Please read this document carefully. It contains the Privacy Policy for the protection of personal data of clients of “T & S TURISM” EPE, GREECE, 64011 KERAMOTI, V.A.T № EL800507163, as the owner of the SUNSET LUXURY APARTMENTS Complex, located in KERAMOTI, GREECE, 64011 (“Policy”) and aims to explain the practices related to the processing of personal data in the context of the provided services and activities performed.
This Policy has been prepared in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Regulation).
Privacy Policy for the protection of personal data of clients of “T & S TURISM” EPE, GREECE, 64011 KERAMOTI, V.A.T № EL800507163.
GENERAL PROVISIONS
Article 1. In connection with the provision of its services and the performance of its activities, “T & S TURISM” EPE processes personal data of its clients – natural persons, as well as the personal data of other natural persons listed below (“Data Subjects”/”You”), in accordance with the rules and principles outlined in this Policy.
Article 2. “T & S TURISM” EPE is a company with V.A.T № EL800507163, headquartered at GREECE, 64011 KERAMOTI, phone: +359 889 695 636, email address: info@sunsetluxury.com
DATA SUBJECTS
Article 3. (1) In connection with the services provided, “T & S TURISM” EPE processes information about the following Data Subjects:
(a) Natural persons visiting the website https://sunsetluxury.com (the Website);
(b) Natural persons making reservations on their own behalf or on behalf of another natural or legal entity via the Website;
(c) Natural persons using the services provided by “T & S TURISM” EPE, including, but not limited to, hotel accommodation services and the provision of facilities for organizing conferences or other events, as well as natural persons representing or otherwise acting on behalf of legal entities utilizing these services;
(d) Natural persons submitting inquiries (including, but not limited to, via email, fax, phone calls, or the Instant Messaging functionality of the Website), requests, alerts, complaints, or other correspondence to “T & S TURISM” EPE, either on their own behalf or on behalf of another individual they represent;
(e) Natural persons whose information is contained in inquiries (including through phone calls or the Instant Messaging functionality of the Website), requests, alerts, complaints, or other correspondence addressed to “T & S TURISM” EPE.
(2) The services of “T & S TURISM” EPE may only be requested by legally competent individuals who are at least 18 years of age.
CATEGORIES OF PERSONAL DATA
Article 4. The information (categories of personal data) processed by “T & S TURISM” EPE regarding Data Subjects in accordance with this Policy may include:
- In connection with the provision of hotel accommodation services:
(a) Identification data: Guest’s full name; date of birth; gender; nationality; national identification number (e.g., EGN for Bulgarian citizens) and/or personal identification document number; date of issue of the personal identification document; validity of the identification document; country of issuance of the identification document; signature.
(b) Contact details: Telephone number; email address; residential address.
(c) Information related to hotel accommodation: Building; type and number of the apartment; floor; stay dates (check-in and check-out dates); duration of stay (number of nights). - Data related to payments and invoice issuance:
Information about the method of payment (cash, bank transfer, credit card, etc.); information about due and completed payments; information about payment terms and overdue/unpaid obligations; banking information (bank name, IBAN, account holder); currency of the completed payment; credit/debit card number, validity, and cardholder name; CVC code; data contained in the payment authorization form (slip); legal entity name; legal entity address; VAT number and/or other identification, tax, or registration number (EGN for natural persons); signed authorization forms. - In cases where the Data Subject represents another individual or entity (e.g., a company): information about who the represented party is and in what capacity (including workplace, position), as well as information regarding the requested services/orders made in that capacity. Accordingly, in cases where services are requested by a party other than the Data Subject for the benefit of the Data Subject, details about the capacity in which the Data Subject will use the services, who requested them, who will make the payment, etc., are required (e.g., for accommodations organized by the Data Subject’s employer or business partner).
