GDPR PRIVACY POLICY – OKEANOS BEACH HOTEL

Last Modified: June 2nd, 2019

Introduction
This privacy policy (“Policy”) applies to OKEANOS BEACH HOTEL, and its subsidiaries (hereinafter “we”, “us”, or “our”). We respect your privacy and are committed to protecting it through our compliance with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”) and relevant local data protection laws and regulations. Please read this privacy policy carefully to understand our policies and practices regarding your personal data and how we will treat it. If you have any questions about our privacy practices, please refer to the end of this privacy policy for information on how to contact us.

We have developed this Policy to explain our practices regarding the personal data we collect from you if you register online with us, access and/or use our website, through written or verbal communications with us, when you visit our property, or from other sources.

Personal Data We Collect
“Personal Data” are data that identify you as an individual or relate to an identifiable individual. Throughout your stay, we collect Personal Data in accordance with the law, such as:

• Name
• Gender
• Home and/or work address
• Telephone number
• Email address
• Credit and debit card number or other payment data
• Language preference
• Date and place of birth
• Nationality, passport, visa or other government-issued identification data
• Important dates, such as birthdays, anniversaries and special occasions
• Membership or loyalty program data
• Employer details if you are an employ of a corporate account or a business partner
• Travel itinerary including arrival and departure days, tour group or activity data
• Prior guest stays or interactions, goods and services purchased, special service and amenity requests
• Telephone numbers dialled, faxes sent/received or receipt of telephone messages when connected to the telephone services we provide to guests during their stay
• Information about vehicles you may bring to our property
• Social media account ID, profile photo and other data publicly available, or data made available by linking your social media and loyalty accounts / applications
• Your reviews and opinions about our services
• Data about family members and companions, such as names and ages of children
• Images and video data via security cameras located in public areas, such as entrances, hallways and lobbies, in our property
• Guest preferences and personalized data (“Personal Preferences”), such as your interests, activities, hobbies, food and beverage choices, services and amenities of which you advise us or which we learn about during your visit
• Any other type of information which you may choose to provide to us or we may obtain about you through third parties with whom we do business (e.g. tour operators, travel agents or similar providers)
In case you will not provide your consent to our Hotel, to maintain your personal data, on the registration form upon arrival procedure, your personal data will be kept with the Hotel’s registry and/or electronic filing system for lawful use for a period of 90 (ninety) days after your checkout date.
If you submit any Personal Data about other people to us or our Service Providers (e.g., if you make a reservation for another individual), you represent that you have the authority to do so and you permit us to use the data in accordance with this Privacy Policy and/or the Registration Card which is provided at reception desks of our hotel and/or property.

How We Collect Personal Data
We and our service providers and/or agents and/or affiliates may collect Personal data, in a variety of ways, whether these are provided in writing or through verbal communication at every guest interaction and in providing any part of our services such as the following:

• Online Services
We collect Personal Data when you make a reservation, purchase goods and services from our Websites or Applications, communicate with us, or otherwise connect with us or post to social media pages, or sign up for a newsletter or participate in a survey, contest or promotional offer.

• Property Visits
We collect Personal Data when you visit our property or use on-property services and outlets, such as restaurants, concierge service, health club, child care services, and spa. We also collect Personal Data when you attend promotional events that we host or in which we participate, or when you provide your Personal Data to facilitate an event.

• Customer Care Centers
We collect Personal Data when you make a reservation over the phone, communicate with us by email, fax or via online chat services or contact customer service.

• Business Partners
We collect Personal Data from companies with whom we partner to provide you with goods, services or offers based upon your experiences at our property or that we believe will be of interest to you. Examples of Business Partners include travel and tour operator partners, travel booking platforms, on-property outlets and rental car providers.

• Physical & Mobile Location-Based Services

We collect Personal Data if you download one of our Apps or choose to participate in certain programs. For example, we may collect the precise physical location of your device by using satellite, cell phone tower, WiFi signals, or other technologies. We will collect this data if you opt in through the App or other program (either during your initial login or later) to receive the special offers and to enable location-driven capabilities on your mobile device. If you have opted-in, the App or other program will continue to collect location data when you are in or near a participating property until you log off or close the application (the App or other program will collect this data if it is running in the background) or if you use your phone’s or other device’s setting to disable location capabilities for the NESTOR HOTEL Apps or other program.

