  1. SCOPE OF THIS PRIVACY POLICY

At Sani/Ikos Group, we guarantee our commitment to respecting and protecting your privacy, as well as safeguarding your personal data. Our vision and goal is the provision of services that exceed your highest expectations. Therefore, Sani/Ikos, with respect to the applicable national and EU legal framework on data protection, especially the General Data Protection Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018, the Greek Law 4624/2019 and the Portuguese Law 41/2004, as in force, hereby provides you with a lawful, fair and transparent policy in order to inform you about the personal data we collect, how we use it, and how the use of this information can benefit your experience while enjoying our services, as well as visiting our premises and/or our online platforms (websites and mobile application).

Where the terms "Sani/Ikos", “we”, “us”, or “our” are mentioned in this Privacy Policy, they shall collectively refer to all Ikos resorts, Sani resort and Sales Offices, Sani Single Member Societe Anonyme Development & Tourism, Ikos Hotel Management S.M.S.A. and Ikos Spanish Hotels Management S.L.U.

We are dedicated to achieving transparency of the collection and use of your personal data, therefore we wish to provide you via this Privacy Policy with information about:

  • what personal data we collect and how we use them;
  • the purposes for which we process your personal data and the relevant legal basis under which we process your personal data;
  • your rights related to your personal data.

This Privacy Policy applies to all individuals whose personal data we process in the course of our operations, including guests, prospective guests, persons making reservations, visitors to our premises and users of our online platforms. It applies to personal information collected through our websites, mobile applications, email communications, and other digital channels, as well as through offline interactions, including when you visit or stay at one of our resorts, attend our events, contact our call centre, make a reservation, or otherwise interact with us. The use of our websites is also subject to our Cookie Policy.

This Privacy Policy does not apply to personal information that we collect about employees and other personnel in connection with their working relationship with us, or personal information that we collect about applicants and candidates.

This Privacy Policy aims to inform you on the processing of your personal data; however, it may not include all our processing activities as these constantly evolve. In case a new processing activity is added, we shall endeavour to update this Privacy Policy and, in any case, we will provide you with the necessary information.

For further information, please contact our Data Protection Officer at privacy@saniikos.com.

  2. DATA CONTROLLERS

The means and purposes of personal data processing in this Privacy Policy are jointly determined by:

  • SANI SINGLE MEMBER SOCIETE ANONYME DEVELOPMENT AND TOURISM with registered address at 8 Chalkis Str, 55535, Pylaia, Thessaloniki, Greece.
  • IKOS HOTEL MANAGEMENT SINGLE MEMBER SOCIETE ANONYME with registered address at 8 Chalkis Str, 55535, Pylaia, Thessaloniki, Greece.
  • IKOS SPANISH HOTELS MANAGEMENT, S.L.U, with registered address at Calle Príncipe de Vergara 108, Planta 7, 28002, Madrid, Spain.

  3. WHAT PERSONAL DATA WE COLLECT AND HOW WE USE THEM

The following table summarizes the categories of personal data that we process, the sources of such personal data, the purpose of collection, as well as the legal basis for such processing. Where we refer to "special categories of personal data" or "sensitive personal data", this relates specifically to health information and allergen data, which we collect exclusively to provide our guests with a safer and more tailored experience.

BOOKING & RESERVATIONS

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Booking (via website, mobile application, booking confirmation form, Tour Operator, Travel Agency, or direct contact) | You; or third party (Tour Operator or Travel Agency) and/or other partners acting on your behalf | Name and surname; contact details (email, telephone, postal address, city, country); nationality; Tax Identification Number; official identity document details; arrival and departure dates; flight details (where transfers are requested); preferred payment method. Special requests may include health/sensitive personal data (Please see Healthcare Data & Medical Services). | Processing and managing the reservation; verifying identity and completing payment; complying with legal and tax obligations. | Contractual relationship. Legal obligation. |
| Call Recordings (reservations call centre) | Automated systems | Personal data disclosed in the course of the call. | Quality assurance; staff training; dispute resolution. | Legitimate interests. |

Additional Considerations:

  • AI-assisted tools may be used to help the concierge team respond to enquiries; all AI-generated responses are reviewed and approved by a team member before being sent.
  • Third-party online booking engines and travel agents may act as independent data controllers.

