Skip links

Cookie Policy

Personal Data Protection Policy

Scope of the Privacy Policy

The company under the name «ΚΑΣΤΡΙΝΟΣ ΒΑΣΙΛΕΙΟΣ ΤΟΥ ΔΗΜΗΤΡΙΟΥ», with headquarters at ΣΚ.ΠΟΤΑΜΙΑΣ, ΘΑΣΟ, (hereinafter referred to as the “Company”), with this Privacy Policy aims to inform users of this website «https://kastrinos-thassos.gr/» (hereinafter referred to as the “Website”) about the way and purpose of processing their personal data. The Company, as Data Controller, collects and processes personal data of the users of the Website, only if absolutely necessary, for explicit and legitimate purposes, in accordance with the existing legislation on personal data protection.

Definitions

For the purposes of this Policy, the following terms shall have the following meanings:

  • “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
  • “Special categories of personal data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of positive identification, data concerning health or data concerning the sex life of a natural person or sexual orientation.
  • “Processing”: means any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be provided for by Union or Member State law.
  • “Processor”: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • “Data Subject”: the natural person whose personal data are processed. In this particular case, the data subject of the processing is considered to be each user of our Website.
  • “Consent” of the data subject: any freely given, specific, explicit and informed indication of the data subject’s wishes by which the data subject signifies his or her agreement, by a statement or by a clear affirmative action, to the processing of personal data concerning him or her.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
  • “Anonymisation”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject.
  • “Pseudonymisation” means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of supplementary information, provided that such supplementary information is kept separately and subject to technical and organisational measures to ensure that it cannot be attributed to an identified or identifiable natural person.
  • “Existing legislation”: the respective national and EU legislation on personal data protection, in particular the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), Law 4624/2019 as well as the Decisions, Directives and Opinions of the Hellenic Data Protection Authority (hereinafter “Hellenic Data Protection Authority”).

General Principles of Personal Data Processing

The Company collects and processes the personal data of data subjects in accordance with the following processing principles:

  • Legitimacy, objectivity, transparency: The Company collects and processes these data lawfully, in a transparent manner in relation to the data subjects.
  • Limitation of purpose: The Company processes personal data only for specified, explicit and legitimate purposes.
  • Data minimization: The Company takes appropriate technical and organizational measures to ensure that the personal data processed are appropriate, relevant and limited to what is necessary for the purposes for which they are processed.
  • Accuracy: The Company ensures that the personal data it maintains and processes is always accurate and up-to-date.
  • Limitation of the storage period: The Company does not retain personal data for a period longer than the purposes for which they were collected and processed. However, it may retain it for a longer period if the processing of such data is necessary:
    • for compliance with a legal obligation requiring processing under a provision of law;
    • for the performance of a task carried out in the public interest;
    • for reasons of public interest;
    • for archiving purposes in the public interest, or for scientific or historical research purposes, or for statistical purposes, after appropriate technical and organisational measures, including pseudonymisation, have been taken, and only if these purposes cannot be served by anonymisation of the data;
    • for the establishment, exercise or maintenance of legal claims.
  • Integrity and confidentiality: The Company ensures that the collection and processing of personal data is carried out in a secure manner, using appropriate technical and organizational means to protect it from any unauthorized or unlawful processing and accidental loss, destruction or damage.

Personal Data collected and processed through the website – Purpose of processing and lawful basis

Personal data collected through the contact form

Through the contact form, the user has the opportunity to contact the Company for any questions, clarifications, complaints, etc. as well as to express interest in the services provided. In case the user wishes to use this service, he/she should fill in the relevant fields such as name, telephone number, email, subject and the relevant message.

Purpose of Processing and Lawful Basis

The purpose of the collection and processing of such personal data is the optimal communication and information of the user with the Company. The legal basis for the processing of personal data is the user’s consent (GDPR Article 6(1a)), which is provided by accepting this Privacy Policy before submitting the message. Such consent may, in accordance with existing legislation, be withdrawn at any time, without affecting the lawfulness of the processing until the moment of withdrawal.

Personal data collected through log data

Each time a user accesses the Company’s Website, personal data may be temporarily stored in a log file, such as information about the browser and operating system used, the internet protocol address (IP address), the date and time of the request on the server, the amount of data transferred and the resource requested.

Purpose of Processing and Lawful Basis

The purpose of collecting and processing such data is to provide the service for technical and security reasons. These data are not personalised and are kept for a maximum of 6 months. IP addresses from which malicious activity originates are permanently stored in the security system of the Website for security reasons and to prevent further attacks. The legitimate basis for processing personal data is the legitimate interest of the Company to improve and secure the services provided to the users of the Website [GDPR Article 6 §1 (f)].

Personal data collected from the use of cookies

When you browse our website, we may collect certain necessary information related to the traffic on the website in question, such as the Internet Protocol (IP) address and the type of browser used by the user, etc. For more information about the use of cookies on our Website, you can refer to (LINK) Cookies Policy.

Purpose of Processing and Lawful Basis

The purpose of the collection and processing of this data is to improve the functionality of the Website and the services provided, as well as to analyze the traffic. The legal basis for processing personal data is the user’s consent (GDPR Article 6(1a)), which is provided by accepting the cookies in question, with the exception of the strictly necessary cookies that are permanently installed and are absolutely necessary for the operation of the Website, for which the legal basis for processing is the legitimate interest of the Company (GDPR Article 6(1f)).

