1. Scope

This Privacy Policy describes how the AJAX HOTEL and its Affiliates (“we” or “us”) collects, uses, consults or otherwise processes an individual’s Personal Data.

For the purposes of GDPR, depending on the type of Personal Data processing described in this Privacy Policy, AJAX HOTEL may be operating as a sole or joint Controller. If operating as joint Controllers, both entities jointly determine the means and purposes of the processing of your Personal Data. What this means for you is that you can exercise your rights against either of the joint Controllers by contacting either company as set out below.

In some of the situations described in this Privacy Policy, the AJAX HOTEL in which you made a booking and/or stay will also process your data as a (joint or sole) Controller. The hotel will be solely responsible for the processing activities for which it is the sole Controller.

NICOLAOU BROS TOURIST ENTERPRISES LTD is a company incorporated under the laws of Cyprus, having its registered office at Ayias Zonis & Thessalonikis 1, NICOLAOU PENTADROMOS CENTER, floor 9, office 902, 3305 Limassol, Cyprus and is the owner of AJAX HOTEL.

We are committed to protecting the privacy of our customers and as well as the privacy of any other subjects we collaborate with.

This Privacy Policy is intended to inform you how we gather, define, and use Personal Data that you provide to us when using our website, when relying on our hospitality services, when you work or collaborate with us.

2. Guests

2.1 Hotel Booking Process

In the context of the hotel booking process we process your Personal Data for:

  • (i) enabling you to reserve a room of your choice in the hotel;
  • (ii) verifying the availability of the hotel and to administer the booking;
  • (iii) sending you a booking confirmation

The tables below provide details of the personal processed for the purposes stated above:

Processed data categories Source of data Ground for processing Recipients of data Retention period
Mandatory:
First name & Last name,
Email Address,
Date of arrival and departure, Payment card type, number and expiration date, Telephone number
Optional: Purpose of stay, Special requirements
  • From a direct booking with our hotel
  • Directly from you through our web site
  • Through the online booking channel, you used to make the booking Expedia, Booking, Hotelbeds, Bookcyprus, HRS, and other third-party online systems (affiliates of the above)
  • From your travel agent
  • From our call center
Processing is necessary in order to provide the services required by our guests, to improve the quality of our services and to ensure an easy communication with our guests due to the relation created.
  • Hotel Departments
  • Authorities (e.g police) if any legal obligations
  • 4 years from the booking date
  • Card details are deleted after the completion of the payment
2.2 Guest satisfaction surveys

We may send you guest satisfaction surveys by email during or after your stay to enable us to measure the performance of our hotels.

Processed data categories Source of data Ground for processing Recipients of data Retention period
Country of residence, Date of arrival and departure,

Email address, First name / Last name,

Room Type/ Terms Purpose of stay

Aging Group
  • During Check in process
Subject has consented to hotel for processing their data in order to follow up on the good performance /surveys.
  • Hotel usage only
  • 4 years from the date of the conduction of the survey
2.3 Hotel check-in and check-out

When staying at the hotel, we will collect and process your Personal Data for the purposes of:

  • (i) registering your arrival and departure at the hotel;
  • (ii) assigning you a key card to your room
  • (iii) obtaining a credit card guarantee or hotel deposit to ensure payment of your stay;
  • (iv) managing (and archiving) your hotel registration card;
  • (v) creating or updating your profile in our hotel management system;
  • (vi) assessing your eligibility for a room upgrade and managing this if applicable;
  • (vii) managing payment of your stay;
  • (viii) establishing, printing or sending an invoice for your stay;
  • (ix) Performance Survey
  • (x) Marketing purposes
  • (xi) Informing relevant departments accommodating all your needs and requirements during your stay

In the event you have booked a room in our hotel but do not show up – without cancelling – on the date of arrival communicated, we will process your Personal Data for the purposes of (i) cancelling your stay and any other reservation you may have made; and (ii) managing, processing and settling any outstanding payment that may be due.

