GENERAL DATA PROTECTION POLICY

Last updated: 28 April 2025

Welcome to our website www.lillyapts.gr. At Lilly Apartments (hereinafter referred to as Company), the respect for and the protection of your personal data is a commitment. Therefore, this Policy is provided as an explanation of the information we collect, how we use it, and how the use of this information can benefit your experience on our premises and your digital experience on our website. Our mission is to consistently meet our guests’ expectations in terms of the services we provide to our business and leisure travelers.

Given that the protection of personal data is an ongoing responsibility, we will update and amend the present policy from time to time in order to comply with the relevant rules of applicable Greek and European data protection law. Updated versions will be posted to our website and date stamped so that you are always aware of when the last time our Privacy Policy updated was. Please visit our website www.lillyapts.gr to make sure that you are aware of any possible future changes.

 Who will process your personal data :

Lilly Apartments, a private family-owned apartment rental company that was envisioned and founded in 2022, as a controller of the processing of personal data, will use your personal data in order to elevate luxury holidays to a whole new level of indulgence by introducing an innovative experience in the area of Vouliagmeni (aka the Athens Riviera).

The Apartments are located at 15 Iasonos Str. Vouliagmeni, Athens, Greece. Zip: 16671, VAT: 801799976, Tax office KEFODE Attikis.

You can contact us by post at the above addresses, by e-mail at info@lillyapts.gr or by telephone at +30 694 537 5010 (GR).

Which are the purposes of the collection of your data :

We process your personal in accordance with the relevant legal framework, for the following purposes :

  • The effective management of your reservation: processing your request and fulfilling your room reservations and/or other purchases, contacting you for booking confirmations and other relevant services;
  • The improvement of our service quality: e.g. providing you with the appropriate customer-care to facilitate and address inquiries, comments and complaints about any of our services;
  • Compliance with the applicable national and European law: e.g. client identification, tax obligations, responding to requests from public and government authorities, meeting national security or law enforcement requirements.
  • Protecting the rights, privacy, safety, or property of ours clients, guests, visitors and other relevant individuals.
  • Communication with you through email, letter, sms or by telephone for the needs of your reservation to conduct our agreement properly.
  • Evaluating employment applications.
  • Processing of personal data for marketing purposes

 

Which are our sources for the collection of your Personal Data :

We collect personal data from:

  • Our customers themselves through the information they provide us in the context of our agreement for their reservation.
  • Visitors/users of our website in instances where the user willingly submits his/her personal data for the purpose of processing a specific request. During the use of our website cookies will be saved on your device used. For more information about our “Cookies Policy”.
  • Data from social media.
  • Telephone calls placed on our calling center. Your call and telephone number will be saved.
  • Closed-circuit TV camera (CCTV) and other security measures or technologies in our premises that can capture or record customer and visitor images and sound as well as items related to your location (via key cards and other technologies), to the extent permitted by law.
  • The submission of CV from people interested in working with us.
  • For promotional purposes for the promotion of our services, conducting competitions and lottery draws.

Categories of personal data that we collect and process :

The personal data collected and processed by the Company may differ according to the purpose for which they are collected and the type of our personal relation and agreement.

The personal data may be :

  1. Identification data :
  • personal data of our customers necessary for their reservation, e.g. first and last name, father’s name, identification/passport number, date of birth, place of birth, TIN number.
  1. Communication data :
  • telephone number, home address, email address.
  1. Payment data :
  • billing data e.g. IBAN, credit/debit card number.
  1. Data in relation to your reservation :
  • data related to services rendered at our facilities, such as reception services, gyms, spa, various activities, childcare services and equipment rental.
  • date of arrival/departure and room number.
  • preferences and interests, e.g. preferred floor, non-smoking room, bed type, cultural interests.
  • medical data related to your health, e.g. allergies, pathological disease data, etc.
  • data that may be considered sensitive such as your cultural interests, any health problems, smoking habits. For this reason, we retain such data only if we are required by applicable law or after your expressly consent in the context of rendering our services and recommendations, e.g. on specific diet.
  1. Fellow Travelers’ Data:

When you make a reservation for someone else through your booking, we will ask for personal data and travel preferences for that person. You should be granted with the other person’s consent before providing us with his/her personal data, as access to viewing data or any changes to his or her data will only be feasible through your account.

Data about people under the age of 18 is limited to name, nationality and date of birth and is provided only by a person with parental supervision. Lilly Apartments does not seek to obtain, nor does it wish to receive personal data directly from minors (i.e. under the age of 15) without their parental or legal guardian’s consent; however, we cannot always determine the age of persons who access and use our websites. If a minor (as defined by applicable law) provides us with his/her data without parental or guardian consent, we will not proceed with any data processing, unless the parent or guardian contacts us for that purpose..

  1. Data from the use of our website:

Through the browser cookies you use when use our site, in order to respond, promote, and accurately route your request. In this case, we may collect data concerning the type of browser you use for the purpose of managing our system and compile aggregate information about visitors to our website of pure statistical reasons that do not identify any physical person.

Lawfulness of processing :

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Transfer of data :

Your personal data we collect for the above-mentioned purposes will be processed from the various departments of our Company, in order to achieve the expected level of hospitality and the highest service rendered.

Furthermore, and always under strict, legal, transparent and due care and diligence proceeding and only when this is required for the performance of our agreement, your personal data may be shared to the following :

  • lawyers, consultants and insurance companies in order to defend and exercise our rights,
  • public, governmental and judicial authorities, including authorities outside your country of residence, to respond to their requests or to comply with national security or law enforcement requirements.

