Privacy Policy

A. Object and Purpose of this Policy

Our company GRAND SARAI PRIVATE COMPANY respects your privacy and protects your personal data. For any issues related to this, you can contact us at the following details.



Business Registry No: 154095213000

Company Address: FOTOMARA K POTAMIANOU no. 3 P.C. 21100, Nafplio, Argolida


Phone: (+30) 2752022563

With this policy we aim to inform you about the personal data that we collect and process during our operations. The personal data concerning you are collected and kept for the necessary time, for defined, explicit and legal purposes described in detail below, are legally and fairly processed in a transparent manner always in accordance with the applicable legal framework and in a way that guarantees their integrity and confidentiality. This data is appropriate, relevant and not more than what is required in view of the above purposes, accurate and, if necessary, updated.

B. Concepts and Definitions

"Personal Data (PD)" means any information relating to an identified or identifiable natural person ("data subject"). Identifiable is a natural person whose identity can be ascertained, directly or indirectly, in particular by reference to an identity identifier, such as name, identity number, position data, online identity, or one or more factors that characterize the physical, physiological , genetic, psychological, economic, cultural or social identity of that natural person.

"Personal Data Processing" means any transaction or series of transactions performed with or without the use of automated means, in personal data or in personal data sets, such as collection, registration, organization, structure, storage, customization or alteration, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction of the data.

"Data Controller" is the natural or legal person, public authority, service or other body which, alone or in conjunction with others, determines the purposes and manner of processing personal data.

"Data Processor" means a natural or legal person, public authority, service or other entity that processes personal data on behalf of the controller.

"Consent" of the data subject: any indication of will, free, specific, explicit and fully aware, by which the data subject expresses his or her consent, by declaration or clear positive action, to the processing of personal data concern it

"Personal data breach" means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed

"Health data" means personal data relating to the physical or mental health of a natural person, including the provision of health care services, disclosing information relating to his or her state of health.

"Specific categories of personal data / Sensitive personal data" means personal data disclosing racial or ethnic origin, political beliefs, religious or philosophical beliefs or trade union affiliation, and the processing of genetic data, biometric data the indisputable identification of a person, data relating to health or data relating to the sexual life of a natural person or sexual orientation.

C. General Principles of Personal Data Processing

Our company GRAND SARAI IKE ensures that the personal data we process are:

  • PD are processed legally, fairly and transparently in relation to the Data Subject.
  • PD are collected for specific, clear and legitimate purposes.
  • PD are adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.
  • PD are accurate and, where necessary, up to date.
  • PD are maintained in a format that allows the Identification of Data Entities for a period not exceeding what is necessary for the purposes for which the PD are processed.
  • PD are processed in a way that ensures their proper safety.
  • PD are retained only for the period required for processing purposes. In some cases they can be stored for a longer period of time, especially if the processing of this data is deemed necessary for:

- the fulfillment of a legal obligation imposed by a provision of another law.

- the fulfillment of the duty of our company for the execution of a purpose of public interest.

- archiving for purposes of public interest, scientific or historical research

- for purposes relating to the protection of public health

- for statistical purposes

- to substantiate, rebut, exercise or support legal claims.

D. Legal Framework for the Protection of Personal Data

In addition to the General Regulation on the Protection of Personal Data of the European Parliament (2016/679) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, all applicable national laws concerning the processing and protection of personal data, but also the Instructions issued by the Authority for the Protection of Personal Data are implemented.

E. Purposes of Processing

According to the above legal framework, the personal data collected by the company GRAND SARAI PRIVATE COMPANY are used for the following processing purposes:

a) For the management of the room reservation as well as any other hosting service.

b) For the provision of accommodation services.

c) For the compliance of the Company with the Greek and European Law.

d) For the establishment, recognition, exercise or defense of a right and legal claims

(e) to comply with the health protocols under which tourism businesses operate in the context of measures taken against COVID-19 coronavirus.

F. Legal basis for processing personal data

The company GRAND SARAI PRIVATE COMPANY processes your personal data with transparency, according to the principles of legality, proportionality, confidentiality and integrity, limitation of purpose and accuracy, specific data retention time and data minimization.

The legal basis for the processing of your personal data may be:

a) the necessity of processing your data in the context of the execution of our contractual obligation or during the pre-contractual stage (GKPD art. 6§1b).

b) the need to process your data in the context of compliance with our legal obligation (GBP art. 6-1c)

c) the need to process your data in the context of safeguarding our legal interests (GBP art. 6§1f)

(d) the need for processing to comply with the health protocols under which tourism businesses operate in the context of measures against coronavirus COVID-19 (GBP art. 6-1c).


G.1 According to the above purposes, the company GRAND SARAI PRIVATE COMPANY collects and processes personal data, such as the following:

Personal data that are processed during the normal operation of the business: name, surname, father's and mother's name, age, date of birth, telephone, email, occupation, family details, ID card number, passport number, Tax Identification number, credit card number or IBAN.

Purposes / Legal basis of processing:

- Execution of a contract of which the subject is a contracting party (GDPR art. 6§1b).

- The need to process your data in the context of safeguarding the legal interests of the company GRAND SARAI PRIVATE COMPANY (GDPR art. 6§1f).

- Compliance with a legal obligation of the company GRAND SARAI PRIVATE COMPANY (GDPR art. 6§1c).

