Privacy Policy

Atrium Hotels & Resorts respects your privacy and is committed to protecting your personal data. This Privacy Policy / Privacy Notice explains how we collect, use, store, disclose and otherwise process personal data when you interact with us before, during or after your stay, including through our website, mobile application, online booking services, guest registration forms, hotel facilities, concierge services, restaurant reservations, room-service ordering, guest satisfaction surveys, activities, excursions, lessons, transfers or other services.

This Privacy Notice applies both online and offline. It applies to our website, mobile application, digital services, guest registration process and hotel-stay experience.

We process personal data in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), and applicable Greek data-protection legislation.

This Privacy Notice does not mean that all processing is based on your consent. Where processing is based on consent, we will request your consent separately and you may withdraw it at any time. In other cases, we may process personal data because it is necessary for a contract, required by law, necessary for our legitimate interests, necessary for legal claims, or otherwise permitted under applicable law.

For the purposes of this Privacy Notice, references to “Atrium Hotels & Resorts”, “we”, “us” or “our” mean, as applicable depending on the hotel, service, booking or interaction concerned, one or both of the following legal entities:

1. XENODOCHIAKES TOURISTIKES EPICHIRISIS S.A. “PRESIDENTIAL”, Ixia Beach, 85133 Rhodes, Greece, owner of Atrium Platinum; and

2. XENODOCHIAKES TOURISTIKES EPICHIRISIS NOTIOANATOLIKIS RODOU S.A. “ATRIUM PALACE”, Kalathos, 85102 Rhodes, Greece, owner of Atrium Palace and Atrium Prestige.

The hotels operate under the brand name Atrium Hotels & Resorts. Unless the context requires otherwise, references to Atrium Hotels & Resorts are intended to apply to all hotels, services and facilities operating under that brand, including Atrium Platinum, Atrium Palace and Atrium Prestige.

Depending on the hotel, service or interaction concerned, the relevant legal entity acts as the data controller of your personal data. In certain cases, both entities may process personal data under the Atrium Hotels & Resorts brand, for example where centralized systems, reservations, guest relations, marketing, quality assurance, administration or technology platforms are used.

You may contact us about privacy matters at:

Email: [email protected]
Main Office: Ixia Bay, 85100 Rhodes, Greece
Telephone: +30 22410 44901

“Personal data” means any information that identifies you or can reasonably be used to identify you as an individual. This may include your name, contact details, booking information, payment information, identification information, stay details, preferences, communications with us, images captured by CCTV, app interactions, survey responses and other information connected to your use of our services.

The categories of personal data we process may include the following.

4.1 Reservation and booking data

When you make a reservation through our website, booking engine, call center, contact form, email, travel agent, tour operator or other booking channel, we may collect:

• name and surname;
• email address;
• telephone number;
• country;
• address;
• company, where applicable;
• arrival and departure dates;
• hotel, room type, package and stay details;
• purpose of stay;
• number of guests;
• preferences and special requests;
• dietary requests;
• POS financial transactions;
• allergy information or health-related requests, where provided;
• payment-card or transaction information, where required to process or guarantee your booking;
• comments or messages you provide to our staff members

Where payment information is processed through a booking engine, payment processor, bank or other payment-service provider, those providers may also process payment data in accordance with their own legal obligations and security requirements.

4.2 Reservation changes and cancellations

When you change or cancel a reservation, we may process:

• name and surname;
• booking reference;
• email address;
• telephone number;
• payment or refund details;
• correspondence relating to the change or cancellation.

4.3 Guest registration and check-in data

When you check in, complete a guest registration form or stay at one of our hotels, we may process:

• name and surname;
• booking reference;
• passport, identity-card or travel-document information, where required or permitted by law;
• nationality;
• address;
• date of birth, where required or relevant;
• arrival and departure dates;
• room number;
• signature;
• payment guarantee or payment information;
• information required for legal, tax, tourism, security or hotel-administration purposes.

4.4 Mobile application and digital guest-service data

Where you use our mobile application, guest portal, Wi-Fi-related services or other digital guest-service tools, we may process information relating to your use of those services, including:

• account, device, session or technical information;
• hotel, room, booking or stay identifiers, where connected to your stay;
• restaurant reservations;
• room-service orders;
• spa, sports, leisure or other hotel-service requests;
• requests for lessons, activities, excursions, transfers or other services;
• chat messages or communications with guest relations, concierge, reception or other hotel teams;
• guest preferences and service choices;
• app usage information, where permitted by law and applicable settings.

