Data Protection Policy

The Company EFTHIMIOS IAK. PANOURGIAS, CAMPING “ERODIOS” (hereinafter called the «Company»), which is located at Gialova, Pylos, Messinias, 24001, in order to carry out its everyday business functions and activities effectively, collects and processes personal data of the following data subjects: A) personnel’s personal data, B) clients’ personal data and C) external associates’ (“third parties”) personal data (hereinafter categories A, B and C referred to as “data subject/s”), in compliance with the applicable legislation as amended and/or replaced from time to time, the provisions of Regulation (EU) 2016/679 (hereinafter the “General Data Protection Regulation” or “GDPR”), in force from 25 May 2018, and other legal and/or regulatory requirements.

It is the Company’s Policy to provide the data subject with information about the processing of its personal data and to inform the data subject about its data protection rights under the current legislative and regulatory framework.

The “Company’s” Data Protection Officer contact details are:

Name: Efthimios
Surname: Panourgias
Telephone: 27230 23269
Email address: info@erodioss.gr
Address: Erodios Camping, 24001 Gialova, Pylos, Messinia

If you, as a data subject, have any questions or want more details about how the «Company» uses your personal information, you may contact the Company at the above contact details in the manner set forth in this privacy policy.

A. BRIEF INTRODUCTION TO GDPR
GDPR applies mandatorily to the «Company» and therefore the related activities of the «Company» need to comply with the GDPR requirements.

A.1. DEFINITIONS
a) ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (‘data subject’);

b) ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

c) ‘Controller’ means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. An entity that decides on the ‘why’ and the ‘how’ of data processing is considered a “controller”.
Where the word “controller” is used in this text, it means the person who processes data (either the “controller” itself or the “controller’s representatives”, i.e. employees).

e) ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the “controller”. If a “controller” engages a third party (e.g., service provider) to process personal data on the controller’s behalf, that third party will qualify as a “processor”.
There can be several “controllers” and “processors” that are involved in the same data processing activity.

(f) “Data subject” according to this privacy policy is the personnel of the «Company» (hereinafter referred to as “the personnel” or “data subject”), the clients of the «Company» (hereinafter referred to as “client” or “data subject”) and the external associates of the «Company» (hereinafter called “third parties” or “data subject”).
Where words are used in the singular in this text, they are considered to also apply in the plural.

A.2.) DATA PROTECTION PRINCIPLES
The personal data of each “data subject” are processed according to the principles below:
(1) Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(1.1.) Data subjects must be aware:
• that their data are being lawfully processed
• for what purpose they are being processed
• how to exercise their rights in relation to their data
There is no obligation to inform data subject of anything that is obvious from the context or from general knowledge: a typical example might be business contact lists.
(2) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(3) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(4) Personal data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(5) Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(6) Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
It is the Company’s Policy to provide the data subject with information about the processing of its personal data by the Company and to inform the data subject about its data protection rights under the current legislative and regulatory framework.
The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of the Company’s top priorities. The Company operates a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of its business.

B.) PERSONAL DATA WHICH THE «Company» MAINTAINS FOR THE “PERSONNEL”
The personal data that the «Company» maintains for the “personnel” include not only those that the law requires for the conclusion of agreements, but also a number of others which are required and used in the sector in order to achieve high-level services.
For the above reason, the type of data held and the scope of data processing depend on the requirements imposed each time by the legislation in general and by the legislation concerning the activities of this specific sector.
Without data processing the “Company” cannot enter into or perform the terms of a contract with the “data subject”.
Indicatively and not limited to, the personal data that the «Company» processes for the personnel are:
name, e-mail, address, phone number, expertise, marital status, professional history, bank accounts, social security number, tax identification number, educational background, parents’ names, authentication data (e.g. signature), age, number of children, CVs, CCTV data in certain places where specific signs are installed.

Special categories of personal data are also included in the data which the «Company» collects and maintains. Indicatively and not limited to, these are: health data, medical certificates, cultural background, religion, photos, nationality, gender.
Where data collection is optional, this is made clear at the point of collection.