- In cases where the Data Subject represents another individual or entity (e.g., a company): information about the represented party and in what capacity (including workplace, position), as well as information regarding the requested services/orders in that capacity. Similarly, in cases where services are requested by a party other than the Data Subject for the benefit of the Data Subject, details about the capacity in which the Data Subject will use the services, who requested them, who will make the payment, and other related information (e.g., for accommodations organized by the Data Subject’s employer or business partner).
- In connection with the issuance of customer discount cards:
(а) Identification data: names
(b) Information about the discount applicable with the respective customer card.
- In connection with the services and functionalities of the Website:
(a) Data processed in connection with hotel accommodation reservations: Names; email address; phone number; country; credit/debit card number, validity, and cardholder name; CVC code; number of rooms; number of guests, including adults and children; corporate code/access code; participant code for events or group accommodations; reservation number; special offers and guest preferences (explicitly indicated in the reservation form); package details (e.g., Honeymoon package, special occasion package, Explore Sofia weekend package, etc.).
(b) Data processed in connection with purchases made in the Website’s online store: Registration data (names; email address; phone number; fax; company name; address; city; postal code; region; country; password); order history; data related to purchased vouchers (voucher number; personalized message); payment history; credit/debit card number, validity, and cardholder name; CVC code; bank account details; order number.
(c) Unstructured content from conversations and inquiries with reservation agents through the Website’s Instant Messaging functionality.
- d) Information from login logs, server logs, and logs from security devices (Web Application Firewalls) and other similar devices: Date and time, IP address, URL, browser and device information.
(e) Cookies: The Website requires the use of cookies for proper functioning. A detailed description of the cookies used, their purposes, and the information processed through them can be found in the Cookie Policy of “T & S TURISM” EPE, available at: https://sunsetluxury.com.
Data related to complaints, applications, requests, and signals submitted by clients (including free text):Unstructured information contained in the respective complaints, applications, requests, and signals.
VIDEO SURVEILLANCE AND SECURITY
Article 5. (1) In accordance with the applicable legislation, “T & S TURISM” EPE implements security measures that include the following technical and organizational means for access control and ensuring physical security against intrusions into buildings and facilities, as well as protecting the life and health of individuals: physical security, alarm security systems, and a video surveillance system performing 24-hour video monitoring, consisting of recording and storage devices.
(2) Video surveillance and recording may be conducted in publicly accessible areas and premises within the buildings of “T & S TURISM” EPE, as well as in areas with special access control. No video surveillance is conducted in guest rooms, sanitary facilities, relaxation areas, or similar spaces. Data from video surveillance activities is stored in a monitoring room with restricted access and 24-hour security.
(3) Data Subjects and other visitors who may be recorded are informed of the use of technical surveillance and monitoring tools through informational boards placed in visible locations, providing relevant information about the monitoring conducted.
DIRECT MARKETING
Article 6. (1) With the explicit consent of the Data Subject, “T & S TURISM” EPE or other affiliated companies and partners of “T & S TURISM” EPE may process the following personal data: names, telephone number, address, email address, information about the type and volume of used and preferred services provided by “T & S TURISM” EPE, and other data explicitly mentioned in the respective consent, for the purposes of direct marketing. This includes offering other goods and services, including those provided by third parties, conducting surveys, and questionnaires to improve the quality of the services offered, in accordance with the scope of the specific consent given.
(2) When personal data is processed for direct marketing purposes, the Data Subject has the right to object to such processing at any time. In such cases, the processing of personal data for these purposes will cease.
(3) The Data Subject has the right to withdraw their consent for the processing of their personal data for direct marketing purposes at any time. In such cases, the processing of personal data based on the given consent will stop.
(4) Profiling for the purposes of direct marketing may only be carried out with the explicit consent of the Data Subject and must include at least the following additional safeguards for their rights and interests: the right to human intervention by the controller, the right to express their point of view, and the right to contest decisions based on profiling. At this time, “T & S TURISM” EPE does not perform such data processing activities.
