Confidentialité

General

This Privacy Notice sets out how St. George Hotel Enterprises (hereinafter referred to as the “Company”, “We”, “Our”, “Us”) processes data, whether on individuals (including personal data in respect of individuals who are clients, intermediaries or other third parties that We interact with, or any individual who is connected to those parties) or otherwise. Where the data held are on individuals, this document also sets out the rights of those individuals in respect of that personal data.

This Privacy Notice has been prepared in accordance with the provisions of the EU General Data Protection Regulation (“GDPR”).

Any questions relating to this Privacy Notice or requests in respect of personal data should be directed to Our Data Protection Officer (DPO) at GDPR@stgeorge-hotel.com.

Who We are

St. George is a category 4 star hotel located on the beach of Chlolarakas, Paphos. It possesses 260 rooms including; 211 twin rooms, 25 superior rooms, 6 suites and 3 rooms suitable for guests with disabilities. In the food & beverage scope, the hotel manages five bars and three restaurants. In addition it operates a Wellness Centre with a fully equipped gym, indoor pools as well as a wide-ranging a la carte treatment menu.

Our aim is to provide friendly and hospitable service to our guest in order to create a unique experience, hence, our motto is the hotel is “Where pleasure…is served with pleasure”. Our vision is to establish the hotel as one of the greatest 4 star hotel in the island.

Our main offices are located at SAINT GEORGE HOTEL, Chloraka, Paphos, Cyprus.

We strive to protect personal data and apply high standards of conduct when it comes to privacy issues. We ensure that Our employees are provided with the appropriate training in order to handle personal data promptly and in accordance with the laws. Furthermore, We endeavor to ensure that any parties with whom We co-operate apply the same high standards when it comes to data protection and privacy as We do.

What data do We hold?

We process data in the context of providing Our services to the clients. The categories of data We may collect and process, according to each case, include:
•contact details (including names, postal addresses, email addresses and telephone numbers);
•Passport numbers, ID card numbers, driving licenses;
•information required by Us to meet legal and regulatory requirements, in particular in respect of anti-money laundering legislation, including information on source of funds and source of wealth;
•financial information, such as payment related information and credit/debit card information;
•meetings attended and visits to Our offices;
•CCTV footage;
•any other information you may provide to Us.

Important notice on Special Category Data

In certain instances, the personal data that We process may include "Special Category Data" (which includes information on a person's race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data processed for the purpose of uniquely identifying a natural person, health data, data on a person's sex life or sexual orientation or data relating to a person's criminal record or alleged criminal activity). In such instances, legal bases for processing that data may include explicit consent (where the Special Category Data has been provided to Us by the data subject for any of the below-listed purposes) or the processing is being necessary for compliance with a legal obligation.

Why do We need them?

We ensure that the data collected and processed is relevant to one or more processing activities and that we do not collect or process more or less data than what is reasonably required for achieving the purpose of each processing activity. Furthermore, for each purpose of processing, there is always at least one lawful basis to secure that the rights of individuals are safeguarded by all means. The purposes of processing and the lawful basis of each processing activity are the following:

Sources and Recipients of data

The sources of data may include clients, intermediaries, data subjects directly, third parties connected to the data subject (for example, another service provider who provides services to the data subject such as an agent, website or application used for the purpose of making reservations with Us) or open-source material.

We use third party service providers to store and process personal data in certain ways which are useful for the purposes of our business. We may appoint sub-contractor data processors as required to deliver the Services, such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, payroll services, IT Support service providers, document and information storage providers, who will process personal information on our behalf and at our direction.

Reasonable endeavours are made to ensure that data is only accessible by those with a need for access to fulfil the purposes set out above. Requests for access to be restricted in any particular manner should be made to GDPR@stgeorge-hotel.com and will be considered and, where possible with reference to legal and regulatory obligations, actioned.

The following is a list of potential recipients of data (in each case including respective employees, directors and officers):
•employees of the Company who are acquainted with the GDPR
•any sub-contractors, agents or service providers of the Company;
•third parties with whom We engage;
•regulators or other governmental or supervisory bodies with a legal right to the material or a legitimate interest in any material;
•any other recipient whom We have communicated to you in writing.

Unless expressly declared in this Privacy Policy or with the prior consent of the individual, personal data collected from an individual will not be disclosed to any third party other than the above-named parties.

Where We are entering into an engagement with a third party pursuant to which data may be processed by that third party, We will seek to enter into an agreement with that third party setting out the respective obligations of each party and We will seek to be reasonably satisfied that the third party has measures in place equal to Ours to protect data against unauthorised or accidental use, access, disclosure, damage, loss or destruction.

In the event that any such third party is outside of the European Union and where the data being transferred would include personal data which would be protected under applicable Data Protection regulation, We will ensure that We meet the relevant requirements of that Data Protection regulation prior to carrying out any such transfer. This may include only transferring the data where We are satisfied that:
•the non-European Union country has Data Protection laws similar to the laws in the European Union;
•the recipient has agreed through contract to protect the information in the same Data Protection standards as the European Union;
•We have obtained consent from relevant data subjects to the transfer;
•if transferred to the United States of America, the transfer will be to organizations that are part of the Privacy Shield.

