Privacy Policy

Privacy Policy

About Privacy Policy

0026.0287.49.0202161172 PRIVACY POLICY

  • The Company’s Website
  • What are Personal Data
  • What is the Processing of Personal Data
  • What information and personal data we maintain about you
  • Purposes for which we use your Personal Data
  • Automatic Data Collection
  • How we use your Personal Data
  • What is the legal basis for processing your Data by the Company
  • Who are the recipients of your Data
  • How your Data is shared
  • The policy we apply to third parties Processing your Data in accordance with the above
  • How we ensure that the Company and its associates respect your Data
  • Data Transfer
  • How long we retain your Data
  • Are your Data safe
  • What are your rights
  • How you can exercise your rights
  • When we respond to your requests
  • What is the applicable law during the processing of your Data by us
  • Where you can appeal if we violate the applicable law for the protection of your Personal Data
  • How you will be informed about any modifications to this Policy


Protecting your personal data is of paramount importance to us. WESTERN CRETE TRAINS INC (hereafter referred to as “the Company,” “we,” or “us”), based in Agia Marina, Chania, outlines and announces the terms under which it, acting as the “Data Controller” as defined by law, collects, stores, uses, and generally processes your personal data. This encompasses data collection during your visits, registrations, or use of the Company’s website (hereinafter referred to as the “Website”), as well as interactions with the Company’s physical office.

This Privacy Policy also explains how we use, share, and protect your personal data, the choices you have regarding your personal data, and how you can communicate with us. This Privacy Policy complies with the General Data Protection Regulation (EU) 679/2016 of the European Parliament and of the Council of 27 April 2016, as well as any other relevant applicable legislation.

Should you have any questions about this Privacy Policy, or any matters related to the processing of your data and the exercise of your rights, please contact us at [email protected].


The Company’s Website

The site is the website of the Company, and you can access all the services it provides for organizing and conducting excursions with tourist trains.

In general, our goal is to collect and maintain only the personal data that online visitors voluntarily provide so that we can offer them information and/or services or the information they request. Please study this Statement to learn more about how we collect, store, use, transmit, and protect the information/personal data we receive.


What is Personal Data?

The term “personal data” refers to information of natural persons, such as name, mailing address, email address, telephone number, age, gender, occupation, salary, etc., which identify or can identify your identity, hereafter referred to as “Personal Data or Data”.


What is the Processing of Personal Data?

Any operation or set of operations performed with or without the use of automated means, on personal character data or sets of personal character data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of provision, alignment or combination, restriction, erasure or destruction.


What Information and Personal Data Do We Maintain About You?

We ensure to collect only the absolutely necessary Personal Data from you, which are appropriate and clear for the purpose they are intended for. We may collect various kinds of personal data about you depending on the purpose for which we collect them, such as identification details (e.g., surname, first name, date and place of birth, identity card or passport number, email address, landline and/or mobile phone number, etc.)


Purposes for Which We Use Your Personal Data

We use your Data, as appropriate, for the following purposes:


To Fulfill Contractual Obligations: The Company processes your Data in order to fulfill its contractual obligations to you or to take pre-contractual measures upon your request and/or consent, and to process your service orders. We note that it may be necessary to transfer your Data to third parties to deliver the service you have requested from us.


For Communication: The Company uses your Data to respond to your requests/questions or any complaints. The information you share with us allows us to manage your requests and respond to you in the best possible way. We may also keep a record of your questions/requests to us so that we can respond better to any future communication. We do this based on our contractual obligations to you, our legal obligations, and our legitimate interests to provide you with the best possible service and to be able to improve our services based on your personal experience.


For Sending Newsletters/Offers: With your consent, we will use your Personal Data, preferences, and transaction details to inform you via email, internet, telephone about relevant products and services, including personalized offers, etc. Of course, you have the option to withdraw this consent at any time.


For the Development and Improvement of the Products and Services We Provide: This is done based on our legitimate business interests because we want to offer you deals and suggestions that are personalized to your needs.