PURPOSES OF PERSONAL DATA PROCESSING
Article 7. “T & S TURISM” EPE collects, stores, and processes the information described in Articles 4, 5, and 6 above for the purposes outlined in this Policy and in the general terms and conditions (contract) for the use of the respective services it provides. Depending on the legal basis for processing, these purposes may include:
(a) Compliance with legal obligations of “T & S TURISM” EPE;
(b) Purposes related to and/or necessary for the execution of contracts concluded with “T & S TURISM” EPE or for taking steps at the request of the Data Subject prior to the conclusion of a contract;
(c) Purposes related to the legitimate interests of “T & S TURISM” EPE or third parties.
Article 8. The purposes for which “T & S TURISM” EPE processes personal data to comply with legal obligations include:
- Maintaining a register of accommodated tourists and submitting information from it to the competent authorities as required by law;
- Address registration of foreign nationals in accordance with applicable legislation;
- Withholding and payment of tourism tax;
- Activities related to the development and implementation of counter-terrorism measures;
- Handling complaints, claims, requests for the exercise of rights, and similar matters, including responses to these;
- Accounting, invoicing, and reporting of received and made payments in compliance with current tax and accounting legislation;
- Other activities related to fulfilling legal obligations (tax, accounting, regulatory, licensing, etc.) of “T & S TURISM” EPE, including providing information to competent state and judicial authorities and assisting in inspections conducted by competent authorities.
Article 9. The purposes for which “T & S TURISM” EPE processes personal data related to and/or necessary for the performance of contracts or to take steps at the request of the Data Subject prior to entering into a contract with “T & S TURISM” EPE include:
- Accepting, managing, and processing reservations and cancellations;
- Customer service, including the provision of online services via the Website;
- Enabling profile registration and administering and maintaining registered profiles in the online store available on the Website;
- Administering, fulfilling, and delivering purchases made through the Website;
- Communication related to the provided services;
- Administering and receiving payments for the provided services, including remotely;
- Ensuring guarantees for made reservations and the payment of hotel accommodations and additional requested services;
- Financial and accounting activities, as well as administering, processing, and collecting payments due for provided services;
- Refunding incorrectly transferred amounts;
- Providing a personalized approach in delivering services tailored to users’ stated preferences.
Article 10. The purposes for which “T & S TURISM” EPE processes personal data based on the legitimate interests of “T & S TURISM” EPE or third parties include:
- Legitimate Interest – (1.1) exercising and protecting the legal rights and interests of “T & S TURISM” EPE; and (1.2) assisting in the exercise and protection of the legal rights and interests of clients, other individuals connected to “T & S TURISM” EPE, employees of “T & S TURISM” EPE, data processors acting on behalf of “T & S TURISM” EPE, and business partners of “T & S TURISM” EPE:
(a) establishing, exercising, or defending the legal claims of the individuals mentioned in (1.1) and (1.2), including through legal proceedings, filing complaints, and reporting to competent state and judicial authorities;
(b) video surveillance and access control to safeguard “T & S TURISM” EPE‘s property, ensure compliance with applicable requirements, provide physical security, and protect the life and health of citizens;
(c) taking measures to discontinue services in cases of non-payment, breaches of “T & S TURISM” EPE’s policies, or other violations;
(d) managing and handling complaints, signals, requests, and other communications;
(e) collecting outstanding debts owed to “T & S TURISM” EPE, including through enforcement or assignment to third parties, as well as transferring receivables to third parties under applicable laws;
(f) issuing notarial invitations.
- Legitimate Interest – analyzing, planning, and improving the quality of services provided by “T & S TURISM” EPE:
(a) maintaining a copy of internal system data related to the current state of the hotel (occupancy, debts, etc.) in case of an IT system failure;
(b) receiving, processing, and responding to requests unrelated to complaints or issues with the provided services;
(c) conducting customer satisfaction surveys;
(d) controlling, analyzing, and optimizing business processes to improve service quality.
- Legitimate Interest – ensuring the normal operation and use of the Website:
(a) maintaining and administering the Website;
(b) identifying and resolving technical issues with Website functionalities;
(c) taking measures against malicious actions affecting the security and functionality of the Website.