Personal Data of Minor Users

This Website is not addressed to minors and does not wish to collect and process personal data of minors (i.e. persons under the age of 18). However, since it is impossible to cross-check and verify the age of the users of our Website, we request the parents/guardians of minors, in case they find any unauthorized data disclosure on behalf of minors, to immediately notify the Company, as to take the necessary protective measures (e.g. deletion of their data). If the Company becomes aware that personal data of a minor have been collected, it undertakes to delete them immediately and to take all necessary measures to protect such data.

Transfer of Personal Data

The Company may transfer the above personal data to third parties to whom it has entrusted the processing of personal data on its behalf (such as service providers, website developers, etc.). In any case, the third parties to which user data may be transmitted are contractually bound to the Company in order to ensure the confidentiality obligation and all obligations provided for by the Existing Legislation. At the same time, users’ personal data may be transmitted to public authorities, independent authorities, etc. (e.g. Police Departments, Prosecutor’s Court, Tax, Customs Authorities, the DPAA, etc.) in the exercise of their duties on their own initiative or at the request of a third party claiming a legitimate interest and in accordance with the legal procedures.

In the event of the transfer of users’ personal data collected through this Website to a country outside the European Union (EU) or the European Economic Area (EEA), the Company shall first check whether:

  • The Commission has issued an adequacy decision for the third country to which the transfer is to be made.
  • Appropriate safeguards are in place in accordance with the Regulation for the transfer of such data.

Otherwise, the transfer to a third country is prohibited and the Company will not transfer users’ personal data to that country, unless one of the special exceptions provided by the Existing Legislation applies (e.g. the express consent of the user and informing him/her about the risks involved in the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support legal claims and vital interests of the user and so on).

Data Retention Period

The personal data of users collected are kept for a predetermined and limited period of time, depending on the purpose of processing, after which the data are deleted from our files. Where processing is imposed as an obligation by provisions of the applicable legal framework or a specific retention period is provided, your personal data will be stored for as long as the relevant provisions require. Personal data of users collected and processed for the performance of a contract will be kept for as long as necessary for the performance of the contract and for the establishment, exercise, and/or support of legal claims based on the contract. Personal data of users processed for marketing purposes with the consent of the users shall be kept until the consent is withdrawn, without such withdrawal affecting the lawfulness of the processing carried out until then.

Security of Personal Data

Taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of users from processing, the Company takes the necessary technical and organizational measures to protect the personal data of users. Although no method of transmission over the Internet or method of electronic storage is completely secure, the Company takes all necessary digital data security measures (antivirus, firewall, etc.).

Data Protection Officer (DPO)

In order to ensure adequate protection of personal data, the Company has appointed a Data Protection Officer to whom data subjects may address their requests and questions regarding the protection of their personal data and this Policy, at the following contact details: at dpo@kastrinos-thassos.gr or by telephone: +30 6947404373.

Rights of Personal Data Subjects

The Company shall ensure that it is able to respond immediately to the requests of users for the exercise of their rights in accordance with the existing legislation.

In particular, each user has the following rights:

  • Request information on the processing of his/her personal data by the Company.
  • Request access to his/her personal data held by the Company. More specifically, he/she may request to receive a copy of his/her personal data held and to check the lawfulness of the processing.
  • To request the correction of his/her personal data in case of incorrect or incomplete registration by the Company.
  • Request the deletion of his/her personal data if their retention is not based on any legitimate basis or legitimate interest.
  • Request restriction of the processing of his/her personal data, under certain conditions.
  • Request the portability/transmission of his/her personal data either to himself/herself or to third parties.
  • To withdraw at any time the consent given for the processing of his/her personal data, without this withdrawal affecting the lawfulness of the processing up to that time.
  • To object to the processing of his/her personal data by the Company.
  • To oppose a decision concerning him or her taken solely on the basis of automated processing, including profiling.

To exercise your rights, you can contact the contact details of the Data Protection Officer. In the event of exercising any of the above rights, the Company shall provide the data subject with information on the processing operations upon the relevant request submitted within one (1) month from the receipt of the request and the identification of the data subject. This period may be extended by two (2) more months, if necessary, if the request is complex or there is a large number of requests. In this case, the Company shall, within one month of receiving the request, inform the data subject of the delay and the reasons for it. Within the aforementioned period, it shall also inform the data subject of any refusal to comply with all or part of the request submitted and of the reasons for the refusal.

For any complaint regarding this Policy or personal data protection issues, if we do not satisfy your request, you may contact the Hellenic Data Protection Authority www.dpa.gr, 1-3 Kifissias Street, P.O. Box 115 23, Athens.

Disclaimer for Third Party Websites

In the event that our Website contains links that redirect users to third party websites, we inform you that the Company does not control or is not responsible for the content, actions or policies of these websites, nor for the way in which they process the personal data of users.

Updates to the Privacy Policy

This Privacy Policy may be amended/revised in the future, in the context of the Company’s regulatory compliance as well as the optimization and upgrading of our Website services. We therefore recommend that you refer to the updated version of this Policy each time for your adequate information.

Second edition: 2024-09-02