Shazdeh Travel Privacy Policy

Shazdeh Travel values the protection and privacy of personal information. It is important to us our customers can enjoy our services without having their privacy compromised. Therefore this Privacy Policy outlines clear and transparent details about how we handle your personal data and ensure its privacy.

 

PRIVACY POLICY 

Shazdeh Travel, as a brand name of Sugar and Spice Travel Private Company (hereafter “the Company”) is based in Greece (12 Dimokratias Square 54628 Thessaloniki, tel: +30 6979667348, email: info@shazdeh-travel.com, General Electronic Commercial Registry 155210806000,) and is represented legally by Maryam Osanloo. 

 

Shazdeh Travel.» provides services related to:

  • organized trips and tours in Iran
  • hotel accommodation
  • excursions
  • car rentals
  • travel advice
  • visa support

With this Privacy Policy, the Company provides all the necessary information for the collection and the processing of the personal data in the context of its activity, the type of personal data it collects and uses, the purpose of processing, the data retention period, the transfers to third recipients, and your rights under the privacy law. 

Acting as travel agency the Company is bound to protect and process the personal data according to the General Data Protection Regulation/GDPR (EU) 2016/679, and the Greek legislation, especially the Greek law 4624/2019 for the Protection of Individuals regarding the Processing of Personal Data and the law 3741/ 2006 for the Protection of Personal Data and the Protection of the Privacy of the Electronic Communications.

The location of the processing is the main establishment of the Company in Greece (as mentioned above) where all processing activities take place. 

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, organization, structuring, storage, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.

The personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject, for specified, explicit and legitimate purposes. The Company shall collect and processes only the personal data which are adequate, relevant, and limited to what is necessary, accurate and, where necessary, kept up to date. The Company shall not further process the personal in a manner that is incompatible with the initial purposes of collection. It shall ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures

The processing of personal data will be in accordance with the effective Privacy Policy. The Company reserves the right to amend this Privacy Police at any time. The latest version will be found on this webpage and depending on the revisions we might alert you via electronic communication. 

Processing personal data of clients or partners

Personal data from clients or partners is obtained by Shazdeh Travel in accordance to the following purposes:

- Administrative purposes;

- Communication regarding orders and/or invitations to our partners;

- Performing or assigning an order.

The foundation for collecting personal data is:

- The agreed order, which means the booking of your trip.

For all purposes mentioned above, Shazdeh Travel can request the following details from you:

- First name according to passport;

- Insertion;

- Last name according to passport;

- (Business) Phone number;

- (Business) Email address;

- Gender

- Passport number, expiry date passport

- Date of birth

- Home address

Your personal data will be collected and saved by Shazdeh Travel for the following time frame:

- During the term of the agreement, after that 2 years in our reservation system and then solely in our financial administration for a maximum of 7 years.

Access, correction and deleting personal data

We are responsible for processing your personal data. However, you have the right to request access and/or correction or removal of your personal data. If you wish to do so, please contact us via info@shazdeh-travel.com

 

LEGAL BASIS OF PROCESSING 

- Your freely given consent  

- The performance of a contract to which you are a party or to take steps at your request prior to entering a contract

- The compliance with a legal obligation 

- The legitimate interests pursued by the Company

 

HOW WE COLLECT YOUR PERSONAL DATA 

  • When you fill and submit forms in print or electronically (available in https://www.shazdeh-travel.com).
  • When we communicate with you via mail, email, social media, internet-based communication platforms (Zoom, WhatsApp, Messenger, etc.), videocalls. 
  • From marketing promotions after getting your consent to use your contact details to inform you about our services.
  • From third parties to whom you have given your consent to transfer your personal data to us.
  • From the device or the browser, you use to access our website and our social media pages.  

 

TYPE OF PERSONAL DATA WE COLLECT  

 

 

  • Individuals who have expressed their interest by filling the electronic form available at the website: name, surname, email, phone number, destination, tour, travel theme. 

 

  • Customers: identification data: name, surname, identity card/passport number, driver’s license (for renting car services), contact details: email address, telephone number, Tax Identification Number, Financial data: bank accounts, credit cards, Comments and questions, Questionnaires. 