• Other Sources
We collect Personal Data from other sources, such as public databases, joint marketing partners and other third parties. This may include information from your travel agent, airline, credit card, and other partners, and from social media platforms (including from people with whom you are friends or otherwise connected). For example, if you elect to login to, connect with or link to, the Online Services using your social media account, certain Personal data from your social media account will be shared with us, which may include Personal data that is part of your profile or your friends’ profiles.

In the event that we receive information from third parties, as opposed to directly from you, provided that they are lawfully entitled to share your data with us, we will use and share this information for the purposes described in this Policy. Also in the event that your Personal data is collected in this way, then we will bring to your attention the information included in this Policy along with the source from which the data originate, and if applicable, whether it came from publicly accessible sources. This information shall be provided to you within a reasonable period after obtaining the Personal data, but at the latest within 1 month, except where the Personal data are to be used for communication with you, in which case we will provide you with the above information at the latest at the time of the first communication with you. However, if the above information is envisaged to be disclosed to another recipient then the above information shall be disclosed the latest when the Personal data are first disclosed to the new recipient, despite the fact that none of the previous deadlines has passed. Of course, no such information would need to be provided: • where you already have this information; • where the provision of this information, for some reason, proves impossible or would involve disproportionate effort to obtain; • obtaining or disclosure is expressly laid down by Member State to which we are subject, and which provide measures to protect your legitimate interest;, or • in the event where the Personal data must remain confidential subject to an obligation of professional secrecy.

Collection of Other Data
“Other Data” are data that generally do not reveal your specific identity or do not directly relate to an individual. To the extent other Data reveal your specific identity or relate to an individual, we will treat other Data as Personal Data. Other Data include:

• Browser and device data
• App usage data
• Data collected through cookies, pixel tags and other technologies
• Demographic data and other data provided by you
• Aggregated data
How We Collect Other Data
We and our third party service providers may collect Other Data in a variety of ways including:

Your browser or device
We collect certain data through your browser or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, internet browser type and version and the name and version of the Online Services (such as the Apps) you are using. We use this data to ensure that the Online Services function properly.

Your use of the Apps
We collect certain data when you download and use an App, such as App usage data, the date and time the App on your device accesses our servers and what data and files have been downloaded to the App based on your device number.

Cookies
We collect certain data from cookies, which are pieces of data stored directly on the computer or mobile device that you are using. Cookies allow us to collect data such as browser type, time spent on the Online Services, pages visited, referring URL, language preferences, and other aggregated traffic data. We use the data for security purposes, to facilitate navigation, to display data more effectively, to collect statistical data, to personalize your experience while using the Online Services and to recognize your computer to assist your use of the Online Services. We also gather statistical data about use of the Online Services to continually improve design and functionality understand how they are used and assist us with resolving questions. Cookies further allow us to select which advertisements or offers are most likely to appeal to you and display them while you are using the Online Services or to send marketing emails. We also use cookies to track responses to online advertisements and marketing emails.

You can choose whether to accept cookies by changing the settings on your browser or by managing your tracking preferences. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Online Services. For example, we will not be able to recognize your computer, and you will need to log in every time you visit. You also will not receive advertising or other offers from us that are relevant to your interests and needs. You can find good and simple instructions on how to manage Cookies on the different types of web browsers at www.allaboutcookies.org. Pixel Tags and other similar technologies

We collect data from pixel tags (also known as web beacons and clear GIFs), which are used with some Online Services to, among other things, track the actions of users of the Online Services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Online Services.

Your IP Address
We collect your IP address, a number that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP). An IP address is identified and logged automatically in our server log files when a user accesses the Online Services, along with the time of the visit and the pages that were visited. We use IP addresses to calculate usage levels, diagnose server problems and administer the Online Services. We also may derive your approximate location from your IP address.