CHECK-IN

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Pre-Check-In (via mobile application or online form) | You | Name and surname; contact details; identity document details (type, number, place and date of issue, expiry date). | Completing the pre-arrival check-in procedure. | Contractual relationship. |
| Check-In (at the front desk or via mobile application) | You | Name and surname; contact details; date of birth; nationality; language; Tax Identification Number; passport or ID number; names and dates of birth of accompanying family members; preferred payment method; payment card details; arrival and departure dates; room number. | Completing the check-in procedure; opening and managing the guest account; complying with applicable legal registration requirements. | Contractual relationship. Legal obligation. |
| Passport Scanning & Identity Verification | You | Name and surname; date and place of birth; nationality; identity document number, type and expiry date; visa-related information; signature; reservation metadata; consent status. | Verifying identity; completing guest registration; fulfilling regulatory reporting obligations. | Contractual relationship. Legal obligation. |

Additional Considerations:

  • For properties located in Spain, Sani/Ikos complies with Real Decreto 933/2021, de 26 de octubre, which establishes documentary registration and information obligations for operators of accommodation establishments. Check-in information will be shared with the relevant law enforcement authorities to the extent required by law.
  • Passport scanning platforms are used to extract identity document data for guest registration and regulatory reporting purposes. These platforms act as data processors bound by data processing agreements with Sani/Ikos. No photographs of identity documents are stored on these platforms.
  • Pre-arrival communications (including emails, calls, and messages containing guest enquiries, requests, or preferences received before check-in) are handled by dedicated teams and are covered under the E-Concierge & Guest Communication Services activity in the following Accommodation, In-Room Services & Guest Experience section of this Privacy Policy.

ACCOMMODATION, IN-ROOM SERVICES & GUEST EXPERIENCE

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Housekeeping Services | Internal records | Name and surname; room number; arrival and departure dates; number of guests; guest preferences and special requests. Special requests may include health/sensitive personal data (Please see Healthcare Data & Medical Services). | Delivering housekeeping services; applying guest preferences and safety-related precautions. | Contractual relationship. Legitimate interests. |
| Room Service (via telephone, in-room tablet, or mobile application) | You | Name and surname; room number; order details. Special requests may include health/sensitive personal data (Please see Healthcare Data & Medical Services). | Processing and delivering room service orders during your stay. | Contractual relationship. Legitimate interests. |
| VIP Guest Coordination | Internal records | Name and surname; room number; number of guests; check-in and check-out dates; profile notes; loyalty tier or repeater status. | Coordinating personalised arrival arrangements across relevant departments; delivering an enhanced guest experience. | Legitimate interests. Contractual relationship. |
| Guest Experience | You; internal records | Preferences and requests shared or collected before and during your stay. Special requests may include health/sensitive personal data (Please see Healthcare Data & Medical Services). | Personalising and enhancing your experience during current and future stays. | Legitimate interests. |
| Sani/Ikos Mobile Application | You | Name and surname; contact details; account credentials; gender; country of origin; payment card details; booking and request details; passport details (where passport scanning is used during check-in). | Providing and maintaining the application; processing bookings and requests; completing payments; managing debt recovery and disputes. | Consent (account creation). Contractual relationship. Legitimate interests. |
| E-Concierge & Guest Communication Services (via email, WhatsApp, and other messaging channels) | You | Name and surname; contact details; room number; booking reference; enquiry content; communication metadata. | Responding to guest requests and enquiries; providing timely information; facilitating personalised service delivery. | Contractual relationship. Legitimate interests. |
| Room Charges (charges to guest account from resort facilities and third-party service points) | You; internal records; third-party service providers operating at the resort | Name and surname; room number; details of the charge (item or service, amount, date, location). | Adding charges to the guest room account; processing payments and settlements; invoicing and billing reconciliation. | Contractual relationship. Legitimate interests. |

Additional Considerations:

  • For further information regarding the Sani/Ikos Mobile Application, please refer to the Mobile Application's Terms of Use and Privacy Policy.
  • AI-assisted tools may be used to support the concierge and communications teams. All AI-generated responses are reviewed and approved by a team member before being sent.

