The societe anonyme under the name "ECALI TOURISM AND HOTELS ENTERPRISES S.A." (hereinafter referred to as “Ecali Club” or the “Company”) sets as high priority the protection of privacy and is committed to provide appropriate guarantees for the protection of the collected personal data. This Data Protection Policy provides information about the nature of personal data collected through the Company’s official website, www.ecali-club.gr, (hereinafter referred to as "Website") or through the contact e-mails, the data processing purposes, the way of managing data as well as the rights of data owners according to the General Data Protection Regulation (GDPR) EU 2016/679, the current Greek legislation and the Regulatory Acts of the Hellenic Data Protection Authority.
• Who is the Data Controller?

The Data Controller is the societe anonyme under the trade name "ECALI TOURISM AND HOTELS ENTERPRISES S.A." and the distinctive title “ECALI S.A.”, owner of the trade mark “Ecali Club”, located in Ecali Attica, 15 Lofou Str., post code 14578.

• What personal data do we collect and from which sources?

Ecali Club collects personal details of Website users, membership applicants, members and customers, such as name, surname, father’s name, home address, email, phone number etc., directly from the data subjects, who act voluntary, rather than through partners or other third parties, and particularly in the following cases:

i) When you submit a membership application or contact Ecali Club through the Website’s online form or the e-mail addresses [email protected]  entering data such as your first name, e-mail address and/or postal address, contact phone number or through a social media account. Please note that the membership application includes specific text fields (where applicants enter their data and edit text only if necessary) in order to ensure that only necessary data are collected for the defined processing purpose.

ii) When you voluntarily subscribe to the newsletter: you fill in your e-mail address in order to receive updates about social events, sports activities, membership offers and news of Ecali Club through the online platform Mailchimp, which guarantees the protection of e-mail addresses and the personal data of subscribers and is a member of the EU- US Privacy Shield.

iii) When you participate in social events, sports or other activities of Ecali Club. Ecali Club does not collect any personal data of children and provides services to them only prior to written consent of their legal guardians.

iv) When you visit the Website we use Cookies and Google Analytics to collect data in order to improve user’s experience and monitor the Website’s traffic and the pages you visit. For more information about Cookies used by the Website, read the Terms of Use.

v) When you visit the Website, the server logs your IP address into a log file, which is deemed personal data, even if we are unable to identify the data subject. Log files help us record information about the type of browser you are using and other information, such as the date and time of your visit on Website. The above data is stored up to thirty (30) days in order to ensure the network security and safety of data from accidental events and illegal or malicious conduct which may risk the availability, authenticity, integrity and confidentiality of the stored data and the operation of the Website. During the thirty (30) days period, only the authorized server administrator has access to the files. At the expiration of the above retention time, the data are automatically deleted.

vi) When members sing up/in the "Members area" of the Website and fill in personal details, such as name, e-mail, etc. in order to have access to special services, i.e. to the Ecali Club's monthly event program, members photo albums, participation in sports activities (e.g. tennis tournament) and also information about exclusive offers from Ecali Club's business partners.

The following data is stored in Members Area:

• Member ID (unique user ID)
• Password
• E-mail address
• Name
• Surname
• Telephone number
• Interests (options list of Business events, Exclusive events, Social events)
• Language and Time zone (mandatory fields for the system but not used or displayed)

In order to register in Members Area, the member fills in personal details, such as name, surname, e-mail address and phone number. The system administrator receives notice of the new registration and activates the user by entering the corresponding member number. The new user is informed about his/her account activation and the necessary credentials to log in to the system with his/her membership number and password.

• For what purposes do we collect your personal data?
Ecali Club collects personal data only to the extent that is necessary in relation to the processing purposes and these data are not subject to further processing in any incompatible way with the purpose originally collected. Ecali Club does not transmit or disclose in any way subject’s personal data to third parties except for specific cases and always in relation to the purpose for which were initially collected. These specific cases are mentioned in the following section.
We process your personal data for the following purposes:
i. In order to grant a member’s account for the applicant (member) so as to provide to him the agreed contractual services.

ii. In order to contact you upon your request or question or in case of comments through the Website and the social media accounts.

iii. In order to send you updates about Ecali Club’s events, new programs as well as its activities in general upon newsletter registration.

iv. In order to provide special services through the online Members Area upon the explicit consent of members.

v. In order to conduct reports about Ecali Club’s activities, provide financial reports, fulfill purposes of internal operations, financial auditing and commercial development, we process your data in non-identifiable form.

vi. In order to collect requests and receive feedback and suggestions from members and customers to optimize the quality of services provided in all Ecali Club’s action areas (membership service, catering, sports, social events, commercial activity, etc.).

vii. In order to retain historical archive and conduct statistical data about Ecali Club’s operations.

viii. In order to promote commercial activities to members, visitors and third parties in any way, by printed or electronic promotional material and marketing campaigns in social media.

ix. For public security purposes, Ecali Club has installed a closed-circuit television camera system (CCTV) in order to secure the entrance and ensure members and visitors safety in tis premises. Warning signs are used to inform the visitors about the cameras in the area while the records are retained only for safety reason and are deleted after fourteen (14) days.

x. In order to protect the legitimate interests of Ecali Club and its members, as well as to fulfill contractual or statutory obligations.

• Who are the recipients of your personal data?

