Smart Line Paphos

Privacy Policy

Last updated 23rd May 2018

Privacy Policy

At Mayfair Hotels Limited (hereinafter “we”, “us” or “our” or the “Company”) we are
committed to protect our clients’ privacy and handling their personal data in an open and
transparent manner.
The purpose of this privacy policy ("
Policy") is to provide a clear explanation of when, why
and how we collect and use personal data. We have designed it to be as user friendly as possible,
and have separate it in sections to make it easy for you to find the information that is most
relevant to you.
The new European Union (EU) Data Protection Law, the General Data Protection Regulation
(“GDPR”), comes into effect on 25
th of May 2018. The GDPR (EU) 2016/679 gives individuals
in the EU more control over how their data is used and places certain obligations on businesses
that process the information of those individuals. We have updated our Privacy Policy to reflect
the new requirements of the GDPR.

2. Who we are
Mayfair Hotels Limited is a company registered in Cyprus under registration number HE 34002
with its registered office located at 1 Pari Street, 8049, Paphos, Cyprus. The Company is the
owner of Mayfair Hotel and manages Mayfair Gardens apartments (which is owned by DKM
Estates Company Ltd) and operates in the field of hotel accommodation.

3. Who this privacy policy is directed to
This privacy policy is directed to natural persons (hereinafter our “clients”) who are either past,
current or potential clients, or are authorized representatives/agents of past, current or potential

4. Identity and contact details of the Data Controller and Data Protection Officer.
(a) Data Controller
Mayfair Hotels Limited, a Cyprus private limited liability company, having a registration
number HE 34002, is the «Data Controller» pursuant to the GDPR, and related Cyprus Law,
and determines how your personal data is kept and processed.
The main establishment and the central administration of the Data Controller is situated at 1
Pari Street, 8049, Paphos, Cyprus.

(b) Data Protection Officer (DPO)
We have designated a Data Protection Officer (DPO), who is responsible to monitor
compliance with this privacy policy as well as the applicable Laws and liaise with the Cyprus
Supervisory Authority, namely the Office of the Commissioner for Personal Data Protection.
The DPO may be contacted directly with regards to all matters concerning this policy and the
processing of your personal data including the enforcement of all applicable and available
Official requests may be made by post at 1 Pari Street, 8049, Paphos, Cyprus, or electronically

5. How do we collect personal data?
We collect and process Personal Data that have been provided directly by you such as when
you access and use our website, when you make a booking through our reservation system
directly or indirectly through a service provider. We may also collect and process personal data
which we lawfully obtain not only from our clients but also from third parties e.g. tour operators
that we have a contract with. We also collect and process certain browsing data from cookies,
which are pieces of data stored directly on the computer or mobile device that you are using.
Cookies allow us to collect data such as browser type, time spent on the Online Services, pages
visited, referring URL, language preferences, and other aggregated traffic data. We use the data
for security purposes, to facilitate navigation, to display data more effectively, to collect
statistical data, to personalize your experience while using the Online Services and to recognize
your computer to assist your use of the Online Services. We also gather statistical data about
use of the Online Services to continually improve design and functionality, understand how
they are used and assist us with resolving questions.

6. Categories of personal date that we collect.
We collect and use several types of information about you, including information by which
you may be personally identified and that is defined as personal data under applicable law such
as your first and last name, gender, address, telephone number, email address, credit and debit
card number or other payment data, date and place of birth and nationality, passport, visa or
other government-issued identification data.
Should there be a need to further process the personal data for a purpose other than that for
which they were initially collected, you will be informed about the additional purpose and the
relevant details in respect to the further processing.
With your explicit consent we may collect special categories of personal data. Pursuant to the
definition given by the GDPR, these data may include racial or ethnic origin, political opinions,
religious or philosophical beliefs, health data, trade union membership, the processing of
genetic data, biometric data, data concerning health, sex life or sexual orientation and criminal
We do not generally collect special categories of personal data unless it is volunteered by you
or unless we are required to do so pursuant to applicable laws or regulations. We may use

health data provided by you to serve you better and meet your particular needs (for example,
the provision of disability access).
In more limited circumstances, we also may collect images and video data via security cameras
located at the entrance and areas such as the gardens for security purposes in order to reduce
the risk arising from unauthorized access, theft e.t.c. For this purpose, we have placed signs
inside and outside of our premises in all prominent places that are clearly visible and readable
and convey appropriate information including the purpose for using security cameras and our
contact details.

7. Personal Information from Children
We do not knowingly collect and process personal data of persons under 16 years of age. As a
parent or legal guardian, please do not to allow your children to submit personal data. We
advise all visitors to our website and premises who are under the age of 16 to avoid disclosing
or providing any personal information to our service. In the event that we discover that a child
under the age of 16 has provided personal information to us, we shall delete the child's personal
information from our files, insofar as this is technically possible.

8. What lawful reasons do we have for collecting, processing and disclosing personal
In accordance with GDPR we may rely on the following lawful reasons when we collect and
process personal data to operate our business and provide our services:
Consent: We will rely on your consent to use (i) your Personal Data for marketing and
advertising purposes; (ii) your Personal Data for other purposes when we ask for your
consent separately from this privacy policy and for which the purpose of the process
does not relate to the services we offer to you. You have the right to withdraw consent
at any time. However, any processing of personal data will not be affected prior to the
receipt of the withdrawal.
Performance of contract: The use of your Personal Data for the purpose of providing
the services under our terms and conditions and any other contract that you have with
Compliance with legal obligation: We may collect and process your personal data in
order to meet our legal and regulatory obligations.
Legitimate interests- We may rely on legitimate interests based on our evaluation that
the processing is fair, reasonable and balanced. A legitimate interest is when we have a
business or commercial reason to use our clients’ information. Instances of such
processing activities can include, initiating legal claims, preparing our defense in
litigation procedures, initiating complaints to our regulator etc.