FOOD, BEVERAGES & DINING

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Restaurant Reservations (via call centre, mobile application, or third-party reservation platform) | You | Name and surname; contact details; nationality; reservation details (date, time, occasion, number of persons); preferences; visit history and intervals. Health/sensitive personal data referring to allergies or other medical conditions may be collected (Please see Healthcare Data & Medical Services). | Managing restaurant reservations; providing personalised dining services. | Contractual relationship. Legitimate interests. |
| Off-Site Dining Facilitation (via concierge, E-Concierge, or mobile application) | You | Name and surname; room number; contact details; preferred dining date, time, and number of persons; preferences and special requests. Health/sensitive personal data referring to allergies or other medical conditions may be collected (Please see Healthcare Data & Medical Services). | Arranging off-site dining reservations on your behalf as part of the concierge service. | Contractual relationship. Legitimate interests. Explicit consent (health data). |

Additional Considerations:

  • When Sani/Ikos arranges an off-site dining reservation on your behalf, your name and reservation details will be shared with the relevant external venue solely for the purpose of completing the booking. That venue acts as an independent data controller and is subject to its own privacy policy.

ACTIVITIES, RECREATION & TRANSPORT

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Activity Booking Platform (operated by third parties on behalf of Sani/Ikos) | You | Name and surname; contact details; participant details (name, surname, age, ability group); arrival and departure dates; preferred payment method; room number (optional). | Managing activity bookings; ensuring safe service delivery; adding charges to the guest account. | Contractual relationship. Legitimate interests. |
| Adult Sports & Organised Recreational Activities | You | Name and surname; room number; contact details; age group or ability level. Health/sensitive personal data referring to allergies or other medical conditions may be collected (Please see Healthcare Data & Medical Services). | Managing participation in organised activities; ensuring safe and appropriate service delivery; processing applicable charges. | Contractual relationship. Legitimate interests. Explicit consent (health data). |
| SANI Marina & SANI/IKOS Boat Rental / Cruise Services (via SANI marina application form or at point of booking) | You | Name and surname; contact details; room number; tax registration details; passport details (where required); number of passengers; vessel and captain details. | Administering SANI marina and SANI/IKOS boat rental services; completing transactions; complying with port authority and maritime safety requirements. | Contractual relationship. Legal obligation. |
| Buggy & Bicycle Rental (via rental agreement or check-in form at point of rental) | You | Name and surname; room number; date of birth; nationality; identity document details; equipment details; rental dates and times; pre-existing damage notes; signature. Health/sensitive personal data referring to allergies or other medical conditions may be collected (Please see Healthcare Data & Medical Services). | Administering rental services; verifying identity and eligibility; processing charges for damage, loss, or late return. | Contractual relationship. Legitimate interests. Explicit consent (health data). |
| Car Rental | You | Not collected or processed by Sani/Ikos (see Additional Considerations). | Not applicable. | Not applicable. |

Additional Considerations:

  • Car rental services are provided by third-party rental operators who act as independent data controllers. All personal data (including driving licence details) is collected and retained solely by the rental operator. As an exception, in some resorts the vehicle rental check-in process may be administered by Sani/Ikos; personal data collected in those cases is retained solely by Sani/Ikos and is not transferred to the rental operator.
  • Passenger lists for marina and boat services may be shared with port authorities as required by applicable law.

