Privacy notice on the processing of personal data through a video surveillance system
This Privacy Notice applies to the processing of your personal data through the Video Surveillance system (hereinafter “Personal Data”), as a customer of the hotel or as a visitor or as an employee (hereinafter “Customer” or “Visitor” or “Employee” or “you” ), which is made by the company “NHKA SA” (hereinafter “Company” or “Hotel” or “Elysium Resort & Spa” or “we”).
For the safety and protection of its customers, staff, visitors, office premises, assets and information, as well as for logistical reasons, the Company protects its facilities with a video surveillance system through closed circuit television (CCTV). The video surveillance system records images of people and therefore processes personal data.
As a customer of the hotel or as a guest or as an employee you have the right to the protection of your Personal Data. The Hotel respects your privacy and your personal data and always acts in compliance with the Personal Data Protection Legislation. The hotel is also committed to acting transparently regarding how data is collected and used in the context of fulfilling its obligations.
By the term “Legislation on Personal Data Protection” (hereinafter “Legislation”) we mean all laws, regulations, directives, etc., Greek or European, concerning the processing of Personal Data, their privacy and security. For example, we mention the General Data Protection Regulation (EU) 2016/679 (GDPR), Greek Law 4624/2019, Directive 1/2011 “Use of video surveillance systems for the protection of persons and goods” of the Greek Personal Data Protection Authority (PDPA), as well also the Directives of the European Data Protection Board (EDPB) Guidelines 3/2019 regarding the processing of personal data through video devices.
It is important that you read carefully this notice which clearly explains to you how and why we collect your Personal Data through the Video Surveillance system, what we do with them, how long we keep them, with whom we share them, how we protect them, and the choices you may have about them. In this way you will always be fully aware of the ways and reasons for which we use these data as well as your rights under the Legislation.
The Hotel in accordance with the General Data Protection Regulation acts as “Data Controller”. This means that the Hotel is responsible for deciding on the ways and purposes for which it collects and uses (processes) your personal data.
Our contact details are:
Elysium Resort & Spa
Kallithea, Rhodes, 85100, Greece
Tel: +30 22410 45700
Principles of Processing
- We process your personal data in a fair, legal, fair, clear, objective and transparent manner.
- We collect your data only for specified, explicit and legitimate purposes that we deem appropriate and have been adequately explained to you. We also assure you that they will not be used in any other way except for those purposes.
- We collect and maintain the least possible data, which is appropriate, relevant and absolutely necessary for processing purposes.
- We confirm that the data is correct and kept up-to-date and accurate.
- We will retain your data only for as long as we need it to fulfill any processing goal.
- We will make sure that we store them with the appropriate security.
- We process it in a way that ensures that it will not be used unlawfully or contrary to your will.
Types of personal data collected
The hotel only collects image data and no voice is recorded.
Purpose of processing and legal basis
We use a surveillance system for the purpose of protecting people and property. The processing is necessary for the purposes of legitimate interests pursued by us as the controller (Article 6 p. 1. f GDPR).
- To control access to the premises and ensure the security of the buildings, the safety of its staff and visitors, and the assets and information located or stored on the premises.
- To prevent, deter and, if necessary, investigate unauthorized physical access, including unauthorized access to secure and protected areas, IT infrastructure or business information.
- To prevent, detect and investigate theft of equipment or property belonging to the Hotel, customers, visitors to staff or threats to the safety of customers, staff or third parties (eg fire, physical assault).
The data collected through the system is not used to monitor the work of employees or to evaluate their behavior and efficiency.
The system is also not used as an investigation tool or to gather evidence in internal investigations or disciplinary procedures, unless it is a security incident.
Analysis of legitimate interests
Our legitimate interest consists in the need to protect our site and the goods located in it from illegal acts, such as theft. The same applies to the safety of life, physical integrity, health and property of our customers, our staff and third parties who are legally present in the monitored area.
We limit the monitoring to places where we have assessed that there is an increased need without focusing on places where the privacy of the persons whose image is taken may be unduly restricted, including their right to respect for personal data.
The guarded material is only accessible by our competent / authorized personnel who are in charge of site security. This material is not passed on to third parties, with the exception of the following cases:
- to the competent judicial, prosecutorial and police authorities when it includes information necessary for the investigation of a criminal act, which concerns persons or goods of the data controller,
- to the competent judicial, prosecutorial and police authorities when they request data, legally, in the exercise of their duties, and
- to the victim or perpetrator of a criminal act, when it comes to data that may constitute evidence of the act.
Data retention time
We keep the data for fifteen (15) days, after which they are automatically deleted. In the event that we detect an incident during this period, we isolate part of the video and keep it for up to one (1) month, with the aim of investigating the incident and initiating legal proceedings to defend our legal interests, while if the incident concerns third we will keep the video for up to three (3) more months.
Protection of your personal data
The Hotel is committed to protecting the security of your personal data. Therefore, we have put in place a number of technical and organizational security measures to prevent the use or access of your personal data in an unauthorized or illegal manner, the accidental loss or damage of its integrity, its alteration or disclosure. We keep your data on computer systems with limited access and only in controlled facilities.
In addition, we limit access to your personal information to only those who have a business need to know. Your personal information will only be processed in accordance with our instructions and subject to an obligation of confidentiality. Your Personal Data will only be processed by a third-party Processor if he agrees to comply with the specific technical and organizational data security measures.
Rights of data subjects
Data subjects have the following rights:
- Right of access: you have the right to know whether we are processing your image and, if so, to receive a copy of it.
- Right to restriction: you have the right to ask us to restrict the processing, such as not to delete data that you consider necessary to establish, exercise or support legal claims.
- Right to object: you have the right to object to the processing.
- Right to deletion: you have the right to request that we delete your data.
You can exercise your rights by sending an e-mail to firstname.lastname@example.org or a letter to our postal address or by submitting the request to us in person at our address. In order to consider a request related to your image, you will need to tell us approximately when you came into range of the cameras and provide us with an image of you to help us identify your own data and mask the data of third parties depicted. Alternatively, we allow you to come to our premises to show you the images in which you appear. We also point out that the exercise of the right to object or delete does not imply the immediate deletion of data or modification of the processing. In any case, we will answer you in detail as soon as possible, within the deadlines set by the GDPR.
Right to file a complaint
If you believe that the processing of your data violates Regulation (EU) 2016/679, you have the right to file a complaint with a supervisory authority.
The competent supervisory authority for Greece is the Data Protection Authority, Kifisias 1-3, 115 23, Athens, https://www.dpa.gr/, tel. 2106475600.
Questions, Concerns or Complaints
If you have questions about this Privacy Notice, if you want to file a complaint about the way your personal data is processed by the Hotel or its partners, you have the right to contact us. Contact information can be found in the Data Controller section
Updates to this Privacy Notice
The Hotel reserves the right to modify this notice and its related practices at any time in order to respond to changes in the regulatory environment, business needs or to satisfy the needs of its subjects, properties, strategic partners and service providers without notice. Such changes, modifications, additions or deletions to this Privacy Notice will supersede previous releases and will be effective immediately upon posting.
Updated versions will be posted on the Hotel Website at the address below and will be dated.
Last updated: August 10, 2022