Scope of this policy
This policy describes how Sveltos Estates Ltd collects, uses, consults or otherwise processes an individual's personal data in the context of the use of the websites and applications of our hotel brands/our loyalty programs (please indicate specific loyalty program)/reservations made with any of our hotels/ organizing a meeting or event/ subscription to our newsletter (hereafter the "Service").
This policy includes a description of your data protection rights, including a right to object to some of the processing activities we carry out.
We will process your personal data as a data controller.
This policy is to be read as consistent with the General Data Regulation as well as with the national laws enacted and the policies of the Controller relating to the provision of its Services.
For the purpose of this policy, the following term "Data Protection Legislation" shall mean the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), as well as any legislation and/or regulation implementing or created pursuant to the GDPR and the e-Privacy legislation, or which amends, replaces, re-enacts or consolidates any of them, and all other national applicable laws relating to processing of personal data and privacy that may exist under applicable law.
For this policy, "controller", "processor", "third party", "supervisory authority", "personal data", "processing", "data subject", shall have the meanings set out in the applicable Data Protection Legislation.
Who processes what personal data about you?
In the context of the Service, your personal data is processed by Sveltos Estates Ltd, as detailed hereafter and with any other organisation jointly as Joint Data Controllers.
Processed data categories
Source of data
Recipients of data
Transfers outside the EEA
Data is not transferred outside the EEA
Is your personal data used for direct marketing communications?
If you have explicitly consented, we may, from time to time, contact you with information about our Service.
If you no longer want to receive such communications, please let us know by sending an email to us at email@example.com. ADDITIONAL OPTION: You can also unsubscribe from our marketing emails by clicking on the unsubscribe link in the emails sent to you.
How long is your personal data stored?
We will retain your information only for the period necessary to fulfil the purposes outlined in this Privacy Statement unless a longer retention period is required by law. At the end of your contractual relation with the Hotel your data and more specifically details of your credit card, identity card and of your nationality will be retained for a period of six (6) years according to the national laws. In case legal reasons exist your data will be kept as long as the legal reasons will be completed and consequently will be then erased.
How is your personal data shared with third parties?
We only share or disclose information as described herein, including with third parties.
Your personal data will also be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of the data controller(s) legitimate interests in compliance with applicable laws.
Is your personal data transferred outside the EEA?
In the context of the provision of the Service and for the purposes described in this policy, your personal data will be kept within the EEA and transferred outside the EEA only to a country or countries which have been recognised by the European Commission to provide an adequate level of data protection.
If Third Parties process personal data on our behalf in a manner inconsistent with the principles of either Privacy Shield framework, we remain liable unless we prove we are not responsible for the event giving rise to the damage.
What security measures are put in place?
Appropriate technical and organisational measures are implemented in order to ensure an appropriate level of security of your personal data.
In the event personal information is compromised as a result of a security breach and where the breach is likely to result in a high risk to the rights and freedoms, we will make the necessary notifications, as required under the Data Protection Legislation.
What rules apply to children?
The Service is not intended for use by anyone under the age of 14.
We do not knowingly collect of solicit personal data from anyone under the age of 14 or knowingly allow such persons to register for the Service.
In the event we learn that we have collected personal data from a child under the age of 14 without verification of parental consent, steps will be taken promptly to remove that information. If you believe that we have or may have information from or about a child under 14 of age, please contact us at firstname.lastname@example.org .
Does this policy apply to third party websites?
You may configure your browser to block all cookies, including cookies associated with our services, or to indicate when a cookie is being set by us. However, it is important to remember that many of our services may not function properly if cookies are disabled. For example, we may not remember your language preferences. Please refer to your browser’s or mobile device’s technical documentation for instructions on how to delete and/or disable cookies.
For further information on cookies, how they are used and how they apply to the use of your personal data, please visit www.aboutcookies.org or www.allaboutcookies.org.
Changes to this policy
How can we be contacted?
Appointment of Data Protection Officer (DPO)
According to the provisions of the GDPR Regulation (2016/679, art.37) we inform you that the Data Protection Officer of Sveltos Estates Ltd appointed is P.L.P. DPO SERVICES LTD.
In case that at any time you consider that Sveltos Estates Ltd is not following or complying with the provisions outlined in the present policy or with any other matter related with the protection of personal data please contact the Data Protection Officer through:
Telephone: +357 24252584
Appendix – additional definitions to be included if deemed appropriate
• “You” (including "Your") or “User” means [complete]
• “Controller” shall have the meaning under the GDPR, i.e. “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
• “Processor” shall have the meaning under the GDPR, i.e. “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
• “Subprocessors” means a processor engaged by the Processor to carry out certain processing activities on behalf of the Controller.
• “Third Party” shall have the meaning under the GDPR, i.e. “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”.
• “Supervisory Authority” shall have the meaning under the GDPR, i.e. “an independent public authority which is established by a Member State pursuant to Article 51” of the GDPR.
Personal Data categories
• “Personal Data” shall have the meaning under the GDPR, i.e. “any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
• “Processing” shall have the meaning under the GDPR (i.e. “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”).
• “Data Processing Agreement” means a controller-processor agreement in accordance with Article 30 of the GDPR.
• “Privacy Shield” means the EU-U.S. Privacy Shield legal framework, designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
• “Standard Contractual Clauses” means sets of standard contractual clauses for transfers as adopted by the European Commission for the international transfer of personal data.