GENERAL DATA PROTECTION POLICY

A. GENERAL

PREAMBLE

The protection of your personal data is very important to us. In that direction, we attach great importance on harmonizing our Company's practices with the legislation in force. This General Data Protection Policy (hereinafter referred to as the "Policy" or the “Data Protection Policy” or the “GDPR Policy”) concerns the conditions for collecting, storing, retaining, processing and using of your personal information by the Single-Member Private Capital Company under the name «PHAEDRA VILLAS DEFINITIONS

Website, the website (portal) www.casabotanica.gr

User/Visitor every website visitor.

Use the access, study, advice, storage, or other recording in memory or other magnetic or non-magnetic medium, installation, viewing in any way, mechanical or not, including printing, of the Data of the website.

The Βeneficiary or Content Owner the Single-Member Private Capital Company under the name «PAHEDRA VILLAS SMPCC», as the creator of the Website and all the Elements contained in it, or as the lawful user of those of the Elements that are not its original intellectual creations. Any other affiliated company or any other company who acts as a proxy of «PHAEDRA VILLAS SMPCC» in respect of the operation of the website is considered to act as a representative and the rights of «PHAEDRA VILLAS SMPCC» are not affected

The basic definitions of the terms and names to be used in this document, as referred to in Article 4 of the General Regulation on Personal Data Protection 2016/679 / EU (EU GDPR), are the following:

Personal Data: Any information or data relating to an identified or identifiable natural person ("data subject"). As intentifiable natural person is considered to be the natural person whose identity can be acertained, directly or indirectly, in particular by reference to an identifying element such as its’ name, identity card and/or passport number, tax information, location data, summarized identity, or one or more factors specific to physical, physiological, genetic, physical, economic, cultural or social identity of that natural person.

Personal data of special categories (sensitive): Personal data which are by nature very sensitive in relation to fundamental human rights and freedoms are considered sensitive and therefore require special protection as the context of their processing could pose significant risks to the fundamental human rights and freedoms. This personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, as well as the processing of genetic data, biometric data used for undisputed identification of a persons’ health status or data relating to its’ sexual life or its’ sexual orientation.

It is clarified that all personal data of minors -under the age of 16 - are by definition considered as sensitive and treated as such.

Controller: a natural person or legal entity, a public authority, a service or other entity that alone by itself or acting jointly with others determine the purposes and the manner in which personal data are processed.

Processor: a natural person or legal entity, a public authority, a service or other entity processing personal data on behalf of the controller.

Processing: any action or set of actions carried out with or without the use of automated means of collecting personal data or clusters of personal data (sensitive and non-sensitive) such as collection, registration, organization, structure, storage, adaptation or alteration, retrieval, search of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, erasure or destruction.

Authority: The Personal Data Protection Authority (PDPA)PCC», which resides in Pallini Attica, 9 Pythagora str. (P.O 15351) with VAT No 997085641 issued by the Tax Registry of Pallini and Commercial Chamber of Companies Registration No 144740903000, as legally represented, hereinafter referred to as the "Company"

The Company is designated as a controller and strictly complies to the Data Protection Principles set out in Article 5 of the General Data Protection Regulation.

B. SPECIFICS

1. WHAT IS THE COMPANYS’ PUPROSE/SCOPE

The purpose of the Company through the operation of the website www.casabotanica.gr is the rental of Tourist Furnished Houses / Apartments (Villas) as temporary tourist self-catering accommodation.

The properties/villas owned by the Company ARE NOT hotels or tourist residencies falling under any international categories. The villas reflect the local conditions and the aesthetics of the owning company both as regards the architectural style, the interior decoration and the furniture

2. WHAT IS PERSONAL DATA?

The term "personal data" or “private data” or «data" as used in this Policy refers to information belonging to natural persons (as for example the full name, the e-mail address, etc.), hereinafter "Personal Data or Private Data or Data".

3. WHAT PROCESSING OF PERSONAL DATA REFERS TO?

As Processing of Personal Data is considered any action or set of operations/actions carried out with or without the use of automated means for collecting data, either in an electronic form (soft copy) or in a hard copy, such as collection, registration, organization, classification, structure, storage, adaption, change, retrieval, search for information, use, transmission, dissemination, association, combination, restriction, deletion and destruction of Personal Data.

3. WHAT PROCESSING OF PERSONAL DATA REFERS TO?

4. WHICH DATA DO WE COLLECT

The Company collects all the necessary information from its contractors (either as a customer or as a supplier) for the preparation and performance of the service contract and/or for the communication between us following your explicit consent, in particular following your request for a reservation, acting as an individual client, we shall collect and process your data to provide you with the services that you require from us.

