Privacy policy and GDPR

At Nefeli Sunset Studios, we take your privacy very seriously and are committed to protecting it. This summary contains important information about how we store and use your personal information.

Information & Consent

This Privacy Policy and GDPR Notice details how Nefeli Sunset Studios collects, uses, processes, and discloses your information, including personal data about you (hereafter, “Guest”), in relation to the access and use of our booking system and other information-related processes.
By reading this Privacy Policy and GDPR Notice, a Guest is hereby informed on how Nefeli Sunset Studios collects, uses, processes, and protects personal data furnished through the website that is used as a booking engine.
The Guest must carefully read this Privacy Policy and GDPR Notice, to facilitate his/her understanding, and to freely determine whether they wish to provide some of their personal data, or those of third parties, to Nefeli Sunset Studios.
When this Privacy Policy and GDPR Notice uses the words or the phrases “website”, “webpage”, “platform”, “booking system”, “booking engine”, “system”, “services”, or “online services”, it refers to all the web pages and functions under the world wide web uniform resource locator (URL) https://nefelisunsetstudios.reserve-online.net/ unless specified otherwise.
By accessing the webpage or providing information, the Guest is agreeing to Nefeli Sunset Studios’ privacy policy and practices described in this privacy statement. It is possible that Nefeli Sunset Studios will change this notice from time to time. A Guest should check this notice frequently to ensure he/she is aware of the most recent version.
When this Privacy Policy and GDPR Notice refers to Nefeli Sunset Studios it uses the terms “data controller”, “data handler”, “we”, “us”, or “our”.

Data Controller

Nefeli Sunset Studios operates this booking system through a data processor (third party called WebHotelier), as explained below. In the framework of the General Data Protection Regulation (“GDPR”) (EU 2016/679), Nefeli Sunset Studios is the Data Controller. There is a contractual framework defining the relationship between the data controller and the data processor for the protection of your personal information. We are:

Nefeli Sunset Studios
(owned by S & M Diakakis OE*)
Apollonia 84800
Milos, Cyclades, Greece
*OE stands in Greek for General Partnership company

Data Processor

WebHotelier operates this booking system on behalf of Nefeli Sunset Studios and is committed to protecting the privacy of the users of this system. WebHotelier is:

WebHotelier Technologies Limited
Mnasiadou 9 (Demokritos Building, Office 16)
1065 Nicosia
Cyprus

For the purposes of this Privacy Policy and GDPR Notice and GDPR (EU 2016/679), where WebHotelier processes your personal data on behalf of Nefeli Sunset Studios, WebHotelier is the Data Processor. When this notice refers to “WebHotelier”, “data processor,” or “processor,” it refers to WebHotelier Technologies Limited. WebHotelier is audited on a monthly basis by Trustwave and it is a certified PCI-DSS Level 2 Service Provider.

The Guest may contact WebHotelier’s Data Protection Officer at dpo@webhotelier.net.

Provision of data

The data requested in the forms accessible from the booking engine are, in general, mandatory (unless specified otherwise in the required field) to meet the stated purposes. If they are not provided or are provided incorrectly, the website will be unable to process the request.

Personal data we collect and process

Personal data will include:
1. personal information about the Guest (e.g. name, address, phone numbers and email address) when you make a booking from our booking engine;
2. details of financial nature in order to process your booking when we require pre-payment;
3. details of transactions you carry out through our booking engine and details of the fulfilment of your orders;
4. personal information about the Guest (e.g. name, address, phone numbers and email address) when he/she arrives at the Nefeli Sunset Studios premises, when Greek Government regulations require this information for various purposes including public health related issues.

The data processor may only collect and process personal data collected and/or processed on behalf of Nefeli Sunset Studios in accordance with Nefeli Sunset Studios’ instructions and contractual framework. WebHotelier cannot process it in any other way or for any other purpose. WebHotelier does not have access to the data provided in point 4 of the above list.

We grant permission to our data processor:

1. to use your personal information for reserving rooms and/or other services for you at Nefeli Sunset Studios;
2. to pass on your financial details to Nefeli Sunset Studios and/or appropriate third party (for example, credit card company) for the purpose of confirming or paying for a booking;
3. to use your information for marketing purposes (where you explicitly agree to this); and
4. to pre-complete forms and other details on our website to make your next visit to our booking engine easier (e.g. when amending or cancelling a booking).

Social Media Login

In the event of registration and/or access through a third-party account, we may collect and access certain information of the Guest’s profile from the corresponding social network, solely for internal administrative purposes and/or for the purposes indicated above.

Third-party data (e.g. when booking for a friend)

In the event that the Guest provides third-party data, they declare that they have the third party’s consent and undertake to provide the interested party (the data holder) with the information contained in this Privacy Policy and GDPR Notice, duly exonerating us and our data processor from any liability in this regard. However, we may carry out the necessary verifications to verify this fact, adopting the corresponding due diligence measures, in accordance with the data protection regulations.