- Legitimate Interest – conducting hospitality and restaurant activities and ensuring high-quality hospitality and restaurant services:
(a) administering and managing the services provided by “T & S TURISM” EPE;
(b) managing and controlling the quality of the provided services;
(c) obtaining feedback on the provided services.
Article 11. The purposes for processing personal data based on the consent provided by the Data Subject include:
- Sending marketing and promotional messages about services, special offers, packages, events, and similar;
- Conducting surveys and collecting feedback on service quality;
- Sending newsletters;
- Other purposes for which specific consent has been given by the Data Subject.
PROVISION OF PERSONAL DATA AND CONSEQUENCES OF REFUSAL TO PROVIDE IT TO “T & S TURISM” EPE
Article 12.
- “T & S TURISM” EPE clearly indicates, where applicable and in an appropriate manner, whether providing specific data and/or documents is mandatory or a requirement necessary for the conclusion or performance of a contract, as well as the consequences of refusal to provide it.
- If additional clarification is needed, any Data Subject may request such clarification at the premises of “T & S TURISM” EPE or submit an inquiry to the contacts listed in Article 23 of this Policy.
- Refusal to provide the required data and documents may constitute an insurmountable obstacle to the provision of services by “T & S TURISM” EPE, or to the fulfillment and execution of submitted requests, applications, petitions, signals, and the like, thus exempting “T & S TURISM” EPE from liability for non-performance.
- Refusal to provide data and documents or providing false information may result in the inability to provide the respective services or suspension of access to services offered by “T & S TURISM” EPE.
- Data Subjects should not provide “T & S TURISM” EPE with any special categories of data as defined in Articles 9 and 10 of the Regulation (namely, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, and personal data related to criminal convictions and offenses).
OTHER SOURCES OF PERSONAL DATA
Article 13.
- In some cases, the personal data processed by “T & S TURISM” EPE is not collected or received directly from the Data Subject to whom it pertains but from third parties such as:
- Individuals representing, working for, or otherwise collaborating with the Data Subject;
- Event organizers – regarding information about event participants;
- Business partners (e.g., booking websites like Booking.com; travel agents, other intermediaries facilitating reservations or requests for other services, and similar entities) of “T & S TURISM” EPE;
- Competent state and judicial authorities.
- The entities under points 1.1 to 1.3 are obligated to inform the Data Subjects whose data they provide and ensure that the data is shared based on valid legal grounds.
PROCESSING OF INFORMATION FROM THIRD PARTIES – DATA PROCESSORS
Article 14. Processing of Information by Third Parties – Data Processors
- For the purposes outlined in this Policy, “T & S TURISM” EPE may delegate personal data processing activities to third parties – Data Processors, in compliance with the requirements of the Regulation and other applicable personal data protection laws.
- When personal data is disclosed to and processed by Data Processors, this will be done only to the extent necessary for fulfilling the tasks assigned to them by “T & S TURISM” EPE.
- Data Processors act on behalf of “T & S TURISM” EPE and are required to process personal data strictly following the instructions of “T & S TURISM” EPE. They are prohibited from using or processing the information for purposes other than those specified in this Policy.
Categories of Recipients of Personal Data
Article 15. “T & S TURISM” EPE does not disclose personal data related to the Data Subject to third parties, except in cases where:
- It is necessary to comply with a legal obligation of “T & S TURISM” EPE:
(a) Competent state, municipal, or judicial authorities;
(b) Auditors. - It is explicitly provided for in this Policy and/or in the terms and conditions (contract) for the use of the services provided by “T & S TURISM” EPE:
(a) Data processors engaged by “T & S TURISM” EPE;
(b) Debt collection companies. - It is necessary for the provision of “T & S TURISM” EPE services:
(a) Banks and payment service providers;
(b) Postal and courier service providers;
(c) Business partners of “T & S TURISM” EPE, such as booking platforms, travel agencies, and other providers of travel-related or supplementary services like car rentals, taxi, and other transportation services. - The Data Subject has provided explicit consent – to the parties specified in the relevant consent (e.g., parties affiliated with “T & S TURISM” EPE, business partners, etc.).
