Personal data protection statement

This Personal Data Protection Statement by Kiriacoulis Mediterranean shall apply from 25 May 2018, and it is based on the General Data Protection Regulation. This policy refers to all the Kiriacoulis Mediterranean group companies which may act as data collector.

Kiriacoulis Mediterranean shall process your personal data in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and national laws based on the said Regulation, with the application of appropriate technical and security measures for the protection of personal data against unauthorized access, misuse, detection, loss or destruction.

1. General information

This Statement describes what data we collect, how we process them, and for which purposes we use them, as well as your rights associated with your data.

In charge of data processing:

Kiriacoulis Mediterranean Cruises Shipping S.A., 7 Alimou Ave, 174 55, Alimos, Greece, VAT Nr: 094108579

Contact e-mail: [email protected]

If we use the services of external providers to process your personal data, this is processing (of personal data) by order, in which case we are also in charge of protecting your personal data.

2. Types of personal data we process

We use the following personal data:

Master data: Forename and surname, date of birth, country of birth, nationality, personal identification number, Tax number.

Address and contact information data: city, e-mail address, mobile phone number.

Other data: type of identity document, number of identity document, date of boarding, port of boarding, name of yacht or boat, number of skipper license, number of VHF license, credit card number, booking number, GPS coordinates of navigation.

3. Legal basis and purposes of personal data processing

All types of your personal data are processed based on:

a) Legal obligations – We process your personal data in accordance with the regulations in force, as well as for the purposes of notification and registration which we are obliged to perform in accordance with the regulations in force (e.g. the Ordinance on the conditions for conducting the activity of chartering of vessels with or without crew and the provision of guest accommodation services on vessels, concluding an agreement on the provision of chartering of vessels).

b) Fulfillment of agreement – We process your personal data for the purpose of fulfilling the agreement and contractual obligations we have concluded.

c) Consent – You have given us consent to process your personal data for the purposes of sending promotional offers and other business-related information, for the purpose of assessing satisfaction after the charter period, and for the purpose of contacting you.

d) Legitimate Interest of the Controller – All your data is processed for the purpose of meeting the obligations of the legislative body (e.g. Ordinance on the conditions for conducting the activity of chartering of vessels with or without crew and the provision of guest accommodation services on vessels) or for fulfilling contractual obligations and concluding agreements, e.g. Agreement on the provision of vessel chartering.

We collect personal data from our customers in person, at fairs, via websites, e-mails and by phone or we receive them from other chartering agencies.

4. Retention period

In principle, we shall delete your personal data upon termination of the contractual relationship and no later than the expiration of any legal requirements related to the retention of personal data.

5. Consent management

You can revoke your consent at any time. You can also, at any time, object to our processing of your personal data.

You can change your consent via a written request at the following address: Kiriacoulis Mediterranean Cruises Shipping S.A., 7 Alimou Ave, 174 55, Alimos, Greece or by e-mail at [email protected]. If you revoke the given consent, we will no longer use your data for the said purposes. If you wish to give your consent again, you are able to do so.

In the case of processing of your personal data that does not require your consent and that is necessary for the conclusion of an agreement with us or the fulfilment of the concluded agreement, or due to obligations we have under the law, if you do not provide us with these data, we will not be able to fulfil our contractual obligations towards you, nor will we be able to conclude an agreement with you.

6. Rights of data subjects

a) Right of access to data and information on processing personal data: i.e. whether the controller processes personal data of data subjects and, if the data are processed, the purpose of this processing, the categories of personal data in question, etc.

b) Right to rectification: If we process your personal data that are incomplete or inaccurate, you may ask us to correct or complete them at any time.

c) Right to erasure: You may ask us to delete your personal data if we have processed them illegally or if that processing represents disproportionate interference with your protected interests. Please note that in some cases immediate deletion is not possible, for example due to the archiving obligations laid down by law.

d) Right to data portability: You may ask us to provide you the data you have entrusted to us in a structured form, in a standard machine-readable format:

– If we process these data on the basis of consent you have given us and which you may revoke, or for the fulfillment of our agreement, and

– If the processing is done using automated processes.

e) Right to object: If we distribute your information for the purpose of performing a public interest task or a task of public bodies, or when upon the processing of your information we invoke our legitimate interests, you may file an objection against such data processing if there is an interest in protecting your data.

f) Right to object to competent authority: If you believe that upon processing your data we have violated Greek or European data protection regulations, please contact us to resolve any issues. You are certainly entitled to file a complaint with the Greek Data Protection Agency, or in the event of a change of the applicable regulations, with another body that will assume its jurisdiction, and starting from 25 May 2018 with the supervisory body within the EU.

h) Exercise of rights: If you wish to exercise any of the aforementioned rights, contact us using our contact information referred to in Article 1 of this Statement.

i) Identity confirmation: In case of doubt we can request additional information to verify your identity. This serves to protect your rights and private spheres.

j) Misuse of rights: If you exercise any of these rights too often and with obvious intent of misuse, we may charge you an administrative fee or decline to process your request.

k) Right of limitation of processing: You may request a limitation on processing your data:

– If you dispute the accuracy of your data during a period that allows us to verify these data.

– If the processing of your data was unlawful, but you refuse the deletion and instead ask for a limitation of use of this data.

– If we no longer need the data for the foreseen purposes, but you still need them for the realization of legal requirements or if an objection has been filed for processing these data.

7. Transfer of data to third parties

We shall keep your personal data and shall not disclose them or make them available to third parties except in the following cases:

– If you explicitly and in writing agree to disclose certain confidential data for a particular purpose or to a particular person.

– If the Ministry of the Interior or the competent State Attorney requires the data for the purposes of carrying out the tasks within their competence.

– If a court, attorneys or a notary public require the data for their proceedings, where the submission of such data is required in writing.

– If the Tax Administration, the Greek Pension Insurance Institute, and Greek Health Insurance Fund require the data on the basis of the legal obligations that the controller has towards them.

– If we are obliged to submit data to the Ministry of Maritime Affairs, Transport and Infrastructure.

8. Transfer of data to third countries

Transfer of data to third countries (countries outside the EU) is performed only:

– if there is a statutory obligation

– if the transfer is necessary for the fulfillment of contractual obligations

– if you have given your explicit consent

9. Use of digital services (website, applications)

We collect only those personal data that visitors of our official website voluntarily make available to us when submitting contact information, applying for jobs, using call back services, and filing complaint forms. These personal data are used confidentially and only for a specific purpose. The transfer of these personal data to third parties is not carried out, unless there is a statutory obligation or an order of the official body when such personal data may be forwarded to the competent authority. Access to the website is logged, and technical data such as website traffic, the operating system used, display resolution, time of visit, and the size of the transferred data are recorded on that occasion.

To improve our offer, the websites contain “cookies” that are stored on computers of the website visitors. The “cookie” storage can be prevented, but this can limit the offerings of the website. “Cookies” provide the ability to store typical preferences of website visitors, optimize technical processes, and continually improve the offering.

We have taken all technical and organizational measures to protect your data against loss, alteration, or access by third parties. In case you have any questions, please feel free to contact us and we will respond as soon as possible to your requests and queries and help you in exercising your rights.

Any changes to our policy on the protection of personal data shall be disclosed in our Personal Data Protection Statement and on our website, and you will be adequately informed about them.

10. Security statement

We have taken all reasonable steps to have in place appropriate security measures to protect your information.

11. Changes to this policy

Any changes to this Policy will be posted on our website or in our brochure and/or made available upon request.