B.1.) PROCESSING PURPOSE
The «Company» processes the “personnel’s” personal data for one or more of the following reasons:

Contract of employment.
Indicatively and not limited to, for:
– Assessment of the candidate’s skills
– Preparation / signing of the contract
– Preparation for future staffing needs
– Identification of the employee
– The Company’s respect for different cultural and religious backgrounds
– Facilitating communication
– Compliance with the requirements of the current legislative and regulatory framework

For compliance with a legal obligation.
Indicatively and not limited to, for:
– Greek legislation
– European legislation
– Support of legal proceedings

For the performance of a task carried out in the public interest.
When data are lawfully requested by public authorities.

For the purposes of safeguarding legitimate interests.
Indicatively and not limited to, for:
– Safety and security of the «Company»
– Safety and security of the facilities
– Safety and security of all the personnel

Based on the consent of the personnel.
Any such consent granted may be revoked at any time by contacting the “Company”.

B.2. HOW LONG THE «Company» RETAINS THE DATA OF THE “PERSONNEL”
Hard copies and electronic files are retained for 5 years after “the personnel” sign off.
If a candidate is not accepted, his/her personal data shall be disposed of immediately.
The Company may keep data for longer than the said period for legal and/or regulatory and/or technical reasons. In such cases, the Company shall ensure that privacy is protected, and the data is used only for the purposes stated in the previous paragraph (processing purpose).
In cases where the Company wishes to retain the data with a view to a further job opportunity, the data subject shall be informed accordingly and be given the possibility to object to such further processing. In such cases a notice shall be provided to the data subject, and the data subject’s consent to keep their personal data for assessing suitability for future employment possibilities shall be obtained. Such consent shall be renewed every three (3) years.
Data no longer required shall be deleted and disposed of.

B.3. WHO THE «Company» SHARES THE DATA OF THE “PERSONNEL” WITH
No information relating to the data subject’s personal data is disclosed to anyone, other than in the cases permitted by the legal and regulatory framework in force from time to time and when it is needed for the fulfilment of the purposes of the employment. These are:
a.) When the «Company» (or any third party acting on the “Company’s” behalf) is legally compelled to do so, or where disclosure is required for purposes of compliance with the legal and regulatory framework governing the operation of the «Company» (public authorities etc.)
b.) Where the «Company» has a contractual obligation to do so (with accounting companies, IT companies, travel agents etc.)
c.) Where it is in the “Company’s” legitimate interests to disclose information (lawyers, legal advisors etc.)
d.) Where disclosure is made at the data subject’s request or with the data subject’s consent, or to satisfy the Company’s contractual obligations towards the data subject.
e.) Companies or individuals that the data subject asks the Company to share its data with.

C.) PERSONAL DATA WHICH THE “COMPANY” RETAINS FOR “CLIENTS”
The personal data retained by the “Company” for “clients” include those required by the law for the provision of hotel services, but also all the personal data required to achieve a high level of services.
For the above reason, the type of data held and the scope of data processing depend on the requirements imposed each time by the legislation in general and by the legislation concerning the activities of this specific sector.
Without data processing the “Company” cannot enter into or perform the terms of a contract with the “data subject”.
Indicatively and not limited to, the personal data that the «Company» processes are:
name, e-mail address, address, telephone number, ID card number or passport number, number of children, car /motorcycle / self-propelled vehicle/ caravan /trailer number, CCTV data of them and of their children in certain places where specific signs are installed.
Special categories of personal data are also included in the data which the «Company» collects and maintains. Indicatively and not limited to, these are: health data, religion, nationality, gender.
Where data collection is optional, this is made clear at the point of collection.

