Privacy Policy

The Company under the name “G. TZARAKIS SOCIETE ANONYME TOURISM SERVICES AND HOLDINGS” and bearing the distinctive title "TZARAKIS S.A.", located in Municipality of Ierapetra (Katharades area), with VAT Registration No.: 094491700, Tax Office Heraklion, with Hellenic Business Registry Registration No.: 125139941000, as Personal Data Processing Officer, hereafter referred to as the "Company", in the framework of the General Data Protection Regulation (EU) 2016/679, which enters into force on 25.05.2018 (hereinafter referred to as "GDPR"), as well as the national and Community legislation, as applicable, is bound to its customers, respecting their privacy and being vigilant to ensure the confidentiality and security of their personal data. Our Company operates the hotel under the name “Ostria Hotel Resort & Spa” in Ierapetra.

This information is addressed to any and all natural and legal persons who carry out any transaction with the Company, as indicatively to its customers who make use of the services offered by the Company.

The purpose of this privacy policy on personal data is to provide information about the type of personal data collected by “TZARAKIS S.A.”, the manner in which they are processed (collection, storage, use, transmission), their means of protection, and the rights of the Company’s customers in the face of such processing, which is, in any case, carried out in a reliable and transparent manner.

The processing of personal data consists in collecting, registering, organizing, structuring, storing, changing, retrieving, seeking information, using, transmitting, restricting, or deleting personal data that have or will come to the knowledge of the Company either within the context of your dealings with it or within the context of information received by the Company from a third natural or legal person or public sector entity in the exercise of a legal right therein or of the Company itself.

The Company, in compliance with the applicable legal framework, has taken all necessary actions by implementing the appropriate technical and organizational measures for lawful adherence and processing, and is committed to ensuring and protecting in every possible way the processing of your personal data from loss or leakage, alteration, transmission or otherwise unlawful processing thereof.

In order to make the collection, use, and exchange of personal data transparent and to disclose the purpose and means of processing, "TZARAKIS S.A." provides its customers with the following information:

  1. Which type of information do we collect and in which cases?

The Company processes personal data that you or your legal representatives have notified or will notify to the Company, and which are necessary for the initiation, maintenance, and execution of your business relations and dealings with the Company, existing or future, depending on the product or service provided and its applicable procedures and policies. Personal data that you provide to the Company shall be complete and accurate, and shall be updated by you with due diligence immediately in every case of a change, or whenever deemed necessary by the Company for the purpose of maintaining your business relationships or fulfilling an obligation of the Company deriving from the national law and the regulatory provisions in force.

In addition, the Company processes your personal data which it receives or comes to know from a third party, whether a natural or legal person or public body and which is necessary either to achieve the legitimate interests of the Company or a third person or the fulfillment of its tasks in the public interest (e.g. tax and insurance bodies).

In order to initiate and maintain/continue having a business relationship with its clients and/or in particular to start providing hotel services to you, our Company collects and processes the following minimum personal data: first name, surname, father's name, identity card/passport or other official identification documents, permanent residence, home address, correspondence address, business and work address, telephone (fixed and/or mobile), e-mail address. If necessary, you may be asked to provide additional information if this information is a prerequisite for initiating or maintaining our business relationship, targeting the best possible service provided to you.

The collection and processing of the above personal data by the Company is necessary for the commencement, execution, and maintenance of our business relationships [as defined in article 2 of the Regulation of the relations between hoteliers and their clients (article 8 of law 1652/30.10.1986, Greek Government Gazette 167 Α')]. Possible objection on your behalf to the provision or processing of your personal data - information may lead to the failure to initiate or maintain/continue your already existing partnership with the Company (for example, failure to provide the necessary data for booking a room will lead to inability to make the reservation). 

