Follow us

Lindos Imperial Resort & Spa

Health & Safety Privacy Notice

Privacy Notice

 

on the Processing of Personal Data in the context of Declarations of Food Allergies and Intolerances

 

Privacy Notice on the Processing of Personal Data in the context of Declarations of Food Allergies and Intolerances

  1. Introduction

This Privacy Notice describes the processing of Personal Data carried out in the context of declarations of food allergies, intolerances or related dietary requirements of guests by the company IOANNIS MINETTOS S.A. which operates the hotel Lindos Imperial hereinafter referred to, for the sake of brevity, as the “COMPANY”, “we”, “us”, “our”.

This Privacy Notice concerns, in particular, the processing of Personal Data that takes place when a guest informs the hotel of a food allergy, intolerance or other related dietary requirement, for the purpose of safer organisation, preparation and provision of catering services during their stay.

This Privacy Notice is provided in accordance with Articles 13 and, where applicable, 14 of Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), as well as in accordance with the applicable national and EU legislation on the protection of personal data.

For the purposes of this Notice, “Data Protection Legislation” means all applicable national and EU provisions governing the processing of personal data, privacy and data security, including in particular the GDPR, Greek Law Law 4624/2019, as well as the applicable decisions, opinions, recommendations and guidelines of the competent national and European supervisory authorities.

  1. Data Controller

The Data Controller for the processing of Personal Data described in this Privacy Notice is the company:

IOANNIS MINETTOS S.A.
VAT No.: 094196409
Lindos Imperial
Kiotari, Rhodes, 85109, Greece
Tel.: +30 22440 29200 Hotel
Tel.: +30 22410 61786 Head Offices
Email: [email protected]
https://www.lindos-imperial.gr

The COMPANY acts as Data Controller for the processing of data relating to the receipt, recording, internal communication, use, retention and management of declarations of food allergies, intolerances or related dietary requirements of guests.

  1. Scope

This Privacy Notice concerns the processing of Personal Data carried out when a hotel guest declares a food allergy, intolerance or other related dietary requirement, so that the hotel may take, to the extent feasible, appropriate organisational and operational precautions when providing catering services.

This Privacy Notice applies in particular to:

  • guests staying at the hotel;
  • minor guests, where the declaration is made by a parent or legal guardian;
  • guests or visitors participating in meals, events or other catering services of the hotel;
  • any other natural person whose relevant dietary requirement is communicated to the hotel in the context of the provision of catering services.

This Privacy Notice does not concern the provision of medical services or the creation or maintenance of a medical file. The hotel does not carry out medical assessment, diagnosis or treatment and does not, as a standard practice, request medical documents, diagnoses or medical certificates.

  1. Personal Data we collect and process

In the context of declarations of food allergies or intolerances, the COMPANY may collect and process the following categories of Personal Data.

4.1 Identification details and connection with the stay

We may process basic identification and management details, such as:

  • full name;
  • room number;
  • date of submission of the declaration;
  • booking or stay details, only where necessary to link the declaration with the specific stay or service.

These details are used so that the declaration is associated with the correct person, room or booking and to avoid errors or confusion during the provision of catering services.

4.2 Information relating to food allergies or intolerances

We may process information that you choose to declare regarding food allergies, intolerances or related dietary requirements, such as, indicatively:

  • gluten;
  • dairy products;
  • eggs;
  • nuts;
  • fish;
  • shellfish;
  • soy;
  • any other food allergy or intolerance that you declare.

This information is collected in a limited form, preferably through predefined categories, in order to avoid excessive collection of medical or other sensitive information.

4.3 Additional information declared by the guest

In certain cases, you may provide us with additional information regarding your dietary requirement, where you consider this necessary for the safer management of your meals.

The COMPANY requests that only strictly necessary information be provided and not extensive medical history, diagnosis, medical certificate, medication or other information that is not necessary for the specific dietary management.

4.4 Special categories of data

Information relating to food allergies or intolerances may constitute health data and, therefore, a special category of Personal Data within the meaning of Article 9 GDPR.

For this reason, such processing is carried out only to the extent strictly necessary, for a specific purpose and with enhanced confidentiality and security measures.

  1. Purposes of processing and legal bases

The COMPANY processes your data in the context of declarations of food allergies or intolerances only for the purposes set out below.