- It is necessary to protect the rights or legitimate interests of “T & S TURISM” EPE, third parties, or the Data Subject:
(a) State, municipal, and judicial authorities;
(b) Private and public enforcement agents;
(c) Attorneys;
(d) Notaries. - Other cases as provided by law.
Article 16.
- “T & S TURISM” EPE processes and stores information related to the Data Subject until the relevant purposes for which the information was collected and processed are achieved.
- In accordance with its internal rules and procedures and applicable legislation, “T & S TURISM” EPE processes and stores information related to the Data Subject for the following periods:
Type of Data | Retention Period | ||
Data from the register of accommodated tourists, including identification data and data related to hotel accommodation. | According to the provisions of the law and applicable regulations. | ||
Information related to requests and used hotel accommodation services, events, and restaurant services, including cancellations and refund requests. | From the completion of the corresponding reservation/request for up to 5 (five) years after the service is provided/the agreement is terminated. For services with ongoing execution, the period starts from the final execution and/or termination of the agreement. | ||
Financial and accounting documents; invoices; authorization forms; and other data related to tax and social security compliance. | Up to 10 (ten) years, starting from the beginning of the year following the year in which the payment obligation arose. | ||
Unstructured communication, correspondence, complaints, and signals. | 5 years. If the correspondence relates to an agreement with ongoing execution, the period starts from the final execution and/or termination of the agreement. | ||
Data related to registered profiles in the online store on the Website. | For the entire registration period and up to 5 (five) years after termination (if applicable). | ||
Data related to restaurant service reservations made via phone. | Up to 1 year. | ||
System logs related to security, technical support, etc. (may include information such as date and time, IP address, URL, browser and device information). | 1 year. | ||
Data regarding actions on profile registration or product purchases, with or without a registered profile on the Website (includes action/content of the request, date and time, IP address, etc.). | For the entire period of maintaining the profile and up to 5 (five) years after its termination (if applicable). For up to 5 (five) years from the execution of the purchase request (if performed without a registered profile). | ||
Video recordings. | 2 months. | ||
Data contained in feedback cards. | The information from feedback cards is entered in anonymized form (only feedback and recommendations are recorded) without any personal information of the individual who provided it. Cards are destroyed immediately after the feedback is entered into the internal systems of “T & S TURISM” EPE. | ||
Data processed based on the explicit consent of the Data Subject. |
|
||
Data described in this Policy for protecting the rights and/or legal interests of “T & S TURISM” EPE. | The data may be processed for a longer period as specified above, if it is necessary to achieve the objectives described in the Policy or to ensure compliance with applicable legislation.
|
||
The personal data specified in this Policy may be processed for a longer period than those outlined above if necessary to achieve the objectives stated herein or to protect the rights and/or legitimate interests (including in legal proceedings) of “T & S TURISM” EPE, or if the applicable legislation requires the data to be processed for a longer period. |
RIGHTS OF DATA SUBJECTS REGARDING THEIR PERSONAL DATA
Article 17.(1) Regarding the processing of their personal data, every Data Subject has the following rights:
- Right to Information – To receive information about the processing of their personal data by “T & S TURISM” EPE.
- Right of Access:
(a) To obtain confirmation of whether their personal data is being processed.
(b) To access the processed personal data and detailed information about the processing and their rights. - Right to Rectification – To request the correction or completion of their personal data if it is inaccurate or incomplete.
- Right to Erasure (“Right to be Forgotten”) – To request the deletion of their personal data if the grounds provided in the Regulation are met.
- Right to Restriction of Processing – To request that “T & S TURISM” EPE restricts the processing of their personal data within the limits established by the Regulation, if the conditions provided in the Regulation are met.