For Processing Payments and Preventing Fraudulent Transactions: We do this based on our legitimate business interests, which also helps protect our customers from fraud.


To Comply with Our Contractual Obligations to You or Under the Provisions of the Law (e.g., Accounting Obligations): To send you communications required by law or that are necessary to inform you about changes to the services we provide to you. For example, updates regarding these privacy notices and legally required information about our contractual obligations. These service messages will not include promotional content and do not require prior consent when sent by email. If we do not use your personal Data for these purposes, we cannot comply with our legal obligations.


Automatic Collection of Personal Data:

In some cases, the Company and its service providers use cookies, web beacons, and other technologies to automatically collect certain categories of data when you visit us online, as well as through electronic messages that we may exchange. The collection of this data allows us to personalize your online experience, improve the performance, usability, and effectiveness of the Company’s online presence, and evaluate the effectiveness of our service promotion (marketing) activities.


IP Address

The IP address is a number assigned to your electronic computer each time you access the internet. It allows electronic computers and network servers to recognize and communicate with each other. IP addresses from which visitors appear to be coming may be recorded for information technology security and system diagnostic reasons. These data may also be used in an aggregated form to perform an analysis of trends and performance of the website.


How Do We Use Your Personal Data?

According to Greek Law and the General Data Protection Regulation 2016/679/EU (otherwise GDPR), we will not process your personal data unless we have a legal justification provided by law for this purpose. Therefore, we will process your personal data only if there is a lawful basis for doing so, such as:

  • Contract Performance: when processing your personal data is necessary to fulfill our obligations under a contract.
  • Legal Obligation: when we need to process your personal data to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement authority.
  • Legitimate Interest: when pursuing our legitimate interests does not significantly impact your rights and freedoms as data subjects.
  • Vital Interests: when processing is necessary to protect the vital interests of the data subject or another natural person.
  • Public Interest: when processing is necessary for the performance of a task carried out for the public interest.

Finally, we inform you that the processing of your Data is carried out either by the specially authorized personnel of the Company or through information systems and electronic devices by the Company and, exceptionally, by our third-party partners. These partners, having contractually committed to confidentiality and the protection of your Data, perform tasks necessary for achieving the purposes strictly connected with the use of our Online and Physical Records.


What is the Legal Basis for the Processing of Your Data by the Company?

The data protection legislation defines various reasons for which a company may collect and process your personal data, among which are the terms of our contractual relationship:

  • Your consent, where required. For example, when you choose to receive a newsletter. When collecting your personal data, we will always inform you which data are necessary in relation to a specific service.
  • The Company’s obligations arising from the law (e.g., tax legislation, e-commerce legislation, etc.).
  • The legitimate interest of our Company. In specific cases, we collect your Data in a manner reasonably expected as part of the operation of our business and which does not significantly affect your rights, freedoms, or interests.


Who are the Recipients of Your Data?

The Company does not share personal data with unrelated third parties, unless this is necessary for our legitimate professional and business needs, to execute your requests, or as required or permitted by law or professional standards.

The Company collaborates with trustworthy partners and service providers so that they can process your personal data on our behalf. The Company will transfer personal data to them only if they meet the strict standards that apply to us for data processing and security. The Company only shares personal data that are necessary for them to provide their services.


How Are Your Data Shared?


Data Sharing by Our Company Our Company shares your Data with:

  • Third-party independent service providers that process personal data on behalf of our Company, for example (but not limited to) for providing part of the services you have entrusted to the Company, processing payments, purposes of research and data collection necessary for the implementation of the services you have requested, analysis of survey results and creation of statistical data, management of promotional activities, and management of certain services and elements. When we use third-party service providers, we enter into written contracts that obligate them to implement appropriate technical and organizational measures for the protection of your personal data.
  • Other third parties, to the extent required for the following purposes: (i) compliance following a request from a Greek State authority, judicial decision, or applicable law, (ii) prevention of illegal uses of our Website or breaches of our Website’s Terms of Use and our policies.
  • Other third parties to whom you have given your consent.