We use this information to provide, manage, personalize and improve the guest experience, to handle your requests, to communicate with you, to coordinate services and to operate our hotel services efficiently.

4.5 Restaurant, room service, concierge and guest-request data

When you make restaurant reservations, order room service, contact concierge or guest relations, use live chat, request assistance, or ask us to arrange a service, we may process:

• your name, room number and contact details;
• reservation or order details;
• date, time and location of the service;
• dietary preferences, allergy information or accessibility-related requests, where provided;
• guest preferences and special requests;
• communications with our team.

This information is used to provide the requested service, coordinate hotel operations, respond to your requests, personalize your stay and improve our services.

4.6 Third-party activities, excursions, lessons and external services

Through our website, mobile application, concierge, guest relations team or other channels, you may be able to request or book activities, lessons, excursions, transfers, tours or other services provided by independent third-party providers.

Where you ask us to facilitate such a request or booking, we may process and share with the relevant provider the personal data necessary to handle the request, such as:

• name and surname;
• contact details;
• room number or stay details, where needed;
• number of participants;
• requested activity, date and time;
• relevant preferences or requests;
• information necessary for safety, suitability, coordination, payment, cancellation or legal purposes.

The third-party provider may act as an independent data controller for the services it provides. The provider may have its own terms, privacy notices, cancellation policies, safety rules, insurance obligations and legal responsibilities. We recommend that you review the relevant provider’s information before confirming any third-party service.

Atrium Hotels & Resorts may act only as an intermediary, facilitator or booking-support channel for such services. The actual service is provided by the relevant third-party provider, subject to that provider’s own terms and legal obligations.

4.7 Guest satisfaction, feedback and survey data

We may invite you to complete guest satisfaction surveys, questionnaires or feedback forms during or after your stay, in paper form, by email, through our website, through the mobile application, through Wi-Fi-related services or through other guest-experience platforms.

Depending on the survey or interaction, we may process:

• name and surname;
• room number;
• email address;
• country;
• arrival and departure dates;
• length of stay;
• ratings;
• comments;
• complaints;
• suggestions;
• preferences;
• any other information you choose to provide.

We use this information to evaluate guest satisfaction, improve our services, respond to feedback, handle requests or complaints, train and support our teams, personalize your current or future guest experience and, where legally permitted, provide tailored communications or offers.

4.8 Newsletter and marketing data

Where you subscribe to our newsletter, request marketing communications or otherwise consent to receive marketing, we may process:

• name, where provided;
• email address;
• telephone number, where provided;
• marketing preferences;
• communication preferences;
• information about your interactions with our marketing communications, where permitted by law.

You may unsubscribe from marketing communications or withdraw your consent at any time.

4.9 Recruitment data

If you apply for employment with us, we may process:

• name and surname;
• email address;
• telephone number;
• CV, résumé, cover letter and application details;
• employment history, qualifications and references;
• any additional information you provide during the recruitment process.

4.10 CCTV, security and incident data

Where installed, we may operate CCTV systems in and around hotel premises for security, safety and crime-prevention purposes. We may process images and video footage captured by CCTV systems. In some cases, non-operational or replica cameras may be used for precautionary and safety purposes.

Our security department may also prepare incident reports, lost-property reports, open-safe lists, accident forms or other security-related reports. Such reports may include personal data such as name, surname, room number, contact details, stay details and information about the relevant incident.

If an accident occurs on our premises, we may ask you to provide information such as your name, surname, date of birth, room number, duration of stay, location of the incident, date and time of the incident, nature of the incident and any other relevant details.

4.11 Technical, website and cookie data

When you visit our website, use our mobile application or interact with our digital services, we may collect technical information such as:

• IP address;
• device identifiers;
• browser type and version;
• operating system;
• pages visited;
• date and time of access;
• referring pages;
• cookies and similar technologies;
• analytics and usage information, where permitted by law.

Further information is provided in our Cookie Policy.

Special categories of personal data include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data used for identification, health data and data concerning sex life or sexual orientation.