WELLNESS & SPA

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Spa, Gym & Wellness Facilities (via registration and health consultation forms) | You | Name and surname; contact details; date of birth; room number; signature; parent or guardian details (where the guest is a minor); sign-in and sign-out records; treatment details. Health/sensitive personal data referring to allergies or other medical conditions may be collected (Please see Healthcare Data & Medical Services). | Registering guests and providing spa and wellness services; maintaining health and safety during service provision; completing transactions and invoicing. | Legitimate interests. Contractual relationship. Explicit consent (health data). |

Additional Considerations:

  • Subject to your consent, limited personal data may be shared with cosmetics partners for the purpose of sending marketing communications about their products and offers.

CHILDREN'S SERVICES

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Kids Experience / Childcare Services | Parent or legal guardian | Child's name, surname, and age; parent or guardian name, surname, room number, contact details, arrival and departure dates, and signature. For babysitting and supervised care: care instructions and service duration. For crèche services: monitoring records (temperature, sleep, nappy changing, head injury). Health/sensitive personal data referring to allergies or other medical conditions may be collected (Please see Healthcare Data & Medical Services). | Managing childcare bookings; assigning children to age groups; adding charges to the room account; monitoring arrivals and departures; ensuring the health, safety, and wellbeing of the child; complying with legal obligations. | Contractual relationship. Legal obligation. Legitimate interests. |
| Watersports & Swimming Lessons (via third-party operators) | Parent or legal guardian | Child's name, surname, and age; parent or guardian name, surname, room number, and signature; service costs (for invoicing). | Facilitating the activity; completing transactions and invoicing. | Contractual relationship. |
| Football Academy & Other Organised Sports Activities | Parent or legal guardian | Parent or guardian name, surname, telephone number, and room number; child's name, surname, and age. Health/sensitive personal data referring to allergies or other medical conditions may be collected (Please see Healthcare Data & Medical Services). | Completing transactions and invoicing; ensuring the safety and appropriate grouping of participants. | Contractual relationship. Legitimate interests. Explicit consent (health data). |
| Third-Party Children's Consultancy Services | Third party: service provider (invoicing data only) | Name and surname; room number; service costs. | Completing transactions and invoicing. | Contractual relationship. |

Additional Considerations:

  • Personal data is not collected directly from minors, but from their parents/legal guardians.
  • The third-party watersports operator and children consultancy service providers act as independent data controllers and provide their own registration forms and privacy information.

HEALTHCARE DATA & MEDICAL SERVICES

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Allergies, Dietary Requirements, Medications & Pre-Existing Health Information | You; parent, legal guardian, or authorised representative (on behalf of accompanying guests, including minors) | Allergies; dietary requirements; medical conditions; medications; pre-existing injuries and treatments. All data in this category constitutes health/sensitive personal data under Article 9 GDPR. | Protecting guest health and safety; enabling relevant resort teams (restaurants, housekeeping, activity providers) to apply appropriate precautions; providing safe and personalised service. | Explicit consent. |
| On-Site Medical & Doctor Services | Third party: independent medical professional or clinic (invoicing data only) | Name and surname; room number; amount charged. | Re-invoicing of medical charges incurred during the stay. | Contractual relationship. Vital interests. Explicit consent (where health data is shared with Sani/Ikos). |

Additional Considerations:

  • Allergies, dietary requirements, medical conditions, medication, pre-existing injuries and treatments and other health information disclosed at any touchpoint during your stay (including verbally at a restaurant, gym, spa or reception desk) will be handled with the same level of care as information provided via the appropriate forms. Forms (such as the Allergies & Special Preferences form) may be completed on behalf of accompanying guests, including minors or persons who are unable to provide consent themselves, provided the individual completing the form is their parent, legal guardian, or is otherwise authorised to act on their behalf. This information is shared internally only with teams that require it for the safe delivery of services. It is not shared with third parties except where necessary for the provision of a specific service (e.g. a third-party activity provider where the guest has booked a relevant activity). In the event of a medical emergency, Sani/Ikos staff may share limited information with emergency services or accompanying guests to the extent necessary to protect the vital interests of the individual concerned, pursuant to Article 9(2)(c) GDPR.
  • Medical and doctor services are provided by independent medical professionals or clinics, who act as independent data controllers for the processing of health data. Guests should refer to the privacy information provided by the relevant medical professional or clinic.