What Policy Do We Apply with Third Parties Processing Your Data According to the Above?

The Company ensures that external service providers who have access to or use confidential information are bound by contractual obligations to maintain the confidentiality and security of the information. These confidentiality and security obligations must be at least equivalent to those to which the Company’s employees are required to comply. The Company includes confidentiality clauses in the General Terms of Transactions and confidentiality or non-disclosure agreements that may be signed from time to time with third parties (i.e., external service providers who have access to confidential information). Specifically:

  • We provide only the information they need to perform their specific services.
  • They can use your Data only for the exact purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any data they hold will be deleted or made anonymous.

If you wish to receive more information about the sharing of your Data with third parties, please contact us by email at [email protected].


How Do We Ensure That the Company and Its Associates Respect Your Data?

We have implemented appropriate organizational and technical measures to provide a high level of privacy protection and security for your personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access, and other illegal forms of processing. The Company incorporates the protection of personal data as an integral part of its business activities from design and by default, in order to protect the rights of data subjects, such as user management policy, various roles and responsibilities, backup copies, physical security measures, personal data destruction policy, etc.


Where the Company acts as a Data Processor, it is obliged to comply with the GDPR and, among other things, it must:

  • Process the personal data only in accordance with the instructions of the Data Controller who transmitted the data, who is called to comply with the requirements of the GDPR.
  • Maintain personal data until the end of the data processing services, subject to any requirements of applicable law.
  • Immediately notify the Data Controller who transmitted the data about any legally binding requirement for disclosure of the data, any accidental or unauthorized access, or any requests submitted directly by the data subject.
  • Not respond to any request for data disclosure unless authorized by the Data Controller who transmitted the data or the data subject, or as required by law.


Where the Company acts as a Data Controller, it is obliged to comply with the GDPR and, among other things, it must:

  • Implement all appropriate measures for compliance and data protection from design and by default.
  • Implement appropriate technical and organizational security measures to protect personal data.
  • Report data breaches to the Data Protection Authority and the data subject.
  • Cooperate with supervisory authorities.
  • Facilitate the exercise of the rights of data subjects.


Our partners, as Data Processors on our behalf, have agreed and contractually committed to the Company:

  • To maintain confidentiality.
  • Not to send your Data to third parties without the Company’s permission.
  • To take appropriate security measures.
  • To comply with the legal framework for the protection of personal data and in particular the General Data Protection Regulation 2016/679/EU (otherwise GDPR).


How Long Do We Retain Your Data?

We retain your Personal Data for as long as necessary to fulfill the purposes set out in this Privacy Policy. Generally, this means that we will retain your Personal Data for at least 6 months and, in any case, for as long as you have a collaboration with our Company and until the purpose of processing the Data is achieved, subject to any requirements for keeping the information for a different period in the context of compliance with applicable law, regulation, professional requirements, or standards. The Company has a process for determining and monitoring the nature and location of the personal data it retains about you. It allows you to access your personal data held by the Company and enables you to check and correct any errors in your personal data, as required by applicable laws and regulations. Regarding your Personal Data related to the services provided, we retain this Data for a longer period to comply with our legal obligations (such as tax and commercial legislation).


Are Your Data Safe?

We are committed to safeguarding your Personal Data. Recognizing the importance of the security of your Personal Data, we have taken all appropriate organizational and technical measures for the security and protection of your Data from any form of accidental or unfair processing. We use the most modern and advanced methods to ensure the highest possible security. The website uses the encryption protocol……………… In this way, all the Data you provide, including your name and address, are encrypted so that they cannot be decrypted or altered during their transfer over the Internet.


What Are Your Rights?