G.2. Special Categories of personal data

Customers: GRAND SARAI PRIVATE COMPANY may process data belonging to specific categories of personal data ("sensitive data"), such as data relating to eating habits, allergies, diseases, etc. GRAND SARAI PRIVATE COMPANY may also process health data in within the obligation to comply with National Legislation and the implementation of the Health Protocols, as they apply each time.

Purposes / Legal basis of processing in the above case:

- For the provision of accommodation services (GDPR art. 6§1b)

- Compliance with the health protocols under which tourism businesses operate in the context of taking measures against coronavirus COVID-19 (GDPR art. 6-1c)

G.3 Processing of personal data through a video surveillance system

The company GRAND SARAI PRIVATE COMPANY uses a video surveillance system for the purpose of protection of persons and goods. The processing is necessary for the purposes of legal interests pursued by the company as a Data Controller (article 6 par. 1 sub-paragraph f of the General Data Protection Regulation).

This processing is carried out for the purpose of protection of persons and goods and is justified by the legal interest and the legal obligation of the company, on the one hand to protect the space and the material goods located in the hotel area from illegal acts, and on the other for the safety of the lives and physical integrity of customers and employees, most commonly in the event of assault or theft. Furthermore, the company has an obligation to protect the property of the hotel customers (article 834 Greek Civil Code), as well as a legal interest to preserve its reputation as a safe place of accommodation. Therefore, the image data collected is about preventing illegal acts, protecting the property of the company and its customers, and safeguarding the safety of hotel employees and customers. In no case is the data collected used for the processing of third party data or the monitoring of third parties or the evaluation of the behavior or efficiency of employees.

H. Data Transmission

The entire workforce employed by the company GRAND SARAI PRIVATE COMPANY and processes your personal data is contractually bound by clauses of confidentiality and protection of the privacy of such data. At GRAND SARAI PRIVATE COMPANY it is part of our philosophy and our basic principle that we will not disclose your information to third parties for their own independent business or marketing purposes without your consent. 

However, we may disclose your information to the following entities:

  • Service providers and / or any third party that may perform the processing on our behalf. We may also disclose your information to companies that provide services on our behalf or on our behalf, such as accounting and tax companies, law firms, IT companies, etc.
  • For processors, such as booking providers (eg Booking, Expedia) or travel agents, they are contractually bound by the company to comply with security standards in accordance with applicable law, but may in this context transmit data outside the EU, in accordance with their posted Privacy Policies.
  • Public Bodies (eg National Public Health Organization), when explicitly provided by National Legislation.

Exceptionally, access to your personal data is allowed:

(a) to the judicial and prosecutorial authorities in the performance of their duties of their own motion or at the request of a third party invoking a legitimate interest and in accordance with legal procedures;

b) to other bodies of the Hellenic State, which based on their statutory provisions have such a right and competence.

I. Data Retention Time

We take reasonable steps to ensure that your personal data will only be retained for as long as necessary and for the purpose for which it was collected or for as long as required by contract or applicable law.

Tax records are maintained in accordance with tax legislation.

The data that are subject to processing through a video surveillance system are kept for fourteen (14) days, during which they are automatically deleted. In the event that during this period we find an incident, we isolate part of the video and keep it for another (1) month, in order to investigate the incident and initiate legal proceedings to defend our legal interests, while if the incident thirdly we will keep the video for up to three (3) more months.

J. Rights of Data Subjects

The company GRAND SARAI PRIVATE COMPANY ensures that data subjects can at any time exercise the rights recognized by law regarding the collection and processing of personal data. These rights are as follows:

  • The right of access to the data.
  • The right to rectification of the data.
  • The right to erasure ("right to be forgotten").
  • The right to restriction of processing.
  • The right to data portability.
  • The right to object to the processing of data.

Every request of any person / data subject shall be submitted to the company GRAND SARAI PRIVATE COMPANY, at the email address:

GRAND SARAI PRIVATE COMPANY will respond to your request free of charge, without delay and in any case within one month of receipt of the request, except in exceptional cases, whereas the above deadline may be extended by two more months, if required, taking into account its complexity of the request and / or the number of requests received. GRAND SARAI PRIVATE COMPANY will inform you of any extension within one month of receiving the request, as well as the reasons for the delay. 

In case the satisfaction of your request is impossible, the company will inform you within one month from the receipt of the request, for the relevant reasons and for the possibility to submit a complaint to the Personal Data Protection Authority, as well as for your right to appeal to the competent judicial authorities.

If your request is judged by GRAND SARAI PRIVATE COMPANY as manifestly unfounded or excessive, it may impose a reasonable and proportionate fee, taking into account the administrative costs for its satisfaction or refuse to follow up on your request.

JΑ. Data Controller Details

For any request regarding the processing of your personal data, according to the above, please contact us at:

JΒ. Right of complaint to the competent Authority.

In case you consider that the protection of personal data is affected in any way, you can appeal to the Personal Data Protection Authority (, 1-3 Kifissias Avenue, 115 23, Athens, +30 210 6475600, +30 210 6475628,

JC. Changes to this Policy

The company GRAND SARAI PRIVATE COMPANY may be solely revise at any time this Policy for reasons of compliance with regulatory changes or for operational purposes.

We urge you to refer regularly to this Policy in order to be informed about the way we manage and process your personal data.

This Policy was posted on 13.1.2022.