We do not request special categories of personal data unless necessary for a specific purpose, such as accommodating allergy, health, accessibility, dietary or safety-related requirements. Where required by law, we will process such data on the basis of your explicit consent or another applicable legal basis under the GDPR.

If you provide us with information about another person, including a child or another guest, you must ensure that you are authorized to do so and, where necessary, that you have that person’s consent or authority.

We process personal data for the following purposes and legal bases.

6.1 To manage reservations, bookings and hotel stays

We process personal data to create, confirm, administer, amend or cancel bookings, provide accommodation, manage packages, process payments, issue invoices, communicate with you about your stay and provide requested services.

Legal basis: performance of a contract, steps prior to entering into a contract, legal obligation and legitimate interests.

6.2 To provide hotel services and guest support

We process personal data to provide restaurant reservations, room service, concierge support, guest relations assistance, live chat, service requests, spa or leisure services, guest communications and general hotel operations.

Legal basis: performance of a contract, legitimate interests and, where relevant, consent.

6.3 To operate the mobile application and digital services

We process personal data to operate the mobile application, guest portal, Wi-Fi-related services and other digital tools, including service requests, chat messages, notifications, app functionality, service coordination and guest support.

Legal basis: performance of a contract, legitimate interests, legal obligation and, where required, consent.

6.4 To facilitate third-party services

Where you ask us to arrange or support a request for excursions, lessons, transfers, tours, activities or other services provided by third-party providers, we process personal data to facilitate that request, communicate with the provider and coordinate the service.

Legal basis: performance of a contract or steps prior to entering into a contract, legitimate interests, legal obligation and, where required, consent.

6.5 To personalize and improve the guest experience

We may use information about your stay, preferences, survey responses, service requests, mobile-app interactions and communications with us to personalize your current or future guest experience, remember preferences, improve services, train teams, resolve issues and provide more relevant recommendations.

Legal basis: legitimate interests and, where required, consent.

6.6 To send marketing communications

Where permitted by law, we may send you marketing communications about our hotels, services, events, offers, experiences and promotions. Marketing communications may be sent by email, telephone, SMS, messaging services, social media, push notifications or other electronic means, where permitted and in accordance with applicable law.

Legal basis: consent or legitimate interests, where permitted by applicable law.

You have the right to opt out of direct marketing at any time.

6.7 To comply with legal obligations

We process personal data to comply with legal, tax, accounting, tourism, hotel-registration, public-authority, police, court, regulatory and consumer-protection obligations.

Legal basis: legal obligation.

6.8 For safety, security and fraud prevention

We process personal data for CCTV operation, hotel security, incident management, accident reporting, lost-property handling, fraud prevention, payment security, guest and staff safety, protection of property and enforcement of hotel rules.

Legal basis: legitimate interests, legal obligation, vital interests where applicable, and establishment, exercise or defence of legal claims.

6.9 For complaints, disputes and legal claims

We process personal data to handle complaints, investigate incidents, resolve disputes, collect amounts owed, defend legal claims, cooperate with insurers and protect our rights and interests.

Legal basis: legitimate interests, legal obligation and establishment, exercise or defence of legal claims.

6.10 For recruitment

We process applicant data to assess applications, communicate with candidates, conduct recruitment procedures and, where applicable, retain candidate information for future opportunities.

Legal basis: steps prior to entering into an employment contract, legitimate interests, legal obligation and consent where required.

Your feedback and preferences help us improve and personalize our services. We may use information collected during your stay, from guest satisfaction surveys, from service requests, from the mobile application, from live chat or from other interactions to better understand your preferences and provide a more tailored guest experience.

This may include preferences relating to rooms, dining, beverages, allergies, accessibility, wellness, spa, sports, family needs, activities, excursions, celebrations, service style or other guest-experience details.

Where legally permitted, we may also use this information to provide tailored recommendations, offers or communications. Where direct marketing or electronic marketing requires consent, we will request consent separately. You may opt out of direct marketing at any time.

We do not sell your personal data.