5.1 Safer provision of catering services

We use the information you declare in order to be able, to the extent feasible, to organise, prepare and provide your meals with greater safety during your stay or your participation in the hotel’s catering services.

This processing includes, in particular, the receipt and recording of your declaration, its connection with your stay, room or booking, internal communication only to authorised staff members who need to know, and the taking of reasonable organisational measures to avoid the provision of foods that you have declared as being associated with an allergy or intolerance.

For basic identification and management details, such as name and room number, the processing is carried out on the basis of your consent and because it is necessary for the provision of the relevant service you request, namely performance of a contract under Article 6(1)(b) GDPR.

For information relating to food allergies or intolerances, the processing is based on your consent, which constitutes both the legal basis for the collection and use of the information and the necessary condition for processing it as a special category of data under Article 6(1)(a) and Article 9(2)(a) GDPR.

5.2 Management of complaint, incident, insurance matter or legal claim

If your declaration is connected with a complaint, incident, allegation, insurance investigation or potential legal claim, we may use the relevant data to investigate, manage and document the matter.

In such case, the data may be included in a separate complaint, incident, insurance or legal management file, with restricted access and a specific retention period.

This processing is carried out because the COMPANY has a legitimate and reasonable interest in managing complaints, incidents, disputes and claims and in protecting its rights and interests. Where the relevant information concerns special categories of data, the processing is carried out only to the extent necessary for the establishment, exercise or defence of legal claims: legitimate interest under Article 6(1)(f) GDPR and legal claims under Article 9(2)(f) GDPR.

  1. Optional nature of the declaration and consequences of non-provision

The declaration of a food allergy, intolerance or related dietary requirement is optional.

However, if you choose not to provide us with relevant information, or if you withdraw your consent for its processing, the COMPANY may not be able to take special precautions or specifically manage your meals in relation to the particular allergy or intolerance.

The non-provision of such information does not, in principle, affect your stay at the hotel, but it may affect the hotel’s ability to provide you with personalised or special dietary management.

  1. Explicit consent and right to withdraw consent

To the extent that the information you declare regarding food allergies or intolerances constitutes health data, its processing for the purpose of the safer provision of catering services is based on your explicit consent.

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Following withdrawal, the COMPANY will cease to process the relevant information for the purpose of special dietary management, unless there is another lawful basis for its retention or use, such as the management of a complaint, incident, insurance matter or legal claim.

  1. Sources and methods of data collection

The COMPANY collects the data described in this Privacy Notice primarily directly from you, through the relevant food allergy or intolerance declaration form or another dedicated notification mechanism.

Where applicable, the data may also be collected:

  • from a parent or legal guardian, where the declaration concerns a minor;
  • from a person acting on your behalf, where this is reasonable and necessary;
  • from a companion or member of the same booking, where the information is communicated in the context of the stay;
  • from a travel agent, tour operator or organiser, only where such communication is necessary and lawful;
  • from you orally, where you inform the competent staff directly.

Preferably, such information is collected directly from the data subject through a specific and separate procedure.

  1. Who has access to your data

Access to data concerning food allergies or intolerances is granted only to authorised persons who have a genuine need to know for the performance of their duties and only to the extent necessary for the relevant processing purpose.

Indicatively, access may be granted to:

  • reception staff
  • kitchen staff;
  • F&B staff;
  • restaurant staff;
  • room service staff;
  • competent operations or management personnel;
  • staff supporting the relevant booking or stay, only to the extent necessary;
  • competent persons responsible for managing complaints, incidents, insurance or legal matters, where required.

Access and internal communication are limited to the strictly necessary information and take place exclusively for the safer management of your meals or, where required, for the management of a complaint, incident, insurance matter or legal claim.

No more information is disclosed than is necessary for the specific purpose.

  1. Disclosure to third parties

The COMPANY does not disclose your information to third parties, unless this is necessary, lawful and proportionate in relation to the specific purpose.

Where applicable, your data may be disclosed to:

  • external partners or catering service providers acting on behalf of the COMPANY;
  • providers of information systems or support services;
  • insurance consultants or insurance companies, where there is a relevant incident or claim;
  • legal advisers or other professional advisers;
  • competent public, administrative, judicial or supervisory authorities, where this is required by law or is necessary for the protection of the COMPANY’s rights.

Where third-party providers process data on behalf of the COMPANY, they act as processors and are bound by appropriate contractual obligations of confidentiality, security and data protection.