  2. Processing of special categories of personal data (called "sensitive personal data")

The Company does not process “sensitive personal data” (data of specific and special categories), such as data related to your racial or ethnic origin, political opinions, religious or philosophical beliefs, or membership of a trade union, genetic or biometric data in order to identify you as a processing Subject, as well as health data or data related to your sexual life, sexuality or sexual orientation unless:

  • a) you have explicitly given consent to that effect for a specific purpose,
  • b) this information has been communicated to the Company by you or a third natural/legal person within the context of documentation and safeguarding of your legal interests and/or the Company’s ones, given its role as Process Manager and Officer (e.g. information about the subject placed under a judicial interdiction),
  • c) processing is necessary in order to protect your vital interests or the ones of another’s natural person,
  • d) the data are clearly disclosed by you,
  • e) processing is critical and essential for the foundation, exercise, or support of your own legal claims as well as the Company’s ones as Process Manager and Officer (e.g. legal incapacity to act),
  • f) processing is necessary for reasons of substantial public interest.

The Company has in any case taken all needed technical and organizational measures to maintain safety and appropriately process your personal data which belong to the above specific categories.

  3. Data relating to minors

The processing of personal data of minors, which is necessary for the commencement, execution, and maintenance of our trading relationships (e.g. room reservation and stay-lodging of a minor in the hotel, etc.) is performed on the condition of the previous consent of parents or those who exercise parental responsibility unless otherwise specified by law. For this purpose, minors are considered to be those who have not reached the age of 18.

Additionally, when the processing of personal data is based on consent (in accordance with Article 6.1.a GDPR), in relation to the provision of information society services directly to a child, the consent provided by the minor, and therefore the processing, is lawful if the minor is at least 16 years old. In the case where the minor is under 16 years of age, this processing - treatment is lawful only if and to the extent that such consent is granted or approved by the person having parental responsibility for the minor (as said in Article 8 of GDPR).

  4. The legal basis of the processing

The Company lawfully processes personal data if:

  • Processing is essential for servicing, supporting, and monitoring your trading relationships - dealings with the hotel unit, as well as for executing properly these dealings.
  • Processing is necessary for the Company to comply with its legal obligation or to pursue its legal interests arising from your trading relationships and dealings with the Company or other rights deriving from the law.
  • Processing is indispensable for the fulfillment of its duty performed in the public interest, within the context of the legislative and regulatory framework as applicable.
  • Processing is based on your prior information and consent, as long as the processing is not based on any of the above-mentioned legal processing bases.

  5. Processing purposes

The processing of your personal data concerns:

  • Service, support, and monitoring of your trading relationships - dealings with the Company, the proper execution of the contracts between you, the proper execution of any transaction between you, the consideration of requests for the provision of products/services of the Company, the fulfillment of the Company's obligations as Processing Officer or Executor and the exercise of its legal and contractual rights.
  • Upgrading the products and services provided by the Company and promoting the products and services of the Company and the Group companies, subject to your prior consent.
  • The satisfaction of all requests addressed to the Company or the consideration of your complaints regarding the products and services offered by the Company.
  • The fulfillment of legal obligations of the Company stemming from the legislative and regulatory framework, as applicable (e.g. insurance, tax audits, etc.).
  • Defending the legitimate interests of the Company, which include, but are not limited to:
  1. asserting its legal claims before the competent judicial authorities or other non-judicial/alternative dispute resolution bodies,
  2. evaluating and optimizing security procedures and information systems, 
  3. physical security and protection of persons and property (e.g. video surveillance).

The Company can, subject to your prior consent, process your personal data in order to inform you about its provided products and services. For this purpose, it processes information about the services you use in order to present products, services or offers that best serve your needs.

In any case, you are given the right to oppose the processing of your personal data for the above purpose of direct commercial marketing of the Company's products/services, including profiling, by submitting your request to the Company in any convenient manner or by unsubscribing from newsletters.

  6. Data retention time

The Company maintains your personal data for as long as is provided for by the applicable legal and regulatory framework per case. Even if the applicable legal and regulatory framework provides a shorter period, the Company will maintain your personal data, for the purposes of the legitimate interests it pursues (limitation of actions/claims), generally for a minimum of five (05) years to a maximum of twenty (20) years from the last calendar day of the year in which your (each time) business - trading relationship with the Company expires. In the event of litigation, personal data that concerns you will be respected, secured, and kept in any case until the end of the lis pendens, even if the above period of twenty (20) years is exceeded. In the event of any form of claim, your data will be kept to a minimum period of time, for as long as the claim is maintained.