Sensitive data: We may request from you to provide us sensitive information regarding your health situation such as mobility problems to inform you about the accessibility or to facilitate your access and transportation to accommodations, sites, and sightseeing. Additionally, you may wish to inform us on food allergies and dietary habits you may have, or other health issues for safety reasons.   

Legal basis: 

  • Your freely given and informed consent (article 6, [1] [a], and article 9, [2] [a], GDPR for sensitive personal data). 
  • The performance of a contract to which you are a party or to take steps at your request prior to entering a contract (article 6, [1] [b], GDPR)
  • The compliance with a legal obligation to which our Company is subject (article 6, [1] [c], GDPR).

 

Your failure or denial to provide us the personal data that is strictly necessary for the conclusion or performance of the contract may mean that the contract cannot be concluded or performed as a whole or with respect to some of its aspects. 

  1. Providers: name, surname, company name, Tax Number, contact details: telephone number, address, email address, details of legal representatives, payment, and financial data: bank accounts, credit cards.

Legal basis

  • The performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering a contractη (article 6, [1] [b], GDPR) and the compliance with a legal obligation to which the controller is subject (article 6, [1] [c], GDPR).

 

  • Employees and job applicants: name and surname, identity card/passport number, Tax ID No., residence, and work permit (for foreigners), photo, citizenship, contact details (phone numbers, residence address, email address), payment details, financial data (bank accounts) and payroll, Social Security Data (social insurance registration number /AMKA), social security number (AMA), Single Agency of Social Insurance (EFKA), date of first registration with the social insurance agency), Vocational training data (degrees, diplomas, recommendation letters) 

 

Special categories of personal data of Article 9 GDPR if required by law and where it is strictly necessary (health data, medical opinions for suitability for employment and sick leaves etc.)

Legal basis

  • The performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering a contract (article 6, [1] [b], GDPR), the compliance with a legal obligation to which the controller is subject (article 6, [1] [c], GDPR) and articles 22 and 27 of the Greek Law 4624/2019.

 

  • Website and social media users:  browsing information which are automatically collected by the device or the browser (IP address, name of Internet Service Provider, type of device, operating systems, navigation information, actions on the website, clicked URLs and other preferences. This information may be used for the targeted advertisements, messages, or content through remarketing and retargeting actions in Facebook, Instagram, and Google platforms. After getting your consent information of how you use our website may be stored for improving the quality and the content of the website. You can find more information about the cookies in the Cookies Policy.   

 

Legal basis

  • The legitimate interests pursued by the Company as Data Controller (Article 6 (1)(f), GDPR), Article 11 [3] L. 3741/2006 for electronic communications, and your freely given and informed consent (article 6, [1] [a], GDPR)

 

  • Newsletter recipients: name, surname, email address

 

Legal basis

  • The legitimate interests pursued by the Company as Data Controller (Article 6 (1)(f), GDPR), Article 11 [3] L. 3741/2006 for electronic communications, and your freely given and informed consent (article 6, [1] [a], GDPR).

 

USE OF INFORMATION FOR MARKETING AND PROMOTIONAL PURPOSES

Information may be used for the targeted advertisements, messages, or content through remarketing and retargeting action in Facebook, Instagram, Google, and other platforms.

Legal basis

  • The legitimate interests pursued by the Company as Data Controller (Article 6 (1)(f), GDPR), Article 11 [3] L. 3741/2006 for electronic communications, and your freely given and informed consent (article 6, [1] [a], GDPR)



ABOUT YOUR CONSENT 

When your consent is required for the processing of your personal data, you will provide it after getting all the appropriate information for the scope and the lawfulness of processing, and by filing and signing a Consent Form (printed or electronical). You have the right to withdraw your consent at any time according to the Article 7 (3) GDPR by sending an email to info@shazdeh-travel.com. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

If you have agreed to receive our newsletters, you can unsubscribe (opt out) by clicking to the unsubscribe button to available at every message you will receive from our Company.  

 

ELECTRONIC COMMUNICATIONS 

Based on the customer relationship and the Greek Law 3741/2006 the Company has the right to inform its customers via electronical communication about relevant services or for similar purposes, even if the customers have not given beforehand their consent. The customers have the right to object to the communication by clicking the unsubscribe button and opt out of the communication. 