We may collect:

i) Your name, age, address, telephone number, email, ID or passport number, nationality and country of residence, necessary for the provision of our services to you.

ii) Information for the payment of our services, such as credit/ debit card number(s), including associated billing address(es) and expiration date(s), according to your explicit consent, as provided by you at a specific authorization form and as described below.

iii) Other information necessary to facilitate your travel or other services, including travel companion(s) names/ passport numbers/age, any dietary or other restrictions

– Use of products and services such as self-service devices, flight status notification and web check-in, necessary for the services required by us.

b) Payment Information

When you use our Payment Services, such as when booking accommodation or a travel-related experience through us or establishing a Supplier relationship via us, we require certain financial information (like your bank account or credit card information) to process payments and comply with applicable law. If you are a Supplier, we may require additional information such as your ID or tax ID (where permitted by applicable law), and other proof of identification or verification to verify your identity, provide the Payment Services to you, and comply with applicable law. If you are a Guest, we may retain your financial information to assist you with booking travel-related experiences with third parties. We only process such data according to your explicit consent and written authorization.

c) Advertising and Marketing Related Purposes

According to your explicit consent, we may process information such as your email address or your IP address, to:

i) Send you promotional messages, marketing, advertising, and other information that may be of interest to you, based on your communication preferences (including information about Casa Botanica or our partners’ campaigns and services).

ii) Administer referral programs, rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by the Company or its third-party business partners.

iii) Carry out profiling on your characteristics and preferences (based on the information you provide to us, your interactions with our services, and your search and booking history) to send you promotional messages, marketing, advertising and other information that we think may be of interest to you.

d) Employee and Human Resource Related Purposes

i) We collect personal information from applicants to open positions within our company, including private contact details, CVs, professional qualifications and previous employment history, necessary to reach to employment decisions. Once employed, The Company collects information on staff for human resource, performance, payroll and tax purposes. The Company may process similar information relating to consultants contracted on a freelance basis.

ii) For security reasons in commonly used spaces within our offices, we have installed security cameras systems (CCTV). We ensure that any recording within the offices of our company is not directed to any of our employee’s office/working space. All our employees are officially informed of this security measure and of the processing of some of their data that may arise thereof, which does not aim to the recording of their performance.

e) Web visitors- IP addresses – Cookies

i) The Company collects named information about visitors to our website, www.casabotanica.gr where this is provided by them by filing our online contact form, for example where a client requests information on a service or where someone wants to apply for a vacant position with the Company. Through the use of cookie-based technologies, The Company may collect various data linked to virtual identities (IP addresses) allocated to visitors when they access our website. This data is used for various purposes, including site analytics and first-party or third-party marketing. In certain cases, these virtual identities are linked to the real-world identities of visitors only when they choose to provide their named information at the contact form, as described.

ii) Automatically Generated Data In the course of using the pages on our website, personal data may be automatically processed. Typically, this relates to the name of your internet provider, your IP address, your location, the time and date of access, the browser you are using, your operating system, the web pages you visited on our website and the website from which you accessed our website. This information is used to analyse trends, administer the website, track user’s movement, and gather broad demographic information for aggregate use.

B) When you visit and navigate on the Company's website, we ARE NOT collecting your Data, except from the ones automatically collected by the cookies you have authorized yourself by providing your consent to be used. Specifically, the only types of cookies used by our Site belong to the following categories:

(a) Absolutely Required Cookies and

b) Functionality Cookies and both are necessary for the proper operation of the site. The information they collect is anonymous and does not monitor the activity of browsing other sites.

For more information, please refer to the Company's cookie privacy policy posted on the Company's website www.casabotanica.gr

Furthermore, upon your explicit consent, and exclusively provided by you, information is collected through our website for the purpose of notifying and communicating our activities to you as detailed in our Privacy Policy posted on our website.

5. WHY ARE WE ARE PROCESSING YOUR DATA FOR?

We collect your Data solely for the purposes of:

(a) providing our services,

(b) for performing acts of communication between your and the Company, after your prior consent (for example via newsletter)

6. WHAT IS THE LEGAL BASE FOR DATA PROCESSING BY THE COMPANY?

Data Processing is performed for the execution of any contract between us for the provision of our services, for your information on the activities, events and promotions of the Company to you, as well as for the communication of the Company with you, only after your prior explicit consent, in writing or electronically.

