GDPR Policy
Your data protection rights under EU law
Zefyros Seaside Hotel Apartments is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This policy explains your rights and our obligations under GDPR.
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It gives individuals in the European Union greater control over their personal data and places strict obligations on organizations that collect and process personal information.
2. Data Controller
Zefyros Seaside Hotel Apartments acts as the Data Controller for personal data collected through our website and during your stay. This means we determine the purposes and means of processing your personal data.
Zefyros Seaside Hotel Apartments
Siviri, Kassandra
Chalkidiki 63088, Greece
3. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
3.1 Right to Be Informed (Articles 13-14)
You have the right to know how your personal data is being collected and used. We provide this information through our Privacy Policy and this GDPR Policy.
3.2 Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you. We will respond to your request within one month and provide the data in a commonly used electronic format.
3.3 Right to Rectification (Article 16)
If you believe any of your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it. We will respond within one month.
3.4 Right to Erasure / Right to Be Forgotten (Article 17)
You have the right to request the deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for its original purpose
- You withdraw your consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Note: We may be legally required to retain certain data (e.g., guest registration records for 5 years under Greek law).
3.5 Right to Restrict Processing (Article 18)
You can request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to our processing.
3.6 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON). You can also request that we transfer your data directly to another organization where technically feasible.
3.7 Right to Object (Article 21)
You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. If you object to marketing, we will stop processing your data for that purpose immediately.
3.8 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making processes.
4. Lawful Bases for Processing
We process your personal data under one or more of the following legal bases:
- Contract: Processing is necessary to fulfill our booking and accommodation contract with you.
- Legal Obligation: Processing is required to comply with Greek and EU laws (e.g., guest registration, tax records).
- Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving our services and ensuring security.
- Consent: Where you have given clear consent for specific processing activities (e.g., marketing emails, analytics cookies).
5. Data We Collect
We collect and process the following categories of personal data:
- Identity Data: Name, nationality, date of birth, passport/ID number
- Contact Data: Email address, phone number, postal address
- Booking Data: Reservation details, room preferences, special requests
- Financial Data: Payment information (processed securely, not stored)
- Technical Data: IP address, browser type, device information, cookies
- Communication Data: Correspondence with our staff
6. How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us using the following methods:
We will respond to your request within one month. In complex cases, we may extend this by two additional months, but we will inform you of any delay within the first month.
6.1 Verification
To protect your data, we may need to verify your identity before processing your request. We will ask for information that allows us to confirm you are the person whose data we hold.
6.2 Fees
Exercising your GDPR rights is generally free of charge. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, or if you request additional copies of your data.
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when introducing new technologies or processing activities that may pose a high risk to your rights and freedoms.
8. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Hellenic Data Protection Authority within 72 hours of becoming aware of the breach
- Inform you directly if the breach is likely to result in high risk to your rights
- Document all breaches and the actions taken to address them
9. International Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). If we need to transfer data outside the EEA, we will ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for countries with equivalent data protection laws
- Your explicit consent for specific transfers
10. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods include:
- Guest Records: 5 years (required by Greek law)
- Financial Records: 10 years (required by Greek tax law)
- Marketing Preferences: Until you withdraw consent
- Website Analytics: 26 months (Google Analytics default)
11. Cookies and Tracking
We use cookies and similar technologies on our website. You can manage your cookie preferences at any time using our cookie settings panel. For more details, please see our Privacy Policy.
12. Supervisory Authority
If you are not satisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the supervisory authority:
Hellenic Data Protection Authority
Kifisias 1-3
115 23 Athens, Greece
Phone: +30 210 6475600
Fax: +30 210 6475628
Email: contact@dpa.gr
Website: www.dpa.gr
13. Updates to This Policy
We may update this GDPR Policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on our website with the date of the last update.
14. Related Policies
For more information about how we handle your data, please also review:
- Privacy Policy - Detailed information about data collection and use
- Terms & Conditions - Booking and accommodation terms
Last updated: December 22, 2025