For any other category of recipients, the Company shall seek and obtain the appropriate consent in advance. 

 

DISCLOSURE/TRANSFER OF PERSONAL DATA TO THIRD RECIPIENTS 

If necessary, the Company may transfer personal data to third parties for the fulfilment of the specific purpose of processing in order to provide its services. 

These third parties may include:

- collaborators and contractors such as hotels, car rental companies, transportations, tour guides, etc.  

- service providers and subcontractors (processors and subprocessors) who process personal data on behalf of the company: accounting, IT, cloud services, etc.

In this case, the transfer of data will be in accordance with the Article 28 GDPR that sets the responsibilities of the data processors. The data processors are bound to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. If the processor or the subprocessor processes personal data in a third country outside the EΕΑ, the transfer will be according to the provisions of GDPR including the Standard Contractual Clauses issued by the European Committee or any appropriate legal basis.  

The Company may transfer personal data to public authorities, if required by law or a statutory obligation, and if the transfer is necessary for the protection of its rights, for compliance with legal or judicial procedures and court decisions. 

 

SECURITY OF PROCESSING

The Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, the unlawful use or unauthorized access. 

All the personal data will be treated as confidential and will be accessible only by authorized personnel and for specific processing activities. The Company shall use security access codes, technologies for detecting unauthorized intrusion to the network, pseudonymization and encryption methods, verification technologies, procedures for secure connectivity and protection from malware and other threats. 

 

DATA RETENTION PERIOD

The retention period of the personal data is subject to the requirements of the legislation. Personal data will be stored for as long as it is required to meet the purpose of processing (as set out above) and for a reasonable time after your last interaction with the Company. When your personal data are no longer necessary, it will be deleted or destructed in a secure way.

The data retention period is defined and may be extended if required by law and for the fulfilment of the Company’s contractual and legal obligations, for the establishment, exercise, or defense of legal claims, and for security reasons. 

Specifically:

  • Online questionnaires that have been filled and submitted by potential customers and have not resulted in sale, will be deleted immediately. 
  • Customers’ contracts will be stored and kept by the Company for the period required by the law and for a reasonable time after your last interaction with us, especially if there is a legitimate reason to extend the retention period e.g., legal claims or complaints.  
  • The contact details of the persons who have opted in for receiving electronic communications will be kept until the recipient decides to opt out (unsubscribe). 

After the expiration of the data retention period, the Company may notify the persons of the deletion or destruction of their files by email, or any other available means (press announcement or public communication). 

The persons have the right to receive a copy of the files with their personal data. 

When the Company processes personal data for statistical purposes this will be anonymized so as the natural persons cannot be identified. 

 

DATA SUBJECTS’ RIGHTS

You have the right:

  • to obtain confirmation as to whether your personal data are being processed, and the right to request and receive a copy. 
  • to request the rectification of inaccurate personal data concerning you. 
  • to request the deletion of your personal data. This right can be exercised under the conditions set in the legislation, especially in cases when the Company is required to retain the personal data for a longer period.
  • to receive the personal data concerning you, which you have provided to us, and transmit those data to another controller.
  • to withdraw your consent.
  • to object to the processing of your personal data and request the restriction of the processing. However, this may prohibit the Company from providing its services to you. 

 

EXERCISE OF YOUR RIGHTS UNDER GDPR  

For exercising your legal rights under the GDPR, you may send us an email to  info@travelmule.gr or contact us at +30 2316019887. 

The Company shall provide information on action taken on a request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, considering the complexity and number of the requests. In this case you will be informed of any such extension within one month of receipt of the request, together with the reasons for the delay. 

Information shall be provided free of charge, unless the requests are manifestly unfounded or excessive, in particular because of their repetitive character

For further actions, you have the right to lodge a complaint with the Greek Data Protection Authority (Kifissias 1-3, PC 115 23, Athens, Greece, https://www.dpa.gr/, Telephone: +30-210 6475600, Ε-mail: contact@dpa.gr)

 

Last update, January 2023