Where necessary for the purposes described in this Privacy Notice, we may share personal data with:

• companies operating under the Atrium Hotels & Resorts brand;
• booking engine providers;
• payment processors and banks;
• IT, hosting, software, mobile-app, guest-experience and communication providers;
• email, newsletter and marketing-service providers;
• customer-service, concierge and guest-relations systems;
• restaurants, spa, leisure, sports or hotel-service departments;
• independent third-party providers of excursions, lessons, tours, transfers, activities or external services, where you request such services;
• travel agents, tour operators or business partners involved in your booking;
• professional advisers, including lawyers, auditors, accountants and insurers;
• public authorities, police, courts, tax authorities, tourism authorities, statistical authorities or regulators, where required or permitted by law;
• any person or organization to whom disclosure is necessary for the establishment, exercise or defence of legal claims.

Where third-party providers act as independent controllers, they are responsible for their own processing activities. Where service providers process data on our behalf, we require them to process the data only in accordance with our instructions and to apply appropriate technical and organizational security measures.

Where personal data is transferred outside the European Economic Area, we will take steps to ensure that the transfer is lawful and protected by appropriate safeguards, such as an adequacy decision, Standard Contractual Clauses or another lawful transfer mechanism under the GDPR.

We apply appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, misuse or destruction.

These measures may include access controls, secure systems, confidentiality obligations, staff training, supplier controls, contractual protections, restricted access to sensitive information and other measures appropriate to the nature of the data and the risks involved.

Although we take reasonable steps to protect personal data, no system, platform, application, website or method of transmission is completely secure.

We keep personal data only for as long as necessary for the purposes for which it was collected, including to provide services, manage our relationship with you, comply with legal obligations, resolve disputes, prevent fraud, collect amounts owed and establish, exercise or defend legal claims.

More specifically:

1. Reservation and stay data is retained for the duration of the contractual relationship and thereafter for the limitation period applicable to legal claims and for any period required by tax, accounting, tourism or other applicable laws.
2. Reservation-change and cancellation data is retained for the duration of the contractual relationship and thereafter for the limitation period applicable to legal claims and legal obligations.
3. Guest registration and legal hotel records are retained for the period required or permitted by applicable law.
4. Newsletter and marketing data is retained until you withdraw your consent, unsubscribe or object to processing, unless we have another lawful basis to retain limited suppression records.
5. Guest survey and feedback data is retained for as long as necessary to evaluate guest satisfaction, improve services, handle complaints and maintain appropriate business records.
6. CCTV footage is retained only for as long as necessary for security purposes, unless a longer retention period is required for the investigation of an incident or for the establishment, exercise or defence of legal claims.
7. Incident, accident and security reports are retained for as long as necessary for security, insurance, legal and claims-management purposes.
8. Recruitment data for unsuccessful applicants is retained for 24 months after the end of the relevant recruitment process, unless you consent to a longer retention period for future employment opportunities. If you consent to such retention, we may keep your data for a further 6 months. If your application is successful, relevant recruitment data will be transferred to your employment file and retained in accordance with the employee privacy notice.

Where personal data is no longer required, it will be deleted, anonymized or securely destroyed, unless retention is required or permitted by law.

It is not our policy to knowingly collect personal data directly from minors under the age of 18 without the consent of a parent or legal guardian, unless permitted by applicable law.

As it may not always be possible to determine the age of persons using our website, mobile application or services, we encourage parents and guardians to contact us if they believe that a minor has provided personal data without appropriate authorization.

Where you provide personal data about a child or minor guest, you confirm that you are authorized to do so.

Subject to applicable law and any legal limitations, you may have the right to:

• request access to your personal data;
• request correction of inaccurate or incomplete personal data;
• request deletion of your personal data;
• request restriction of processing;
• object to processing based on legitimate interests;
• object to direct marketing at any time;
• request data portability, where applicable;
• withdraw consent where processing is based on consent;
• lodge a complaint with the competent data-protection authority.

If you would like to exercise your rights, please contact us at:

[email protected]

We will consider your request in accordance with applicable law. In some cases, we may need to verify your identity before responding. There may also be circumstances where we are required or permitted to continue processing your data, for example to comply with legal obligations or to establish, exercise or defend legal claims.

If you believe that we have not complied with applicable data-protection law, you may contact us at [email protected].

You also have the right to lodge a complaint with the Hellenic Data Protection Authority or another competent supervisory authority.

We may update this Privacy Notice from time to time to reflect changes in our services, legal obligations, technology, hotel operations or data-processing practices.

The updated version will be made available on our website and, where appropriate, through our mobile application or other communication channels.