Retention Period of Personal Data :

The Company collects and processes personal data, both in paper and digital form, for the following periods:

  • the period during which our agreement/contract is in force. When the duration of the contract is completed, or the contract is for whatever reason terminated, the Company is obliged to retain the personal data until the statute of limitations for claims arising from the specific contractual relationship is reached, as provided for and regulated by the applicable legislative and regulatory framework, with a maximum period of twenty (20) years from the completion of the contract.
  • if for any reason the purpose for which the data was collected was not achieved, the Company will retain the personal data for up to three (3) years.
  • Recorded phone calls will be retained in archive for a period of six (6) months and CCTV material for up to twenty (20) days.
  • If a legal dispute is pending between the Company and the data subject, the data will be retained beyond the above processing periods and until the conclusion of the legal dispute with an irrevocable court decision.

Once the retention period is over, we will destroy your personal so it cannot be be restored or reconstructed. If printed on paper, personal data will be destroyed in a secure manner, for example by using a document destroyer or by incinerating the printed documents or otherwise and, if stored in digital form, the personal data will be destroyed by technical means in order to ensure that data cannot be restored or rebuilt later.

 

Your Rights :

         1. Under the current privacy protection legislation, you have the following rights:

i.Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients to whom the personal data have been or will be disclosed,

ii.Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and also have the right to have incomplete personal data completed.

iii. Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her when  the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

iv.Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where the accuracy of the personal data is contested by the data subject.

v.Right to data portability

The data subject shall have the right to receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

vi.Right to object

The data subject shall have the right to object at any time to processing of personal data concerning him or her. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

  1. In cases where the data subject objects or questions the personal data processed, he/she can contact the Company for providing explanations and or clarifications as to the data processed. For the exercise of your rights, you can contact the DPO of the Company via email at dpo@lillyapts.gr
  2. We want to clarify that at any time you can withdraw your consent to the process of your personal data that have been collected for the performance of the contract. Withdrawal of consent does not affect the legality of consent-based processing performed in the period before its revocation.
  3. In cases where your consent is the legal basis for the personal data process, withdrawal of your consent might result in the immediate termination of our contractual relationship and obligations, since we will no longer be able to process your personal data and provide you our services. If the withdrawal of your consent takes place before the contract is entered, the Company may decline to enter into the proposed agreement.
  4. Should you decide to exercise any of your above-mentioned rights (link), Lilly Apartments will take every necessary step to comply with your request within thirty (30) days of receipt of the request and respond to you in writing, informing you whether your request was met or there were reasons that hindered its application.
  5. In addition, in the event of exercising one or more of the above-mentioned rights of correction, deletion and restriction of your data, these requests shall also be forwarded to any third-party recipient to whom the personal information may have been disclosed in the scope of pursuance of the afore-mentioned processing purposes.

Processing of personal data for marketing purposes :

Subject to your express consent, the Company may collect, store and process data for the purpose of conducting marketing or promotional activities, sending you informational letters, advertisements and suggested special offers and benefits, invitations to events, optional participation in surveys, competitions and featured items, for research purposes regarding the quality of the services provided by it, for searches, statistical or demographic analysis. In order to achieve the above purpose, and always subject to your express consent, your data may be transferred to cooperating research and promotional companies. At any time, you have the right to object to the processing of your personal data for direct marketing purposes and consumer profiling and withdraw your consent.

Online technologies :

When you share your personal data with us, we take steps for their entire safety. For the purpose of the protection of  your personal data, we take physical, technical and organizational protection measures. We update and review the security technology we use on a sustained basis. We allow access to your personal data only to those employees who need to know this data in order to provide benefits or services to you. In addition, we are training our employees regarding the importance of confidentiality and of maintaining the privacy and security of your personal data. Among other things, we have implemented the following technical and organizational measures and procedures in order to protect your personal data from any loss, distortion, tampering or alteration:

  • encryption
  • detecting and managing security breaches
  • use of servers located in rooms with restricted access and subject to regular checks
  • use of information systems and programs for computers that are installed in such a manner that minimizes the use of personal data and/or user authentication data
  • adoption of individual procedures for the retention of personal data and their secure deletion/destruction
  • access to systems and databases on a need-to-know principle

 

Information Security :

Lilly apartments has already applied the necessary technical and organizational measures and if needed we are willing to take any further reasonable measure to: (i) protect personal information from unauthorized access, disclosure, alteration or destruction, and (ii) keep personal information accurate and up to date, as appropriate. Lilly Apartments owned website, and servers have security measures in place to help protect your personal data against loss, misuse, and alteration while under our control. Although “guaranteed security” does not exist either on or off the Internet, we safeguard your information using both procedural and technical safety measures including password controls and “firewalls”.

 

How can you submit a complaint or inform about the procession of your personal data :

For any matter concerning the processing of your data and in case you consider your personal data affected in any way, you may contact our Company DPO via telephone 694 537 5010, email to dpo@lillyapts.gr or by post to the Company’s address, 15 Iasonos Str. 16671 Vouliagmeni.

You can also contact the Greek national Personal Data Protection Authority, as follows:

Website: www.dpa.gr

Postal Address: 1-3 Kifissias Avenue, PC 115 23, Athens

Call Center: +30 210 6475600

Fax: +30 210 6475628

E-mail: contact@dpa.gr

Contact with us :

Please let us know if you have any questions, clarifications or concerns about this policy or our processing of your data. You can send us an email to dpo@lillyapts.gr or call (+30) 694 537 5010.