MARKETING, COMMUNICATIONS AND LOYALTY PROGRAMS

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Commercial Communications & Newsletters | You; internal records (previous bookings) | Name and surname; email address. | Sending commercial communications and newsletters about services, products, and offers. | Consent. Legitimate interests (soft opt-in for previous guests). |
| Targeted Advertising & Online Marketing | Internal records; automated systems (cookies and tracking technologies, with consent) | Contact details; date of birth (optional); country of residence (optional). | Displaying targeted advertising on third-party platforms; analysing travel preferences; promoting relevant offers and services. | Consent. |
| Newsletter Registration (via website subscription form) | You | Email address; name and surname (optional); country (optional). | Sending newsletters about services, products, and offers. | Consent. |
| Membership / Loyalty Programme | You; internal records | Name and surname; membership number; booking history; loyalty tier. | Administering the loyalty programme; providing rewards and personalised offers. | Contractual relationship. Legitimate interests. |
| Guest Questionnaires & Feedback (following booking, during stay, or after departure) | You | Name and surname; contact details; date of birth; room number; profession; stay details; booking reference; survey responses and feedback. | Evaluating guest experience; improving services; handling complaints. | Legitimate interests. |
| Photography & Filming for Promotional Purposes | You (via signed consent form or general notice in filming areas) | Images and video footage; name and surname (where applicable). | Creating promotional and marketing content for use across Sani/Ikos platforms and channels. | Explicit consent. Legitimate interests (incidental capture — see Additional Considerations). |
| Data Analytics & AI Services | Internal records; third-party data providers | Guest profile and behavioural data. | Analysing travel preferences; personalising services; improving service quality; direct marketing (with consent). | Legitimate interests. Consent (direct marketing). |

Additional Considerations:

  • Where you have previously been a guest and contact details were obtained in the context of a completed booking, marketing communications about similar services may be sent without prior consent under the "soft opt-in" exemption.
  • Where photography or filming takes place in general resort areas (e.g. pool areas, restaurants, event spaces) and guests appear incidentally in the background rather than as the intended subject, Sani/Ikos relies on legitimate interests in creating promotional and marketing content for use across its platforms and channels, provided that a visible general notice is in place in the relevant area. Images or footage featuring identifiable guests will not be shared with third parties for their own commercial use without separate, specific consent.
  • You may unsubscribe from marketing communications at any time by clicking the unsubscribe link in any communication or by contacting the Data Protection Officer at privacy@saniikos.com.
  • Potential data analytics and/or profiling activities do not involve solely automated decision-making that produces legal or similarly significant effects without human review.

SECURITY & SURVEILLANCE

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| CCTV / Video Surveillance | Automated systems | Images and video footage from common areas (entrances, lobbies, reception, parking, marina, pool areas, corridors, back-of-house areas, perimeter). Cameras do not record audio. | Ensuring the security of guests, employees, equipment, and premises. | Legitimate interests. |
| Room Access & Safety Box Logs | Automated systems | Door access logs (time of entry, key card identifier); safety box usage logs (time of access, code type). | Security monitoring; incident investigation. | Legitimate interests. |
| Car & Parking Area Data | Automated systems (licence plate recognition) | Licence plate number; vehicle details; entry and exit times. | Managing vehicle access; ensuring premises security. | Legitimate interests. |
| Corporate Offices & Parking CCTV | Automated systems | CCTV images and video footage; licence plate number; vehicle details; entry and exit times. | Ensuring the safety and security of employees, visitors, and premises. | Legitimate interests. |
| Security Reports & Forms | You | Name and surname; room number; signature; passport or ID number. | Creating security documentation; recording and investigating incidents; protecting guests, employees, and premises. | Legitimate interests. |
| Eligibility List | Internal records | Name and surname; identity document details; dates of stay; resort; general category of conduct. | Maintaining records of conduct that posed a risk to guests, employees, or premises; informing future booking decisions. | Legitimate interests. |

Additional Considerations:

  • Drones may be used for fire safety patrols, emergency search operations, and — on specific occasions — for marketing recordings. Where drone flights are conducted for marketing purposes, appropriate advance notice will be provided to guests in the affected areas. Drones used for security purposes follow the same data retention protocols as CCTV footage.