  1. Where your Personal Data is stored

Your data may be stored:

  • in physical records;
  • in internal files of the competent department;
  • in protected electronic systems of the COMPANY;
  • in reservation, F&B or guest management systems, where this is necessary;
  • in communication or email records, only where necessary.

The COMPANY takes measures to ensure that data is stored securely, in a controlled manner and with access restricted only to persons who need access.

  1. Transfers to third countries outside the EU / EEA

As a rule, the processing of the data described in this Privacy Notice takes place within the European Union or the European Economic Area.

If a transfer of data to a third country or international organisation outside the EU/EEA is required, the transfer will take place only where the conditions of the GDPR are met, such as, in particular:

  • the existence of an adequacy decision by the European Commission;
  • the use of standard contractual clauses;
  • the application of binding corporate rules;
  • or another lawful transfer mechanism.
  1. Data security

The COMPANY applies appropriate technical and organisational measures to protect your data against unauthorised or unlawful access, use, disclosure, alteration, loss or destruction.

Indicatively, these measures may include:

  • access restrictions based on role and need to know;
  • classification of the information as confidential;
  • use of protected electronic systems;
  • secure storage of physical documents;
  • passwords and authentication mechanisms;
  • secure internal transmission;
  • clean desk and secure printing policies;
  • staff training;
  • confidentiality clauses;
  • secure deletion or destruction procedures;
  • security incident management procedures.

Given that information relating to food allergies or intolerances may constitute health data, the COMPANY takes enhanced care to ensure confidentiality and restriction of access to such information.

  1. Data retention period

The COMPANY retains the data included in the declaration of food allergies or intolerances only for as long as necessary for the purposes for which it was collected.

After the end of the stay or the relevant service, declarations of food allergies or intolerances are retained for a period of up to [five (5) years], exclusively for the purposes of documenting, investigating or managing any subsequent complaint, incident, insurance matter or claim, as well as for the establishment, exercise or defence of the COMPANY’s rights and legitimate interests.

The COMPANY is not in a position to know in advance whether and when the data subject or a third party will submit a related complaint or claim. For this reason, the retention of the relevant declarations for the above period is considered necessary and proportionate, provided that the data is kept in a restricted and secure environment, with access only by persons who have a genuine need to know.

If, before the expiry of the above retention period, the declaration is connected with an incident, complaint, allegation, insurance investigation or legal claim, the relevant data may be included in a separate complaint, incident, insurance or legal management file and retained for a longer period, to the extent necessary for the management and completion of the relevant case.

After the applicable retention period expires, the data is securely deleted, destroyed or anonymised, unless further retention is required or permitted by applicable law.

  1. Automated decision-making

No decision concerning you is made solely on the basis of automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

  1. Your rights

Subject to the conditions of applicable law, you have the following rights in relation to the Personal Data concerning you:

  • right to be informed;
  • right of access to your data;
  • right to rectification of inaccurate or incomplete data;
  • right to erasure, where provided for by law;
  • right to restriction of processing;
  • right to data portability, where applicable;
  • right to object, where processing is based on legitimate interest;
  • right to withdraw consent, where processing is based on consent;
  • right to lodge a complaint with the competent supervisory authority.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

  1. How to exercise your rights

To exercise your rights or for any question regarding the processing of your Personal Data, you may contact the Data Protection Officer at:

[email protected]

The COMPANY makes every effort to respond to your requests within one (1) month from receipt and identification of the request. This period may be extended in accordance with the law, where required due to the complexity or number of requests.

  1. Right to lodge a complaint

If you consider that the processing of Personal Data concerning you violates applicable law, you have the right to lodge a complaint with the competent supervisory authority:

Hellenic Data Protection Authority
Kifisias 1-3, 115 23 Athens, Greece
Tel.: +30 210 6475600
Email: [email protected]

  1. Data Protection Officer

The COMPANY has appointed a Data Protection Officer, who may be contacted at the following email address:

[email protected]

  1. Changes to this Privacy Notice

The COMPANY reserves the right to revise and update this Privacy Notice in order to reflect changes in processing practices, the services provided or the applicable legislative and regulatory framework.

The updated version of this Privacy Notice will be available on the COMPANY’s website and/or by other appropriate means.

Where material changes are made to this Privacy Notice, the date of the last update will also be amended.

Last Updated: 01.04.2026