Privacy Policy
Table of Contents
- Introduction
- Personal Data Collection
- The Legal Basis for Processing your Personal Data
- Consent
- Data Use
- Transfer of Personal Data
- Security Safeguards
- Minors
- Personal Data Retention and Deletion
- Rights of Data Subjects
- Individual's Right of Access or Rectification
- Individual's Right to Erasure
- Individual's Right to Restrict Processing
- Individual's Right to Object
- Individual's Right to Data Portability
- Links to Other Websites
- Amendments
- Our Details
1. Introduction
This Website Privacy Policy (hereinafter referred to as the "Policy") pertains to Wavemaker Hospitality Limited, located at Stymfalidon Str., Wavemaker Hotel, Germasogeia River, 4046 Limassol, Cyprus (hereinafter referred to as "Wavemaker," "we," or "us"). At Wavemaker, safeguarding your privacy and protecting your personally identifiable information (hereinafter referred to as "Personal Data") is paramount. Our mission is to consistently surpass the expectations of our guests, both business and leisure travelers, by providing exceptional products and services. We are committed to tailoring our services to meet the individual needs of our guests while responsibly managing the Personal Data entrusted to us. Moreover, Wavemaker is dedicated to upholding your privacy rights and complying with the principles outlined in relevant data protection and privacy laws.
Additionally, Wavemaker is committed to safeguarding the Personal Data collected during your visits to our website and its utilization for our services, including booking and registration services. This Policy specifically addresses Wavemaker 's approach to protecting Personal Data and delineates our procedures for its collection, utilization, transfer, and retention concerning the Atlantica Hotels & Resorts website.
By consenting to this Policy and/or utilizing any of our products or services (such as registering for any of our offerings), you acknowledge and understand that we will collect and utilize your Personal Data as outlined in this Policy.
2. Personal Data Collection
Wavemaker gathers Personal Data from both our guests and website visitors to ensure we deliver an experience tailored to their expected preferences and requirements. This Personal Data may be acquired through various means, including:
- Meeting reservation or information requests,
- Enrolling in program memberships,
- Subscribing to newsletters,
- Applying for employment opportunities, or
- Responding to communications initiated by us (such as surveys, promotional offers, or reservation confirmations).
Reservations: During the reservation process, we may collect various types of Personal Data from you. This may encompass your complete name, residential and professional addresses, email address, telephone and fax numbers, date of birth, gender, as well as lifestyle details such as room preferences and leisure activities. Additionally, we may gather other appropriate information required to accommodate special occasions and fulfill specific requests. This could include details concerning health conditions necessitating special room arrangements, as well as any dietary preferences(religious or health related).
This information is required for us to meet your specific needs, preferences, and any special requests you may have during your stay with us. Rest assured, we handle this data with the utmost care and in compliance with applicable privacy laws and regulations.
To comply with legal requirements as well as to fulfill legitimate purposes, hotel will request from guests to provide ID or passport details upon their arrival. This is essential for ensuring the safety and security of guests and adhering to local regulations and facilitating necessary record-keeping procedures. Your cooperation in providing accurate identification and passport information is greatly appreciated and helps us maintain a safe and welcoming environment for all guests.
During the reservation process, you may also furnish Wavemaker with Personal Data, including the full names and dates of birth of other individuals, such as your companions. By supplying this information, you affirm and guarantee to us that you have obtained explicit permission from these individuals to do so. Furthermore, you confirm that these individuals are fully informed about, comprehend, and consent to the terms outlined in this Policy.
We typically do not collect what are referred to as "special categories of personal data," which includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sexual orientation, genetic data, or biometric data, unless it is voluntarily provided by you or unless we are obligated to do so by applicable laws or regulations. However, should you provide health-related data, we may utilize it to enhance our services and cater to your specific needs and requests.
For further insights into how your Personal Data is processed throughout the duration of your reservation or stay at a hotel managed by Wavemaker, please refer to our Privacy Notice to Guests.
Wavemaker may also collect non-personally identifiable information about you, such as your use of our websites, communication preferences, travel habits, aggregated data relative to your stays, and responses to promotional offers and surveys.