C.1. PROCESSING PURPOSE
The «Company» processes the “client’s” personal data for one or more of the following reasons:

For the provision of hotel services.
– Meeting and satisfying customer requirements for hotel services
– Preparation to provide the client with hotel services
– Preparation for covering clients’ future needs
– Recognition and identification of clients
– The Company’s respect for different clients’ cultural and religious backgrounds
– Facilitating communication

To comply with legal obligations according to:
– Greek legislation
– European legislation
– Support of legal procedures

For the performance of a duty carried out in the public interest.
When data are lawfully requested by public authorities.

For protecting legitimate interests. Indicatively and not exclusively, for:
– Safety and protection of the “Company”
– Security and protection of the facilities
– Safety and protection of the client

Based on the client’s consent.
Any such consent granted may be revoked at any time by contacting us.

C.2. FOR HOW LONG THE «Company» RETAINS THE DATA OF THE “CLIENT”
Hard copies and electronic records are kept for one year.
If a client is not accepted, their personal data are immediately destroyed without leaving traces.
The «Company» may maintain personal data for a longer period than the above-mentioned period for the purpose of securing its legal and financial interests.
In the above case, the «Company» has ensured that the appropriate technical and organisational measures have been taken to keep the client’s personal data safe.

In any case, where there is no longer any reason to retain the data, the data shall be deleted, to the extent technologically feasible, and data kept on paper shall be destroyed in such a way as not to leave any remnants which could lead to the identification of the “data subject”.

C.3.) WITH WHOM THE «COMPANY» SHARES THE PERSONAL DATA OF THE “CLIENTS”
No information regarding the clients’ personal data is revealed to anyone, except in the cases permitted by the applicable legal framework and when required for the fulfilment of the purposes of the employment.
These cases are:
a.) When the «Company» (or any third party acting on the “Company’s” behalf) is legally compelled to do so, or where disclosure is required for purposes of compliance with the legal and regulatory framework governing the operation of the «Company» (public authorities etc.)
b.) Where the «Company» has a contractual obligation to do so (with accounting companies, IT companies, travel agents etc.)
c.) Where it is in the “Company’s” legitimate interests to disclose information (lawyers, legal advisors etc.)
d.) Where disclosure is made at the data subject’s request or with the data subject’s consent, or to satisfy the Company’s contractual obligations towards the data subject.
e.) Companies or individuals that the data subject asks the Company to share its data with.

D. PERSONAL DATA WHICH THE «COMPANY» RETAINS FOR “THIRD PARTIES”
Personal data of third parties may include: name, surname, parents’ names, offices, address, TIN (tax identification number).
Without data processing, the Company cannot enter into or perform the terms of a contract with data subject.
Where data collection is optional, this shall be made clear at the point of collection.

D.1.) PURPOSE OF PROCESSING
The «Company» processes the personal data of “third parties” for one or more of the following reasons:
For the performance of a contract in which “the data subject” represents another legal entity or is itself the contracting party.
To comply with a legal obligation.
For the performance of a duty carried out in the public interest.
Based on the “third party’s” consent.
Any such consent granted may be revoked at any time by contacting us.

D.2.) HOW LONG THE «Company» RETAINS DATA FOR “THIRD PARTIES”
Hard copies and electronic files are retained for 5 years after the termination of the contracts/cooperation.
The Company may keep data for longer than the said period for legal and/or regulatory and/or technical reasons.
If the Company does so, it will ensure that privacy is protected and that the data are used only for the purposes stated in the previous paragraph (processing purpose).
In cases where the Company wishes to retain the data with a view to further cooperation, the data subject shall be informed accordingly and be given the possibility to object to such further processing. In such cases a notice shall be provided to the data subject, and the data subject’s consent to keep their personal data for assessing suitability for future employment possibilities shall be obtained. Such consent shall be periodically renewed.
Data no longer required shall be deleted and disposed of.

