Olakala Privacy Policy

1. The administrator of your personal data is Olakala Travel, Hotel And Tourist Enterprises Vasileiou Gkioni S.A. based in Athens at ul. Nikopoleos 74, 10446 Athens, hereinafter referred to as the "Controller".

2. In matters related to the protection of personal data, you can contact the Administrator at the following e-mail address: contact@olakala.travel

1. This Policy sets out the rules for the processing of personal data by the Administrator:

o about people using tourist services offered by the Office,

o about users of the website www.olakala.travel (hereinafter referred to as the "Website"),

o people contacting the Office regarding offers, reservations or inquiries.

2. Data are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the Personal Data Protection Act and other applicable legal provisions.

3. 3. The Administrator processes data only to the extent and for the purpose specified in this Policy or in separate information made available to the data subject

The administrator may process the following personal data and for the following purposes:

a) Data transferred directly

• Name and surname, residential address, e-mail address, telephone number, date of birth - in order to conclude and perform a contract for the provision of tourist services, including: booking an event, confirming participation, issuing an invoice, contact before, during and after the event.

• Login details (user name, e-mail, password) – when creating an account or logging in to the Website.

• Payment data (e.g. bank account number) – to the extent necessary for payments and settlements.

• Other data of travelers or accompanying persons (e.g. passport/ID, health data, dietary requirements) - when they are necessary for the implementation of the tourist event.

b) Data collected automatically

• Technical data: IP address, browser type and version, operating system, referrals, time and date of visit, cookies and session analysis - to ensure the proper operation of the Website, statistics, security and optimization of the Website.

c) Purposes of processing

• Implementation of the contract for the provision of tourist services - including organization, reservation, service, contact before, during and after the event.

• Fulfillment of the Administrator's legal obligations (e.g. accounting, archiving documents, protection of participants in tourist events).

• Direct marketing of own services (if consent has been given) - sending offers, newsletters.

• Improving the functioning of the Website, profiling in the scope of improving the offer (only if the user has given separate consent).

• Ensuring the security of data processing, detecting abuses, preventing fraud.

The administrator processes personal data on one or more of the following legal bases:

• art. 6 section 1 letter b GDPR - processing necessary for the performance of a contract to which the data subject is a party, or to take action at the request of that person before concluding the contract;

• art. 6 section 1 letter c GDPR - processing necessary to fulfill the legal obligation imposed on the Administrator;

• art. 6 section 1 letter a GDPR - if the person voluntarily consented to the processing of their data for a specific purpose;

• art. 6 section 1 letter f GDPR - processing necessary for the purposes of the Administrator's legitimate interests - e.g. marketing of own services, improving the operation of the Website, preventing abuse.

1. Personal data may be shared:

• about entities providing payment, accounting, legal, transport, hotel services or other partners necessary to perform the travel contract;

• about entities processing data on behalf of the Administrator (e.g. providers of IT-hosting, analysis, marketing services) on the basis of an entrustment agreement;

• about state authorities to the extent required by law.

2. In the case of transfer of data outside the European Economic Area (EEA), the Administrator ensures an appropriate level of data protection, e.g. through standard contractual clauses or other means in accordance with the GDPR.

1. Data will be stored for the period necessary to achieve the purposes for which they are processed, including the performance of the contract and compliance with legal obligations.

2. After this period, the data will be deleted or anonymized, unless the law provides otherwise (e.g. the period of storage of accounting or tourist documents).

3. In the case of data processed on the basis of consent - until its withdrawal and possibly for the time required by law.

1. Pursuant to Regulation (EU) 2016/679 (GDPR) and Greek Law 4624/2019, each person whose data is processed by the Administrator has the following rights:

2. The right to access your personal data and obtain a copy of the data (Article 15 of the GDPR).

3. The right to rectify incorrect or incomplete data (Article 16 of the GDPR).

4. The right to delete data ("right to be forgotten") to the extent provided for by law (Article 17 of the GDPR).

5. The right to limit data processing (Article 18 of the GDPR).

6. The right to object to data processing, including profiling and direct marketing (Article 21 of the GDPR).

7. The right to transfer data in the case of data processing in an automated manner based on consent or contract (Article 20 of the GDPR).

8. The right to withdraw consent at any time - withdrawal does not affect the compliance of processing carried out before its withdrawal.

In the event of a violation of your rights related to the protection of personal data, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), the Greek supervisory authority:

HDPA contact details:

• Address: Kifisias 1 3, 115 23 Athens, Greece

• E-mail: info@dataprotection.gr

Telephone: +30 210 6475600

Website: https://www.dpa.gr

The Administrator undertakes to consider all applications or requests regarding the processing of personal data in accordance with the GDPR and Act 4624/2019.

1. Our Website uses cookies and may use similar technologies (e.g. web beacons, local storage) for the proper operation of the Website, traffic analysis, content personalization, and marketing.

2. Types of cookies:

• session – expire after the end of the browser session;

• permanent – remain on the user's device for a specified period of time or until they are manually deleted.

3. The Administrator explains that cookies do not always independently identify a natural person, but may be linked to other data.

4. The User may disable or limit the storage of cookies at any time by changing the browser settings - this may result in limitations in the functionality of the Website.

5. When using marketing, analytics or social media services, it may be necessary to express separate consent to the use of cookies or tracking technologies.

The Administrator applies appropriate organizational and technical measures to protect processed data against unauthorized access, disclosure, loss, replacement or destruction - in accordance with Art. 32 GDPR and Art. 24–25 GDPR.

In the event of an incident regarding a data breach ("data breach"), the Administrator will apply procedures for notifying the supervisory authority and - if required - data subjects, in accordance with Art. 33-34 GDPR and Greek regulations (Law 4624/2019).

The Administrator reserves the right to make changes to this Privacy Policy, especially in the case of:

• technology development,

• changes to generally applicable data protection laws,

• development or change of the services provided or the functionality of the Website.

The Administrator will inform users about significant changes through appropriate information on the Website or directly (e.g. by e-mail).

By using the Website or concluding a contract for the provision of tourist services with the Olakala.travel Travel Agency, you agree to the terms of data processing presented in this Policy. If you have any questions or requests regarding the processing of personal data, please contact the Administrator.