PRIVACY POLICY OF “TOXOTIS S.A. ” HOTELS

Last updated: 04/03/2025

Our company, “TOXOTIS AXE,” welcomes you to its hotels, “GOLDEN COAST HOTEL” and “NOVUS CITY HOTEL,” and thanks you for your continued preference and trust in our services.

Our company operates in accordance with Regulation 679/2016/EU on personal data protection, Law 4624/2019 and all relevant international and Greek legislation. We have taken all necessary measures to ensure the privacy, confidentiality, and security of your data, which is our top priority.

With this document, we would like to inform you about our Privacy Policy and kindly ask you to read it carefully before using our services to understand how we process your personal data.

This Policy applies to your use of our services at any of our hotels and relates to data processing occurring either during your physical presence or through electronic communication with us (phone, internet, etc.). Any reference in this Policy to our website or websites shall be understood as a reference to any of our websites: www.xenotel.gr, www.goldencoast.gr, and www.novushotel.gr.

PRIVACY POLICY

1. Data Controller

The Data Controller is “TOXOTIS S.A.” (trade name: “XENOTEL GROUP HOTELS”), headquartered at Marathon Beach, Attica (“GOLDEN COAST” Hotel). Contact phone: +30 22941 13000, email: [email protected].

2. Categories of Data We Collect and Process in Printed or Electronic Format

a) When visiting our websites:

We only collect your “IP” addresses, identifying your Internet Service Provider (ISP) exclusively for statistical traffic analysis.If you choose to access third-party websites through direct links on our websites, such as “Web Hotelier” for online bookings, you will be redirected at your own responsibility. These third-party sites act as independent “Data Controllers” according to the law and are responsible for lawful processing of personal data. Our company is not responsible for the content, privacy policies, or security measures followed by these third parties.

b) During your interaction with us (in-person or online) until your departure:

i) Mandatory and necessary data for service provision such as your full name, passport/ID number, postal and email address, contact details, check-in and check-out dates, names of accompanying persons, information about minors (full name, date of birth), room details, reservation number, travel agency or booking system details, package information (e.g. excursions), guest category (e.g., timeshare owner, repeater guest), nationality/language, accommodation package details (price, additional services), special preferences and requests (e.g. room type, bed type), payment method details (bank receipts of payment, advance payment, debit, prepaid, credit card details), and additional purchases during your stay (e.g., restaurant/bar services/use of telephone).

ii) Data required for issuing legal documents, such as Tax Identification Number and Tax Office details (for invoicing purposes), as well as receipts or invoices issued in your name.

iii) Medical data that you either disclose to us on your own initiative for reasons related to your stay and/or the facilitation of the provision of our services (e.g. allergies, mobility problems, special dietary habits for religious reasons, special requests/accommodations), or are required by applicable legislation (e.g. presentation of a vaccination certificate for a specific contagious disease, if required by applicable legislation), or are required for the use of specific services of ours.

iv) Correspondence related to your booking and stay (e.g. inquiries, feedback, satisfaction surveys, complaints), as well as your contact details.

v) Image data collected through CCTV image data that may be collected through a closed-circuit optical recording system in areas intended to control incoming and outgoing persons, where there is special signage (such as the entrances/exits of our hotels) in the context of protecting the life, physical integrity, health and property of all persons present at our premises (in particular customers, staff, third parties) and their goods and the property of our Company. We do not process audio data or biometric data.

vi) Social media data, such as account information, profile pictures, and other voluntarily disclosed relevant

vii) Any additional personal data you voluntarily disclose for specific purposes related to your stay.

3. Purposes and Legal Bases for Data Collection and Processing

a) Provision of hotel services (booking, confirmation, stay management, provision of services, payment processing, events, and conferences), management of your request at our hotel and fulfillment of our obligations to you to provide you with our hotel services in accordance with applicable legislation. Legal basis: compliance with Greek legislation (namely related to tourism and hospitality) and contract execution.

b) The organization, coordination of our activities, our communication on issues related to our services to you (e.g. suggestions, comments, special requests, customer satisfaction, questionnaires). Legal basis: the execution of the contract between us and the legitimate interest of our Company to inform you about its services, to respond to any of your suggestions/requests and to improve its services.

c) The calculation of the use of our services, the issuance of legal tax documents, their submission to the competent authorities and our compliance with any audits/inspections by the competent authorities. Legal basis: the execution of the contract between us regarding the collection of the fee for our services and our compliance with our obligations in accordance with the applicable Greek legislation and in particular tax law.

d) Ensuring the life, safety, health and property of all persons present at our facilities (customers, employees, partners), as well as public health and the protection of the Company’s property and reputation. Legal basis: our compliance with our legal obligations to third parties under applicable legislation, our Company’s legitimate interest in ensuring the protection of the aforementioned persons and goods (its own and third parties’) and in preserving its reputation as a safe place to reside and provide services and, where applicable, your vital interest

e) Informing you about our activities, e.g. with newsletters via email or postal mail or via social networks. Legal basis: your explicit consent, which can be revoked at any time.

f) The legal support of the Company and/or its representatives for the satisfaction of all kinds of its rights and claims (including the collection of its remuneration for its services) and its defense against any third party and authority and its insurance coverage. Legal basis: the legitimate interest of the Company for its legal protection, the establishment, exercise and support of legal claims until the irrevocable judicial or extrajudicial resolution of disputes, its insurance coverage and the defense of its rights before the competent authorities.

g) The protection of the stability, functionality and security of our website. Legal basis: the legitimate interest of our Company to ensure the quality and effectiveness of its services and its reputation as a safe place to provide services.

4. Sources and Recipients of Data

• We receive the above data directly from you or possibly from third parties (e.g., tour operators, booking systems, event/conference organizing companies, partners) through whom you may have made a reservation or visited our hotel. We also receive from our partner Bank, to whose website you may be redirected for entering your card details, the necessary information confirming the payment or provision of a guarantee for our services.
• Our Company does not collect data from minors (persons under 15 years of age) without the consent of their legal guardians. If such data is provided by minors, we will not process it. However, we are not always able to determine the age of individuals using our website.
• Your data is collected and processed by our authorized and trusted staff, bound by confidentiality agreements, particularly from the reservations, sales, reception, accounting, IT, food & beverage (restaurants-bars), housekeeping, maintenance, and retail store departments within the hotel, in compliance with national and international legislation. The material from the image data is accessible only by the Company’s management and if the need arises to manage the material, this takes place following a special authorization from the Company’s management to our competent trusted personnel who are responsible for the security of the premises.
• Our Company does not conduct automated data processing or profiling.
• It is our fundamental principle and commitment that we do not share your information with third parties for their independent business or other purposes. However, we may share your data when required and to the extent necessary, adhering to the principle of proportionality, with: (a) companies or professionals we collaborate with, who act as independent “data controllers” responsible for the lawful processing of personal data as per their own privacy policies, such as the tour operator/booking system through which you made your reservation (e.g., for charge verification, reservation confirmation), our contracted security company responsible for safeguarding our hotel premises for your and our safety (e.g., confirming the arrival of a person with a scheduled reservation), courier services, taxi service providers, technology service providers (e.g., website hosting, email providers), the exchange company in the case of timeshare agreements, legal services-lawyers in the event of out-of-court or judicial claims, in which case your data may be used before a court to establish, exercise or support legal claims, our contracted insurance company solely in the event of an insurance risk, auditors, our suppliers (e.g., in case of issues related to our products/services); (b) Partner banks when required under circumstances or by law (e.g., random transaction audits, credit requests, refund cases); (c) Healthcare providers (doctors, hospitals, health centers, etc.), if necessary to protect your vital interests, i.e., your life and health, or to ensure public health; (d) Any public authority or legally supervised entity as required by law or to protect legal rights or public interest, including law enforcement, health authorities (e.g., EODY), financial crime units, Ombudsman institutions, consumer protection authorities, data protection authorities, judicial or prosecutorial authorities. The aforementioned entities may access your data to the extent required by circumstances, either for performing their duties or fulfilling their assignment from us, or as mandated by law, and are bound by confidentiality agreements or legal professional secrecy obligations.
• Specifically, visual data collected through a closed-circuit television (CCTV) system is not disclosed to third parties except in the following cases: (a) when transferred to judicial, prosecutorial, and police authorities for the investigation of a criminal act involving individuals or property of the data controller, or when legally requested by such authorities in the course of their duties; (b) when disclosed to the victim or perpetrator of a criminal act if such data constitutes evidence of the act.
• Our Company does not transfer your data outside the EEA. If, exceptionally, such a transfer is necessary (e.g., in the case of a reservation made through a tour operator or other entity outside the EEA), the transfer will only occur if adequate data protection guarantees are in place in the third country, in accordance with international law.

5. Data Retention Period

We retain your data for the duration required by law (especially in the hospitality and tax sectors) to fulfill our legal obligations, as well as for the period necessary for contract execution and for establishing, exercising, or defending legal claims. Personal information essential for concluding or executing our contract is retained throughout the contract duration and for five years after its termination. In the event of claims, these data are kept until an irrevocable decision is issued and/or in the event of a settlement, for twenty years from the execution of the terms of the settlement, provided that there is an unfulfilled benefit. Visual data collected via CCTV is retained for the strictly necessary period and is automatically deleted after 15 days unless an incident occurs within this timeframe, in which case it is retained for up to one additional month to investigate the incident and initiate legal proceedings to protect our legitimate interests. If the incident involves a third party, the video may be kept for an additional three (3) months. The material is further retained as necessary on a case-by-case basis to support or counter legal claims. All the aforementioned retention periods may be subject to change due to legislative amendments and specific guidelines issued by the Data Protection Authority, in which case this Privacy Policy will be updated accordingly.

6. Information Security

Our Company has already implemented the necessary technical and organizational measures and, if needed, is willing to take any additional reasonable measures to: (a) protect personal information from unauthorized access, disclosure, alteration, or destruction; and (b) ensure personal information remains accurate and up to date, as applicable. All websites and servers owned by our Company have security measures in place to help protect your personal data from loss, misuse, and alteration while under our control. Although “guaranteed security” does not exist either online or offline, we safeguard your information using procedural and technical safeguards, including password controls and firewalls.

7. Your Rights as a Data Subject

• You have the right to access your information, requesting details about the personal data we hold, obtaining copies, and understanding how we process it.
• You have the right to request correction or completion of any inaccurate/incomplete personal data.
• You have the right to request data portability for information processed based on a contract, allowing direct transfer to another Data Controller where technically feasible.
• You have the right to request the deletion of your data, provided its retention is not required for legal, contractual, or public interest purposes.
• You have the right to request the restriction of processing for data you have asked us to delete or correct, as well as when we are required to delete your data, but you wish to retain it exclusively for your own use for a specific reason.
• You have the right to object to data processing unless there are compelling and lawful reasons for processing that override your rights or if processing is necessary for establishing, exercising, or defending legal claims in court or out-of-court, in which case our legitimate interest in processing prevails, and your data may be shared with third parties for judicial use.
• You have the right to object to the processing of your data unless there are compelling and legitimate reasons for processing that override your rights, or if processing is necessary for the establishment, exercise, or defense of legal claims in court or out of court, in which case our legitimate interest in processing prevails, and your data may be transferred to third parties for judicial use. You also have the right to object to receiving updates via regular mail, email, or SMS by sending a relevant electronic request to our email address: [email protected] or by calling our contact number +30 22941 13000. In this case, we will cease sending you updates.
• You have the right to freely withdraw your consent to the processing of personal data at any time, in which case the processing of personal data based on this consent will cease. In this case, the processing that took place before the withdrawal of consent will not be affected.
• You have the right to appeal to the Personal Data Protection Authority (www.dpa.gr) in accordance with the legislation if you believe that your rights have been violated. However, we would be happy if you would give us the opportunity to resolve any complaint you may have as soon as possible before you appeal to the Authority.

8. Contact Information – Updates

For any questions regarding this Policy or data protection and security in general, or to exercise your legal rights, you may contact us as follows:

TOXOTIS S.A.

Attn: Data Protection Officer (D.P.O.)
Paralia Marathonos, Attica (Hotel “GOLDEN COAST”), 19007 Marathon, Attica, Greece.
Tel.: +30 22941 13000, Fax: +30 22941 13001, Email: [email protected]

This “Privacy Policy” was drafted on May 21, 2018, and was last modified on March 4, 2025. It is updated periodically as necessary. Before making any changes, we will update this “Privacy Policy” accordingly and post it on our websites so that you are informed. For this reason, we kindly ask you either to check the “Privacy Policy” section of our websites before browsing or using our services, or to request a printed version at our hotel reception, or to submit a request at [email protected] to receive a copy of the “Privacy Policy.”