Privacy Policy

Scope of This Privacy Policy
This Privacy Policy shall be applicable to all Oniro Toroni Hotel’ premises and/or digital environments owned by Oniro Toroni Hotel or operated for Oniro Toroni Hotel, related to our activities. For any information regarding the terms and conditions governing the provision of hospitality services within all Oniro Toroni Hotel’ premises and/or digital environments owned by Oniro Toroni Hotel or operated for Oniro Toroni Hotel, please refer to the relevant Terms and Conditions available at https://oniro.me/terms-conditions/.

Where the terms “Oniro Toroni Hotel”, “Oniro”, “we”, “us”, or “our” are mentioned in this Privacy Policy, they shall refer to all Oniro Toroni Hotel.
Oniro Toroni Hotel is the Data Controller (except for specific cases mentioned in this Privacy Policy) and can be contacted at Toroni, Chalkidiki, PO 63072.
At Oniro Toroni Hotel, we guarantee our commitment to respecting and protecting your privacy, as well as safeguarding your personal data. Our vision and goal is the provision of services that exceed your highest expectations. Therefore, ONIRO with respect to the applicable national and European legal framework about data protection, especially the new European General Data Protection Regulation 2016/679 (GDPR) and the Greek Law Nr. 4624/2019, provides you hereby with a lawful, fair and transparent policy in order to inform you about the personal data we collect, how we use it, and how the use of this information can benefit your experience while visiting our premises and/or our online platforms.

We are dedicated to achieving transparency of the collection and use to your personal data, therefore we wish to provide you via this Privacy Policy with information about:

– what personal data we collect and how we use them;
– the purposes we process your personal data and the relevant legal basis under which we process your personal data;
– your rights related to your personal data.

This Privacy Policy aims to transparently inform you on the processing of your personal data, however it may not include all our processing activities as these constantly evolve. In case that a new processing activity is added, we shall endeavor to update this Privacy Policy and, in any case, we will provide you with the necessary information before you provide us with your data.
You can always find out more by contacting our Data Protection Officer at the contact details, as further described below (Your Rights).

What Personal Data we collect and how we use them
Α.Guests
A.1. Data collected for booking purposes

Online booking engine through our website:
If you decide to make a booking reservation through our website, we will collect your name and surname, address, city, country, telephone, email, any special requests you may have, preferred payment method, your credit card details (card type, card number, secure code, expiration date, card owner), arrival date and departure date as well as flight details in case of a transfer request.

Booking confirmation form:
If you contact us directly, to make a reservation, we will send you the booking confirmation form in order to provide us the necessary information, such as name and surname, address, telephone, email, preferred payment method, your credit card details (i.e. card type, card number, expiration date, card owner).

Third parties’ online booking engines and/or travel agents:
In this case, we receive an email confirming your booking, including information such as your name and surname,  country, preferred payment method, arrival date and departure date, flight details in case of transfer, any (family) members that will accompany you, any special requests (i.e. requirement for transportation, declaration of special preferences and/or allergies that we should be aware of).
Apart from the above, for the completion of your reservation, we may collect further information, such as your Tax Identification Number, Nationality, details of national identification documents (e.g. Identity, passport, driving license) etc.

A.1.1. Purposes of processing – legal basis
We collect your booking data in order to:

  • Process and complete your booking reservation:
    •    Process the payment of the relevant services, fees and charges. Our legal basis is that processing is necessary for the performance of a contract with you.
    •    Ensure the security of our financial transactions. Our legal basis is our legitimate interest.
    •    Collect and recover money owed to us. Our legal basis is our legitimate interest.
    •    Process your details in case of disputes. Our legal basis is our legitimate interest.
    •    Facilitate your booking and organize airport transfer, if you make a request for that. Our legal basis is that processing is necessary for the performance of a contract with you.
    •    Contact you to organize and facilitate your stay and your activities during your stay. Our legal basis is that processing is necessary for the performance of a contract with you.