9. Why do we need Personal Data.
We aspire to be transparent when we collect and use personal data and tell you why we need
it, which typically includes:
To provide our services that you request including the following:
o To facilitate reservations, payment, send administrative information,
confirmations or pre-arrival messages, to assist you with meetings and events
and to provide you with other information about the area and the property at
which you are scheduled to visit.
o To complete your reservation and stay, for example, to process your payment,
ensure that your room is available and provide you with related customer
Maintaining legal records and accounts for the time periods required by
European/Cyprus law or where we need to comply with a legal or regulatory obligation;
To reply to your questions and requests.
To the extent that you have consented to being contacted for marketing purposes, we
will use your personal data for the purposes of providing you with email newsletters,
and any other marketing communication for the purposes of advertising and marketing
of our services;
Administering, maintaining and ensuring the security of our information systems;
To perform analyses and improvements on our website concerning our services.
To improve our marketing strategy.
To perform data analysis, audits, security and fraud monitoring and prevention
(including with the use of security cameras, card keys, and other security systems).

10. Do we share personal data with third parties?
In the course of our business relationship our clients’ personal data may be provided to
various departments within our Company.
In addition, the following third parties may also be the recipients of the personal data under
the certain circumstances:
Supervisory and other regulatory and public authorities, whereby a statutory
obligation exists that we are subject to.
Financial institutions in the context of receiving payments from our clients.
External auditors in the normal course of the audit of the Company’s financial
Insurance company for the purposes of handing a client’s claim.
Third parties to whom we may disclose Personal Data may have their own privacy policies
which describe how they use and protect Personal Data. If you want to learn more about their
privacy practices, we encourage you to visit the websites of those third parties.

11. Do we transfer your personal data outside the European Economic Area?
We store personal data on servers located in the European Economic Area (EEA). We may
transfer personal data to reputable third party organizations situated inside or outside the EEA
when we have a business reason to engage these organizations. Each organization is required
to safeguard personal data in accordance with our contractual obligations and data protection
You have the right to ask us for more information about the safeguards that we have put in
place. Contact us as set out in Section 16 if you would like further information or to request a
copy where the safeguards are documented (which may be redacted to ensure confidentiality).

12. Personal data security.
We have put in place appropriate technical and organisational measures including physical,
electronic and procedural measures to protect personal data from loss, misuse, alteration or
destruction. We restrict access to information at our offices so that only officers and/or
employees who need to know the information have access to it. Those individuals who have
access to the data are required to maintain the confidentiality of such information. In addition,
we have trained our employees on how to handle, manage and process personal data, applied
upgraded technical measures and transformed our policies and procedures in a way that will
comply with the GDPR. Images from security cameras are securely stored and only a limited
number of authorised persons may have access to them.
Please be aware that the transmission of data via the Internet is not completely secure. Users
should also take care with how they handle and disclose their personal data and should avoid
sending personal data through insecure email.

13, How long do we retain personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal, accounting, or reporting
We maintain a data retention policy which we apply to records in our care. When your personal
data is no longer required and we do not have a legal requirement to retain it, they will be
securely destroyed.
The personal data processed for the purposes of sending marketing material and newsletters
after you have provided your consent shall be kept with us until you notify us that you no longer
wish your personal data to be used for this purpose.

14. Do we change this privacy policy?
We may modify or revise our privacy policy from time to time to reflect our current privacy
practices. When we make changes to the privacy policy, we will revise the "updated" date at
the top of this page. We encourage you to periodically review this Privacy policy that can be
found at our website
to be informed about how Mayfair Hotels Limited is protecting your Personal Data.

15. What are your data protection rights?
Subject to the provisions of the GDPR, you have certain rights regarding the Personal Data we
collect, process or disclose and that is related to you, including the right:
To receive access to your personal data (right to access).
To rectify inaccurate personal data concerning you (right to data rectification);
to request deletion/ erasure of your personal data (right to erasure/deletion, “right to be

to receive the Personal Data provided by you in a structured, commonly used and
machine-readable format and to transmit those Personal Data to another data controller
(right to data portability);
to object to the use of your personal data where such use is based on our legitimate
interests or on public interests (right to object);
in some cases to request the restriction of processing of your personal data (right to
restriction of processing);
To withdraw the consent given to us with regard to the processing of your personal data
at any time. Note that any withdrawal of consent will not affect the lawfulness of
processing based on consent before it was withdrawn.
We may need to request specific information from you to help us confirm your identity and
ensure your right to access the information or to exercise any of your other rights. This helps
us to ensure that personal data is not disclosed to any person who has no right to receive it. No
fee is required to make a request unless your request is clearly unfounded or excessive.
Depending on the circumstances, we may be unable to comply with your request based on other
lawful grounds. We will try to respond to all legitimate requests within one month.
Occasionally it may take us longer than a month if your request is particularly complex or you
have made a number of requests. In this case, we will notify you and keep you updated.

16. How to raise a complaint
To exercise any of the above rights, or for any questions or complaints about our use of your
personal data, please contact our Data Protection Officer, either by post at Pari 1, 8064, Paphos,
Cyprus, or electronically at
Complaints may also be lodged to the supervisory authority in Cyprus (Office of the
Commissioner for Personal Data Protection, by post at 1 Iasonos Str. 1082, Nicosia, Republic
of Cyprus. More information can be found at


Copyright 2015 Smart Line Paphos