In the event that any request for your cooperation with the Company is not accepted and the conclusion of the contract is not completed, the data will be kept for a maximum of five (5) years, in order to safeguard the interests of the Company in the event of a claim being made; after this period of time, they will be erased in a non-recoverable way.

The Company may also keep your personal data for longer if it has a legal obligation to do so.

  7. The recipients of personal data

Access to your personal data is provided to the employees of the Company's business and operating units, within the scope of their responsibilities, and within the context of the proper execution and fulfillment of their contractual, legal and regulatory obligations.

The Company does not transmit or disclose your personal data to third parties unless it concerns:

  • Legal persons - entities (domestic and foreign) to whom the Company has entrusted, in whole or in part, the execution on its behalf of the processing of your personal data (those Performing the Processing), who have undertaken a confidentiality commitment towards the Company and with whom the Company is bound by a contract that ensures the protection of personal data on their behalf, in accordance with article 28.3 of the GDPR, either: a) within the context of a contractual relationship between them, specifying the object, purpose, duration of the processing, the type of personal data processed and the rights of the Company, or: b) within the context of their obligation to respect and maintain confidentiality.


  • Collaborating companies undertaking the use and management of its IT systems.
  • Payment and payment processing companies/organizations (e.g. DIAS, VISA, MasterCard).
  • Courier companies.
  • Collaborating travel agencies in Greece or abroad.

You can learn more about the names of our associates, upon your request.

The Company has legally ensured that the Performers of the Processing on its behalf meet the prerequisites and provide sufficient assurances that appropriate technical and organizational measures will be in place to ensure that the processing of your personal data will keep your rights protected.

  • Transmission or disclosure - notification required by the applicable legislative and in general regulatory framework or court decision (such as transmission to judicial authorities, tax authorities, supervisors, intermediaries), in compliance with the confidentiality provisions.
  • Judicial Authorities and public bodies within the extent of the exercise of their responsibilities.

  8. International transfers – transmissions of your data

“TZARAKIS S.A.” does not transmit your personal data directly to third (non-EU) countries or international organizations, unless the transmission is required by the applicable regulatory or legislative framework or you have been informed of this and consented in advance and explicitly to such transmission (in cases in which this is required).

  9. Your rights

In any case, you have control over the processing of your personal data. In particular, you have the following rights:

  • Right of transparent information, announcement and arrangements for the exercise of rights (Articles 12, 13, 14 GDPR), i.e. your right to know how your personal data is used (as detailed in this Privacy Policy of Personal Data).
  • Right of access (Article 15 GDPR) to personal data collected by you.
  • Right of rectification (Article 16 GDPR) of any inaccurate personal information.
  • Right of erasure ("right to be forgotten" - Article 17 GDPR) of your data. The right of erasure - the right to be forgotten cannot be applied to the extent that processing is necessary to comply with a legal obligation or to establish, exercise or support legal claims on behalf of our company.
  • Right to restrict the processing of your personal data (Article 18 GDPR).
  • Right to oppose (Article 21 GDPR) the processing of your personal data.
  • Right to withdraw your consent already given (Article 7 GDPR) depending on whether the processing is based on the legal basis of consent, i.e. to withdraw your consent at any time for consent-based processing. The lawfulness of processing your data is not affected by the withdrawal of consent until the time you requested the withdrawal.
  • Right to file a complaint with the competent supervisory Greek authority, Hellenic Data Protection Authority (1-3, Kifisias Avenue, Athens, PC 115 23, +30 210 6475600), or with the competent supervisory authority of your state.

  10. How do you exercise your rights?

To exercise the above rights, you can write to the Company at its address at “Ostria Hotel Resort & Spa” in Ierapetra, or contact it by e-mail or by phone at +30 28420 25711.