D.3.) WITH WHOM THE «COMPANY» SHARES THE PERSONAL DATA OF THE “THIRD PARTIES”
Nothing relating to the data subject’s personal data is disclosed to anyone, other than in the cases permitted by the legal and regulatory framework in force from time to time. These are:
Where the Company (or any third party acting on the Company’s behalf) is legally compelled to do so, or where disclosure is required for purposes of compliance with the legal and regulatory framework governing the shipping industry.
Where the Company has a contractual obligation to do so.
Where it is in the Company’s legitimate interests to disclose information (e.g. to protect the Company’s interests in claims etc.).
Where disclosure is made at the data subject’s request or with the data subject’s consent, or to satisfy the Company’s contractual obligations towards the data subject (third parties such as agents, travel agents etc.).
Where the data subject asks our Company to share its data with other companies or individuals.

E. PERSONAL DATA RECORDING IN ACTIVITY FILES
The controller in each department maintains, in hard copy as well as electronically, the records of processing activities under its responsibility.
These records must document what personal data are held, where they were obtained from, whom they are shared with, where they are held, in what format they are held, and the basis for holding them (consent/legal basis).
From the records, conclusions can be drawn as to whether personal data are processed fairly, lawfully and in a transparent manner, for limited purposes (collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes), whether they are minimised (adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed), whether they are accurate (and, where necessary, kept up to date), not kept for longer than is necessary, handled in line with the data subjects’ rights and secured, and, in case of transfer to other countries, whether there is adequate protection.
The controller shall ensure compliance of the processing with the above principles.

F. DATA TRANSFER
The Company may transfer the data subject’s personal data within and outside the European Union in the following cases:
Where the data subject has explicitly consented to the proposed transfer;
Where the transfer is necessary for the execution of a contract;
Where such transfer is necessary to establish, exercise or support legal claims, or to defend the Company’s rights;
Where there is an obligation under a legal provision or a transnational or international convention;
Where the European Committee has issued delegated acts for the adequate protection of personal data in the specific country or international organisation;
Where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
Where the transfer is necessary for important reasons of public interest;
Where the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

G. MAIN RIGHTS OF “DATA SUBJECT”
The following are the rights that data subject has pursuant to the provisions of the GDPR as well as any other legislation in relation to data protection:
Information and access right to personal data
The data subject has the right to request access to its personal data.
This enables the data subject to have incomplete or inaccurate data held by the Company corrected, though the Company may request to verify the accuracy of the new data that the data subject provides.
Data subject’s access requests must be in writing.
A standard request form will be available through the Company’s website.
Where the person managing the access (DPO) does not know the individual personally, the identity of this individual shall be checked and verified before handing over any information.
Right to rectification
The data subject has the right to request correction of the personal data held by the “Company”. With this right, the data subject may request that any incomplete or inaccurate data be corrected, and the Company may need to verify the accuracy of the new data provided.
Right to erasure
The data subject has the right to request erasure of the personal data held by the Company where there is no valid reason for the Company to continue processing them.
In such cases the Company may be entitled to keep the data if it still has legitimate grounds to process the personal data.
Right to restrict processing of personal data
Data subjects shall have the right to obtain from the controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
Data subjects can demand that their personal data be ported to them or to a new provider (transmitted directly to another organization where technically feasible) in a structured, commonly used, and machine-readable format, and to the extent this will not undermine the rights of others. The request must be made within one month (with extensions for some cases) and any intention not to comply must be explained to the individual.
Cases in which data relate to more than one data subject, and how to address the difficulties this creates, must be considered.
The Controller, in coordination with the external IT consultant, shall ensure that formatting capabilities are developed to meet access requests for providing portable data.
Right to object and automated individual decision making
The Company does not make decisions on the basis of automated processing.
Right to withdraw consent
Data Subjects may, at any time and free of charge, withdraw any consent they previously provided regarding the processing of their Personal Data.
This will not affect the lawfulness of the Processing before the consent withdrawal.
Right to lodge a complaint
The data subject has the right to lodge a complaint with the Company about how its personal information has been used, or with the Data Protection Authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

