GDPR Privacy Statement
Effective Date: May 25, 2018
The General Data Protection Regulation (“GDPR”) aims to strengthen the protection of personal data in the European Union (“EU”). Coming into force on May 25, 2018, the GDPR replaces the current EU Data Protection Directive as well as its national implementations in EU member states. Crete Vacation Channel ("Cretevc") owns and operates this cretevc.com website business. All references to "we", "us", or "our" shall be construed to mean Crete Vacation Channel. Crete Vacation Channel will be acting as the "Controller" of the personal data you provide to us. This includes your personal contact information and the contact information of your affiliated organization. We only collect basic personal information about you which does not include any special types of information or location-based information (GPS data). If you are an employee or other personnel of one of our customers which have entered into an agreement with us for the provision of our products or services, we will be acting as the "Processor" of your personal data which will be governed by our Data Processing Agreement. For more information, visit our Trust and Compliance Page.
WHY WE NEED YOUR DATA
We need to know your basic personal data consisting of contact information for purposes of responding to your inquiry on our Contact Us web page and similar web pages. In addition, we need to know your personal data to send you emails for other specific purposes only if you have explicitly given your consent to receive these emails. CreteV.C. Technologies (“CreteV.C.”) builds its success on the trust its customers, partners, employees and other stakeholders place in our ability to provide premier location products and services. This includes a high level of protection and security regarding the personal data that our stakeholders entrust to us. As a controller and processor of personal data, CreteV.C. confirms that we have the required policies, processes and procedures in place to comply with the GDPR. Over the past 18 months, CreteV.C. has worked to ensure that every part of our organization that comes into contact with personal data, from both internal and external sources, has implemented privacy practices that align with the GDPR. This work was driven by an executive-led GDPR steering group. We have also taken compliance a step further by fortifying data protection and privacy as a core component of CreteV.C.’s composition. We have achieved this by applying the same GDPR-compliant standards across our organization internationally, which allows us to provide our stakeholders with the same level of transparency and consistency.
WHAT WE DO WITH YOUR DATA
Your personal data is processed by our personnel located in Crete, Greece; however, for purposes of hosting and maintenance, your personal data may be archived on servers provided by Amazon Web Services. Except for this sub-processor, we won't share your personal information with third parties outside our organization unless authorized by applicable law. If we are acquired by another party, we will share your personal data with the acquiring party. We maintain a data protection regime for the effective and secure processing of your personal data. For more information, visit our Trust and Compliance Page. Our commitment to this end is enshrined in our policies and Code of Conduct.
In our work, we apply the following principles:
We are accountable for ensuring our fair and lawful collection and processing of personal data, meaning we collect and process data honestly, ethically, with integrity and in a manner that is consistent with applicable laws and our values. We maintain evidence of compliance so we can demonstrate our commitment to these principles to interested parties, including data subjects, competent data protection supervisory authorities, internal stakeholders and regulators.
We use a privacy by design and by default approach, meaning that privacy is a key consideration in the creation, delivery and support of our products and services.
We focus on transparency, choice and individual participation, meaning that we provide appropriate privacy notices and information about our collection and use of personal data. We provide fair and reasonable choices for the collection and use of personal data, and we allow individuals to access, update and delete their personal data.
We abide by collection and purpose limitation practices, meaning that we only collect and process personal data that is adequate and relevant to the specified, explicit and legitimate purposes for which it was collected.
We apply responsible data management practices to govern the processing of personal data. We classify and catalogue information accordingly and in a systematic, holistic manner. We take measures to avoid extracting or copying personal data to unmanaged environments.
We do not disclose personal data to law enforcement, governmental agencies or third parties unless required by law. We limit disclosures of personal data to our partners to what is described in our privacy notices, or to what has been authorized by our customers or end users.
We implement appropriate security safeguards, including technical and organizational measures, to protect personal data against unauthorized access, use, modification or loss. We also require our partners to apply appropriate security and privacy safeguards.
At CreteV.C. we welcome the GDPR as an opportunity to strengthen our commitment to data protection and privacy within our company for the benefit of all our stakeholders. We believe this commitment will be a significant part of the future success of CreteV.C., our partners and our customers.
CreteV.C. GDPR FAQ
At CreteV.C. Technologies, we welcome the GDPR as an opportunity to strengthen our commitment to data protection and privacy. Since the application of GDPR to a global business can be quite complex, we have provided answers to some common questions below:
IS CRETEV.C. COMPLIANT WITH GDPR?
Data privacy is a global issue, hence CreteV.C. has applied the EU requirements for GDPR to our organization’s approach to data protection and privacy worldwide, unless otherwise required by applicable local law.
HOW IS CRETEVACATIONCHANNEL ACCOUNTABLE FOR ENSURING FAIR AND LAWFUL PRACTICES IN THE COLLECTION AND PROCESSING OF PERSONAL DATA?
CreteV.C. collects and processes data honestly, ethically, with integrity and in a manner that is always consistent with applicable laws and our values. We maintain evidence of compliance, so we can demonstrate our commitment to these principles to competent data protection supervisory authorities and regulators.
HOW DOES CRETEV.C. REASSURE CUSTOMERS THAT THEIR PRIVACY IS PROTECTED?
CreteVacationChannel follows a “privacy by design and by default” methodology, making privacy a key consideration in the creation, delivery and support of our products and services. This also means that our default approach to collection and use of personal data is to focus on transparency, choice and individual participation.
HOW DOES CRETEV.C. ENSURE THAT DATA IS ONLY USED FOR THE PURPOSE IT WAS INTENDED?