Aggregated Data
We may aggregate data that we collected and this aggregated data will not personally identify you or any other user. Use of Personal Data and other Data

We may use Personal data and other data for our legitimate business interests in a variety of ways including: • To provide the services you request from us, such as to facilitate reservations, send confirmations or pre-arrival messages, to assist you with meetings, events or celebrations, and provide you with other information about the area of the hotel and/or property at which you are scheduled to visit • To complete and fulfill your reservation and stay i.e. to process your payment, ensure that your room is available, and provide you with related customer service • To send you administrative information, direct marketing communications, newsletters, promotional and special offers, periodic customer satisfaction, market research or quality assurance surveys, and in order to respond to your requests and messages. This may be done in accordance to any communication preferences you have expressed. Such information may be provided through e-mail, postal mail, online advertising, social media, telephone, text messages, push notifications, in-app messaging, and other means including on –property messaging such as in-room television • To personalize the services you request and your experience when you stay in one of our hotel and/or property • To offer you the expected level of hospitality in-room and throughout our property • To allow you to participate in contests and other promotions and to administer these activities. Some of these activities have additional rules, which could contain additional information about how we use and disclose your Personal data. We suggest that you read any such rules carefully • For our business purposes, such as data analysis, audits, security and fraud monitoring and prevention (including through the use of closed circuit television, card keys, and other security systems), developing new products, enhancing, improving or modifying our Services to ensure that our site, products, and services are of interest to you, identifying usage trends, determining the effectiveness of our promotional campaigns and operating and expanding our business activities • To generate visit statistics of our website • To generate statistics in relation to the types and volumes of guests visiting our hotel and/or property during the year • To improve and personalize of our services to you during future stays through the use of information that you provide in relation to your preferences and experiences. For this purpose understand that the creation of a profile is necessary.

In the event that we decide to further process your Personal data for a purpose other than that for which the personal data were obtained, we shall provide you prior to further
processing with information on that other purpose and with any relevant further information which the General Data Protection Regulation requires.

Disclosure, Sharing and Transfer of Personal Data
To uphold a uniform level of hospitality and provide you with the best possible service in all our property and/or hotel, your Personal data may be shared with the below entities and/or people, which may involve cross-border transfer of information to third parties in countries outside the European Economic Area: • To authorized personnel at the applicable hotel and/or property in order to meet your reservation request. Upon your express consent, we retain your Personal data including details of your stay, preferences, room/accommodation type and amenities used. • To subsidiary and/or affiliate companies and/or business partners of OKEANOS BEACH HOTEL for the purpose of meeting your preferences and in order to offer personalized services in our property. • To Mail Chimp which is a marketing platform of The Rocket Science Group LLC used for the purposes of direct marketing and email campaigns. Mail Chimp is part of the Privacy Shield framework and has thus been recognized by the European Commission as offering an adequate level of data protection. Despite the agreements which are in place between OKEANOS BEACH HOTEL and Mail Chimp ensure that the processing of your Personal data is in accordance with the General Data Protection Regulation. • To our third party service providers, in order to offer products, services, or offers at our property and for our operation and improvement. For example, your Personal data may be transferred to service providers in the context of the provision of services such as rental of cars, spa and restaurants within our hotel, website hosting, data analysis, surveys, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing and other services. Generally, our service providers are contractually obligated to protect your personal data and may not otherwise use or share your personal data, except as may be required by law. • To Authorized Licensees: We may disclose your Personal data to an Authorized Licensee in connection with the Services, including with respect to a reservation you book through us, in connection with offerings of Travel Related Services, or to enable an Authorized Licensee to market and operate the business that it licenses. • To sponsors of Contests and other Promotions. • To your friends associated with your social media account, to other website users and to your social media account provider, in connection with your social sharing activity, such as if you connect your social media account to your Online Services account or log-into your Online Services account from your social media account. By connecting your Online Services account and your social media account, you authorize us to share information with your social media account provider, and you understand that the use of the information we share will be governed by the social media site’s privacy policy. If you do not want your Personal data shared with other users or with your social media account provider, please do not connect your social media account with your Online Services account and do not participate in social sharing on the Online Services. In addition, when you elect to post information on message boards, chat, profile pages and blogs and other services to which you are able to post information and materials (including, without limitation, our Social Media Pages) any such information you post or disclose through these services will become public and may be available to other users and the general public. We urge you to be very careful when deciding to disclose any information on the Online Services. • In the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), we may share your Personal data to a third party for the purposes of the aforementioned event. • If you visit any of our property as part of a group event or meeting, then personal data collected for meeting and event planning may be shared with the organizers of those meetings and events, and, where appropriate, guests who organize or participate in the meeting or event. • Other circumstances in which the sharing of your Personal data may take place are in order to: – comply with applicable laws, – respond to governmental inquiries or requests from public authorities, – comply with valid legal process, – protect the rights, privacy, safety or property of OKEANOS BEACH HOTEL, site visitors, guests, employees, those of any of our affiliates or the public, – permit us to pursue available remedies or limit the damages that we may sustain, – enforce our websites’ terms and conditions, and – respond to an emergency – to allow us to pursue available remedies or limit the damages that we may sustain.

