Safe Hotels Protocol
PV_0001_Family Room Sharing Pool Garden View

CCTV Policy

CCTV Policy

Update on personal data processing through a video surveillance system


  1. Controller


The Controller shall be the société anonyme bearing the name “TOURIST ENTERPRISES OF THE SOUTH S.A.”, which is based in Kallithea, Rhodes, 6th kilometer, under GEMI no. 071289120000 and registered under VAT Reg. No. EL094038296 in the Tax Office of Rhodes, telephone number (+30) 22410 54400 and e-mail address


  1. Data Protection Officer


The Data Protection Officer shall be Maria Bouziou, daughter of Spyridonas, Athens lawyer (Athens Bar Association Reg. No. 39902


  1. Purpose of processing


The surveillance of the premises of the hotel unit aims at the protection of the facilities and the equipment contained therein (protection of property) as well as the protection of the individuals living or working within the premises thereof or just occasionally use some of the services offered within such facilities by the Controller (protection of individuals).


  1. Legal basis for the processing


The personal data processing through the video surveillance system is necessary for the purposes of legal interests pursued by the Controller (article 6 par. 1 point f of the General Data Protection Regulation 2016/679/EU).


  1. Legal interests of Controller


The legal interest of the Controller consists in the need to protect the premises of the hotel unit, managed by them, including the property located therein, against any unlawful acts, such as theft, non-authorized entry and vandalism, as well as against natural phenomena that are capable of causing damages, such as fire. Also, the Controller seeks to ensure through video surveillance the security, physical integrity, health and property of individuals who are within the premises of the hotel unit (employees, customers, associates, visitors).


The installation of a video surveillance system in entrances is a necessary means for the protection of the customers and premises of the hotel unit as the individuals and vehicles entering the hotel premises are recorded and checked. Based on the foregoing, in case of a suspicious or harmful event, the recourse to the recorded visual material is deemed necessary in order to prevent the occurrence of danger or find the persons who are liable.


The Controller collects image data exclusively from the premises, which are justifiably estimated to have an increased likelihood for commitment of illegal activities (data minimisation). Furthermore, the Controller declares that the data processing on their behalf through the video surveillance system does not extend to premises, where it may overly restrict the privacy of individuals, whose image is recorded.


  1. Recipients


The material recorded by the video surveillance system is accessible only from the personnel of the Controller that is authorized for that purpose. The Controller shall take all appropriate measures to ensure the security of the place where the material is stored. The material kept is not disclosed, communicated or transferred to any third party, except in the following exhaustive list of cases:


(a) to the competent judicial, prosecuting and police authorities where it includes data that is necessary for the investigation of an offence,

(b) to the competent judicial, prosecuting and police authorities where they lawfully request the data in performing their duties and

(c) to the victim or the perpetrator of an offence, where the data may constitute evidence of such offence.


  1. Period of storage


The Controller shall retain the personal data collected only for the time required to achieve the purpose of the processing (storage limitation). The video recordings shall be stored for a seven-day (7) period from the moment of the capture. Upon expiry of the above period, the video recordings shall be automatically deleted.


In the event that during the retention of personal data recorded (seven days from the moment of capture) an incident is identified or disclosed, the Controller shall isolate the part of the video, during which the incident in question takes place, and shall keep it (a) for thirty (30) business days, if the incident affects the legal interests of the Controller and (b) three (3) months, if the incident concerns the legal interests of a third-party.


  1. Rights of data subjects


The Controller ensures and enables the exercise of rights of the data subjects. In particular, as data subjects you have the right:


(a) to receive a notification from the Controller on whether your personal data is processed and, if so, access it (right of access);

(b) to request the deletion of personal data concerning you (right to erasure);

(c) to oppose at any time to the processing of the personal data concerning you (right to object);

(d) to request from the Controller to restrict the processing of the personal data concerning you (for example, you may request the erasure of all your data, except for the data you consider necessary to give rise or enforce your legal claims) (right to restriction).


As data subjects, you are entitled to exercise the above rights, by sending an e-mail to the address or a letter to our postal address indicated above.


In order to examine your requests effectively, you are asked to specify how long you have been in the range of the video surveillance system and to provide an image of yourself, to enable the detection of your own data and the concealment of the data of third parties shown in the videos. Alternatively, the Controller provides you the opportunity to visit their site, where the latter will show you images (photos or videos) in which you appear.


The Controller undertakes to satisfy the requests submitted according to the foregoing without any delay and, in any case, within a thirty-day (30) period from their submission. The Controller may extend the above period in order to satisfy the requests by sixty (60) more days, if the latter takes into account the complexity and number of requests to be processed. In any case, the Controller undertakes, within thirty (30) days from the receipt of the requests, to notify the data subjects of any given extension, as well as the specific reasons for the delay in the satisfaction of the respective rights.


  1. Right to file a complaint to a supervisory authority


In the event that you find that the processing of the personal data concerning you infringes the provisions of the General Data Protection Regulation (EU) 2016/679 of Law 4624/2019 and the implementing legislation thereof, you have the right to file a complaint to the competent Greek supervisory authority: Hellenic Data Protection Authority (1-3, Kifissias Ave. PC: 115 23, Athens,