Information requests: To effectively address and manage your inquiries and requests, we may gather and retain your full name, email address, phone number, and any additional details you choose to share with us. This Personal Data is exclusively utilized to ensure thorough responses to your inquiries or requests and will not be shared with third parties, except as outlined in this Policy or when disclosure is mandated or permitted by law.
Membership Registration: When you register to become a member, we gather various types of Personal Data, including your full name, email address, date of birth, country, city, address, postal code, phone number, and mobile phone number. Through this registration process, website visitors also have the option to subscribe to our newsletter.
Subscribe to Newsletter: When you opt to subscribe to our newsletter, we collect specific types of Personal Data, including your full name, email address, and country.
Submit a Job Application: If you decide to apply for career opportunities at Wavemaker through our website, we encourage you to review our Applicant Privacy Notice (Job applicants Privacy Notice)
Surveys: From time to time, we may conduct customer surveys in which we may request demographic data or other personal information to enhance our services.
Social Media: If you opt to engage in Wavemaker -sponsored social media activities or offerings, we may gather certain information from your social media account, adhering to applicable privacy guidelines.
Your settings within the social media service, such as location, check-ins, activities, interests, photos, status updates and friend list. We may also allow you to enter into contests to provide photos, such as of your stay with us, which you may share with your connections on social media for votes, shared offers or other promotions.
3. The Legal Basis for Processing your Personal Data
We are dedicated to collecting and handling your Personal Data in strict compliance with applicable data protection regulations.
Wavemaker adheres to a strict policy where personal data processing is concerned. We only engage in processing personal data when a legal basis has been identified, ensuring that at least one of the following criteria is met:
- The individual/data subject has provided explicit consent for the processing of their personal data for one or more specific purposes.
- Processing is essential for the execution of a contract to which the individual is a party, or to take pre-contractual steps at the individual's request.
- Processing is necessary to comply with a legal obligation imposed on the data controller.
- Processing is necessary to protect the vital interests of the individual or another natural person.
- Processing is necessitated for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights and freedoms of the individual, particularly when the individual is a minor.
4. Consent
In our commitment to keeping you informed, we may reach out through various channels such as mail, email, telephone, or other means to provide updates on news, events, activities, new Wavemaker products and services, as well as upcoming special offers, enhancements, or other relevant information that may interest you. Additionally, you may receive communications from carefully selected third parties. We always provide the option to opt out of any or all of these communications by following the instructions included in our emails or other correspondences, or by directly contacting Wavemaker.
If you are a member of the Wavemaker loyalty card club, you can also adjust your communication preferences by updating your email settings within your individual membership profile.
Our aim is to ensure all our guests and visitors remain informed and have equal access to the benefits provided by Wavemaker and its strategic marketing partners.
Wavemaker includes, in any case, provisions for:
Wavemaker incorporates specific provisions to ensure:
- Clear determination of disclosures required to obtain valid consent.
- Presentation of consent requests in a manner distinct from other matters, in easily understandable and accessible formats, employing clear and straightforward language.
- Ensuring that consent is freely given, meaning it is not based on a contract that necessitates the processing of personal data beyond what is essential for contract performance.
- Documentation of the date, method, and content of disclosures made, along with the validity, scope, and voluntariness of consents provided.
- Provision of a straightforward method for data subjects to withdraw their consent at any time.
If you wish to gain further insight into the legal grounds upon which we process personal information, please do not hesitate to reach out to us. Additionally, if you have previously consented to our processing of your information and would like to withdraw this consent, you can easily do so by contacting us through the details provided in the "Our Details" section.
5. Data Use
Wavemaker is genuinely committed to transparency regarding the collection and utilization of personal data obtained from you or while interacting with our website, products, and services. We adhere to the principle of only requesting information when necessary and for specific purposes. Some of the primary reasons for collecting your Personal Data include:
- Providing essential services, such as processing transactions (e.g., making reservations, fulfilling information requests, or completing product orders).
- Engaging in marketing and communications activities related to Wavemaker 's products and services, as well as those offered by our strategic marketing partners and other trusted third parties.
- Conducting market research through surveys to enhance our services, improve website effectiveness, optimize your hotel experience, refine various communications, advertising campaigns, and promotional activities.
- Fulfilling obligations mandated by laws or regulations.
