DATA PROTECTION POLICY

INTRODUCTION

The Data Protection Policy is a comprehensive legal document that governs any use of the company’s personal data
and all information systems and procedures related to the processing of personal data.
Its style and content are strictly legal and unambiguous so that it can be easily understood and applied; it is free of
specialized technical terms and references and independent of any specific technological options. In addition to its
regular revisions, this document may be modified whenever significant changes occur in one of the following:
a) the organizational structure of the controller, b) the information systems, c) the security requirements,
d) technological developments, e) the type and / or processing of personal data.
The content of the Data Protection Policy may also be changed after an internal or external audit that
demonstrates inadequate and / or ineffective security measures, or in the event of a security breach.
Despite its clear style and content, the policy is intentionally general, in the sense that it can be applied to future
systems that may become part of the company’s information system without requiring major modifications at
short intervals.
As a result, the Data Protection Policy is public and binding on all personnel who handle personal data in any way
and who must comply with applicable law.

1. AIM & OBJECTIVES

The main purpose of this document is to define the obligations and policy of the company for the protection of
the privacy of the data subjects and to establish appropriate measures to avoid any leakage of personal data.
The Company’s Management is highly committed to the requirements of the new European General Data
Protection Regulation (GDPR) and the protection of the personal data and confidentiality of its customers and
employees. The ultimate goal of this document is to confine the processing environment and to create the required
professional culture and awareness, effectively utilizing all available resources.

2. APPLICABILITY

The policy governs the processing of personal data, in physical and digital form, collected by any means by the
company in order to serve its legitimate interests.

3. LEGAL RESPONSIBILITIES

The management and employees of the company (Data Controller) and all the subcontractors (Data Processors)
are primarily responsible for complying with this policy, under the supervision of the Data Protection Officer.

4. PRINCIPLES THAT CONCERN THE PROCESSING

The Company ensures compliance with the fundamental principles of the Personal Data Protection Regulation
both in the processing operations currently being carried out and in the context of the introduction of new processing
methods, such as new information systems.
Specifically, the principles relating to the processing of personal data require that personal data shall be:
1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness,
fairness and transparency’);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that
is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance
with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose
limitation’);
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed (‘data minimisation’);
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure
that personal data that are inaccurate, having regard to the purposes for which they are processed,
are erased or rectified without delay (‘accuracy’);
5. kept in a form which permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed; personal data may be stored for longer
periods insofar as the personal data will be processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes in accordance with Article
89(1) subject to implementation of the appropriate technical and organisational measures required
by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage
limitation’);
6. processed in a manner that ensures appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental loss, destruction or damage,
using appropriate technical or organisational measures (‘integrity and confidentiality’).

5. THE RIGHTS OF INDIVIDUALS

The privacy rights of data subjects, which are supported by appropriate procedures that allow the required actions
to be undertaken within the time limits set out in the General Data Protection Regulation, are the following:
1. The right to be informed – all organisations must be completely transparent in how they are using
personal data (personal data may include data such as a work email and work mobile if they are
specific to an individual).
2. The right of access – individuals will have the right to know exactly what information is held about
them and how it is processed.
3. The right of rectification – individuals will be entitled to have personal data rectified if it is
inaccurate or incomplete.
4. The right to erasure – also known as ‘the right to be forgotten’, this refers to an individual’s right to
having their personal data deleted or removed without the need for a specific reason as to why
they wish to discontinue.
5. The right to restrict processing – an individual’s right to block or suppress processing of their
personal data.
6. The right to data portability – this allows individuals to retain and reuse their personal data for their
own purpose.
7. The right to object – in certain circumstances, individuals are entitled to object to their personal
data being used. This includes, if a company uses personal data for the purpose of direct marketing,
scientific and historical research, or for the performance of a task in the public interest.
8. Rights related to automated decision making and profiling – the GDPR has put in place safeguards to protect
individuals against the risk that a potentially damaging decision is made without human
intervention. For example, individuals can choose not to be the subject of a decision where the
consequence has a legal bearing on them, or is based on automated processing.

In order to exercise the above rights you can submit your request to the hotel reception or to the e-mail address
gkantaras@uth.gr. If you consider that the processing of your personal data violates the applicable law for the
protection of personal data, you may also submit a complaint to the Personal Data Protection Authority (postal
address Kifissias 1-3, PC 115 23 23, Athens, tel. 210 6475600, e-mail address contact@dpa.gr).

6. LEGALITY OF PROCESSING

It is the primary duty of the company to comply with the appropriate legal basis for any processing (whether of sensitive
data or not) and to substantiate it by invoking the appropriate Articles (6 & 9), in accordance with the Personal
Data Protection Regulation. The legal basis and other features of each processing are listed in the Documents of
Processing Activities of the Controller and the Processors.