H. OBLIGATIONS RELATING TO THE PROCESSING OF PERSONAL DATA
H.1.) LIMITING PHYSICAL ACCESS OF THE “COMPANY’S” PERSONNEL TO VIEW/EDIT SUBJECTS’ DATA. INTEGRITY/CONFIDENTIALITY
According to the principle of integrity/confidentiality, data are processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Therefore, data are accessed only by the departmental personnel who need them to complete their duties. Access in this context refers not only to staff, but also to people outside the Company.
Data are not shared with the other departments informally.
Personal data transferred to the Company are transmitted only to the competent employees and not to an uncontrolled group of personnel or any other recipients.
Personal data are not disclosed to unauthorized people either within the company or externally.
Staff members who have access to personal data are subject to a confidentiality obligation (e.g. via a clause in the employment agreement) and also a Confidential Disclosure Agreement (CDA) shall be signed with third parties to protect private or confidential information from becoming public or more widely known.
For each confidentiality level it may be worth setting out the broad security measures to be followed, such as password protection, clear desk policy, entry control.
This principle may be relaxed in the case of information which poses a low risk: for example, a list of business contacts may be made generally available, even if this means people having access who don’t strictly need it.
The Company’s personnel are periodically trained in order to understand the responsibilities when handling data.

H.2.) STORAGE SAFETY/SECURITY GUIDELINES FOR HARD COPIES AND ELECTRONIC FILES
COMMUNICATION OF DATA AND SENSITIVE DATA
Hard files are secured in locked cupboards.
Keys/ access to the cupboards are provided only to personnel whose duties are directly involved with the respective documents/ records.
Appropriate digital security/ organizational measures are established for controlling the access to the electronic filing system, including backup procedures and emergency planning.
Strong passwords are used for accessing electronic files/ user accounts.
These passwords shall never be shared with other persons either within the Company or externally.
Access to the server room is prohibited. The door is always locked, and digital security measures are established by the Company.
All employees implement the “Clear and lock” policy, i.e. the practice of keeping the desk clear and the computer screen locked when the controller is away from the desk.
Employees keep all data secured by taking sensible precautions and following the guidelines below:
Encryption tools are used when the controller communicates sensitive data via email.
Implementation of technical and organisational measures to ensure that data compliance measures are considered and integrated into the data processing activities (privacy by design), e.g. for email accounts: use official email addresses, not unofficial, private or any other non-secured email accounts or non-licensed programs.
For online services, it must be ensured that there is an automated way for privacy notices and policies to inform individuals about their right to object, clearly and separately, at the point of ‘first communication’.
The controller respects and treats everyone’s personal data with the same respect he/she would wish for his/her own. For that reason, the following are considered:
Minimizing the generation of personal data by email and on paper – the less personal data are being created and circulated, the easier it is to protect. Only send information which is necessary for the handling of the case.
Cybersecurity – Ensure that computer systems are secured and make use of security measures such as password protection and secured email servers when transferring attachments containing passports, medical reports, contracts of employment etc.
Anonymization – Aim to use identifiers for individuals, instead of names.
Start afresh – if the controller cannot avoid identifying an individual, do so once and then start a new email so that the same personal data is not repeated in the email chain.
Before using “reply all”, check that it is appropriate that everyone in the circulation list should actually receive the e-mail you are about to send.
It may be worth setting out special precautions to be taken when information is in particularly risky situations, such as being worked from home, from personal mobile phones etc.
Common situations which may be worth mentioning include whether staff contact details may be given over the phone. This principle may be relaxed in the case of information which poses a low risk: for example, a list of business contacts may be made generally available, even if this means people having access who don’t strictly need it.
When access to data or sensitive data is required between the Company’s departments, a request must be sent to the Company’s DPO. There will always be cases where the organisation feels it is right to break confidentiality, and the DPO will decide on a case-by-case basis whether this is appropriate.

I. Communication with Data Subjects
The “Company’s” Privacy Policy is available on the “Company’s” website.
Any modification will be posted there.
The Company recommends that the data subject review the Company’s website periodically so as to always be informed as to how the Company protects and processes its personal information.