Sensitive Data Policy

Unless specifically requested, we ask that you not send us, and you not disclose, on or through the Services or otherwise to us, any Sensitive Personal Data (including: social security numbers, national identification number, data related to racial or ethnic origin, political opinions, religion, ideological or other beliefs, health, biometrics or genetic characteristics, criminal background, trade union membership, or administrative or criminal proceedings and sanctions).

Use of Services by Minors

The Services are not directed to individuals under the age of sixteen (16), and we request that they not provide Personal Data through the Services.

Purpose of processing personal data

Depending on the Guest’s requests, the personal data collected will be processed in accordance with the following purposes:

1. To manage the bookings made, including payment management (where applicable) and the management of the user’s requests and preferences.
2. To manage registration in loyalty or membership programs, as well as obtaining and redeeming points.
3. To manage the Guest’s contact requests with us through the channels provided to this end.
4. To manage the sending of personalized commercial communications from us, by electronic and/or conventional means, in cases in which the Guest expressly consents.
5. To manage the provision of the contracted accommodation service, as well as additional services.
6. To manage surveys and/or evaluations regarding the quality of the services provided by us and/or the perception of its image as a company.

In addition, the personal data collected as a requirement under law (i.e. Greek Government Regulations) may be used for public health purposes.

Data Retention

We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law or if the Guest requests their withdrawal from us, opposes or revokes their consent. The criteria used to determine our retention periods include:

• The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or keep using the Services or if you have a booking that has not yet been fulfilled).

• Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them or keep data related to public health in case of epidemics).

• Whether retention is advisable considering our legal position (such as for statutes of limitations, litigation or regulatory investigations).

• Legitimate interest for processing your data.

• The data processing required in fulfillment of the aforementioned purposes that require the Guest’s consent cannot be undertaken without said consent.

Likewise, in the event that the Guest withdraws their consent to any of the processing, this will not affect the legality of the processing carried out previously. To revoke such consent, the Guest may contact us through the appropriate channels.

By the same token, in those cases in which it is necessary to process the Guest’s data for the fulfillment of a legal obligation or for the execution of the existing contractual relationship between us and the Guest, the processing would be legitimized as it is necessary for compliance with said purposes.

Data Disclosure

We will use and disclose Personal Data as we believe to be necessary or appropriate:

i. to comply with applicable law, including laws outside your country of residence;
ii. to comply with legal process;
iii. to respond to requests from public and government authorities, including authorities outside your country of residence and to meet national security or law enforcement requirements;
iv. to enforce our terms and conditions;
v. to protect our operations;
vi. to protect the rights, privacy, safety or property of our own, you or others; and
vii. to allow us to pursue available remedies or limit the damages that we may sustain.

We may use and disclose Other Data for any purpose, except where we are not allowed to under applicable law. In some instances, we may combine Other Data with Personal Data (such as combining your name with your location). If we do, we will treat the combined data as Personal Data as long as it is combined.

International transfers of personal data

We may transfer your personal information to our data processor(s) and/or sub-processor(s) based outside of the EEA for the purposes described in this notice. If we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators or having our suppliers sign up to an independent privacy scheme approved by regulators (like the US ‘Privacy Shield’ scheme).

Our data is stored in the cloud using Amazon Web Services in N. Virginia, USA and in Frankfurt, Germany. If you are accessing any of our systems from outside the USA, you acknowledge that your personal information may be transferred to the USA, a jurisdiction which may have different privacy and data security protections from those of your own jurisdiction, to be processed and stored.

Guest’s Responsibility

The Guest:

i. Guarantees that he/she is of legal age, where applicable, fully capable, and that the information furnished to us is true, accurate, complete, and up-to-date. For these purposes, the Guest is responsible for the truthfulness of all the data communicated and will keep the information updated, so that said data reflects their actual situation.
ii. Guarantees that he/she has informed third parties on whose behalf he/she has provided data, where applicable, of the aspects contained in this document. Also, guarantees that he/she has obtained the third party’s authorization to provide their data to us for the purposes indicated.
iii. Remains responsible for false or inaccurate information provided through the website and for damages, whether direct or indirect, that this may cause to us or third parties.

Guest Rights

The Guest may contact Nefeli Sunset Studios at any time free of charge, to:

i. access their personal details;
ii. rectify any inaccurate or incomplete data;
iii. obtain confirmation about whether or not personal data concerning the Guest are being processed by us;
iv. request the deletion of their personal data when, among other reasons, the data are no longer necessary for the purposes for which they were collected;
v. confirm the revocation of consent;
vi. obtain from us the limitation of data processing when any of the conditions provided in the data protection regulations are met;
vii. request the portability of their data.
viii. Likewise, the guest is informed that at any time he/she may file a complaint regarding the protection of their personal data before the competent Data Protection Authority.

Security Measures

We will process the Guest’s data in an absolutely confidential way, by maintaining the mandatory duty to secrecy with regard to the data in question, in accordance with the provisions set out in applicable regulations. To this end, Nefeli Sunset Studios adopts the measures of a technical and organizational nature required to guarantee the security of their data and prevent them from being altered, lost, processed or accessed illegally, depending on the state of the technology, the nature of the stored data and the risks to which they are exposed.