Processed data categories Source of data Ground for processing Recipients of data Retention period
First name / Last name, of adult and co-guest(s),

DOB of all guests , passport numbers Nationality

Payment card type, cardholders name, number and expiration date,

Telephone number,

Email address,

Date of arrival and departure,

Occupation,

Purpose of visit

Special celebration
  • Directly from the guests during registering process
Processing is necessary to perform the agreed terms and conditions
  • Authorized hotel personnel to full fill the specific service
  • 4 years from the booking date
  • Card details are deleted after the completion of the payment
2.4 Hotel additional services and facilities to external guests

In our hotel you can benefit from additional services and facilities, such as banqueting (weddings, birthdays, christenings etc) conference facilities, spa services.

In the event you make use of additional services, your Personal Data may be processed to:

  • (i) in order to provide the chosen service
Processed data categories Source of data Ground for processing Recipients of data Retention period
First name / Last name, of adult and co-guest(s),

Telephone number,

Email address,

Date of function
  • Directly from guests
Processing is necessary to perform the agreed terms and conditions
  • Authorized hotel personnel to full fill the specific service
  • Based on guests authorization when completing relevant document

3. Social Media

3.1 Social Media and Online Reviews

We may process your Personal Data obtained through social media platforms (including Facebook, Instagram, LinkedIn and Twitter) or online reviews including TripAdvisor, Expedia, Booking.com, Hotelbeds, Bookcyprus, HRS, hotels.com and other third party online systems (affiliates of the above) concerning our hotel for the purposes of (i) addressing your questions or complaints; (ii) monitoring our online reputation; and (iii) improving our services and identifying opportunities on which we can focus.

Some of our social media pages allow users to submit their own content. Please remember that any content submitted to one of our social media pages can be viewed by the public, and you should be cautious about providing certain personal information (e.g., financial information or address details) via these platforms. We are not responsible for any actions taken by other individuals if you post personal information on one of our social media platforms (e.g., Facebook or Instagram). Please also refer to the respective privacy and cookie policies of the social media platforms you are using.

Processed data categories Source of data Ground for processing Recipients of data Retention period
Any Personal Data you may decide to share with us or publish on social media or in other online reviews about us
  • Directly from you through publicly accessible social media pages, online booking channels or other (review) websites
Subject has consented to Third Parties for processing their data
  • Other hotel entities involved
  • Online reputation monitoring service provider
  • Until subject opts out from the social media platform
3.2 Social media contests

From time to time, we may organize a contest on one of our social media pages. If you choose to participate in such contest, we will process your Personal Data for organizing and managing the social media contest and picking the winner(s).

Processed data categories Source of data Ground for processing Recipients of data Retention period
This depends on the data fields in the contest concerned, but almost always includes the following categories of data:

Address, Email address, First name / Last name, Telephone number
  • Directly from you through our social media pages
Processing is necessary to take steps to enter into and perform a contract (ie participate in contest) as you accept the terms and conditions of the contest.
  • Other hotel entities involved
  • Digital marketing agency
  • Until subject opts out from the contest

4. Subscription to Our Newsletters and marketing communications

4.1 Newsletters and marketing communications

If you have explicitly consented to receive our newsletters or marketing communications, we may, from time to time, contact you with information about our services and latest offers and process your Personal Data for this purpose.

If you no longer want to receive our newsletters or marketing communications, please let us know by sending us an email at administration@ajaxhotel.com. You can also unsubscribe from our marketing emails by clicking on the unsubscribe link in the emails sent to you.

Processed data categories Source of data Ground for processing Recipients of data Retention period
Name, Surname, Email Address, IP Address Directly from you when subscribing to our newsletter or later when completing your account Consent obtained during the subscription to our newsletter
  • IT service providers
  • Email communications service provider
  • Digital marketing agency
Until subject opts out from the subscription

5. Contractors

If you are a contractor or you provide us with any product or services, we will actively review the information we hold for you and delete it securely when are no longer need and after the termination of our engagement contract.

Processed data categories Source of data Ground for processing Recipients of data Retention period
Address, Email address, First name / Last name, Telephone number, Email address.

