DATA PROTECTION POLICY
INTRODUCTION
This Data Protection Policy is a single legal document governing all uses of personal data within the company, as well as all information systems and procedures related to the processing of personal data.
Its style and content are legal, yet written plainly so that it presents no difficulty in comprehension or implementation. It avoids specialized technical terms and references that could complicate its application or tie it to particular technological choices. In addition to its regular review, the policy may be modified if significant changes occur in at least one of the following: a) the organizational structure of the data controller, b) the information systems, c) the security requirements, d) technological developments, or e) the type of personal data or the way it is processed. Its content may also change following internal or external audit findings that security measures are inadequate or ineffective, or in response to a security breach incident.
Although written plainly, the policy is general in scope: it can be applied to future systems added to the company’s information infrastructure without major revision at short notice.
Finally, the security policy is public, binding on all staff handling personal data in any manner, and compliant with applicable law.
PURPOSE
The purpose of this document is to define the company’s obligations and policy concerning the protection of data subjects’ privacy and to establish appropriate measures to prevent personal data leakage.
Management commits to meeting the requirements of the EU General Data Protection Regulation (GDPR) and recognizes the protection of personal data as a priority. Ultimately, the document aims to ensure a secure processing environment and cultivate an organizational culture and awareness around safe use of personal data, for which all necessary resources are made available.
SCOPE
This policy covers the processing of personal data, in both physical and digital form, collected by the company by any means in pursuit of its legitimate interests.
RESPONSIBILITIES
The responsibility for compliance with this policy lies with the company’s management and those executing data processing under the supervision of the Data Protection Officer.
PRINCIPLES RELATING TO PROCESSING
The company ensures compliance with the fundamental principles of the GDPR for processing currently carried out and when introducing new methods or systems.
These principles include:
Lawfulness, fairness and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
DATA SUBJECTS’ RIGHTS
Data subjects’ rights are supported by appropriate procedures allowing for necessary actions within the timeframes specified by the GDPR.
These rights include:
The right to be informed
The right of access
The right to rectification
The right to erasure (“right to be forgotten”)
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision-making and profiling
Requests can be submitted to the hotel reception or via email to gkantaras@uth.gr. If one believes their personal data processing violates applicable data protection law, a complaint can be filed with the Hellenic Data Protection Authority (postal address: Kifisias 1-3, 115 23 Athens, tel. 210‑6475600, email contact@dpa.gr).
LAWFULNESS OF PROCESSING
It is the company’s primary compliance duty to identify and document the appropriate legal basis for each processing activity (both special category and non-sensitive data), invoking the relevant Articles (6 & 9) of the GDPR. The legal basis and other relevant features of each processing operation are recorded in the Controller’s and Processor’s Records of Processing Activities.
PRIVACY BY DESIGN
The company adopts the principle of data protection by design and ensures that the planning and design of all new or significantly modified systems handling personal data undergo appropriate privacy impact review.
When processing is likely to result in a high risk to individuals’ rights and freedoms, a Data Protection Impact Assessment (DPIA) is conducted.
Where feasible and appropriate, techniques such as data minimization, pseudonymization, anonymization and encryption are applied.
COOKIE POLICY
8.1 What are cookies?
Cookies are small text files stored in the user’s browser when visiting a website. They may contain details such as visited pages, date and time of visit, and a unique random user identifier. This enables the site to store and read useful navigation information for a unified browsing experience.
8.2 Which cookies do we use on our website?
We use cookies to manage login sessions, deliver personalized pages, and tailor advertising or other content to your needs and interests. Cookies may also be used to compile anonymous, aggregated statistics that help us understand how the site is used and improve its structure and content; individual users cannot be identified from these statistics. You may adjust your browser settings to reject some or all cookies, but strictly necessary cookies are required for the site to operate, and some functionality may be unavailable if cookies are blocked. The cookies set by our site include ASP.NET_SessionId and __RequestVerificationToken, both session cookies created during a visit to the site.
8.3 How to control cookies
You may withdraw your consent to, or object to, the use of cookies on your device at any time, and you may review or delete cookies already stored by your browser.
8.5 Where to find more information
Information on data protection and cookie-related rights is available in our Privacy Policy. General cookie usage and blocking methods can be found at cookiepedia.co.uk/all-about-cookies and allaboutcookies.org.
8.7 Changes to the Cookie Policy
This Cookie Policy may be modified at any time. It was put into effect on June 23, 2020. If updated, the new effective date will be indicated, and the most recent version is always valid.
8.8 How to disable cookies
To enable or disable cookies via browser settings, refer to your browser’s support pages (e.g., Internet Explorer, Firefox, Chrome, Opera, Safari, etc.).
CONTRACTS INVOLVING PERSONAL DATA PROCESSING
The company ensures that all activities involving processing of personal data of customers, employees, or external partners are governed by documented agreements containing mandatory information and terms required by GDPR and applicable law.
All employees sign a Code of Ethics and Confidentiality binding them to lawful data processing. Data processors sign a separate data processing agreement under Article 28 GDPR, specifying the subject matter, scope, duration and purpose of the processing, documentation and authorization requirements, the evidence of compliance the processor must provide, confidentiality obligations, and breach notification obligations.
Access rights of personnel and third parties are reviewed upon reassignment and revoked upon termination of the contract.
DATA TRANSFER TO THIRD COUNTRIES
Any transfer of personal data outside the EU is evaluated beforehand to ensure compliance with the GDPR and applicable law. Such transfers rely on an adequacy decision of the European Commission where one exists for the destination country, and otherwise on appropriate safeguards under Chapter V GDPR, such as Standard Contractual Clauses or Binding Corporate Rules, which provide enforceable data subject rights. Adequacy decisions may change over time and are monitored accordingly.
DATA PROTECTION OFFICER
For 2020, the Data Protection Officer is Mr. Giannis Gantaras (phone: 6995663325; email: gkantaras@uth.gr).
REGULAR INTERNAL AUDITS
Periodic audits review policy compliance and security measure effectiveness. Data Protection Impact Assessments are also conducted to assess risks and impacts, and organizational measures are taken accordingly.
PERSONAL DATA BREACH NOTIFICATION
The company will notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; in line with the accountability principle, the reasons for any decision not to notify are documented. Where a breach is likely to result in a high risk to individuals, the affected data subjects are also informed without undue delay. The full incident response procedure is defined in the entity’s Security, Disaster Recovery & Data Recovery Plan.
GDPR COMPLIANCE MEASURES
The following measures are in place and reviewed regularly to demonstrate compliance with the accountability principle:
A clear, documented legal basis for each processing activity, recorded in the company’s Records of Processing Activities.
All personnel and external collaborators handling personal data understand and are legally bound by the Code of Ethics and Confidentiality Agreement.
Regular data protection training for all staff.
Rules for obtaining explicit consent where consent is the legal basis for processing special categories of data.
Available channels for data subjects to exercise their rights, with all requests handled promptly and within the time limits set by the GDPR.
Periodic reviews of personal data processes.
Privacy by design for new or changed systems.
Detailed documentation of processing activities, recipients, third‑country transfers, retention plans, and technical and organizational controls.
Regular Data Protection Impact Assessments to mitigate risk.
Every reasonable technical and organizational measure is taken to preserve confidentiality, legal compliance, and data subject rights.
SANCTIONS
Any employee or collaborator who breaches this policy is subject to disciplinary action, up to contract termination.
It is clarified that O.S.L. maintains and applies separate data collection, usage, and processing policies for each category of stakeholders, including specific notifications where needed. If you have not received such information, or would like more detail, you may send a request to gkantaras@uth.gr stating your name, role, contact details, and request.