INCIDENTS, COMPLAINTS & LEGAL PROCEEDINGS

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Disputes | Internal records; all available sources relevant to the dispute | Contact details; booking and reservation information. | Establishing, exercising, or defending legal claims. | Legitimate interests. |
| Accident & Incident Forms | You; resort staff | Name and surname; date of birth; room number; duration of stay; incident details (location, date, time, nature). Health/sensitive personal data may be included — see Healthcare Data & Medical Services. | Assessing and investigating accidents and incidents; managing legal and insurance matters. | Legitimate interests. Explicit consent (transfer of health data to insurers). |
| Complaint Handling & Medical Records Release | You; medical professionals (where applicable) | Name and surname; date of birth; room number; duration of stay; complaint or incident details. Health/sensitive personal data may be included — see Healthcare Data & Medical Services. | Investigating complaints; managing claims; coordinating with insurance providers. | Legitimate interests. Explicit consent (transfer of health data). |
| Sanctions & Compliance Screening | Internal records; publicly available sanctions databases | Name and surname; date of birth; nationality; identity document details. | Screening against applicable sanctions lists; preventing fraud; ensuring regulatory compliance. | Legal obligation. Legitimate interests. |

Additional Considerations:

  • Data may be transferred to the insurance company with your explicit consent. Where medical information is involved, explicit consent is required before sharing with insurers. A Medical Records Release Consent Form may be required.

BUSINESS RELATIONSHIPS & OTHER PROCESSINGS

| Activity | Source | Personal Data | Purpose | Legal Basis |
| --- | --- | --- | --- | --- |
| Raffles & Competitions | You | Name and surname; contact details; room number; participation details. | Administering the raffle or competition; contacting winners. | Consent. |
| Agents & Business Partners (via Agents' Registration System or in the context of a business relationship) | You | Company details; contact person details; email address. | Completing registration; administering the business relationship; ensuring the security of financial transactions; business communications. | Legitimate interests. |

  4. MINORS DATA

We do not, as a general rule, seek or collect personal data directly from minors (i.e. under the age of 18); instead, we endeavour to collect such data from their parent or legal guardian and, when necessary, we obtain relevant consent. In limited circumstances where a minor stays at our resorts unaccompanied by their parent or legal guardian (e.g. as a guest of another family), we require a signed consent form from the parent or legal guardian authorising the stay, identifying the person responsible for the minor during that period, and consenting to the collection of the minor's personal data. The designated responsible person is also required to countersign such form. In these cases, certain personal data may be collected directly from the minor to the extent necessary for the provision of our services and the safety of the minor. However, as it is impossible to always determine the age of persons who access and use our websites, we encourage parents or guardians to contact us if they notice any case of unauthorised data provision by minors in order to exercise accordingly their rights, such as deletion of their data.

  5. TRANSFER OF PERSONAL DATA – INTERNATIONAL TRANSFERS

The personal information you provide us is kept secure and safeguarded. We may share your information within our group companies for the above-described purposes in accordance with our Intercompany Agreement for Sharing of Personal Data, which governs and regulates intra-group data transfers within the Sani/Ikos Group and ensures that all group entities apply equivalent standards of data protection. Furthermore, we may disclose your personal data to third parties (legal entities or individuals) which process your personal data under our written order and clarifications (Data Processors). We always guarantee that these third parties apply the same level of measures for the protection of your personal data and act only under our written orders with respect to your personal data. Certain purchases made with, or services provided by, third-party partners during your stay (including retail stores, medical or doctor services, and cruise or excursion providers) may be communicated to the respective Sani/Ikos resort for billing and re-invoicing purposes. Each such entity acts as an independent data controller for its own processing activities.