A.2. Registration Data – Check-in procedure
Pre – Check-in procedure:
Ahead of your arrival at Oniro Toroni Hotel, you may provide us with the necessary information for your registration via our website. More specifically, during the pre-check – in procedure we collect personal data such as your name, surname, document information (type of document, document number, place and date of issue, date of expiry) as well as your contact data (e-mail, address data).

Check-in procedure:
During your arrival at Oniro Toroni Hotel, you will provide us with the necessary information for the check-in procedure. More specifically, we collect personal data such as your title, your first and last name, your language, your address (street, postcode, city, country), your nationality, Tax Identification Number, your telephone number, your email address, names of any (family) members that will accompany you and their date of  birth, your date of birth, passport/ID number, car plate, preferred payment method, your credit card details, arrival date and departure date as well room number.

Allergies/Special Preferences Declaration:
Allergies and special preferences may constitute in some cases sensitive personal data. We may collect such data only if you voluntarily provide us, or when we ask you to do so and you provide us your explicit consent.
If you wish to share with us your allergies or other preferences, in order to register this information in our systems and inform the relevant departments during your stay at our premises, we will ask you to provide us your consent to keep this data and subsequently inform adequately our a la carte restaurants and/or housekeeping department for your safety, convenience and esteemed personalized services. In such case, we will collect your name, surname, date of birth, arrival and departure date and room number, as well as any allergy or any preference request.

Communication channels (E-concierge services)
Moreover, upon your arrival at our premises, you may wish to benefit from our E-concierge services to contact us for any requests you may have during your stay and to have timely and easy access to useful information about our premises and services. In case you wish to contact us through communication platforms, we may collect your (as well as any further guests you add in the communication channel) phone number, name and room number, as well as any further information you provide us to facilitate your stay and serve your needs.

A.2.1. Purposes of processing – legal basis
We collect your registration data for:
•     Completion of the pre-check-in / check – in procedure. Our legal basis is that processing is necessary for the performance of a contract with you.
•    Completion of the registration procedure. Identification data is necessary in order to comply with our legal obligations
•     Serving your stay. Our legal basis is our legitimate interest. In case you wish to record your allergies/preferences information, we will proceed to relevant processing if you provide us your consent.
•     Facilitating administration. Our legal basis is our legitimate interest.
•    Facilitating payment procedure. Payment information is necessary in order to issue your invoice and comply with fiscal obligations.
•     Εnsuring the security of our financial transactions. Our legal basis is our legitimate interest.
•     Improving our services to offer you memorable stays. Our legal basis is our legitimate interest.
•     Offering you personalized services (regarding preferences etc.). Our legal basis is your prior consent, if provided.
•     For communication and marketing purposes including analyzing your travel and accommodation preferences in order to offer you tailor-made services. Our legal basis is your prior consent, if provided.
•     Promoting our special offers and goods, services or forthcoming events or promotions which may interest you. Our legal basis is your prior consent, if provided.
•     For communication with you, in the context of providing you useful information about our premises and services, as well as to meet any of your needs and requests. Our legal basis is the fulfillment of our contract and our legitimate interest.
•     Protection of the health of our guests and our employees. The processing of such information is necessary for reasons of public interest in the area of public health.

A.3. Room Service
In case you wish to submit an “In room Dinning” request, then your order (including food preferences and any allergies, if reported) along with your name and your room number will be collected. This information will be properly destroyed upon your departure.
If you submit any vocal room service order/request, the relevant department shall only keep your personal information for the execution of your request, which is properly destroyed onwards.

A.3.1. Purposes of processing – legal basis
We collect data you provide us via room service for:
•    Serving your stay. Our legal basis is the fulfillment of our contract and our legitimate interest. In case you wish to record your allergies/preferences information, we will proceed to relevant processing if you provide us your consent.

A.4. Restaurants’ Reservations Data
Reservation via our call center:
In case you wish to make a restaurant reservation through the reservations’ call center, we collect your name, surname, room number and any other special request you may have.

A.4.1. Purposes of processing – legal basis
We collect the data you provide us for Restaurant Reservations for:
•    The management of your reservations through the call center. Our legal basis is the fulfillment of our contract and our legitimate interest.