Use and Disclosure of Other Data
We may use and disclose Other Data for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Data with Personal data (such as combining your name with your location). If we do, we will treat the combined information as Personal data as long as it is combined.

• Third Party Services: This Privacy Policy does not address, and we are not responsible for, the privacy, information or other practices of any third parties, including any third party operating any site or service to which the Services link, third party payment services, or any third-party website that is the landing page of the high-speed Internet providers at our hotel. The inclusion of a link on the Online Services does not imply endorsement of the linked site or service by us or by our affiliates. We have no control over, and are not responsible for, this third party’s collection, use and disclosure of your Personal data. In addition, we are not responsible for the information collection, use, disclosure or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, LinkedIn or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including with respect to any Personal data you disclose to other organizations through or in connection with the Apps or our Social Media Pages. • Third Party Advertisers: We may use third-party advertising companies to serve advertisements regarding goods and services that may be of interest to you when you access and use the Online Services and other websites or online services, based on information relating to your access to and use of the Online Services and other websites or online services. To do so, these companies may place or recognize a unique cookie on your browser (including through use of pixel tags).

Special category of Personal data “Special Category of Personal data” amount to such information the processing of which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not generally collect Special Category information unless it is volunteered by you. We may use health data provided by you to meet your particular needs (for example, the provision of disability access). Despite that, we ask that, unless there is a serious need for you or another guest, you do not send us, and you do not disclose, any Special Category Personal data to us.

Minors We do not knowingly collect personal data from individuals who are under 18 years of age. As a parent or legal guardian, please do not allow your children to submit personal data without your permission.

How We Store Your Personal data
The information that we collect about you, including Personal data, will be stored and processed in Cyprus and/or in remote cases in the Countries in which we and the third parties mentioned above operate. If you are located in the European Union or other regions with laws governing data collection and use that may differ from European data protection laws, please note that in the course of providing you with the service you requested we may transfer Personal data to some of these countries and jurisdictions that have data protection laws that do not provide the exact same level of protection as in your jurisdiction, however we make every effort possible to verify and audit that the processor and sub processors provide the best level of protection of personal data.

Retention of Personal data
We keep your Personal data for as long as needed to provide you with our respective services and in compliance with relevant laws of Cyprus. The period for which we keep your Personal data that is necessary for compliance and legal enforcement purposes varies and depends on the nature of our legal obligations and claims in the individual case. Personal data shall be destroyed as early as practicable, from both our short-term system and our back-ups so that restoration and/or reconstruction of the data is no longer possible. This also involves the secure destruction of any printed paper through methods such as cross shredding or incinerating the paper documents. For further information regarding specific retention period please contact us at info@okeanoshotel.com.cy.