More specifically, in the context of pursuing the processing purposes, personal data may be transferred to:

  • Third companies which provide us relevant services (e.g. hosting services, finance, legal or technical support, payroll, IT services, AI and cloud service providers, point-of-sale system providers, spa management platforms, IT support providers, activity booking platforms, restaurant reservation platforms, guest feedback platforms, call quality assurance platforms, unified messaging platforms, passport scanning applications, mobile application providers etc.). In any case, all these companies are contractually bound to us in order to ensure the observance of confidentiality, as well as commitment to the data protection legislation.
  • Companies in our Group, to the extent that this transfer is necessary for the pursuance of our purposes. Such transfers are governed by our Intercompany Agreement for Sharing of Personal Data, which ensures compliance with applicable data protection legislation.
  • Tour operators and travel agents, who may act as independent data controllers as provided for under the data processing agreements signed with them.
  • Public authorities (Police, prosecuting authorities, tax authorities, port authorities, etc.) in the context of issuance of fines, or upon relevant request.
  • Banks and financial institutions, for the processing of payments, refunds and financial transactions related to your stay.
  • Insurance companies, in the context of incident management and claims handling, where you have provided your explicit consent for the transfer of health-related data.
  • Third-party service providers operating at our resorts, such as cruise and excursion operators, watersports providers, retail stores and medical professionals, where data sharing is necessary for the provision of services you have requested or for billing purposes. Each provider acts as an independent data controller.
  • Cosmetics partners, where you have provided your consent for the receipt of marketing communications about their products and offers.

When information is transferred as described above, we limit the information disclosed to what is strictly necessary for the performance of the specific purpose. In addition, given that some of our activities are processed by third parties, we endeavour to ensure by contractual assurances that personal data processing is secure and fully compatible with this Privacy Policy.

When the transfer of data concerns a country outside the European Union (EU) or the European Economic Area (EEA), we always check whether the European Commission has issued an adequacy decision in respect of that country, or whether appropriate safeguards are in place in accordance with the GDPR for the transfer of such data.

In any other case, the transfer to a third country is not allowed and we may not transfer personal data unless any of the specific derogations provided for in the Regulation apply (e.g. explicit consent of the data subject, upon informing him/her on the risks of the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support the legal claims and the vital interests of the subject etc.).

  1. THIRD-PARTY WEBSITES’ DISCLAIMER

Our websites and digital platforms may contain hyperlinks, plug-ins and applications operated by third parties. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites, plug-ins or applications and are not responsible for their content, their privacy practices or the information they may collect.

The inclusion of a link to a third-party website does not imply any association with, or endorsement of, that website or its operators by Sani/Ikos.

We encourage you to read the privacy policy or notice of every website or application you visit before providing any personal information.

Please note that this Policy does not apply to personal data collected by third parties through their own platforms, including social media networks through which you may access our services or communicate with us, third-party Wi-Fi providers operating within our resorts, or any booking or travel platforms through which your reservation may have been made.

  1. YOUR RIGHTS

At Sani/Ikos, we endeavour to protect and respect your rights, as set forth by GDPR, including more specifically:

  • your right to be informed about the processing of your personal information (i.e. right of access) and to request and obtain further information on the processing applied.
  • your right to request correction of your personal data, if inaccurate.
  • your right to request deletion of personal information provided, unless further retention of your data is provided by law.
  • your right to request limitation of processing.
  • your right to request portability of your personal information and your right to objection/opposition to further processing thereof.
  • where the processing is based on your consent, you have the right to withdraw that consent at any time, without this affecting the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal. Withdrawing your consent may affect our ability to provide you with certain services.

