PRIVACY POLICY

CUSTOMER NOTIFICATION OF PERSONAL DATA PROCESSING

THEOFILOS CHALKIADAKIS Societe Anonyme (CACTUS HOTELS)

Regarding the Processing of Personal Data

1. Data Controller Information

THEOFILOS CHALKIADAKIS SA (operating under the trade name CACTUS HOTELS), located in Malia (Stalida Mochou, P.C. 70007, tel. 2897031319, email: info@cactushotels.gr ), (hereinafter referred to as the "Company"), hereby informs you, as the data subject, in its capacity as the data controller, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR") and relevant Greek data protection laws, about the types of personal data collected, their source, the purpose and legal basis for their processing, any recipients of the data, the retention period, the possible transfer of data outside the EU, as well as your rights in relation to your personal data as customers of the Company and how you can exercise them.

1. Types of Data and Sources

The Company collects and processes personal data relating to its customers, both adults and minors. The types of personal data collected and processed are as follows:

1. Identification and billing information, including full name, father's name, gender, date of birth, Tax Identification Number, identification card/passport number.
2. Contact information, including postal and email address, telephone number (landline, mobile).
3. Payment information, such as credit card details, payments/debts.
4. Reservation details, including dates, type of reservation, any special preferences, etc.
5. Health data (e.g., allergies, disabilities) and preferences (e.g., dietary preferences), on a case-by-case basis.

The personal data under points 1-4 are provided directly to the Company by our customers (you) as data subjects. The provision of your data is a requirement for the conclusion and performance of the contract between us, and refusal to provide them would make it impossible to enter such a contract. Information regarding your payments and debts arises during your transactional relationship with the Company and is retained by the Company. The provision of data under point 5 above is optional, and any refusal to provide such data will result in the non-provision of specialized services (e.g., special dietary requirements).

1. Purposes and legal basis of processing

The Company collects and processes the personal data that concern you for the following purposes and legal bases:

1. Provision of hotel and tourism services

The above-mentioned personal data are processed for the purpose of providing hospitality services to you, including your identification, communication with you, etc. The legal basis for processing identification, communication, and reservation data is the performance of our contract with you, according to Article 6(1)(b) of the GDPR. If you provide us with special categories of data, such as health data (e.g., allergies, disabilities, dietary preferences, etc.), the legal basis for processing such data is your consent, according to Article 9(2)(a) of the GDPR.

2. Invoicing of services

The data under points 1, 2, and 3 mentioned above in Section B, which relate to your payments, are additionally processed for the purpose of invoicing the Company's services. The legal basis for processing these data is the fulfillment of the Company's legal obligations arising from tax legislation, according to Article 6(1)(c) of the GDPR.

3. Direct electronic marketing

Your electronic communication details are used for the purpose of promoting similar services of ours through electronic means (email/sms), based on our legitimate commercial interest in direct marketing of our services (Article 6(1)(f) of the GDPR and Article 11(3) of Law 3471/2006).

1. D. Disclosure of data - Recipients

For the Company to fulfill the aforementioned functions and its related obligations, it discloses the personal data of its customers to categories of individuals or entities (recipients). The recipients have access only to the Personal Data that are absolutely necessary for the performance of their duties or the provision of services they have undertaken for the Company. These categories are as follows:

1. Data processors: The Company collaborates with the following data processors on its behalf to assist it in fulfilling its legal or contractual obligations:

• Accounting service providers: Grant Thornton Greece, SoftOne , Epsilon.
• IT system support service providers: Eurotel, Ι.Βαλασσόπουλος, ΘΕ.ΜΑ ΠΛΗΡΟΦΟΡΙΚΗ.ΙΚΕ.
• Hosting and cloud providers: Eyewide Digital Marketing, Microsoft
• Product and service promotion service providers: Eyewide Digital Marketing Physical security service providers: ΜΑΚΑΤΟΥΝΑΚΗΣ ΕΠΕ

while maintaining the confidentiality of your data.

2. Financial institutions, to the extent necessary for transaction execution.
3. Tax authorities, in accordance with applicable tax legislation.
4. Lawyers, where necessary for the exercise of the Company's rights and the defense of its legal interests.
5. Judicial bailiffs, notaries, judicial, prosecutorial, and law enforcement authorities, as well as supervisory authorities, when required by legislative provisions, judicial decisions, or upon relevant lawful requests in the exercise of their duties.

Ε. Data retention time

Your data is kept by the Company throughout the period of provision of its services to you and until the completion of the service provided by each of the above mentioned providers.

If by the end of the above periods there are ongoing legal proceedings in which the Company is involved and which concern you directly or indirectly, the retention time for your data will be extended until the issuance of an irrevocable court decision.

After the expiration of the time periods above, as the case may be, your personal data will be deleted/destroyed based on the Company's destruction policy.

1. Transfer of data outside the EU

The Company does not transmit your personal data to third countries outside the EU.

1. What rights you have in relation to your data and how you can exercise them

As customers of the Company, you have a series of rights, in accordance with the provisions of articles 15-22 of the GDPR, regarding your personal data, which are processed by the Company.

The table below lists your rights by processing purpose and corresponding legal basis. In this table you will find detailed information (meaning, method and deadlines for exercising) and a form for exercising each right. General information on exercising your rights is available here. If you wish to exercise any of your rights, please fill out the corresponding form and send it to the email address dpo@cactushotels.gr  or in writing [Stalida Mochou, P.O. 70007, Malia / Attention Data Protection Officer]. We note that in case there are reasonable doubts about the identity of the data subject we may request the provision of additional information to confirm the identity.

It is pointed out that the Company has in any case the right to partially or fully refuse to satisfy your request for restriction of processing or deletion of your data, if the processing or keeping of the personal data concerning you is necessary for the establishment, exercise or support of its legal rights or the fulfillment of its legal obligations.

The Company must respond to your request within one month of receiving it. The aforementioned deadline may be extended by two more months, if required at the discretion of the Company taking into account the complexity of the request and the number of requests and in this case the Company will inform you within one month of receipt of said extension, as well as the reasons for the delay.

If the Company does not act on your request when exercising the above rights or after its response you consider that your above mentioned rights are being violated, you have the option of submitting a complaint to the Personal Data Protection Authority, Kifissias Street 1-3, 115 23, Athens, https://www.dpa.gr/ , tel. 2106475600.

For any issue regarding the protection of your personal data, you can contact our Company's Data Protection Officer, at: tel. 6936988100 and/or e-mail: dpo@cactushotels.gr