7. DO WE USE THE DATA FOR OTHER PURPOSES I.E PROMOTING GOODS AND / OR SERVICES?

The Company does not use the Data for purposes other than those mentioned in paragraph 6 above, which relate to the proper provision of our services, in view of high-quality standards and the compliance of our company with the applicable legislation.

The Company may use the Affiliates and Customer Information on its website for publicity/promotional or other purposes related to the Company's professional visibility and publicity.

8. WHO ARE THE DATA RECIPIENTS?

The recipients of the Data are:

(a) the Company and its strictly necessary staff committed and bound to confidentiality.

(b) All employees, with an indefinite or fixed-term relationship, as well as all subcontractors, assistants, employees who work on behalf of the Company are bound by this Policy.

Our website includes hyperlinks to, and information from, third party sites. We cannot control and are not responsible for the protection policies and practices of third parties. We may disclose your personal information to trusted third party service providers as necessary for them to perform services on our behalf. Examples of data sharing include cookies, your IP address, your email address, and your name. Your email address and name are used only in trusted services that we use to create newsletters. We disclose only the minimum necessary information, and third parties are not allowed to use your information for any other purpose, as stated in our Privacy Policy. Every third party we use also complies with the GDRP set of regulations. The site may provide links that redirect the user to third-party sites. The Company does not control these third-party websites and is not responsible for the content posted on them or any further links that appear on them. The Company is not responsible for the privacy practices of third parties or for the content of third-party websites.

9. HOW DO WE SECURE THAT YOUR DATA ARE RESPECTED

The Data Processors have agreed and contracted with the Company:

• to be bound by confidentiality/non-disclosure agreements,

• not to disclose any data to third parties without the prior provided permission by the Company,

• to take all appropriate security measures

• to comply with the legal framework for the protection of personal data, and in particular the EU GDPR Regulation.

The Company takes all appropriate technical and organizational security measures to ensure that processed personal data are accurate and, where necessary, accordingly updated.

The Company takes all necessary measures to ensure that inaccurate or incomplete data will be erased or accordingly corrected. Personal data processed are appropriate, proportionate and relevant to the needs of the service rendered to the customer, meet the contractual obligations undertaken by each contract party and are collected only for defined, explicit and legitimate purposes, as above mentioned as well as in the relevant contracts.

The personal data process is conducted by the Company in a manner that ensures their confidentiality and follows rules and other procedures to protect them against unauthorized access, misuse, alteration, forbidden dissemination, disclosure, loss or accidental / unlawful destruction and any other form of unfair processing. The Company applies technical and organizational security policies, routines, and procedures to protect the personal data it collects from potential security breach, loss, misuse, alteration, or destruction.

Internal audits on the processing of personal data are routinely conducted by the Company to review the effectiveness of the applicable data protection measures.

Specially authorized individuals have access to data processing systems through which personal data is processed or used only in accordance with the Company's instructions. Data processing systems cannot be used by unauthorized persons. Persons authorized to use data processing systems have specific and targeted access only to the data for which they have been authorized. Personal data may not, during the processing or use or after, be recorded, read, copied, modified, or shifted by unauthorized persons of the Company.

Access to personal data is limited only to those who have authority in the course of their duties appointed to them by the Company, provided they need to be aware of them. People who have access to the data are required to keep the data confidential.

10. FOR HOW LONG DATA WILL BE STORED?

As a rule, all personal data are deleted/destroyed by the termination of our contractual relationship.

The duration of the retention of the Data is also determined by the retention obligation imposed by the applicable legislation governing the Company's contractual and tax obligations.

Exceptionally, it is possible to extrapolate the length of retention of the Data for purposes of proofing before the courts in regards of the compliance of contractual obligations by the Company or in case it is required by a rule of law or due to compliance with instructions from Public or Independent Authorities.

11. ARE YOUR DATA SECURE?

The Company is committed in safeguarding your Personal Data.

We have received appropriate organizational and technical measures for the security and protection of Data from any form of accidental or fraudulent processing. Security measures shall be reviewed and amended whenever necessary to meet the conditions and standards set forth in the applicable legislation.

Indicatively, and not restrictively, the following rules describe how, and in which space the data are safekept. The data stored in hard-copy files are kept to a point where unauthorized persons have no access. The same applies to files that are kept electronically, but for some reason they have been printed-out.

Important points are:

• Envelopes and scanned data are kept in a locked cabinet.

• Employees are confident that printouts are not left unattended where unauthorized people could access them, such as for example in or near the printer.