You will always have the option to decline the submission of your Personal Data or to specify your communication preferences. However, opting out may impact certain transactions. For instance, omitting your name will prevent the reservation process.
6. Transfer of Personal Data
Wavemaker reserves the right to disclose or share your Personal Data with various parties, including hotel owners of properties under our management, affiliated companies, external service providers, third-party vendors, tour operators, and travel agents. These disclosures are made as necessary to facilitate transactions with you, provide our services, manage our business operations, and address your inquiries or requests. Such sharing of data will adhere to appropriate safeguards, such as contractual agreements, data processing contracts, or intra-group disclosures, to ensure your privacy and data protection. Furthermore, we may disclose Personal Data when required to comply with legal obligations.
If you have provided consent for the use of your Personal Data for advertising and/or marketing purposes, we may share this information with third-party online service providers, which could be located outside of the EU.
It's important to note that as a general practice, Wavemaker does not engage in the sale, rental, or physical transfer of your Personal Data to others. However, there are specific situations in which Wavemaker may share or disclose your information with third parties. These situations include:
- With your explicit consent.
- When sharing or disclosing your information is necessary to provide you with desired products or services (e.g., a vacation package).
- When third-party companies or service providers engaged in business activities on behalf of Wavemaker require access to such information (e.g., credit card processing, customer support services, market research administration, or database management services).
- If a hotel previously managed by Wavemaker transitions to new management, and access to your Personal Data is required to ensure smooth business operations or fulfill contractual or legal obligations.
- If Wavemaker undergoes a merger or acquisition by another entity.
- To adhere to legal or regulatory requirements or obligations as mandated by applicable law or court orders.
- In emergency situations where immediate action is necessary to protect the life, health, or property of an individual.
When sharing information as described above, we strive to restrict the extent of information provided to only what is essential for fulfilling the specific purpose. Unless prohibited by legal requirements, we mandate third parties to safeguard your Personal Data and adhere to relevant privacy laws and regulations.
7. Security Safeguards
Wavemaker 's employees ensure that all polices are complied with and security measures are not circumvented. Any failings in information security should be reported to Our Details section.
Wavemaker places utmost importance on information security and continuously enhances our technical, physical, and organizational security protocols. Our owned websites and servers are equipped with comprehensive security measures to safeguard your personally identifiable information from loss, misuse, and unauthorized alteration while under our control.
While absolute security guarantees are unattainable, we employ a combination of organizational and technical safeguards to protect your information. These include the use of advanced encryption technologies, Palo Alto Firewalls (NGFWs), Prisma Access which will allow network traffic protection and secure hosts, containers, and functions across the application development lifecycle and software deployment to detect and respond to any potential threats. Wavemaker 's employees are required to adhere to all security policies and protocols, and any lapses in information security should be promptly reported to our designated contact in the "Our Details" section. Regular training is provided on cyber security matters.
8. Minors
Our website is designed for adult use, and we do not knowingly solicit or gather personal data from individuals under the age of 18. If we become aware of or are notified about the improper collection of a minor's personal information, we will take all commercially reasonable steps to promptly delete that information. However, in rare cases where we have campaigns or programs targeted towards children, information about data practices will be clearly outlined in the terms and conditions of the respective program or campaign.
9. Personal Data Retention and Deletion
Wavemaker is dedicated to retaining Personal Data only for the duration necessary to fulfil the intended purposes for which the data was obtained, and to meet any applicable legal and regulatory requirements. Once this period expires, we are committed to promptly erasing the Personal Data. However, in instances where there is a legitimate need for the continued use of Personal Data beyond this timeframe, such as for statistical, analytical, historical, or legitimate business purposes, we will implement appropriate measures to anonymize the data, ensuring that individual identities remain protected. This commitment reflects our ongoing dedication to responsible and transparent data management practices.
For further details on retention and deletion periods, you may contact us, contact details may be found hereafter, in section 19 ''our details''.
10. Rights of Data Subjects
This section of our policy covers the rights granted by Regulation (EU) 2016/679 and provides guidance on how data subjects can exercise these rights. For further clarification, please refer to the "Our Details" section.
11. Individual's Right of Access or Rectification
Wavemaker maintains the expectation that Personal Data collected directly from individuals will be accurate and comprehensive. Individuals can easily access and update their own Personal Data by utilizing the Data Subject Request Form.
