Privacy Policy

1. General information and controller

The company “Gelasakis Tourism Hotel SA”, with head offices at 6 Aristidou Street, PC 18531 Piraeus, TIN 997570880 (Tax Office: FAE of PIRAEUS), as legally represented (hereinafter referred to as the “Company”), is the controller responsible for the collection, retention and general processing of the personal data of users, as such data are collected and retained through this website as well as the social media sites linked to our website.

2. Which personal data are collected and from where

We collect and process your personal data as follows:

- Information when you purchase tickets.

When you purchase tickets, you will be asked for your full name, sex, age, country of birth, your e-mail address, telephone number and payment details (bank card number and details). We need this information to complete the implementation of the contract between us and to comply with our legal obligations (PD 23/1999). In some cases, you may choose to provide us with other information, including health information, in order to secure the issue of discounted tickets (e.g. status of parent with three children or more, NAT insured status / disabled person status). These data are kept for a period of ten (10) years or as long as is necessary for the company’s legal protection.

- Information when contacting us.

If you visit our website and have a question or comment, you can submit it to the Company by completing the contact form available on our website. You will be asked to provide your e-mail address as well as information about your request, question or comment. We will only use this information to reply to your question or comment. We will record your requests, questions and comments and our respective responses and any other actions for the management of your request / communication. All information shall be kept for 36 months after your question or complaint has been settled or the case has been closed.

- Information when you have provided your e-mail so we can send you our newsletter.

We will use your e-mail address to inform you on the products, offers and services that we provide. You have the option to revoke the relevant consent at any time.

- Information when you participate in campaigns, prize draws and contests.

If you take part in contests, prize draws or other events or campaigns, you will be asked for your name, e-mail address, telephone number and the answers to any open questions of the contests. We need this information to process your participation and to be able to contact you about your prize. You may be asked for your residential address or other information that may be required to send you the prizes, tickets or products by post. All information related to your participation in our campaigns, prize draws and contests are kept by us for a maximum period of 12 months after the end of the contest. The information will not be used for other purposes unless you have been explicitly informed of such purposes and / or your consent has not been previously requested. We would to inform you that we also collect information from the Company’s social media (e.g. Instagram, Facebook, Twitter), (e.g. for participation in the Company’s contests) which are necessary for the registration or connection, for which you have given to the social media provider permission to share with us, such as your name and your e-mail address. The collection of other information may depend on the privacy settings you have set with the social media provider, so you are asked to please read the privacy statement or the privacy policy of the relevant service. Your personal data, collected in the context of social media contests shall be kept for 12 months.

- Information about your visit and use of our website

We collect certain information when you visit our website such as your IP address, device category, browser, and web browser program, clicks and views. The information about your use of our website and our services allows us to make categorizations, i.e. to form groups of visitors to the website or customers with certain common characteristics, such as age group, sex or region. We may add you to one of our categories. We use the categories to personalize the website and, for example, to change the order of the display of certain topics so that you are more likely to see them. We may also use the categories to promote online advertisements that we consider to be of interest to you and to send you commercial messages. We use these personal data as required in the context of our legitimate interests, in order to be able to promote our products and services to the consumers and visitors of our website, to be able to attract more consumers, and to improve the sales of our products and services. We retain personal data for a maximum period of five (5) years.

- Marketing

In some cases we combine information about your electronic searches (clicks and views), your settings on our website, your requests for customer service and your contact history. This information allows us to use different channels to manage the relationships and marketing of our products and services to you via e-mail, promotional emails, social media, telephone or online advertising, which may include the personalization of the content and website offers to suit your preferences. You can opt out of receiving newsletters, promotional emails, social media and telephone calls and you may object to us using your personal data for the purposes of direct commercial promotions (for more information on this procedure, please read the following paragraphs of this policy).

We use these personal data as required in the context of our legitimate interests, in order to be able to promote our products and services to the customers and visitors of our website, to be able to attract more customers, and to improve the sales of our products and services. We retain your personal data only for the time necessary to fulfill the purposes for which said data has been collected (e.g. when you visit our website to participate in prize draws). Personal data are deleted or made anonymous usually within a maximum period of 24 months.

