The Controller

We hereby inform you that ATTICA HOLDINGS S.A., headquartered in Kallithea at the junction of 1-7 Lysikratous Street & Evripidou Street (hereinafter, "ATTICA GROUP"), for the purposes of carrying out its business activities, processes personal data provided in the context of the Seasmiles loyalty programme in accordance with applicable national law and European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation, hereinafter “Regulation”) as in force and, for this reason, acts as the controller of personal data of SEASMILES members who provide their data, including through the www.seasmiles.com website.

Data Protection Officer

For any matter concerning the processing of personal data, please contact us via e-mail at DPO@attica-group.com or via letter sent to the above postal address.

How and why do we use your personal data?

The ATTICA GROUP processes personal data in the context of the Seasmiles customer loyalty programme, as such data are provided during registration, as well as data generated from the use of a member card in the context of participation in the programme (ticket purchase data and data generated from purchases at sea and/or consumption during which a member card is shown and that corresponds to specific miles, subsequently ranking members in corresponding tiers according to the terms and conditions of the programme):

1. to execute the terms of the Seasmiles loyalty programme and provide the services and privileges of membership to the members 
2. to communicate – provided you have given the appropriate consent each time – general or personalised offers, tailored to your preferences 
3. to fulfil our obligations under law, such as when the relevant data is requested by the tax authorities in the context of audits or to serve its obligations and legitimate interests, such as in cases before regulatory, administrative or Judicial authorities, and to ensure that the member is an adult natural person and that the terms and conditions of the provision of the service, as accepted by the member, are met.

Legitimate reasons for processing personal data are:

(a) Performance of a contract to provide services and privileges to members of the Seasmiles customer loyalty program, who are rewarded with miles and privileges from their purchases.

(b) Compliance with a legal obligation, such as regulatory compliance for tax purposes.

(c) The consent provided by members under the specific conditions set by the legal framework so that ATTICA GROUP can communicate with them via messaging services such as Viber or WhatsApp regarding news, offers, and personalised updates.

Members are free to choose the channels of communication to be used by Attica Group to inform them or to request the termination of commercial communication online by sending an email to dpo@attica-group.com from the email they have declared in their account. Members can also terminate commercial communications by clicking on the "Unsubscribe" option located at the end of each electronic communication they receive.

Where are your data shared?

Regarding the data necessary for serving each of the above processing purposes and in the context of the competences of each recipient, the recipients of the member’s data may be

• Tax, auditing, regulatory, etc. authorities in case of a relevant audit: ATTICA GROUP may share members’ information with relevant agencies, law enforcement agencies, state authorities and other third parties, where our law allows for this, for the purpose of preventing or detecting criminal acts, to provide customer account data, etc.
• With an external partner, if and when the need arises, who technically supports the proper operation of the management platform we use internally for the programme.

The ATTICA GROUP has legally ensured that, regarding the latter case of the data processor on its behalf, the conditions are met and sufficient assurances are provided for the implementation of appropriate technical and organisational measures so that the processing of your personal data ensures the protection of your rights.
 

Personal data of members is not transferred to third countries outside the EU.

Data Storage Period

The period for which these personal data are stored in connection with the provision of the Seasmiles service lasts for as long as the service is provided to you, until the member requests his removal from the programme and for as long as may be required to establish, exercise, and/or support legal claims based on the contract.

For purposes of promoting products and services (marketing activities), your personal data is retained until your consent is withdrawn. You can withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent during the period prior its withdrawal.

Right to access:

You have the right to be made aware and verify the legitimacy of the processing. Thus, you have the right to access the data and receive additional information concerning its processing.

Right to rectification:

You have the right to study, rectify, update or modify your personal data by sending an e-mail to DPO@attica-group.com or a letter to the above postal address.

Right to erasure:

You have the right to request the erasure of your personal data when we process it on the basis of your consent or in order to protect our legitimate interests. In all other cases (for example, where there is a contract, an obligation to process personal data required by law, public interest), this right is subject to specific restrictions or does not exist, as the case may be.

Right to restriction of processing:

You have the right to request a restriction on the processing of your personal data in the following cases: (a) when you contest the accuracy of the personal data and until verification takes place; (b) when you oppose the erasure of personal data and request the restriction of their use instead of erasure; (c) when the personal data are not needed for processing purposes but are necessary for the foundation, exercise and support of legal claims; and (d) when you object to the processing and it is verified that there are legitimate reasons that concern us and supersede the reasons for which you oppose the processing.

Right to oppose processing:

You have the right to object at any time to the processing of your personal data where, as described above, it is necessary for the purposes of the legitimate interests we pursue as controllers, as well as for processing for direct marketing and consumer profiling purposes.

Right to portability:

You have the right to receive your personal data free of charge in a format that allows you to access, use, and edit them through commonly used editing methods. You also have the right to ask us, if technically feasible, to transfer the data directly to a different controller. Your right to do so applies to the data that you have provided to us and that is being processed by automated means based on the performance of a relevant contract.

Right to withdraw consent:

When processing is based on your consent, you have the right to withdraw it freely, without affecting the lawfulness of processing based on you consent before its withdrawal. 

In order to exercise any of the above rights, please contact us via e-mail at DPO@attica-group.com or via letter sent to the above postal address.

Right to complain to the HDPA

You have the right to submit a complaint to the Hellenic Data Protection Authority (www.dpa.gr ) via its portalhttps://eservices.dpa.gr/ by filling out the online form corresponding to the type of complaint.

We highlight that the provision of personal data is a requirement for the conclusion of a contract.

Profiling

Please be informed that, if you provide the relevant consent, automated processing and profiling takes place so that you can receive customised updates tailored to your preferences, based on the personal data collected for this purpose, in accordance with the special notification in the consent field. However, no decision is taken on the basis of this automated processing, which would fall under Article 22(1) of the Regulation.