I-Ban number for payment
Directly from you when starting our collaboration Processing is necessary to take steps to enter into and perform a contract agreement
  • Authorized hotel personnel to full fill the specific service
  • 7 years after the termination of engagement contract

6. Employees

As your employer, AJAX HOTEL needs to keep and process information about you for normal employment purposes. The information we hold, and process will be used for management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment is terminated ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of AJAX HOTEL and protect our legal position in the event of legal proceedings.

*More information about the practices we use can be found on our Employee Privacy policy.

7. Closed Circuit Security System

AJAX HOTEL uses surveillance systems (both internally and externally) to protect the AJAX HOTEL property and to provide a safe and secure environment for clients, staff and visitors.

CCTV systems are installed (both internally and externally) in premises for the purpose of Company enhancing security of the building and its associated equipment as well as creating a mindfulness among the occupants, at any one time, that a surveillance security system is in operation within and/or in the external environments of the premises during both the daylight and night hours each day.

The processing of personal data occurs where living individuals are identifiable from recordings and the AJAX HOTEL ensures that this processing is compliant with the GDPR. The AJAX HOTEL takes into account the effect of surveillance systems on individuals and their privacy, with regular reviews to ensure their use remains justified.

Our CCTV and live surveillance monitors collect images of individuals who are within their range. Signs are placed at the entrance to the system’s zone and within each surveillance area.

The signs designate that:

These premises are under 24/7 CCTV surveillance for the purpose of crime prevention, safety and property security.

For communication: dpo@ajaxhotel.com or +357 25 590 000

Processed data categories Source of data Ground for processing Recipients of data Retention period
Images of employees and visitors Directly from you when you are entering each surveillance area. To prevent and deter crime

Assist in the prevention and detection of crime

Assist with the identification, apprehension and prosecution of criminal offenders

Monitor the security of the Company buildings and property
Access to the footage is restricted and will only be used to fulfil the purposes as stated above.

3rd parties: Police and other law enforcement agencies where the recordings will assist in a criminal investigation and or the prevention of terrorism and disorder after a written request
30 days

Installation of Cameras

The cameras are installed based on the guidelines provided from the office of the commissionaire of Personal Data Protection.

Disclosures of images to data subjects and to third parties

Disclosures of recordings are consistent with the purposes for which they were originally collected. Judgements about disclosures are made by the AJAX HOTEL and we have discretion to refuse any request without an overriding legal obligation, such as a court order or Data Subject Access Request. Disclosures include viewing recording or obtaining a copy of a recording. All viewings take place in a secure, restricted area to ensure that they are confidential.

An internal disclosure is a disclosure made to a member of staff who is not authorized to operate the equipment. In these instances, staff operating the systems are required to keep an internal disclosures log which will be reviewed by the Data Protection Officer.

An external disclosure is a disclosure made to a third party not employed by the Company. Third party requesters must complete a third-party request form and provide identification at the time of viewing or collection. The disclosure must be approved by the Data Protection Officer or another appointed staff member in their absence. These disclosures will only be made in instances where there is a legitimate emergency relating to a natural or man-made disaster or a violent crime. Third parties to whom we may disclose data include:

  • • Police and other law enforcement agencies where the recordings will assist in a criminal investigation and or the prevention of terrorism and disorder after a written request.

8. Your Rights – Under EU Privacy Law

GDPR grants specific rights, summarized below, which you can in principle exercise free of charge, subject to statutory exceptions. These rights may be limited, for example if fulfilling your request would reveal Personal Data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. To exercise any of your rights, you can file a request via email at dpo@ajaxhotel.com or by phone +357 25 590 000.

▪ Right to withdraw consent
Wherever we rely on your consent, you will be able to withdraw that consent at any time you choose and at your own initiative by logging in to your account on our website (if you have one) or by contacting us at dpo@ajaxhotel.com. The withdrawal of your consent will not affect the lawfulness of the collection and processing of your data based on your consent up until the moment where you withdraw your consent. Please note that we may have other legal grounds for processing your data for other purposes, such as those set out in this Privacy Policy.