- Information on the maintenance and optimization of our website

Your personal data is also used for the maintenance and analysis of our website, in order to resolve performance issues, improve availability and the user’s experience. We record every use of our website. The use by us of your personal data for these purposes is necessary in the context of our legitimate interests and the information is retained for a maximum period of 24 months. Records of the use of the website will be deleted within 24 months of their creation.

3. Processing purposes

a. Provision of the Company’s services: We collect and use your personal data mainly to provide you with our services (sale of ferry tickets) and to execute the relevant contract you wish. Without processing your data the performance of this contract is not possible.

Legal basis of the processing: the performance of the contract between us, which you wish.

In case you voluntarily choose to provide health data or other data (e.g. status of parent with three children or more, NAT insured status) that concerns you in order to be included in the respective discount category, the legal basis of the processing of your health data is your explicit consent. You have the right to withdraw your consent to the further processing of your personal data by sending an e-mail to [email protected] however the withdrawal of your consent does not affect the lawfulness of the processing prior to such withdrawal.

b. Support for information systems / improvement of services provided: We use your personal data in order to detect problems in the server and ensure the proper functioning of our website. The Company uses the personal data of users, collected by it through the website, in order to offer new services through the website or improve the services already provided.

Legal basis of processing: The legitimate interest of the Company to ensure smooth operation of its website and to improve the services provided by it.

c. Compliance with our legal obligations: When we receive respective orders from courts or public authorities, we may process your personal data in order to respond to such requests. Also, it is provided by the

Legal basis of processing: Compliance with our legal obligations.

d. Conducting company contests: We process the personal data that you submit through the website and social networking sites for your participation in contests of the company.

Legal basis of processing: Performance of contract (by participating in the contest you accept the contest terms and you conclude a contract with the Company).

e. Promotion of the Company's products and services: The information on the use of the website and our services enables us to create sections, which group our website visitors and consumers with common characteristics such as age, gender and region. The sections are then used to customize our website and change e.g. the order of the results of your search or an advertisement that we think is relevant to you. We also have the ability to process your data that you have posted on social media (if you participate in a corporate contest via a social network), provided that you have given the social media provider permission to share it with us.

Legal basis of processing: Legitimate interests of the Company.

f. Legal protection of the company: Ensure application of the terms of use of our website and protection of our legal rights.

Legal basis of processing: Legitimate interests of the Company.

g. Sending newsletters: We will send you our newsletter when you have given your relevant consent or when there has been a previous transaction with us in accordance with the provisions of Article 11 par. 3 of Law 3471/2006.

Legal basis of processing: Your consent (when you complete the relevant form on our website) or our legitimate interests (when you are already customers of ours). In any case, you will have the right at any time to declare that you no longer wish to receive our newsletter and your decision will be fully respected.

4. Cookies

Much of the information in this Privacy Policy is collected through the use of cookies and similar technologies. Cookies are small text files that contain small amounts of information, which are downloaded and can be stored on your user device, e.g. your computer, smartphone or tablet. The technologies we use and may be similar to cookies are tracking icons, Java scripts, tags and web beacons. These cookies and similar technologies are sometimes required to store your account, language and country settings, but they also allow us to measure and to analyze your behavior on our website and to display personalized ads on our website or on third party websites. In any case, your consent to the use of cookies will be requested. To see more information about the cookies we use and how we use them, please refer to the separate Cookies Policy.

5. Right of access, right to rectification, right to erasure, right to restriction of processing and right to data portability

You have the right to request the review of your personal data processed by us or on our behalf. You have the right to rectify, erase or restrict the processing (as appropriate) of your personal data. You can exercise these rights by contacting us via email at [email protected] and submitting a respective request.

Please note that requests that do not meet the requirements set by the applicable legislation or the Company’s guidelines may be required to be re-drafted or may be rejected and that certain personal data may be exempted from such requests for access, rectification and erasure, in accordance with applicable data protection laws and other laws and regulations. You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and in some cases we will transfer your data, at your request, to another controller, if this is technically feasible.