Please let your relevant requests be accompanied by the appropriate proof of identification of your person, with the explicit reservation of the Company to request the provision of additional details to identify and confirm your information.

TZARAKIS S.A. will make every effort to respond to your request(s) within thirty (30) days of submission of the relevant request or requests. The Company's denial or unjustified delay in meeting your claims in the exercise of your rights entitles you to appeal to the Data Protection Authority, as the competent supervisory authority for implementing the GDPR.

Please be advised that the Company uses cookies on its website to improve your online experience.

The Company may revise or modify this current update, on the basis of its applicable data protection policy and in accordance with the applicable laws and regulations. The updated information will always be available on the Company's website.

  11. Technical and organizational measures

The Company is taking care to enforce adequate and necessary technical and organizational measures to safeguard both technological and physical security according to article 32 GDPR (indicatively: encryption and regular testing, restricted accesses, special codes given to authorized persons for access to its databases, etc.) and observes the principles of the processing according to the GDPR, meaning the principle of legality, the principle of objectivity and transparency, the principle of purpose limitation, the principle of data minimization, the principle of accuracy, the principle of storage limitation and the principle of integrity and confidentiality (Article 5 of the GDPR).

With a view to safeguarding your privacy, we apply the best practices possible to safeguard and secure your personal data, by implementing the necessary technical and organizational measures set out in the GDPR. Data is secured against the loss of availability, integrity and confidentiality of information.

The Company is in constant harmonization and compliance with the terms of General Regulation (EU) 2016/679 on the protection of individuals - natural persons against and with regard to the processing of personal data and on the purpose of the free movement of data, and is constantly making every effort to comply with the above Regulation.

  12. What happens in a case of data breach?

Although the Company has due diligence in relation to the processing of your personal data, it is on hand to deal promptly and in time with any potential violation (of it) for the best possible assurance, while in the event of a violation of your personal data that may put your rights and freedoms at high risk, the company will take all appropriate technical and organizational measures and, if required by law, will inform you immediately.

In case you realize the violation of your personal data, you shall without delay contact and inform TZARAKIS S.A. as soon as you become aware of such a possible violation of personal data, by notifying us of the nature of the violation of personal data. Indicative examples:

  • 1) Loss of mail or relevant reading by an unauthorized recipient,
  • 2) Hacking,
  • 3) Malicious software (e.g. virus, ransomware),
  • 4) Phishing email,
  • 5) Accidental data publishing/disclosure,
  • 6) Demonstration/granting/transmission of faulty person data,
  • 7) Oral data dissemination by mistake.

Check whether the breach occurred on your own responsibility and collect all necessary information that TZARAKIS S.A. will use to deal with the incident.

  13. Special pronouncements of TZARAKIS S.A.

It declares that it is not responsible for any damage (direct, indirect, positive, depreciation losses) possibly caused to the visitor because of the website or its use. The visitor is solely responsible for protecting his system from viruses and malware in general.

It indicates that it does not make decisions or profiles based on the automated processing of your data.

It declares that, based on its applicable data protection policy and within the framework of the applicable laws and regulations, it may revise or modify this Update, which will always be available on its website. The Information Policy is always in place, as it was shaped by the most recent amendment.

We inform you that TZARAKIS S.A. uses cookies on its website to improve your online experience. For details related to cookies, you can consult the relevant Cookies Policy.

The user/visitor of the site, by reading this, is aware of the above processing in accordance with Regulation 2016/679 and its recitals, solely for the purposes stated above and for purposes compatible with them.

  14. Contact Information

Useful Phone Numbers and Contact Information:

I. Data Processing Officer: TZARAKIS S.A.

Address of the Company's Head Office: “Ostria Hotel Resort & Spa”, Municipality of Ierapetra (Katharades area)

Telephone: +30 28420 25711 


II. Hellenic Data Protection Authority (HDPA, competent national Supervisory Authority):

Address: Kifisias Avenue (street), No 01 – 03, Athens Greece, PC 115 23,

Athens Call Center: +30 2106475600

Fax: +30 2106475628