Right to Access Your Personal Data: This means you have the right to be informed by us if we are processing your Data. If we are processing your Data, you can request to be informed about the purpose of the processing, the type of Data we hold, to whom we disclose them, how long we store them, if automated decision-making takes place, as well as about your other rights, such as correction, deletion of data, restriction of processing, and the right to file a complaint with the Data Protection Authority.


Right to Correction of Inaccurate Personal Data: If you find that there is an error in your Data, you can submit a request to us to correct them (e.g., correction of name or updating a change of address).


Right to Erasure / Right to be Forgotten: You can ask us to delete your data if they are no longer necessary for the above-mentioned processing purposes or if you wish to withdraw your consent.


Right to Data Portability: You can request to receive your Data in a readable format that you have provided or ask us to transfer them to another data controller.


Right to Restrict Processing: You can ask us to restrict the processing of your Data for as long as your objections to processing are being examined.


Right to Object and Withdraw Consent to the Processing of Your Data: You can object to the processing of your Data, and we will stop processing your Data, unless there are other compelling and legitimate reasons that prevail over your right. If you have declared your consent for the collection, processing, and use of your personal data, you can withdraw your consent at any time with future effect:

  • Opting out of Marketing Communications You can choose not to receive marketing communications by changing your email subscriptions by clicking the unsubscribe link.


Please contact us at [email protected] for further assistance or inquiries.


What Are Your Rights? (Continued)

Alternatively, you can contact us using the contact details provided below.

In cases where we rely on our legitimate interest: In cases where we process your personal data based on our legitimate interest, you can ask us to stop for reasons related to your personal situation. We must then do so unless we believe that we have a legitimate imperative reason to continue processing your Personal Data.


How Can You Exercise Your Rights?

To exercise your rights, you can submit a relevant request to our email address [email protected] with the subject “Exercise of Right,” and we will review it and respond to you as soon as possible.

Additionally, for any complaint or grievance, you can use the complaint form which you can send to the aforementioned email address.


  • If you wish to withdraw your consent for receiving the newsletter, you can do so by selecting the “To unsubscribe from the newsletter mailing list/unsubscribe click here” link located at the bottom of each newsletter.
  • If you wish not to receive web push notifications from the Company, you can deactivate the option from your browser settings.


Identity Verification

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you submit under this Privacy Policy. If you have authorized a third party to submit a request on your behalf, we will ask them to prove that they have your permission to act for this purpose.


When Do We Respond to Your Requests?

We respond to your requests free of charge without delay, and in any case within ten (10) days from when we receive your request. However, if your request is complex or there is a large number of requests from you, we will inform you within this deadline if an extension of another fifteen (15) days is required within which we will respond to your request.


What is the Applicable Law When We Process Your Data?

The applicable law is Greek Law, as shaped in accordance with the General Data Protection Regulation 2016/679/EU (otherwise GDPR), and the current national and European legislative and regulatory framework for the protection of personal data.

Any dispute arising from or related to the protection of your Personal Data shall be subject to mediation in accordance with the Mediation Regulations of the European Mediation and Arbitration Organisation (EMAO). If the dispute or part thereof is not resolved through mediation, the dispute or the unresolved part thereof shall be exclusively resolved by the Greek Courts and specifically the Courts of the city of Chania.


Where Can You Appeal if We Violate the Applicable Law for the Protection of Your Personal Data?

You have the right to file a complaint with the Data Protection Authority if you believe that the processing of your Personal Data violates the applicable national and regulatory legal framework for the protection of personal data.

Data Protection Authority (DPA) [], Postal Address: Kifisias 1-3, P.O. Box 115 23, Athens, Phone: 210.6475600, E-mail: [email protected]


How Will You Be Informed of Any Modifications to This Policy?

We update this Privacy Policy whenever necessary. If there are significant changes to the Privacy Policy or how we use your Personal Data, we will post an update on our website before the changes take effect and notify you in every appropriate way.


We encourage you to read this policy regularly to know how your Data is protected.

Last Update: 9/1/2024