The recipients of your personal data are the authorized employees who have access to your data and/or authorized external partners of Ecali Club, acting on behalf of Ecali Club, while all the aforementioned natural persons or legal entities are bound by confidentiality and protection of the personal data statements for the data they may receive and/or process in any way, always in accordance with the purpose for which the data were collected. As a rule, collected data are not disclosed to third parties under no circumstances, not made public and not be exploited in any way, except for specific third parties who are strictly mentioned in this Policy.

Ecali Club may transmit collected personal data, being processed according to the purposes of this Policy, to third parties in the following exceptional cases:

i. When it has obtained explicit consent from the data subjects to disclose their personal data.

ii. When transmitted to third parties, who process your personal data solely for the fulfillment of their obligations arising from their contractual relationship with Ecali Club, and from their capacity as Processors, provide guarantees regarding their compliance with the appropriate security measures enforced by the current legislation. Third-party providers may be natural persons or legal entities that provide consulting or applications development and maintenance services.

iii. When it complies with current legislation or orders of a Public or an Independent Administrative Authority.

iv. When it defends legitimate interests and the rights of Ecali Club and its members.

• Where and for how long do we keep your data?

Your data is stored in Ecali Club’s electronic system, hosted on a server within a specially configured and predefined computing center (hereinafter referred to as «Data Center»), which is located in the Greek territory. Server management is carried out by a service provider company bounded to apply all the appropriate methods and international best practices, ensuring that only its authorized personnel has access to the data collected by undertaking an explicit obligation of confidentiality and protection of personal data.

As a general principle, Ecali Club holds the subject's personal data in an identifiable form only for the absolute necessary period required. That is defined by the purposes of the processing for which they are collected, as well as the fulfillment of tax and other legal or contractual obligations of the Company. Each category of personal data has a different retention period. For instance, data processed under a contractual relationship are retained for a longer period, even after the fulfillment of the contract, in order to protect the Company’s and its members’ legitimate interests. In other cases, Ecali Club retains non-identifiable personal data for statistical and research purposes.

Retention periods are in compliance with the current legislation about Personal Data Protection, international best practices and the Ecali Club’s Retention Policy in order to minimize and erase the personal data collected.

• What guarantees do we take to protect your data?

Ecali Club is implementing the necessary technical and organizational security measures providing technical protection mechanisms of content in order to ensure as much as possible a safe environment for your data, according to the relevant legislative provisions. In this scope, the Company regularly monitors security systems and restricts access to the subject's personal data only to the authorized

personnel, who need to be aware of those data and are committed with confidentiality and personal data protection statements.

• What are your rights regarding the protection of your personal data and how can you exercise them?

In accordance with the General Data Protection Regulation (GDPR) EE 2016/679 (hereinafter “the Regulation”), you have the following rights regarding the personal data collected and processed by Ecali Club:

a. Right to Access: you are entitled to ask for access to your data being processed, the recipients of your data, the purpose of processing etc.

b. Right to Erasure (“the right to be forgotten”): you have the right to ask for rectification of inaccurate data or erasure of your data, under certain conditions according to the Regulation.

c. Right to Restriction of Processing: you have the right to ask from Ecali Club restriction of processing of your personal data in particular cases explicitly mentioned in the Regulation.

d. Right to Data Portability: you have the right to obtain your personal data provided to Ecali Club, in a structured commonly used and machine-readable format, according to the Hellenic Data Protection Security Guidelines.

e. Right to Object: you are entitled to object to the processing of your data any time.

f. Right to Lodge a Complaint: you have the right to lodge a complaint with the supervisory authority in case of unlawful processing of your data.

 

It is hereby clarified that Ecali Club can refuse the restriction or erasure of personal data processed in case it is necessary for the establishment, exercise or defense of its legitimate interests or the fulfillment of its obligations.

Ecali Club can provide you with a single copy of the personal data retained and being processed without charge, while it charges a reasonable fee for administrative costs in case the data subjects requires more copies. Additionally, exercising the right to data portability does not imply the erasure of your data, which is applied only in relation to the above paragraph and the specific requirements of the Regulation.

If you wish to exercise any of your rights above, or you have any questions in relation to our Privacy Policy, or you need assistance concerning the management of your personal data, you can contact directly our Data Protection Officer (DPO). Ecali Club will correspond to your requests within thirty (30) days from the date of submission. This period may be extended to sixty (60) additional days, upon your

prompt notice, if it is deemed necessary in Company’s sole discretion, taking into account the complexity and the amount of other relative requests.

• Data Protection Officer (DPO)

Ecali Club has appointed a DPO who is responsible for the implementation of the present Privacy Policy, the sub-policies and procedures applied by Ecali Club and the compliance with the current European and national legislation.

For any matter relating to the management of your personal data or in case you wish to exercise any of your rights above you can contact our DPO by sending an email to [email protected] or at the address 15, Lofou st.,14578, Ecali phone: +30 2103500016.

• Data Protection Supervisory Authority

The Greek supervisory authority monitoring the application of the Regulation is the Hellenic Data Protection Authority. You can directly contact the above authority, for personal data management issues through the following contact details:

by post: 1-3 Kifisias Av.,11523, Athens by phone: +30 2106475600
by e-mail: [email protected] Website: www.dpa.gr

• Amendments to Data Protection Policy

The present Policy, published on the Company’s Website (www.ecali-club.gr), aims at the protection of your privacy in the most effective way. Being respectful and dedicated to personal data protection, we thoroughly monitor the implementation and update our policies and procedures, aiming at continuous improvement of our operations as well as the development of new, best internationally recognized practices. This Policy may be modified at any time without prior notice of data subjects.
You are, therefore, advised to review it regularly in order to ensure you are aware of any modifications.