• Printed-out data that are not in use are usually destroyed. In the event that the data are stored electronically (soft copies), they are protected against unauthorized access, accidental destruction and spyware.

Specifically:

Data are protected by strong passwords that are frequently changed and are not disclosed to employees who are not authorized.
If the data are stored on portable media (such as aCD-ROM, an usb stick etc.), they are stored securely when not in use
All servers and computers containing data are protected by an approved software and firewall.

Your Data may only be processed by specifically authorized persons, employees, and partners solely for the purposes stated above.

The Company carries out regular audits and routine inspections to verify that the data are secure and that the present Policy is implemented.

12. WHAT ARE YOUR RIGHTS?

You have the right to access your personal data.

This means that you have the right to be informed by us whether we process your Data. If we process your Data, you can ask to be informed about the purpose of the processing, the kind of Data we process, who we give it, for how long we store it, whether we use automated collecting tools, but also about your other rights, such as correcting, deleting data, limiting the extend of processing and submitting a complaint to the Data Protection Authority.

You have the right to correct inaccurate personal data.

If you find that there is an error in your Data, you can apply for us to correct it (for example, a name correction or an update of an address change).

You have the right to delete / the right to oblivion.

You may ask us to delete your data if they are no longer necessary for the processing purposes.

You have the right to transfer your Data.

You may ask us to receive the Data you have provided in a readable form or ask us to forward it to another controller.

You have the right to restrict your processing.

You may ask us to restrict the processing of your Data for as long as your filed objection on procession is pending.

You have a right to object to the process of your Data.

You may oppose to the process of your Data or withdraw your consent and we will cease processing your Data, unless of course there are other compelling and legitimate reasons that prevail over your right.

13. HOW CAN YOU PERFORM YOUR RIGHTS?

In order for you to exercise your rights you can send us a written request, describing the right you wish to exercise, either at the postal address «PHAEDRA VILLAS SMPCC», , 9 Pythagora str., P.O 15351, Pallini Attica), under the title/subject "Exercise of a right of access/correction/deletion/restriction/challenge", or via e-mail to the address admin@casabotanica.gr under the title/subject "Exercise of the right of access/rectification/deletion/restriction/opposition", describing your request, We will review it and revert as soon as possible.

14. WHEN DO WE REPLY TO YOUR REQUESTS?

We will respond to your requests free of charge, without any delay, and in any case within (1) one month from the date of receipt of your request. However, if your request is complicated or there are a large number of requests (clustered requests) by you, we will inform you within one (1) month whether we will be needing an additional two (2) month extension, within which we will respond to you.

If your claims are manifestly unfounded or excessive due in particular to their recurrence, the Company may impose a reasonable fee, taking into account the administrative costs of providing the information or executing the requested action or refusing to follow up the request.

15. HOW TO FOLLOW UP THE DEVELOPMENT OF YOUR REQUESTS

For more information, you can directly contact us via e-mail address admin@casabotanica.gr using the title: "Request Progress".

16. DO WE USE AUTOMATIC DECISION-MAKING TOOLS / INCLUDING CREATING A PROFILE WHEN YOUR DATA PROCESSING?

NO, we do not make decisions, nor do we create a profile based on our automated data processing.

17. WHAT IS THE LAW APPLICABLE FOR PROCESSING OF YOUR DATA BY THE COMPANY?

We process your Data in accordance and compliance with the General Personal Data Protection Regulation 2016/679 / EU and in general the current national and European legal and regulatory framework for the protection of personal data.

18. TO WHOM SHOULD YOU SUBMIT ANY COMPLAINTS IN CASE OF INFRINGEMENT OF THE APPLICABLE LAW FOR PROTECTION OF PERSONAL DATA?

You have the right to lodge a complaint addressed to the Personal Data Protection Authority (1-3 Kifisias Avenue, Athens/ www.dpa.gr ) if you believe that processing of your Personal Data violates the current national and regulatory framework for the protection of private data

19. HOW WILL YOU BE INFORMED FOR ANY MODIFICATION OF THIS POLICY?

We will update this Policy whenever deemed necessary to comply with the applicable national and European laws and regulations on the protection of personal data. If there are any significant changes to the Policy or the way we use your Personal Data, we will post in a prominent place on our website.

We encourage you to review this policy regularly in order to monitor how your Data are protected from time to time.

The Company is the controller of the process of the private data of natural persons or individual businesses it receives.

If you wish to contact any matter relating to the processing of your Data and the exercise of your rights, you may contact the Company’s Data Controller, mr Pericles Voultsos, by using the e-mail address admin@casabotanica.gr