7. PROTECTION BY DESIGN & BY DEFAULT

The Company fully adopts the principle of data protection by design and ensures that the selection and
incorporation of any new or significantly modified system that collects or processes personal data will be subject to
an appropriate review of privacy issues.
When processing operations may result in a high risk to the rights and freedoms of individuals, a Data
Protection Impact Assessment will be performed regularly.
The use of techniques such as data minimization, pseudonymization, anonymization and encryption is taken
into account, and these techniques may be applied when required.

8. CONTRACTS THAT INVOLVE PROCESSING OF PERSONAL DATA

The Company will ensure that all activities it introduces in the context of developing partnerships that relate to
the processing of personal data of customers, employees and third parties (partners / suppliers) are subject to a
documented contract that includes the specific information and terms required by the General Data Protection
Regulation and the current legislation.
Every employee of the company has to sign the Code of Conduct and Confidentiality and is legally committed to
the lawful processing of all personal data.
Each Data Processor signs a Confidentiality Agreement in accordance with Article 28 of the GDPR, which sets out,
among other things:
– the scope and duration,
– the purpose,
– documentation of the forms and scope of processing,
– prior authorization in case another processor is used,
– the provision of any documentation proving compliance with the General Data Protection Regulation and
existing legislation,
– immediate notification of any data breach, or assistance in this regard.
The access rights of employees, contractors and other third parties are adjusted when they no longer require access
to the premises or resources or when their employment contract expires; access may be revoked and is in any case
re-evaluated and re-checked.

9. DATA TRANSFER TO THIRD COUNTRIES

In the event of personal data transfers outside the European Union, all appropriate actions are taken in order to
ensure that they comply with the limitations set by the General Data Protection Regulation and the local legislation.
This depends in part on the European Commission’s decision on the adequacy of personal data protection in the host
country, which may change over time. Data transfers from within the Union to third countries will be subject to
legally binding agreements, referred to as binding rules, which provide enforceable rights for data subjects.

10. DATA PROTECTION OFFICER

Ioannis Gadaras has been appointed to this role for the year 2021-2022 and can be contacted for any
clarification at 6944649919 or gkantaras@uth.gr.

11. REGULAR INTERNAL AUDITS

Regular reviews are held for the proper implementation of the Policy and to assess the effectiveness of security
measures. The Company also conducts periodic Data Protection Assessment studies where the risk of a leak, its
probability and impact on the business and the data subjects are calculated, and the necessary organizational
measures are taken to minimize it.

12. NOTIFICATION OF PERSONAL DATA BREACHES

The company’s policy is fair and proportionate: the notification of any significant leak to the supervisory
authority shall be made within 72 hours of the administration becoming aware of the fact, unless the controller can
demonstrate, in accordance with the accountability principle, that the personal data breach is not likely to endanger
the rights and freedoms of individuals. This procedure is described in more detail in the Safety, Disaster Recovery and
Data Recovery Plan, which sets out the overall security process and is a separate document.

13. GDPR COMPLIANCE MEASURES

The following actions are taken and reviewed to ensure that the Company complies at all times with the
accountability principle of the General Data Protection Regulation:
– The legal basis for the processing of personal data is clear and unquestionable and is included, among other
things, in the Company’s Activity Files.
– All staff and external partners who manage personal data understand their responsibilities and are legally
committed to complying with the Code of Conduct and the Confidentiality Agreement respectively.
– Data protection training is provided to all staff and at regular intervals.
– Rules apply to the collection and management of consent required for the processing of specific categories of
data.
– There are channels available for data subjects who wish to exercise their rights regarding personal data and all
requests are handled effectively.
– Procedures involving personal data are reviewed at regular intervals.
– The principle of privacy in design is adopted for all new or changing systems and processes.
– The following documentation of the processing activities is recorded: the name and location of the file and related
details such as the purpose of processing the personal data, the categories of individuals and of personal data
processed, the categories of recipients of personal data, the agreements and mechanisms for the transmission of
personal data to countries outside the EU (including the details of the controls applied), the personal data retention
schedules, and the relevant technical and organizational controls that have been put in place.
– Regular Data Security Assessment studies are conducted to minimize risk.
– The Company takes every possible and reasonable organizational and technological measure in order to
safeguard the confidentiality of personal data, the principles of legislation and the rights of its subjects.

14. IMPOSITION OF PENALTIES

Any member, employee or associate who violates this policy is subject to disciplinary action, up to and including
termination of the employment contract.

Finally, we certify that Olympos Touristiki Ependitiki SA – Sirios Travel maintains and implements separate policies for the collection, use and
processing of personal data for each category of its counterparties (customers, employees, external partners) and for
different processing categories that require special regulation (data of special categories), and has made the relevant
notifications to the interested parties. If you have not received this information or wish to receive more detailed
information, you can submit a relevant request to the e-mail address gkantaras@uth.gr, stating your name, title,
contact details and exact request.
