Privacy Policy

Our company WAVE SA. is the owner of the THIRTY NINE HOTEL, located in Salonica, Greece, at 39 Egnatias Str. Thessaloniki, tel: +30 2312313939, email: info@thirtynine.gr. Acting as Data Controller WAVE respects privacy and protects the personal data of data subjects (customers, employees, visitors, etc.) according to the European General Data Protection Regulation (GDPR 2016/679), and its Greek implementing legislation (Law 4624/2019) following the instructions of the Hellenic Personal Data Protection Authority (HDPA).

What personal data we collect about you

We collect only the minimum personal data about you and keep them for the minimum legal period

necessary for the execution of the contract (reservation/room rental agreement, labor/supplier contract, technical support, reservation, promotional activity etc.) that we collect directly from you or via a booking platform/ travel agency or by filling in a paper or electronic reservation form as indicatively:
a) your contact details such as name, surname, gender, date of birth, ID/ passport number, nationality, postal or email address, phone number etc.

b) your payment information (cash, credit, debit cards or other means).
c) occasionally your health data about any special dietary requirements, allergies (e.g. breakfast), requirements by people with special needs (e.g. room location, accessibility of premises, etc.)
d) your facial images collected through our CCTV system at hotel reception, lobby, corridors or business center, which we retain for fifteen (15) days for the protection of persons and goods, which we subsequently destroy, except in cases of illegal actions that justify additional retention time.
e) cookies collected via our hotel website (See our separate Cookie Policy).

Purposes of collection and processing

We legally collect (according to article 6 of the GDPR), and process your personal data, according to the principles of legality, objectivity, transparency, proportionality and accountability. We also take all appropriate technical and organizational measures to protect your data (pseudonymization, anonymization, encryption, etc.). Each type of data processing by our company is legal. As the case may be it is based either a) on your express consent (for website cookies, publicity and marketing), b) on our existing contract (for hospitality, work, promotion etc), c) on our legitimate interest (for the installation of cameras for the safety of persons, prevention of theft and other illegal actions, protection of persons and goods), d) for our compliance with legal obligations (tax, social insurance, audit, etc.), in order to serve you and to constantly improve our services, with actions such as: a) the provision of telephone

answers to your questions, recommendations, complaints and observations b the advertising promotion of our services to our customers c) the defense of rights in courts and authorities and compliance with legal obligations, regulatory orders, court decisions etc.

Personal data transfers to third parties

For the above purposes, respecting the principles of proportionality and data minimization, we may exceptionally transmit, disclose, grant access to your personal data, to legally authorized third parties, in Greece and, exceptionally, within the European Economic Area (EEA), such as: a) to ministries, public services, social security, judicial and police authorities, etc., as long as this is required by law b) to our partners, such as travel agencies, booking websites, hotel software companies, camera installation companies, transport companies, data storage services (cloud providers, data centers), etc. c) to banks and financial institutions to settle our financial transactions. We assure you that our third-party partners are bound by us with Data Processing Agreements guaranteeing confidentiality and data protection in accordance with the GDPR. In addition, we do not use fully automated decision-making processes or process data of minors, other than those required for the execution of the room rental contract.

Your rights as a data subject

In accordance with the GDPR, you have the following rights:
a) to access and obtain copy of your personal data
b) to rectification or any inaccurate data
c) to object to the processing which may entail termination of our contractual relationship, as long as your consent is necessary for its continuation.

d) to erasure of your data, if they are no longer necessary for the execution of the contract, either they were processed illegally, or the deletion is required by law and they are not required to be kept for legal purposes (such as pending legal claims, labor, insurance, tax obligations, etc.)
e) to restrict processing

f) to data portability,
g) not to be subject to a decision based solely on automated decision.
h) to file a complaint to our company Data Protection Officer dpo@wave.gr and eventually to the Greek Data Protection Authority.

Information security

All your personal information stored in our database is protected by adequate technical and organizational measures as per the Infosec ISO 27001 standards. We will report to the competent Privacy Authority any unlawful violation of our database or any third-party data processing database to all relevant stakeholders as well as authorities within 72 hours of the violation.

Policy Changes

We reserve the right to modify this Privacy and Privacy Policy and our related practices at any time in light of any legislative or technological changes. In any case, we will inform you appropriately by publishing on our website any revised personal data protection statement. Last Change: 10.10.2024.

Back To Top