▪ Right to access and rectify your data
You have the right to access, review, and rectify your Personal Data. You may be entitled to ask us for a copy of your information, to review or correct it if you wish to rectify any information like your name, email address, passwords and/or any other preferences, you can easily do so by logging in to your account on our website (if you have one) or by contacting us at dpo@ajaxhotel.com. You may also request a copy of the Personal Data processed as described in this Privacy Policy.

▪ Right to erasure
In accordance with EU Privacy Law, you have the right to erasure of your Personal Data processed by us as described in this Privacy Policy in case it is no longer needed for the purposes for which the Personal Data was initially collected or processed or in the event you have withdrawn your consent or objected to processing as described in this Privacy Policy and no other legal ground for processing applies. Should you wish to have your Personal Data erased, please file a request via email at dpo@ajaxhotel.com.

▪ Right to restriction of processing
Under certain circumstances described in EU Privacy Law, you may ask us to restrict the processing of your Personal Data. This is for example the case when you contest the accuracy of your Personal Data. In such event, we will restrict the processing until we can verify the accuracy of your data.

▪ Right to object to processing
Under certain circumstances described in EU Privacy Law, you may object to the processing of your Personal Data, including where your Personal Data is processed for direct marketing purposes.

▪ Right to data portability
Where you have provided your data directly to us and where the processing is carried out by automated means and based on your consent or the performance of a contract between you and us, you have the right to receive the Personal Data processed about you in a structured, commonly used and machine-readable format, and to transmit this data to another service provider.

9. Security Measures

Appropriate technical and organizational measures are implemented in order to ensure an appropriate level of security of your Personal Data, including but not limited to encryption techniques, physical and IT system access controls, obligations of confidentiality, etc.

In the event Personal Data is compromised as a result of a Personal Data Breach we will make the necessary notifications, as required under applicable laws.

10. What Rules Apply to Children?

Where physible, we do not knowingly collect or solicit Personal Data from anyone under the age of 18 or knowingly allow such persons to book a room in one of our hotels. Ajax hotel does not gather or process personal data of minors without prior consent from his or her parents or legal guardian.

11. How Is Your Personal Data Shared with Third Parties?

We only share or disclose information as described in this policy, including with Third Parties.

Your Personal Data will also be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of the Controller(s) legitimate interests in compliance with applicable laws.

How Long Will We Keep Your Personal Data?

Over and above of the retention periods mentioned on paragraphs (under section 2) we retain your Personal Data for as long as is required to fulfil the activities set out in this Privacy Policy, for as long as otherwise communicated to you or for as long as is permitted by applicable law. For example, we may retain your Personal Data if it is reasonably necessary to comply with any legal obligations, meet any regulatory requirements, resolve any disputes or litigation, or as otherwise needed to enforce this Privacy Policy and prevent fraud and abuse.

To determine the appropriate retention period for the information we collect from you, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which we process the Personal Data, and whether we can achieve those purposes through other means, and the applicable legal requirements.

12. Does This Privacy Policy Apply to Third Party Websites?

If you click on a link to a Third-Party website, you will be taken to a website we do not control, and our Privacy Policy will no longer be in effect. You’re browsing and interaction on any other website is subject to the terms of use and privacy and other policies of such Third-Party website. Read the privacy policies of other websites carefully. We are not responsible or liable for the information or content on such Third-Party websites.

13. What Happens If We Make Modifications to This Policy?

We reserve the right to modify and update this Privacy Policy from time to time. We will bring these changes to your attention should they be indicative of a fundamental change to the processing or be relevant to the nature of the processing or be relevant to you and impact your data protection rights.

14. Feedback/Complains/Contact Us

Questions, comments, remarks, requests or complaints regarding AJAX HOTEL and this Privacy Policy, are welcome and should be addressed to:

AJAX HOTEL
Tel: 25 590 000
Email: info@ajaxhotel.com

In most cases, we will ask that you put a complaint in writing. We will investigate your complaint and will generally respond to you in writing within 30 days of receipt. If we fail to respond or if you are otherwise dissatisfied with the response that you receive from us, you may have the right to make a complaint to the Supervisory Authority at:

Office address: Kypranoros 15, 1061 Nicosia
Postal address: P.O.Box 23378, 1682 Nicosia
Telephone: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy