Scope of the Privacy Policy

“Grivalia Hospitality- Greek Branch”, based on Athens (Marousi, 117, Kifisias Ave and 59-61, Ag. Konstantinou Str, Building B’ with tax number 997009080), hereinafter referred to as “Grivalia Hospitality” or “the Company”, guarantees the safety and protection of your personal data, which are collected through its website (hereinafter “Website”). The Company publishes the present lawful, fair and transparent Privacy Policy, in order to provide sufficient information on the personal data it collects and further processes in the context of the operation of its Website. The Company, in its capacity as Data Controller, collects and processes personal data only to the extent necessary for specific and lawful purposes in compliance with the European and National Data Protection Legislation.


For the purposes of this Policy, the following definitions should apply:

Personal data’: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special categories of personal data’: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;

Processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Data Subject’: the natural person whose personal data are processed. The data subjects this Policy refers to are the users of our website.

Consent’: of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Anonymization': the processing of personal data in such a way that data can no longer be attributed to a particular data subject;

Pseudonymization’: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Existing legislation’: The provisions of the existing Greek, EU or other legislation which is applicable to Grivalia Hospitality which regulates matters of data protection, such as the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the Greek Law 4624/2019, the Decisions, Directives and Opinions of the Hellenic Data Protection Authority (HDPA) as well as any further applicable laws regulating data privacy matters.

Principles relating to the processing of personal data

Grivalia Hospitality collects and processes personal data based on the following principles:

1. Lawfulness, fairness and transparency: Grivalia Hospitality ensures that personal data are collected and processed lawfully, fairly and in a transparent manner in relation to the data subject.

2. Purpose limitation: Grivalia Hospitality ensures that personal data are collected only for specified, explicit and legitimate purposes.

3. Data minimization: Grivalia Hospitality takes relevant technical and organizational measures so that personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4. Accuracy: Grivalia Hospitality shall take all necessary steps to ensure that the personal data it collects and processes are always accurate and, where necessary, kept up-to-date.

5. Storage limitation: Grivalia Hospitality does not store the personal data it collects for longer than is necessary for the purposes for which the personal data were collected and set under process. However, the Company may further retain personal data when necessary for:

a) compliance with its legal obligations;

b) the performance of a task carried out in the public interest;

c) purposes of the legitimate interests pursued by the Company;

d) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

e) the establishment, exercise or defense of its legal claims

6. Integrity and confidentiality: Grivalia Hospitality ensures that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Data collected and processed through our Website, Purposes of processing and legal basis

Grivalia Hospitality collects personal data in the following cases:

Α.1.1. Data collected through the communication (Contact) form

When you choose to contact us through the electronic contact form available in the Website, you will need to provide certain information, such as your name, surname, e-mail address, as well as any further information you include in your message to us.

Α.1.2. Purpose of processing and legal basis

We collect and process the information you will provide through the communication form with the sole purpose of serving and contacting you in order to satisfy your request, response your question etc. The legal basis of processing is the Company’s legitimate interest to improve its services and satisfy any requests submitted to the [GDPR art. 6 (1f)].

Α.2.1. Data collected through the Careers form

When you choose to contact us to express your interest for future collaboration with our Company, we will collect and process personal data included in your email and your CV, such as name, surname, email address, phone number, certificates, working experience, knowledge of foreign languages etc.

Α.2.2. Purpose of processing and legal basis

We collect and process the information you will provide us only for recruitment purposes. The legal basis of processing is your prior consent [GDPR art. 6 (1a)] as well as the Company’s legitimate interest to assess your suitability for new job openings [GDPR art. 6 (1f)]. The consent can under specific legal conditions be withdrawn at any time, bearing in mind that such a withdrawal does not affect the lawfulness of the processing performed until then.

Β.2.1. Online technologies

While browsing our site, we may collect some essential information related to the traffic to our Website, such as the web address (IP address) and the type of browser used by the user etc. For more information on by using the cookies on our Website, you can refer to

The cookies used by the website are the essential for the proper functionality of the website, they allow you to navigate and use its functionalities, as accessing safe locations.

Β.2.2. Purpose of processing and legal basis

The purpose of collecting and processing these data is to improve the functionality and enhance the safety of the Website and the services provided as well as the analysis of its traffic. These data are kept only for 6 months, unless there is legal obligation for their further retention. IP addresses that are linked to malicious actions are saved permanently to the security system of the Website for safety reasons as well as to hinder potential attacks. The legal basis for the processing of personal data is the consent of the user, with the exception of the strictly essential cookies which are permanently deselected and are essential for the operation of the Website. Legal basis of processing for the strictly essential cookies is the legitimate interest of Grivalia Hospitality to ensure the optimal functionality of the Website.

Minors’ Data

Requesting or receiving minors’ personal data is not a part of our Policy (i.e. from individuals that have not reached the age of 18 years old), either directly or indirectly through third parties. However, given that it is impossible to always control the age of individuals entering or using the Website of Grivalia Hospitality, parents and legal guardians are advised to contact directly Grivalia Hospitality in case they observe any unauthorized disclosure of data on behalf of the minors for whom they are responsible, in order to exercise their rights accordingly, as e.g. the erasure of their data.