Legal Bases for Collection, Use and Disclosure of Your Personal data
There are different legal bases that we rely on to collect, use and disclose your Personal data namely: • Performance of contract: The use of your Personal data for purposes of providing the services, customer management and functionality and security as described above is necessary to perform the services provided to you under our term and conditions and any other contract that you have with us.

• Compliance with legal obligation: We are permitted to use your Personal data to the extent this is required to comply with a legal obligation to which we are subject.

• Protection of your interests: When use of your data is necessary in order to protect your vital interests or those of other individuals.

• Consent: We will rely on your consent to use (i) your Personal data for marketing and advertising purposes; (ii) your Personal data for other purposes when we ask for your consent separately from this privacy policy and for which the purpose of the process does not relate to the services we offer to you.

How We Protect the Security of Your Personal data
We take appropriate security measures (including physical, electronic and procedural measures) to safeguard your Personal data from unauthorized access, disclosure, alteration or destruction. We also carry out checks to ensure that our affiliates and service providers with whom we share personal data, have reasonable measures in place to provide an adequate level of data protection and to maintain the confidentiality of your Personal data.

Our property has put in place controls in line with ISO 27001. Only authorized employees are permitted to access Personal data, and they may do so only for permitted business functions. In addition we have trained our employees on how to handle, manage and process personal data, applied upgraded technical measures and transformed our policies and procedures in a way that will comply with the General Data Protection Regulation.

For your protection, we may only implement requests with respect to the Personal data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

Users should also take care with how they handle and disclose their Personal data and should avoid sending Personal data through insecure email. We are not responsible for circumventions of any privacy settings or security measures contained on the Website.

We will not contact you by mobile/text messaging or email to ask for your confidential personal data or payment card details. If you receive this type of request, you should not respond to it. We will only ask for payment card details by telephone when you are booking a reservation or promotional package. We also ask that you please notify us at dpo@nestorhotel.com. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the “Contact Us” section below.

Choices about how we Collect, use and Disclose your Personal data
We strive to provide you with choices regarding the Personal data you provide to us.

• You can choose not to provide us with certain Personal data, but that may result in you being unable to use certain services.
• When you register with us, you may be given a choice as to whether you want to receive email messages, newsletters or advertising material about updates, improvements, special offers, or containing special distributions of content by us. If consented yet later on you decide you no longer want to receive commercial or promotional emails or newsletters from us, you will need to avail yourself of the unsubscribe mechanism set out in the applicable communication. It may take up to seven days for us to process an opt-out request. We may send you other types of transactional and relationship e-mail communications, such as service announcements, administrative notices, and surveys, without offering you the opportunity to opt out of receiving them as these will relate directly to your relationship with us.

• If you provided Personal data, you may terminate your relationship with us at any time as per the provision of the between us agreement or engagement. If you choose to do so, your Personal data will be deleted in accordance with our retention policy. Your Rights Related to Your Personal data

Subject to the provisions of the General Data Protection Regulation, you have certain rights regarding the Personal data we collect, use or disclose and that is related to you, including the right
• to receive information on the Personal data concerning we hold about you and how such Personal data is used (right to access);
• to rectify inaccurate Personal data concerning you (right to data rectification);
• to delete/erase your Personal data (right to erasure/deletion, “right to be forgotten”);
• to receive the Personal data provided by you in a structured, commonly used and machine-readable format and to transmit those Personal data to another data controller (right to data portability)
• to object to the use of your Personal data where such use is based on our legitimate interests or on public interests (right to object); and
• in some cases, to restrict our use of your Personal data (right to restriction of processing).
If we ask for your consent to use your Personal data, you can withdraw your consent at any time.
You may, at any time, send us an e-mail to info@okeanoshotel.com.cy.com to exercise your above rights in accordance with the applicable legal requirements and limitations. If you are located in the European Economic Area, you have a right to lodge a complaint with your local data protection authority.
Note that some requests to delete certain Personal data will require the deletion of your user account as the provision of user accounts are inextricable linked to the use of certain Personal data (e.g., your e-mail address). Also note that it is possible that we require additional information from you in order to verify your authorization to make the request and to honor your request.