12. Individual's Right to Erasure
The data subject has the right to request the deletion or removal of any information held about them. In such instances, any third parties processing or using that data must also adhere to the request. An erasure request can only be declined if an exemption is applicable. The Right to Erasure can be exercised through the Data Subject Request Form.
Wavemaker is required to erase personal data in the following circumstances:
- When the personal data is no longer necessary for the purposes for which it was collected or processed.
- If the data subject withdraws consent and there are no other legal grounds for processing.
- When the data subject objects to processing based on the Data Controller's legitimate interests, and there are no overriding legitimate grounds for processing.
- If the personal data has been unlawfully processed.
Upon receipt of a request to erase Personal Data from a data subject, after confirming the identity and ensuring that the request aligns with one of the aforementioned criteria without any opposing legal grounds for processing, Wavemaker must promptly delete the relevant data in its entirety. This request will be meticulously recorded in the Data Subject Request Log.
- If Wavemaker is unable to delete personal data, the company will take the following measures:
- Ensure that the personal data is not used to inform any decision regarding individuals or in any way that affects them.
- Restrict access to personal data, preventing any other organization from accessing it.
- Safeguard personal data with suitable technical and organizational security measures.
- Commit to permanently deleting the information if or when it becomes feasible to do so.
13. Individual's Right to Restrict Processing
The data subject can exercise the right to restrict the controller from processing by submitting a request through the Data Subject Request Form.
14. Individual's Right to Object
Individuals have the right to object at any time to processing of their personal data using the Data Subject Request Form.
15. Individual's Right to Data Portability
Upon request and provided that the relevant requirements stipulated in Article 20 of GDPR are met, a data subject should have the right to receive a copy of their Personal Data in a structured format using the Data Subject Request Form.
These requests are to be processed within one month, provided there is no undue burden, and it does not compromise the privacy of other individuals. A data subject may also request that their data be transferred directly to another system. This must be done for free.
If Wavemaker cannot respond fully to the request within 30 days, the DPO shall nevertheless provide the following information to the Data Subject, or its authorized legal representative within the specified time:
- An acknowledgement of receipt of the request.
- Any information located to date.
- Details of any requested information or modifications which will not be provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision.
- An estimated date by which any remaining responses will be provided.
- An estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature).
- The name and contact information of the contact person.
16. Links to Other Websites
To better serve your needs, Wavemaker offers links to other websites for your convenience and information. It's important to note that Wavemaker bears no responsibility or liability for any content provided by or contained within independent websites, including advertising claims or marketing practices. While we ensure the protection of your information on Wavemaker -owned and operated websites, we cannot oversee the privacy policies of third-party websites. This includes websites owned or controlled by independent partners, third-party owners of hotel, resort, interval ownership, or residence properties bearing the Wavemaker brand name, or unauthorized websites. Third-party websites accessed through links on our platforms maintain separate privacy and data collection practices, as well as security measures, for which we hold no responsibility or liability. We strongly encourage you to reach out to the administrators of such websites to inquire about their privacy practices, policies, and security measures before divulging any personally identifiable information. It is advisable to review the privacy statements and policies of linked websites to understand how they collect, use, and store information.
17. Amendments
Should Wavemaker choose to amend this Privacy Policy to accommodate changes in regulatory requirements, business demands, or to address the needs of our guests, properties, strategic marketing partners, and service providers, we will communicate these changes here. Updated versions will be published on our website and clearly dated, ensuring you are always aware of the latest version. In cases where the alterations are significant, we may also send email notifications to relevant users with the updated details. Furthermore, where necessary by law, we will seek your consent before implementing these changes.
The latest update of this policy was on: 01.11.2024
18. Our Details
- If you wish to update your information, customize your communication preferences, or unsubscribe from future marketing communications from Wavemaker, please feel free to contact the Wavemaker Hospitality Ltd DPO at any time:
- by e-mail: privacy@wavemakerhospitality.com
- by telephone: +357 25 883 516
- by fax: +357 25 883 566
- by writing to us at: Wavemaker Hospitality Limited, Stymfalidon 15, Potamos Yermasoyias, 4060 Limassol, Cyprus