Transfer of Personal Data

Grivalia Hospitality may transfer personal data to third parties, to whom it has entrusted the processing of personal data on its behalf (such as service companies, website developers etc.). In any case, such third parties are contractually bound to Grivalia Hospitality in order to ensure the obligation of confidentiality as well as the obligations provided by the Existing Legislation.
At the same time, the personal data of the users may be transferred to public authorities, independent authorities, etc. (eg Police, prosecuting authorities, tax authorities etc.) during the exercise of their duties ex officio or at the request of a third party invoked legal interest and in accordance with legal procedures.

When the transfer of data concerns a country outside the European Union (EU) or the European Economic Area (EEA), we always check whether:

In any other case, the transfer to a third country is not allowed and we may not transfer personal data unless any of the specific derogations provided for in the Regulation apply (e.g. explicit consent of the data subject, upon informing him/her on the risks of the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support the legal claims and the vital interests of the subject etc.).

Data retention period

All personal data collected and processed by Grivalia Hospitality are retained for a pre-determined and specified period of time, depending of the purpose of processing. When this time period expires, the personal data are safely deleted and/or destroyed, unless their further retention is permitted or required by law. When the processing is required by the law, your personal data are kept as long as the applicable law previews. If your personal data are processed for the performance of a contract, they are retained as long as it is necessary for the performance of the contract and the establishment, exercise or defense of legal claims based on the contract. The personal data processed for commercial purposes on the grounds of the user’s prior consent are retained until the withdrawal of the consent whereas such withdrawal does not affect the lawfulness of the processing until the withdrawal.

Data Privacy and Security

Taking into account the latest updates, implementation costs and nature, scope and purposes of processing, as well as the risks of different probability of occurrence and seriousness of the rights and freedoms of users from processing, Grivalia Hospitality takes the necessary technical and organizational measures to protect users' personal data. However, it is noted that no electronic data transfer or storage method is 100% secure. Nevertheless, the Company takes all necessary security measures (antivirus, firewall).

Disclaimer for Third Party Websites

The Website may include links, which redirect to third-parties’ websites, as well as widgets of social media Facebook, Twitter and Google +. Grivalia Hospitality neither controls those websites, nor is responsible for the content posted on them or any further links appearing on them as well as for any processing of the user’s personal data. Grivalia Hospitality is not responsible for third-parties’ privacy practices or for their websites’ content.

Data Protection Officer

Grivalia Hospitality in order to secure sufficiently the privacy and integrity of the personal data processed, has appointed a Data Protection Officer (DPO) to which the data subjects can make their requests and their questions about the privacy of their personal data and the current Privacy Policy as well as to perform their rights hereinafter. The contact details are as follows: Email:

Data Subject Rights

Grivalia Hospitality shall ensure and take the appropriate measures for the data subjects to be able to exercise their rights, as provided by national and EU legislation regarding the collection and processing of personal data concerning them. Each data subject has the following rights:

  1. The Right of Access and Information.
  2. The Right of rectification.
  3. The right to erasure ("the right to be forgotten").
  4. The right to restriction of processing.
  5. The right to data portability.
  6. The right to object to the processing and the right to object to automated individual decision-making, including profiling.
  7. Right to withdraw his/her consent. In cases where the processing is based solely on your prior consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing performed based on consent before its withdrawal.

Grivalia Hospitality may refuse to fully or partially satisfy a data subject’s request only when this possibility is provided for by the Regulation or by national law.

Grivalia Hospitality provides the data subjects with information on the processing operations within one (1) month from the submission of the data subject’s relevant request and following the data subject’s identification. This period provided can be extended by two (2) more months, if necessary, if the request is complex or in case of numerous requests. In this case, Grivalia Hospitality is obliged, within one month of the receipt of that request, to inform the data subject about the delay and the reasons of the delay. Within that period, Grivalia Hospitality shall also inform the data subject of possible refusal to fully or partially satisfy the request as well as for the motives of the refusal.

If the data subject submits the request by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject requests differently.

If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive character, Grivalia Hospitality may charge a reasonable fee in order to satisfy the request or refuse to respond to the request.

To exercise any of the above rights, you can contact the Data Protection Officer of Grivalia Hospitality ( ).

Right to Lodge a complaint with the Hellenic Data Protection Authority

Data subjects have the right lodge a complaint with the Hellenic Data Protection Authority (DPA) for issues concerning the processing of their personal data. For the Authority's competence and the means of filing a complaint, detailed information is provided on the website of the DPA "My Rights Submitting a Complaint").

Updates to the Privacy Policy

Grivalia Hospitality may update this Privacy Policy from time to time for compliance reasons or to meet its operational needs and legal obligations. Updated versions will be uploaded to our website, with data reference, so that you are always aware of when our Privacy Policy was last updated.

Update: December 2021