A.5. Personal Data when you visit our Spa/Gym Facilities
When you visit our Spa/ Gym facilities, we collect personal information which is necessary for the provision of our services.
•    During your registration we collect your name, surname, email address, signature and room number.
•    If you wish to enjoy our Spa treatments, then you need to provide us with all the above-mentioned data and necessary health information, through the completion of the treatment questionnaire (such as medication, allergies, possible pregnancies etc.), as it is included in our Consultation Form.
•    Moreover, if you buy products from us, we will process your retail sales data.

A.5.1. Purposes of processing – legal basis
We collect the data you provide us when you visit our Spa/Gym facilities for:
•    Completion of the registration procedure. Identification data is necessary for our legitimate interest to keep safe our guests and premises.
•    The provision of our services, via the completion of the treatment questionnaire in our Consultation Form. These data are necessary in order to maintain all safety and security measures during the provision of our services, for the protection of your, as well as our staff’s health. Such processing is based on your consent, if provided.
•    The completion of a transaction and invoicing. Our legal basis is that processing is necessary for the performance of a contract with you.
•    In order to send you newsletters, e-mails and news on our latest spa products and related offers. We will proceed to relevant processing if you provide us your consent.
•    Transferring your email address to our business cosmetics partners to receive communication about their news, latest product launches and offers. We will transfer your data, if you provide us your consent.

A.6. Personal data you provide in the course of Children/Sport Activities.

We collect and process minors’ (i.e. under the age of 18) personal data for their participation in different Children or Sport Activities as they are occasionally organized and held at Oniro Toroni Hotel. We do not collect these data directly from the minors, but from their legal guardians. In the context of Children/Sport Activities, personal data are being collected, indicatively, in the following cases:

Little Guests Services
If you provide us your and your children’s data during the provision of our Little Guests Services, we will use this information only for the purposes and under the legal bases that are analyzed below:
We collect personal data such as full name, parent/guardian’ s name, room number, date of arrival, date of departure, signature, age, to complete the booking for our childcare services, to appoint the child to the appropriate age group, to add the fee of childcare services to your hotel room account, to be able to contact the parent/legal guardian if needed, to monitor your child’s arrival and departure to and for the childcare premises or when your child does not attend two consecutive sessions. Our legal basis for processing all the information above is the performance of the contract among with us so that you enjoy our services as well as achieving compliance with our legal obligations, such as invoicing.
We may also collect special categories of personal data such as health information, particularly with regard to allergies or additional needs if stated about the child, for its’ own health and safety. Furthermore, we may collect information, such as if a child has any preexisting injuries, any kind of ongoing illness, treatment, medical treatments, limitations in movement or specific exercises etc, prior to the child’s participation. Our legal basis for processing this data is the parent’s/legal guardian’s prior explicit consent.

A.6.1. Purposes of processing – legal basis
We collect the data you provide us when your child is registered in our football academy for:
•   The completion of a transaction and invoicing purposes. Our legal basis is that processing is necessary for the performance of a contract with you.
•   Ensuring security. Our legal basis is the legitimate interest.

A.7. Children Consultancy services
We always endeavor to work with the best professionals to meet even the most difficult demands. In this respect, we work with “Carol Mae Consulting” to offer our guests baby and toddler advice program. If you wish to use this service, which helps families adjust their children’s sleep and behavioral routines to the holiday setting, we will not receive any personal information about you and your child. All personal data are shared directly to the Consultant by you. However, data that is absolutely necessary for invoicing purposes (i.e. your name, surname, room number and costs of the Consulting Services) shall be transferred by the Consultant to us. In any case, if you wish to express a request regarding relevant personal data, you can always address to our DPO contact details below and we will forward your request to Carol Mae Consulting.

A.7.1. Purposes of processing – legal basis
We collect data you provide via Kid’s Consultancy services for:
The completion of a transaction and invoicing purposes. Our legal basis is that processing is necessary for the performance of a contract with you.

A.8. Personal Data collected via Guests’ Questionnaires
For us, your feedback is valuable, as it helps us improve our services to you. You may at any point provide us with your feedback, by completing our Guest Questionnaires, at the booking reservation stage, during your stay as well as after your departure. If you wish to complete such Questionnaires we will collect and process the following information:  your name, surname, room number email, address, country, profession, arrival data, length of stay, data of birth.

A.8.1. Purposes of processing – legal basis
We collect the data you provide us through our Guests Questionnaires for:
Evaluating your experience, improving our services, as well as to further contact you (by any lawful means of communication, such us email, phone call, at the contact details you have provided us with) to discuss your experiences during your stay at our premises, handle with any complaints and improve and enhance services rendered to you in the future. Our legal basis is our legitimate interest.

A.9. Personal Data collected for Security reasons
Images/video
We collect, process and store images through our video- surveillance systems (“CCTV systems”), where installed, for security reasons, pursuant to the requirements and standards set by the national and union law for the retention of data, sound and images.
Security Reports/Forms
Reports or forms including personal data are being prepared by our Security department and whereupon are being completed and signed by you, for security reasons (i.e. incident reports, object lost reports, open safe list reports, forms concerning finding an object or authorizing you to open a safe box, etc.). Such reports or forms may include personal information, such as name, surname, room number, signature and passport or ID number and will be recorded only for security purposes.
Accident form
In case that an accident occurs in our premises, you will be requested to provide information such as your name, surname, date of birth, room number, duration of stay, as well as some additional information about the accident, such as the location of the incident, date and time of incident, it’s nature and any further relevant details.
A.9.1. Purposes of processing – legal basis
Our Security department collects data for:

  •  The operation of the CCTV system in order to guarantee the security of our employees, establishments and equipment. Our legal basis is the legitimate interest to protect the safety of our guests, employees and premises.
    ●    The creation of security reports or forms. Our legal basis is the legitimate interest to protect the safety of our guests, employees and premises.
    ●    To assess and investigate an accident/incident according to relevant internal procedures, for the proper handling of any legal issues arising onwards:
    ●   Transferring data to our insurance company. Our legal basis is your explicit consent, if provided.
    ●    Handling of the incident. Our legal basis is that processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.

A.10. Profiling
We may use your information in order to evaluate certain personal aspects relating to you as a client. However, we do not proceed to any decision on you, based solely on automated processing, including profiling, which may produce legal effects concerning you or which may similarly significantly affect you.
When we use profiling for the provision of tailor made offers and services (not wholly automated decision making), you always have the right to object to such processing (including profiling) that is related to direct marketing at any time by submitting your request to our DPO contact details, as further described below (Your Rights).
A.10.1. Purposes of processing – legal basis
We may use your personal data to:
●    Analyze aspects concerning your personal travelling preferences and interests. Our legal basis is the legitimate interest to provide services of higher quality to our guests.
●    Customize tailor made services ahead of, during or after your stay with us. Our legal basis is the legitimate interest to provide services of higher quality to our guests.
●    Provide you with direct marketing services. We will proceed to relevant processing if you provide us your consent.

  1. Data collected through our website or online platforms

B.1. Personal Data Collected via your registration to our Newsletter
When you register for receiving our newsletter, we collect and store your email address and if you wish you can submit your name, surname and country.

B.1.1. Purposes of processing – legal basis
We use data you provide us when you register to our Newsletter for:
●   Communication with you and sending you newsletters about our services, products and offers. We will proceed to relevant processing if you provide us with your consent.

B.2. Online Technologies
On the Oniro website, we may use cookies, invisible pixels, and web beacons to obtain information about you while visiting our websites. For more information on our use of cookies, please read our Website’s Cookies Policy.

  1. Job Applicants & Employees

C.1. Job Applicants
If you wish to apply for a job vacancy, we will collect and further process only the personal information which is necessary for the assessment of your suitability to the job position (e.g. name, surname, contact details, education, working experience etc.). We collect these data when you submit an application by any means (e.g. by sending an email to the Company’s email address, using recruitment platforms, accessing through the Company’s website), as well as through the documents you enclose with your application (e.g. CV, certifications, certificates etc.). Moreover, during the assessment of your application, we may use further questionnaires or personality tests which reveal information about you, in order to further evaluate your suitability for a particular job position, ensuring having obtained your prior consent. When you include into your application the contact details of your previous employers, we may contact them, so as to provide us with information about your position, collaboration with them and their evaluation for you.

C.1.1. Purposes of processing – legal basis
We collect your data in order to:
●    Assess your application. Our legal basis is our legitimate interest.
●    Maintain your CV and assess its suitability for relevant vacancies in AMEDION GROUP. Our legal basis is our legitimate interest.
●    Learn more about your personality. We will proceed to relevant processing if you provide us your consent.
●   Contact with your previous employers, so as to provide us with information about your position, collaboration with them and their evaluation for you. Our legal basis is our legitimate interest.
●   Send you communication on AMEDION GROUP educational seminars, programs and actions. We will proceed to relevant processing if you provide us your consent.

C.2. Employees
We collect and process personal information related to the employment relationship and the performance of your job requirements, as defined in the relevant agreement. Indicatively, such data may include the name, surname, forenames, date of birth, place of birth, gender, nationality, home address, e-mail address, contact telephone numbers, ID number, Tax Identification Number, Social Security Number and other insurance registry numbers, health booklet, criminal record (if required by the relevant position), work permit, bank account number (IBAN), CV, education diploma, health, marital status and data of depending members of the family, data on your education and training, on your working experience, as applicable for the exercise of our statutory obligations.
We always provide you with a relevant privacy notice as an Annex to our Agreement, respecting your privacy and your respective rights.

C.2.1. Purposes of processing – legal basis
We collect your data in order to:
●   Handle our contractual agreements. Our legal basis is the need to process your data in the context of our contractual obligation or during the pre-contractual stage.
●   Fulfill our legal obligations as employers. Our legal basis is the need to process your data in compliance with a legal obligation.
●   Use your photos to upload them to the website. We will proceed to relevant processing if you provide us your consent.
●   Comply with our legal obligations, as necessary for the protection of the public interest in the area of public health.

D.1. Personal Data of our business partners
If you are cooperating with us, we may process only the necessary data to fulfill our contractual agreement and serve our business relationship.  We shall only collect Company’s data and/or Company’s contact persons’ data which are not considered as personal data or information. We may use the email address that you voluntarily provide us to inform your company about our business news as part of our cooperation. However, you can always choose to unsubscribe from this business communication by clicking the unsubscribe button which is available in our communications.

D.1.1. Purposes of processing – legal basis
We may collect and process personal data of our business partners for the performance of our contractual agreements, compliance with our legal obligations, as well as protection of our legitimate interests (for more information, please read carefully our Terms and Conditions). We may use data you provide us as our business partners for:
●    Serving our business relationship. These data do not constitute personal data, in any case if personal data are being processed. Our legal basis is our legitimate interest.
●    Informing you and your company about our business news in the context of our cooperation. Our legal basis is our legitimate interest.

Special Categories of Personal Data – Sensitive Personal Data
When referring to the notions of “special categories of personal data” or “sensitive personal data”, they reflect the kind of personal information that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic data, biometric data which allows to uniquely identify a natural person, health data and/or data regarding sexual orientation. We may collect such data only if you voluntarily provide us, or when we ask you to do so and you provide us your explicit consent.
Minors Data
We do not seek or obtain personal data directly from minors (i.e. under the age of 18), instead we endeavor to collect such data from their legal guardian and when necessary we obtain relevant consent. However, as it is impossible to always determine the age of persons who access and use our websites, we encourage parents or guardians to contact us if they notice any case of unauthorized data provision by minors in order to exercise accordingly their rights such as deletion of their data.

Transfer of Personal Data
The personal information you provide us is being kept secured and safeguarded. We may share your information within our group – companies and public services for the above described purposes.
Furthermore, we may disclose your personal data to third parties (legal entities or individuals) which process your personal data under our written order and clarifications (Data Processors). We always guarantee that these third parties imply the same measures for the protection of your personal data and act only under our written orders with respect to your personal data.
More specifically, in the context of pursuance of the processing purposes, personal data may be transferred to:
• Third companies which provide us relevant services (e.g. hosting services, finance, legal or technical support, payroll, etc). In any case, all these companies are contractually bound with us in order to ensure the observance of confidentiality, as well as commitment to the data protection legislation.
• Companies in our Group, to the extent that this transfer is necessary for the pursuance of our purposes.
• Public authorities (Police, prosecuting authorities, tax authorities etc.) in the context of issuance of fines, or upon relevant request.
When information is transferred as afore-mentioned, we limit the extend of information that is being disclosed, to the strictly necessary for the performance of the specific purpose. In addition, given that some of our activities are processed by third-parties, we endeavor to ensure by contractual assurances that personal data processing is secure and fully compatible with this privacy policy.
When the transfer of data concerns a country outside the European Union (EU) or the European Economic Area (EEA), we always check whether:
• The Commission has issued an adequacy decision on the third country to which the transfer is addressed to.
• Appropriate safeguards are in place in accordance with the Regulation for the transfer of such data.
In any other case, the transfer to a third country is not allowed and we may not transfer personal data unless any of the specific derogations provided for in the Regulation apply (e.g. explicit consent of the data subject, upon informing him/her on the risks of the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support the legal claims and the vital interests of the subject etc.).

Third-Party Websites’ Disclaimer
We may provide hyperlinks to third-party websites as a convenience to our users; Oniro Toroni Hotel does not control third-party websites and is not responsible for the content of any linked-to third-party websites or any hyperlink in a linked-to website. We are not responsible for the privacy practices or the content of third-party websites.

Your Rights
At Oniro Toroni Hotel, we endeavor to protect and respect your rights, as set forth by General Data Protection Regulation, including more specifically:
(i) your right to be informed on the processing of your personal information (i.e. right of access) and to request and obtain further information on the processing applied;
(ii) your right to request for correction of their inaccurate personal data;
(iii) your right to request for deletion of personal information provided, unless prohibited by legitimate reasons;
(iv) your right to request for limitation of processing;
(v) your right to request for portability of your personal information; and
(vi) your right to objection/opposition to further processing thereof.
In these cases, ONIRO  will respond in writing within 30 days upon receipt and identification of the request.
In addition, in the event of exercising one or more of the above-mentioned rights of correction, deletion and restriction of your data, these requests shall also be forwarded to any third-party recipient to whom the personal information may have been disclosed in the scope of pursuance of the aforementioned processing purposes.

Data Protection Officer
In order to ensure that your personal information is being efficiently protected, Oniro Toroni Hotel have appointed a Data Protection Officer to whom data subjects may address their requests and questions in relation to this privacy policy, as follows:
Oniro Toroni Hotel,
Toroni, 63072 ,
tel: +30 2375051526,
email: [email protected]
In case you consider that we have not properly responded to your request, you can always contact the relevant Greek Data Protection Authority (www.dpa.gr).

Information Security
Although, no method of transmission over the Internet or method of electronic storage is 100 percent secure, at ONIRO we have taken all commercially reasonable measures and precautions in order to maintain your data accuracy and to ensure the appropriate use of information we collect about you, as well as to secure and protect your personal information from unauthorized access, while you enjoy products and services we provide you during your physical presence in our premises or your digital visits in our online environment, respectively.
Retention Period of Personal Data
Your personal data is retained for a predetermined and limited period depending on the purpose of processing, after the end of which, these personal data is being deleted from our files unless another retention period is required or permitted by applicable law.
Updates to the Privacy Policy
Oniro Toroni Hotel may amend this Privacy Policy from time to time in order to meet changes in the regulatory environment, business needs, or to satisfy the needs of our guests, properties, strategic marketing partners, and service providers. Updated versions will be uploaded to our website and date stamped so that you are always aware of when our Privacy Policy was last updated.
Revised: February 2024