- Notification to Third Parties – The right to request that “T & S TURISM” EPE notifies third parties to whom their personal data has been disclosed about any corrections, deletions, or restrictions on processing, unless this is impossible or requires disproportionate effort from “T & S TURISM” EPE.
- Right to Data Portability – To receive the personal data concerning them, which they have provided to “T & S TURISM” EPE, in a structured, commonly used, and machine-readable format, and to transfer those data to another controller without hindrance from “T & S TURISM” EPE.
The right to data portability applies when both of the following conditions are met:
(a) The processing is based on consent or a contractual obligation; and
(b) The processing is carried out by automated means.
If technically feasible, the Data Subject has the right to request a direct transfer of personal data from “T & S TURISM” EPE to another controller. The exercise of the right to data portability must not adversely affect the rights and freedoms of others. - Rights Regarding Automated Decision-Making, Including Profiling – To not be subject to a decision based solely on automated processing (i.e., processing without human intervention), including profiling as defined by the Regulation, which produces legal effects concerning the Data Subject or similarly significantly affects them, except where the grounds provided in the Regulation are met and appropriate safeguards are in place to protect the Data Subject’s rights, freedoms, and legitimate interests.
Such safeguards include, at a minimum, the right to human intervention by “T & S TURISM” EPE, the right to express their point of view, and the right to contest the decision.
If such a decision, including profiling, is made regarding the Data Subject, they have the right to receive substantial information from “T & S TURISM” EPE about the logic used, the significance, and the consequences of this processing for them, as well as how to exercise their rights under this point. - Right to Withdraw Consent – Where the processing of personal data is based solely on the Data Subject’s consent, they may withdraw their consent at any time. Such withdrawal does not affect the lawfulness of processing based on the consent before its withdrawal.
Right to Object
Article 18.The Data Subject has the right, at any time and on grounds related to their particular situation, to object to the processing of their personal data, including profiling within the meaning of the Regulation, based on public interest, the exercise of official authority, or the legitimate interests of “T & S TURISM” EPE or a third party. In such cases, “T & S TURISM” EPE shall cease processing the personal data unless it demonstrates compelling legal grounds for processing that override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.
Article 19. (1) The Data Subject may exercise their rights related to the protection of personal data by submitting a written request directly to “T & S TURISM” EPE – either in person at the address specified in Article 23 of this Policy or through a notarized request sent by mail.
(2) The request under paragraph 1 may also be submitted electronically, provided that it is signed by the Data Subject with a qualified electronic signature as defined in the Electronic Document and Electronic Certification Services Act and Article 3, Item 12 of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. The request should be sent to the email address of “T & S TURISM” EPE as specified in Article 23 of this Policy.
(3) The Data Subject may exercise their rights related to their personal data either personally or through an expressly authorized representative (with a notarized power of attorney).
(4) Some rights may also be exercised through the functionalities available on the Website.
Right to File a Complaint with a Supervisory Authority
Article 20.Every Data Subject has the right to file a complaint with a data protection supervisory authority, particularly in the Member State (of the EU/EEA) of their habitual residence, workplace, or the place of the alleged violation, if they believe that the processing of their personal data violates the provisions of the Regulation or other applicable data protection requirements.
Restrictions of Rights
Article 21.The scope of the Data Subjects’ rights and the obligations of “T & S TURISM” EPE in connection with these rights may be restricted by a legislative measure under EU law or the law of a Member State applicable to “T & S TURISM” EPE.
Clarifications and Additional Information
Article 22.The Data Subject may obtain clarifications regarding the content and grounds for data processing, the procedure for exercising the rights outlined in this Policy, and any additional information concerning their rights when their personal data is processed by “T & S TURISM” EPE at:
- Address: GREECE, 64011 KERAMOTI
- Email: info@sunsetluxury.com
- Phone: +359 889 695 636
This Privacy Policy has been drafted by “T & S TURISM” EPE, in its capacity as a personal data controller, in compliance with its obligation to provide information to data subjects under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
This Privacy Policy is effective as of January 1, 2025.