At CreteVacationChannel, we abide by the principle of collection and purpose limitation, meaning that we only collect and process personal data that is adequate and relevant to the specified, explicit and legitimate purposes for which it was collected. We apply responsible data management practices to govern the processing of personal data. We classify and catalogue information accordingly and in a systematic, holistic manner. We take measures to avoid extracting or copying personal data to unmanaged environments.
WHAT IS CRETEV.C.’S POLICY ON DISCLOSURE TO AUTHORITIES OR THIRD PARTIES?
CreteVacationChannel does not disclose personal data to law enforcement or governmental agencies unless required by law. We limit disclosures of personal data to our partners and any other third parties to what is described in our privacy notices, or to what has been authorized by our customers or end users.
WHAT SAFEGUARDS DOES CRETEV.C. HAVE IN PLACE TO PROTECT PERSONAL DATA?
CreteVacationChannel implements appropriate security safeguards, including technical and organizational measures, to protect personal data against unauthorized access, use, modification or loss. We also require our partners to apply appropriate security and privacy safeguards. CreteVacationChannel maintains an ISO 27001:2013 certification as proof of its commitment to ensuring the security of the data it collects and maintains.
UNDER GDPR, IS CRETEV.C. CONSIDERED A DATA CONTROLLER AND/OR A DATA PROCESSOR AND WHAT ARE THE IMPLICATIONS?
CreteVacationChannel can be either a controller or a processor, depending on the product or service concerned. Where CreteV.C. acts as a controller, we will only process personal data for the limited purposes as described in our privacy policies or relevant notices or consents. Depending on the product or service concerned, CreteV.C. either establishes its legal basis for processing personal data as a controller independently, or we flow this requirement down to our customers through a requirement to provide our applicable terms to relevant data subjects. If CreteVacationChannel is a processor, we only process the data on the instructions of the relevant controller (i.e. the customer), or as required by law. As a processor, we are legally required to enter into data processing agreements with our customers and we have created agreements for all cases where this is required.
HOW DOES CRETEVACATIONCHANNEL ENSURE GDPR COMPLIANCE ON DATA THAT TRAVELS OUTSIDE EUROPE?
CreteV.C. develops global products and services and so it makes sense that we apply the highest common denominator (i.e., the GDPR) when it comes to standards. International data transfers from the EU to third countries that have not been deemed to provide an adequate level of data protection by the European Commission are protected through standard contractual clauses or other approved transfer mechanisms. Internally, CreteV.C. has implemented standard contractual clauses between each of its legal entities to ensure that all data transfers within the CreteV.C. organization are conducted pursuant to a legally sufficient transfer mechanism.
HOW WILL CRETEVACATIONCHANNEL SECURE VALID CONSENT IN FUTURE AND HOW DOES THIS DIFFER FROM PAST PRACTICE?
Securing valid consent has been changed to an affirmative action as required by the GDPR. Where CreteV.C. processes personal data based on consent, all ‘opt-out’ consents have been changed to ‘opt-in’. Where required, CreteVacationChannel workflows and technical implementations have been changed accordingly.
WHAT HAS CRETEVACATIONCHANNEL DONE TO ENSURE PARTNERS COMPLY WITH THE GDPR REGULATIONS?
In general, CreteV.C. does not share personal data with third parties except to assist CreteV.C. in providing services, or to comply with relevant laws. Where CreteV.C. engages data processors, CreteVacationChannel has included relevant safeguards into its contracts. CreteV.C. also conducts diligence in the vendor selection phase to ensure its data processors provide sufficient privacy and security protections. CreteV.C. monitors compliance of its vendors on an ongoing basis, e.g. by conducting relevant audits or compliance evaluations.
WHAT DOES CRETEVACATIONCHANNEL DO TO UNDERSTAND THE PRIVACY CONCERNS OF CITIZENS?
This year CreteV.C. Technologies commissioned an international study about people’s attitudes towards location data sharing. The results show that people have serious concerns over how their location data is collected and used by apps and service providers, and while this is already problematic today, we believe this raises even more challenges down the road as new services requiring ever faster communication emerge. What our study reinforces is the idea that companies and organizations must devise new ways to increase transparency and boost controls for consumers to manage their data – this is important for the public to accept and embrace important new technologies. And this is why CreteVacationChannel has embraced the GDPR as part of its corporate DNA going forward.
HOW LONG WE KEEP YOUR DATA
We will not retain your personal data for longer than required. This means that we will keep your personal information: (i) for as long as required by law, (ii) until we no longer have a valid reason for keeping it, or (iii) until you request us to stop using it. When we delete your personal data from our databases, it will remain in our backup system until it cycles out. We will delete your personal data that you provide for purposes of responding to your inquiry on our Contact Us web page and similar web pages after 365 days, unless you are continuing to request information from us.
WHAT ARE YOUR RIGHTS
You have the right to: (i) request access to and rectification or erasure of your personal data, (ii) request restriction of processing your personal data, and (iii) withdraw your consent at any time. If you provide a notice to us regarding your exercise of any of the above rights, we will forward your notice to other authorized parties which are holding and processing your personal data, where appropriate. If you wish to raise a complaint regarding how we have processed your personal data, you can contact us with the Contact Us information below, and we will investigate the matter. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you may complain to the data protection officer in the country in which you reside.
HOW TO CONTACT US
Crete Vacations Channel
Phone: 0030-694-279-6159
Email: firstname.lastname@example.org