SACRED TRUST
We respect your privacy and your trust is sacred to us. Below you’ll find how we collect, use, and protect your personal information with care, transparency, and intention.
Privacy Policy
Contents
- Introduction
- Privacy and personal data protection policy
- The General Data Protection Regulation
- Definitions
- Principles relating to processing of personal data
- Data Collected and means of collection
- Lawful basis of processing
- Use of Data
- Direct Marketing
- Methods of Processing
- Transfer of personal data outside of the European Economic Community
- Data retention
- Data Deletion
- Rights of the individual
- Privacy by design
- Data protection officer
- Self-Assessment of Legal Compliance
- Third-Party Links
- Cookies
- Review and Update of Data Protection Policy
Tables
- Table 1: Types of data collected
- Table 2: Data retention table
- Table 3: Timescales for data subject requests
Introduction
Welcome to Aya Resort Ltd.
Aya Resort Ltd (referred to as “the hotel” or the “Organization”) respects your privacy and is committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website, become a client or visit our premises. It also informs you of your privacy rights and how the law protects you.
This policy outlines how we collect, process, store, and protect personal data in compliance with the General Data Protection Regulation (GDPR) 2016/679 and relevant Cyprus data protection laws “The Protection of Physical Persons Against the Processing of Personal Data and Free Movement of such Data Law 125(I)/2018”.
This policy applies to all systems, people, and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers, and other third parties with access to the hotel’s systems.
Privacy and personal data protection policy
The General Data Protection Regulation
The General Data Protection Regulation 2016 (GDPR) is one of the most significant pieces of legislation affecting the way that the hotel carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred under the GDPR, which is designed to protect the personal data of citizens of the European Union. It is the hotel’s policy to ensure that our compliance with the GDPR and other relevant legislation is always clear and demonstrable.
Definitions
Personal data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Processing means: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Controller means: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
Principles relating to processing of personal data
There are several fundamental principles upon which the GDPR is based.
These dictate that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
- Accurate and, where necessary, kept up to date (‘accuracy’).
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
In addition, the controller shall be responsible for and be able to demonstrate compliance with all these principles (‘accountability’).
The hotel ensures that it complies with all these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.
Data Collected and means of collection
Information can be obtained in various ways, including but not limited to:
- Directly from you:
  - Via our website booking engine and web forms
  - By email, telephone or in person at our front desk
  - Through paper forms or other physical documents you submit
- From third parties:
  - Payment processors, travel agencies, and online travel platforms
- Automatically:
  - Cookies and similar tracking technologies on our website
  - CCTV cameras in public areas (lobbies, corridors, entrances/exits)
The hotel collects, uses, stores, processes, and transfers different kinds of personal data, such as:
| Data Subject | Category | Examples & Notes |
|---|---|---|
| Guests | Stay Details | Arrival/departure dates; room type and preferences; names, DOB & passport numbers of companions; stay purpose; special requests (e.g. dietary, accessibility) |
| Guests | Contact Details | Name; billing address; email; phone number |
| Guests | Payment Data | Payment card details; transaction records; invoices |
| Guests | Sensitive Data | Health-related information for accessibility only (Art. 9 GDPR) |
| Guests | CCTV Footage | Images from public hotel areas. Retained for 30 days unless required for a security incident. |
| Guests | Marketing Preferences | Newsletter opt-ins; preferred communication channels |
| Employees | Identity & HR Data | Name; date of birth; national ID; marital status; job title; salary; tax ID; social insurance records |
| Employees | Technical Data | Work device IP address; login timestamps; browser/OS details where provided for remote access |
| All Users | Usage Data | Website interaction data (pages visited, cookies, device info) |