Rights of Data subjects

Data subjects in the European Union (or any jurisdiction with equivalent legislation to the European Union General Data Protection Regulation) have certain rights in respect of their personal data. Any such data subject wishing to exercise any rights under applicable data protection laws (including the right to withdraw any consent to processing previously given; the right of access to data; or to have data corrected, updated, rectified or erased; or for access to data to be restricted or provided to any third party; or to object to any particular processing; or to lodge a complaint with the relevant supervisory authority; or the right of data portability) should send the request in the first instance to GDPR@stgeorge-hotel.com

In response to such requests, We reserve the right to require the individual making the request to provide certain details about himself/herself so that We can validate that the individual is indeed the person whom the data refers to. We are required to respond to the request of the individual within 40 days and We will endeavour to do so wherever possible. We reserve the right to charge a reasonable fee to cover any expenses that may arise from the request.

In any case in which a data subject chooses not to provide any personal data, or where any of the rights set out above are exercised to limit the processing of personal data, We may be unable to provide relevant services, or there may be restrictions on the services which can be provided.

Retention of data

We retain personal data in accordance with the Data Retention Policy. Any personal data provided to Us is retained to fulfil the purposes for which the data was collected. After the fulfilment of the purposes for which the personal data was collected, such data will be destroyed, and a Destruction Certificate will be retained in Our records, unless destruction is prohibited for legal, regulatory or technical reasons.

Any requests for further information in relation to the continued processing of specific data and requests for destruction of data should be made to GDPR@stgeorge-hotel.com.

For further information on the retention and destruction processes of the Company, request Our Data Retention Policy at GDPR@stgeorge-hotel.com.

Use of Personal Data in Legal Proceedings

If it becomes necessary that We take action against you for any reason whatsoever, including but not limited to recovering from you any money you owe to Us, you expressly agree that the personal data provided by you can be relied upon in identifying and taking legal action against you.

Changes to this Privacy Notice

We keep this Privacy Notice under review in order to ensure that it is in line with any changes to the laws relating to privacy and personal data. Any updates will appear on the Firm’s website at www.stgeorge-hotel.com.

This Privacy Notice was last updated on 25 May 2018.

Contact Us

We have a Data Protection Officer and all enquiries in respect of this Privacy Notice or any requests to exercise any of the rights set out above should be directed to the Data Protection Officer via email at GDPR@stgeorge-hotel.com or by post at:

Data Protection Officer at St. George Hotels, 8063 Chlorakas, Paphos, Cyprus, P. O. Box 62372

Purpose	Lawful basis of processing
To enter into client relationship and for providing Our services	In cases where an individual has been provided with Our Privacy Notice and provides personal data thereafter, the processing may be carried out on the basis of consent. Consent may be withdrawn at any time by writing to GDPR@stgeorge-hotel.com It is in Our legitimate interests to collect and process certain personal data in the context of providing Our services To perform and fulfill the contract with the individual for the provision of Our services
For identity verification and record and for maintaining lists for correspondence	Processing is necessary for compliance with a legal obligation to which We are subject
To ensure the security of Our system, staff and premises (including the use of CCTV equipment in the public areas of the premises)	It is in Our legitimate interests to protect Our business environment, staff and premises from being misused or victimized in any way and to ensure that business operations run smoothly without unauthorized interruption By entering Our premises, any individual automatically consents to the use of CCTV for monitoring purposes and to abide by Our internal health and safety procedures
To meet all legal, regulatory and ethical obligations applicable to Us	Processing is necessary for compliance with a legal obligation to which We are subject or for the exercise of functions of public authorities It is in Our legitimate interests to process data to the extent necessary to ensure that We meet all legal, regulatory and ethical obligations applicable to Us
For the purposes of internal know-how and training	It is in Our legitimate interests to process data for internal know how and staff training.
To follow up on comments, enquiries and complaints	In cases where an individual has been provided with Our Privacy Notice and provides personal data thereafter, the processing may be carried out on the basis of consent. Consent may be withdrawn at any time by writing to GDPR@stgeorge-hotel.com It is in Our legitimate interests to collect and process certain personal data to enable Us follow up on comments, enquiries and complains in order to enhance client/user experience with Our services To perform and fulfill the contract with the individual for the provision of Our services
To promote, improve and further the provision of Our services	In cases where an individual has been provided with Our Privacy Notice nd provides personal data thereafter, the processing may be carried out on the basis of consent. Consent may be withdrawn at any time by writing to GDPR@stgeorge-hotel.com It is in Our legitimate interests to collect and process certain personal data to enable Us follow up on comments, enquiries and complains in order to enhance client/user experience with Our services
For marketing purposes including sending updates on important developments and opportunities, news about Our work and invitations to educational seminars and events	In cases where an individual has been provided with Our Privacy Policy and provides personal data thereafter, the processing may be carried out on the basis of consent. Consent may be withdrawn at any time by writing to GDPR@stgeorge-hotel.com or by unsubscribing by following the appropriate procedure which can be found in the relevant marketing material (e.g. by selecting the “unsubscribe” option in the email sent to you) It is in Our legitimate interests to process personal data to communicate with persons on topics and events which may be of interest to those individuals
Any other purpose(s) which has been agreed by or notified to you