In these cases, we will respond in writing within 30 days of receipt and identification of the request. In particularly complex cases or where there is a high volume of requests, this period may be extended by a further two months, in which case we will inform you of this within the first month. The exercise of these rights is generally free of charge, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to comply.

In addition, in the event of exercising one or more of the above-mentioned rights of correction, deletion and restriction of your data, these requests shall also be forwarded to any third-party recipient to whom the personal information may have been disclosed in the scope of pursuance of the aforementioned processing purposes.

To exercise any of these rights, you may contact us via privacy@saniikos.com. To protect your privacy, we may verify your identity before processing the request and, in cases of reasonable doubt, request supporting documentation.

  1. DATA PROTECTION OFFICER

To ensure that your personal information is being efficiently protected, a Data Protection Officer has been appointed to whom data subjects may address their questions and concerns in relation to this Privacy Policy. You may reach out at:

  • Email: privacy@saniikos.com.
  • Postal address: 8 Chalkis Street, Pylaia, 555 35, Thessaloniki, Greece.

In case you believe that we have not properly responded to your request or that we are processing your personal data in breach of applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority, in particular, the authority of your habitual residence, place of work or place of the alleged infringement. We ask that you please try to resolve any issues with us first before referring your complaint to a supervisory authority.

The GDPR lead supervisory authority for Sani/Ikos is the Hellenic Data Protection Authority, which can be contacted at: Hellenic Data Protection Authority (APDH), Kifissias 1-3, 115 23 Athens, Greece, www.dpa.gr

The supervisory authorities for the other countries where our resorts are located are:

  • Spain, the Agencia Española de Protección de Datos: aepd.es
  • Portugal, the Comissão Nacional de Proteção de Dados: cnpd.pt

  1. INFORMATION SECURITY

Sani/Ikos is committed to protecting the confidentiality and security of your personal information. We implement appropriate technical, organisational and physical security measures, in accordance with applicable data protection law (including Article 32 GDPR), to protect your personal data against unauthorised access, disclosure, alteration, accidental loss, misuse or destruction.

These measures include, but are not limited to, encryption of data in transit and at rest, access controls based on a strict need-to-know basis, employee training on data protection and information security, and regular review and monitoring of our security controls.

We require any third parties who process personal data on our behalf or to whom we disclose personal data to apply equivalent levels of security protection.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with our legal obligations under applicable data protection law.

  1. RETENTION PERIOD OF PERSONAL DATA

Your personal data is retained for a predetermined and limited period depending on the purpose of processing, after the end of which it will be securely deleted or anonymised in a manner that prevents it from being restored or reconstructed, unless another retention period is required or permitted by applicable law.

When determining the appropriate retention period, we take into account the following criteria:

  • The purposes for which the personal data was collected and whether those purposes have been fulfilled.
  • Any identifiable and ongoing business need, including record-keeping obligations.
  • Any specific legal, regulatory, tax or accounting requirement applicable in the jurisdictions where we operate.
  • Whether the data may be relevant to any notified regulatory investigation or active or anticipated legal proceedings.

Where personal data is processed for more than one purpose, we will retain it until the purpose with the latest applicable retention period has expired.

All the above is governed by the Sani/Ikos Data Retention Policy.

  1. UPDATES TO THE PRIVACY POLICY

Sani/Ikos may amend this Privacy Policy from time to time in order to meet changes in the regulatory environment, business needs, or to satisfy the needs of our guests, properties, strategic marketing partners, and service providers.

Updated versions will be uploaded to our website and date stamped so that you are always aware of when our Privacy Policy was last updated. Any changes will be effective from the date of publication on our website, unless otherwise stated.

Where changes are made to the way in which we use your personal information in a manner materially different from that described at the time of collection, we will take appropriate steps to bring these changes to your attention, such as by posting a prominent notice on our website or by notifying you directly via email. Where required by applicable law, we will seek your consent to such changes.

Your continued use of our services following the publication of any revised Privacy Policy will be deemed to constitute your acceptance of those changes.

Revised: June 2026