Changes to Our Privacy Policy
We may modify or revise our privacy policy from time to time. Although we may attempt to notify you when major changes are made to this privacy policy, you are expected to periodically review the most up-to-date version found at our website www.netorhotel.com aware of any changes, as they are binding on you.

If we change anything in our privacy policy, the date of change will be reflected in the “last modified date”. You agree that you will periodically review this privacy policy and refresh the page when doing so. You agree to note the date of the last revision to our privacy policy. If the “last modified” date is unchanged from the last time you reviewed our privacy policy, then it is unchanged. On the other hand, if the date has changed, then there have been changes, and you agree to re-review our privacy policy, and you agree to the new ones. By continuing to use the Website and receive information subsequent to us making available an amended version of our privacy policy in a way that you can easily take notice of it, you thereby consent to such amendment.

Enforcement; Cooperation
We regularly review our compliance with this privacy policy. Please feel free to direct any questions or concerns regarding this privacy policy or our treatment of Personal data by contacting us through the Data Protection Officer at info@okeanoshotel.com.cy. It is our policy to contact the complaining party regarding his or her concerns. We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the collection, use and disclosure of Personal data that cannot be resolved by an individual and us.

No Rights of Third Parties
This privacy policy does not create rights enforceable by third parties or require disclosure of any Personal data relating to users of the Website.

No Error Free Performance
We do not guarantee error-free performance under this privacy policy. We will use reasonable efforts to comply with this privacy policy and will take prompt corrective action when we learn of any failure to comply with our privacy policy. We shall not be liable for any incidental, consequential or punitive damages relating to this privacy policy

Contact Us
If you have any questions about this privacy policy or you want to exercise any of your rights regarding your Personal data, please contact us at : dpo@nestorhotel.co.cy
You may also contact us at:
OKEANOS BEACH HOTEL, PO Box 30624, Ayia Napa– Cyprus
Tel.: 00357 23 724440, Fax: 00357 23 724441

CHILDREN’S PRIVACY POLICY- OKEANOS BEACH HOTEL

Last Modified: June 2nd, 2019

Under the UN Convention of the Rights of the Child (CRC) which outlines the fundamental human right of children (defined as a person under the age of 18), we here at the Okeanos Beach Hotel are aware and responsible for actively safeguarding children from any form of abuse which may include neglect, physical, sexual or emotional abuse, hunger, mistreatment or exploitation in any form. It is duly our responsibility to protect 
children from all of the above as they have the same rights as adults.

Our management and staff employee’s, are aware that the issue of child protection is of impeccable importance. They are alert, responsive & trained to handle any situation that may arise on premises for the protection of children as such. Furthermore, as a family orientated establishment, Okeanos Beach Hotel fosters close links and collaboration with the national authority for children’s protection in Cyprus where by employees are spoken to and trained on how to be alert and how to act in instances which they identify as abuse or are suspicious of it.

If such a case were to arise, procedures are in place to manage any situation whereby a child’s wellbeing may be at risk. By appointment of responsibility Public Relations Officer will be the final point of contact who in collaboration with our team will manage such a case, notifying local law enforcement, authority’s, and child protection organizations to act accordingly and prohibiting their enforcement on premises. Children and minors are vulnerable members of our society.

They are unfortunately still all too often victims of sexual exploitation. Protecting them is our collective responsibility.Be a responsible traveler. If you are witness to any behavior on premises or externally, that infringes on the human right of any minor, please act responsibly and notify the reception desk where our trained staff will handle the matter accordingly. Your and our actions count collectively to stop child abuse and protect our younger members of society.

Code Of Conduct:
The Code of Conduct criteria that Okeanos Beach Hotel undertakes to implement the protection of children:1. To establish a clear procedures to stop the sexual exploitation of children.2. To train personnel in children’s rights, preventing sexual exploitation and reporting suspected cases.3. To enforce the rejection and zero-tolerance policy with regard to the exploitation ofchildren.4. To provide tourists with information concerning children’s rights, and how to report suspected cases of exploitation of children.5. To support, cooperate with and assist organizations in fighting the sexual exploitation of children.