6. Right to object

You also have the right, in certain cases, to request from us to stop processing your personal data, but if there are compelling legal reasons, we shall continue to process your personal data. In any case, you have the right to object to the use of your personal data by us for the purposes of direct marketing, including profiling, and if you do so, we shall satisfy your request.

In case you have given to us your consent to use your personal data, you have the right to withdraw your consent, without this affecting the lawfulness of processing such data prior to the withdrawal of your consent.

Requests regarding the exercise of the above rights can be sent to the Data Protection Officer ("DPO") of the Company at [email protected]. You can also lodge complaints with the Hellenic Data Protection Authority regarding the exercise of your rights (www.dpa.gr). According to the Authority’s website, complainants must first submit their complaint to the Controller or Data Protection Officer (DPO).

7. Data retention

The personal data of users are retained only for the time necessary to fulfill the purposes for which said data was collected, in full compliance with applicable legislation. When the purpose of processing your personal data is completed, they are deleted. The specific data retention periods for each of the relevant processing purposes are given above.

8. How and with whom we share your personal data (recipients of personal data)

We may need to share your personal data with third parties to help us provide you with services and products and to manage our website. Such third parties are:

  • Shared information systems within the group;
  • Service providers, when required, to provide us with a service and to provide data analysis services (e.g. website hosting, provision and maintenance of accounting software, ferry companies, ticket agents, certified auditors);
  • Service providers to help us organize campaigns and promotions;
  • Advertising companies;
  • Media agencies for purposes of commercial promotion and research;
  • In case Gelasakis Tourism Hotel SA sells to third parties all or part of the assets or shares of a group company to which personal data have been sent, your personal data may be provided to those third parties.

In those cases where the Company, as the controller, transfers your data to third party processors, on the one hand the Company itself determines the individual elements of the processing (manner, means, retention period, etc.) and on the other hand it signs a special contract with the processors in order to ensure that the processing is carried out in accordance with the applicable legal framework; that appropriate measures are taken to protect the confidentiality and security of personal data and that any natural person can freely and unrestrictedly exercise his rights.

Such third parties may have their registered office in the European Union or in other countries of the European Economic Area or in other parts of the world. When we store personal data outside the EEA, we ensure an adequate level of protection of the transferred data. If we are going to transfer your personal data to a third country, i.e. to a country outside the EEA or to an international organization, you will be informed before their transfer, in accordance with the provisions of Article 13 par. 1(f) of the GDPR.

Finally, we may need to provide personal data to law enforcement agencies in order to comply with a legal obligation or court order.

9. Data security

The Company assures the users that it takes all appropriate technical and organizational measures for the security of their personal data, for ensuring confidentiality of their processing and protection against accidental or unlawful destruction/loss/alteration, prohibited dissemination or access and any other form of unlawful processing.

Your personal data related to payments goes through SSL 128bit encryption. While processing a reservations page you will notice that the page is “secure” - the padlock at the bottom of the browser window appears locked, unlike simple site visits where it appears unlocked. Our Company has an SSL certificate from Thawte, a leading global certification authority for the protection of transactions and personal data.

Although every effort is made to protect personal data, the Company cannot guarantee the security of the data transmitted through its website, as the transmission of information via the Internet can never be completely secure.

Our website may contain links to other websites. We are not responsible for the personal data protection practices, content and security of other websites that are not governed by this Personal Data Protection Policy and we therefore advise you to always carefully study the personal data protection policies in such websites. In addition, if you choose to share information from the website via social media, we advise you to read carefully the personal data protection policies of social media.

11. Applicable Law

Any dispute arising from the use of this website shall be subject to the exclusive jurisdiction of the Greek Courts.

12. Amendments

This Personal Data Protection Policy has been drafted pursuant to the provisions of the General Data Protection Regulation No. 2016/679/ΕU. In case of an update, all changes shall be posted on this website and shall bear a revision date.

13. Data Protection Officer

You can contact the Company’s Data Protection Officer for any issues relating to the processing of your personal data at: [email protected]