination, which may extend up to five (5) years, unless otherwise required by law.

• Where processing is based on consent (e.g. marketing), the data are retained until such consent is withdrawn. Consent may be withdrawn at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal. To withdraw your consent, you may contact the Data Protection Officer (DPO) at: dpo@attica-group.com or use the unsubscribe link included in electronic communications.

Following the expiry of the above retention periods, the data are securely and properly deleted and/or anonymised, unless their further retention is required or permitted under the applicable legal framework.

What are your rights with respect to your personal data?

Every natural person whose data are processed by the Company enjoys the following rights:

Right of access
You have the right to be informed about and verify the lawfulness of the processing. Therefore, you have the right to access your data and obtain supplementary information regarding their processing.

Right to rectification
You have the right to review, correct, update or amend your personal data by contacting the competent representative of the Company using the contact details provided above.

Right to erasure
You have the right to request the erasure of your personal data where we process them based on your consent or in order to protect our legitimate interests. In all other cases (such as, indicatively, where there is a contract, a legal obligation to process personal data, or reasons of public interest), this right is subject to specific restrictions or may not apply, depending on the circumstances.

Right to restriction of processing
You have the right to request the restriction of the processing of your personal data in the following cases: (a) where the accuracy of the personal data is contested, until verification takes place, (b) where you object to the erasure of personal data and request instead the restriction of their use, (c) where the personal data are no longer needed for the purposes of processing, but are required by you for the establishment, exercise or defence of legal claims, and (d) where you object to the processing and pending verification as to whether legitimate grounds pursued by us override the grounds for your objection.

Right to object to processing
You have the right to object at any time to the processing of your personal data in cases where, as described above, such processing is necessary for the purposes of legitimate interests pursued by us as data controller, as well as to processing for direct marketing purposes and consumer profiling.

Right to data portability
You have the right to receive your personal data free of charge in a format that allows you to access, use and process them using commonly used processing methods. You also have the right to request that we transmit such data directly to another controller, where technically feasible. This right applies to data that you have provided to us and where the processing is carried out by automated means based on your consent or for the performance of a relevant contract.

Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw such consent. The withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of the above rights, you may contact the Data Protection Officer (DPO),email: dpo@attica-group.com.

In the above cases, we will make every effort to respond to your request within thirty (30) days from its submission. This period may be extended by an additional sixty (60) days, where deemed necessary, taking into account the complexity of the request and the number of requests, in which case you will be informed accordingly within the aforementioned thirty (30)-day period.

Right to lodge a complaint
You have the right to lodge a complaint if you believe that we have not adequately addressed your request or that the protection of your personal data has been infringed in any way, through a dedicated online portal (https://eservices.dpa.gr/) to the Hellenic Data Protection Authority (1-3 Kifisias Avenue, Athens 115 23 | tel.: +30 210 6475600). Detailed instructions for submitting a complaint are available on the Authority’s website (www.dpa.gr).

Security of Personal Data
The Company implements appropriate technical and organisational measures aimed at the secure processing of personal data and the prevention of accidental loss or destruction, as well as unauthorised and/or unlawful access, use, modification or disclosure thereof. In any case, the operation of the internet itself does not allow guarantees to be provided that unauthorised third parties will never be able to breach the implemented technical and organisational measures.

Transfers of personal data to third countries or international organisations
As a general rule, personal data are not transferred to third countries outside the European Economic Area (EEA).
In the event that such a transfer is required, “ATTICA BLUE HOSPITALITY SINGLE-MEMBER SOCIÉTÉ ANONYME” ensures that the transfer is carried out in accordance with the applicable legal framework and with the implementation of appropriate safeguards, such as, indicatively, adequacy decisions of the European Commission or other approved mechanisms.

Links to other websites
Our website may contain links to third-party websites. The Company bears no responsibility for the privacy practices or content of such websites. Consequently, we recommend that you carefully read the privacy statements of every website you visit.

Other policies and compliance mechanisms
The Company maintains a whistleblowing reporting system through which named or anonymous reports may be submitted, in accordance with the applicable legal framework. For more information, please refer to the relevant Whistleblowing Policy.

Changes to this Privacy Notice
The information regarding this Privacy Notice reflects the current status of data processing by the Company. In the event of changes, this Notice will be updated accordingly.
The most recent version will always be available on our website so that you may remain informed about the manner and scope of the processing of your personal data.

Last updated: May 2026