Privacy Policy of the "CapTour" Project Website

You are here:

1. Scope of the Privacy Policy

This Privacy Policy aims to inform you in a transparent manner about the collection and further processing of personal data when you visit the CapTour – An initiative on Capitalising Tourism’s prospects of the region” (hereinafter referred to as the “Project”) project website, in compliance with the applicable national and EU legal framework governing the protection of personal data, in particular the EU General Data Protection Regulation [Regulation 2016/679 (GDPR), Laws 4623/2019 (A’134) and 4624/2019 (A’137)].


The full details of the Data Controller for the operation of this website are:

Hellenic Hoteliers Federation

Address: Stadiou 24, 105 64, Athens, Greece

Contact number:  210-33125356




2. Definitions


For the purposes of the Privacy Policy, the following terms are defined as following:
  • personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • special categories of personal data (or “sensitive personal data”): personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership as well as genetic data, biometric data which allows to uniquely identify a natural person, health data and/or data regarding sexual orientation.
  • processing: any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • anonymization: the processing of personal data in such a way that data can no longer be attributed to a particular data subject.
  • pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
  • consent: of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • applicable legislation: The provisions of the existing Greek, EU or other legislation which is applicable to the beneficiaries and regulate matters of data protection and privacy, such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation-GDPR) and any implementing laws, such as the Greek law 4624/2019, and Greek law 4623/2019.


3. Personal Data Collected – Purpose and legal basis of processing


By using this Website, only certain necessary information related to the traffic on the Website is collected, such as information contained in server log files (e.g. IP address), screen analysis, data about the browser used, the operating system and its settings, access time, as well as the user’s URL reference, data about the use of any mobile device, data identifying the device, its settings and the user’s location and cookies.

The purpose of the data processing is the proper and secure operation and management of the website, as well as the improvement of the services provided. The legal basis for such processing is the legitimate interest of the Data Controller, as the administrator of the Website within the framework of the Project (Article 6 par.1(f) GDPR).



4. Disclaimer for third-party websites

The Website may provide links that redirect the user to third-party websites. The administrators of the Website does not control these third-party websites and is not responsible for the content posted on them or any further links appearing on them, nor bear responsibility for the privacy practices of third parties or the content of third-party websites.



5. Transfer of personal data

No personal data and information of users/visitors is transferred in any way and for any reason to third parties not related to the project.


6. Data retention


Personal data collected and subject to further processing are stored only for as long as necessary in accordance with the purpose of the processing, after which they are deleted, unless a different retention period is provided or permitted by the applicable legislation.



7. Data Subjects’ rights

The users of the Website, as data subjects, may exercise the rights granted to them by law with regard to the collection and processing of their personal data. In particular, each data subject is entitled:

(1) to be informed about the processing of his/her personal data (i.e. the right of access) and to request and receive further information about the processing,

(2) to request the correction of inaccurate personal data,

(3) to request the deletion of his/her personal information, unless this is not permitted by law,

(4) to request restriction of the processing,

(5) to request portability of his or her personal data and

(6) to object to further processing of his/her personal data.

In order to exercise your rights you may contact us by email:

The Data Controller may refuse to fulfill, in whole or in part, a relevant request received from a data subject, only when this possibility is provided for by the applicable legislation.

In case you exercise any of the above rights, you will receive a detailed reply as soon as possible, and within the time limits set by the GDPR, i.e. one (1) month from the receipt of the request. This period may exceptionally be extended by two (2) more months if the request is complex or if there is a large number of requests pending.

For any complaint regarding this Privacy Policy or any privacy issue, in case you believe that we have not met your request, you may contact the Hellenic Data Protection Authority via the following link: .



8. Updates to the Privacy Policy

This Privacy Policy may be amended occasionally in order to comply with regulatory changes, and/or to optimize the functions and services provided. Updated versions will be posted with a relevant date indication.


Last update: September 2022