Table 1: Types of data collected
Note on Legal Bases: For each category above, we rely on one or more lawful bases under Art. 6 GDPR (e.g. Contract, Legitimate Interests, Consent) and, where applicable, Arts. 9(2) and 10 GDPR for special categories. Please see the following Section (“Lawful Bases of Processing”) for full details.
Lawful basis of processing
When processing personal data, the hotel ensures that the processing is based on at least one of the following lawful bases:
- Legitimate interests: Where processing is necessary for our legitimate business interests (for example, improving guest services), provided those interests do not override your rights and freedoms.
- Contractual obligations: Where processing is necessary to perform a contract with you (for instance, your reservation and check-in/check-out).
- Legal obligations: Where processing is required to comply with a law (e.g. health and safety reporting, employment law).
- Consent: Where you have given clear permission for us to process your data for a specific purpose (such as sending you promotional newsletters).
(For special-category data processed under Article 9, we additionally rely on explicit consent or employment-related legal requirements.)
Use of Data
The hotel collects your data for:
- Reservation & Stay Management: To handle bookings, check-in/check-out, room allocations and related customer services.
- Guest Services & Personalization: To understand your preferences and offer tailored experiences (e.g., dietary requirements, special occasions).
- Operational & Administrative Support: To manage day-to-day hotel operations (staff rostering, maintenance requests, facility access).
- Health & Safety: To respond to incidents, medical emergencies or complaints during your stay.
- Security: To monitor our premises via CCTV in public areas for the protection of guests, staff, and property.
- Employee Administration: To onboard, pay, and manage our staff in compliance with employment laws.
- Marketing & Communications: To send you updates, offers or newsletters where you have opted in or where permitted by the “soft opt-in” rules.
- Regulatory Compliance: To fulfil any statutory obligations (e.g., local tourism reporting, health inspections).
Direct Marketing
PROMOTIONAL OFFERS FROM US
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.
Prior consent is required for electronic direct marketing, i.e. newsletters, emails containing promotions, advertisements, texts or automated calls. There is, however, a limited exception for existing customers known as the “soft opt-in”, which allows organisations to send marketing texts or emails if they have already obtained the contact details in the course of a sale to that person, or they are marketing similar products or services, or they have already given the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
The right to object to direct marketing is explicitly provided to the data subjects in an intelligible manner, so that it is clearly distinguishable from other information.
THIRD-PARTY MARKETING
We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by logging into the website and checking or unchecking the relevant boxes to adjust your marketing preferences, by following the opt-out links on any marketing message sent to you, or by contacting us at any time.
OPTING OUT
The objection of the data subjects to direct marketing is promptly honoured. In case a data subject opts out at any time, their details are suppressed as soon as possible, and processing is forbidden. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
Methods of Processing
- Manual Processing: Personal data may also be processed manually by our trained staff, who handle data securely and confidentially.
- Data Transfers: Personal data may be transferred to third-party service providers who assist us in our operations. These providers comply with data protection laws and maintain a high level of data security.
Transfer of personal data outside of the European Economic Community
The hotel does not normally transfer Personal Data outside of the European Economic Community.
Where none of the appropriate safeguards are applicable, we may carry out the transfer on the basis of at least one of the specific situations, i.e. the data subject’s specific consent, necessity for the performance of a contractual obligation etc. In addition, we will always take into account the relevant provisions under Cyprus Data Protection Law. In any event, we always make sure we take all reasonable and practicable measures to ensure the secure transfer in accordance with the GDPR.
Data retention
The hotel retains Personal Data for the periods set out in the table below. After these periods, data is securely deleted or anonymized unless otherwise required by law:
| Data category | Employees and Partners | Guests |
|---|---|---|
| Identity Data | 7 years after termination | 7 years after termination |
| Contact Data | 7 years after termination | 7 years after termination |
| Underaged Guests | N/A (Adults Only) | N/A (Adults Only) |
| Sensitive (health-related) | 7 years after termination | |
| Financial Data | 12 years after termination (payroll, tax records) | 12 years after termination (invoices, payments) |
| Transaction Data | 12 years after termination (payroll, tax records) | 12 years after termination (invoices, payments) |
| Technical Data (Log files only for employees) | 1 year | Not Applicable |
| Usage Data | 6 months | 6 months |
| Marketing and Communications Data | Until data subject opts out | Until data subject opts out |
| CCTV | | 30 days, automatically overwritten |

Table 2: Data retention table
Personal Data of clients and employees are retained as long as they are actively interacting and then archived and retained according to Laws, Regulations and internal policies. The hotel implements all technical and organisational measures to safeguard the data for the full life cycle.
Data Deletion
The hotel deletes personal data when:
- The statutory retention period expires.
- You submit a valid erasure request and no legal exception applies.
- The data are no longer necessary for the purposes for which they were collected.
Where feasible and appropriate, we may irreversibly anonymize data instead of deleting it, so it can still be used for statistical or historical purposes. All deletion and anonymization actions are recorded in our audit logs.
Methods of information deletion may vary according to the way in which the information is stored and may include:
- Automated deletion after a specified period of time (for example for email)
- Using secure deletion software to ensure that information may not be retrieved
- For information held on paper, shredding using a cross-cut shredder
- Physical destruction of storage devices such as hard drives
- Manual deletion of information once no longer required (for example, temporary files at the end of a project)
- Restoration of factory settings (for example in the case of a mobile device)
Rights of the individual
The data subject also has rights under the GDPR. These consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Each of these rights is supported by appropriate procedures within the hotel that allow the required action to be taken within the timescales stated in the GDPR. These timescales are shown in Table 3.

| Data subject request | Timescale |
|---|---|
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | Within one month |
| The right to rectification | Within one month |
| The right to erasure | Within one month |
| The right to restrict processing | Within one month |
| The right to data portability | Within one month |
| The right to object | Within one month |
| Rights in relation to automated decision making and profiling | Within one month |

Table 3: Timescales for data subject requests
Other rights include: the right to be notified of a Personal Data Breach which is likely to result in high risk to your rights and freedoms; the right to make a complaint to the Supervisory Authority; the right to withdraw consent to Processing at any time.
Please note that these rights are not absolute and are subject to exceptions. They may therefore be limited where the hotel has an overriding interest or legal obligation to continue to process the data, or where data may be exempt from disclosure under applicable law. The applicability of data subjects’ rights depends on the legal basis on which the hotel relies in each case.
Data subjects can request the exercise of their rights by sending an e-mail to dpo@aya-resort.com.
If data subjects wish to raise a complaint on how the hotel handled their Personal Data, they may contact the Company to have the matter investigated.
If they are not satisfied with the hotel’s response, they may lodge a complaint to:
Office of The Commissioner for Personal Data Protection
Office address: Iasonos 1, 1082 Nicosia, Cyprus
Postal address: P.O.Box 23378, 1682 Nicosia, Cyprus
Tel: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy
Privacy by design
The hotel takes all appropriate security measures to ensure that the personal data/data collected and stored in connection with your visit to the website and/or in relation to the services and products provided by the hotel is protected against any unauthorized access, misuse, loss and/or destruction.
The hotel uses physical and electronic security measures, including but not limited to the use of firewalls, personal passwords, encryption and authentication technologies. The hotel’s employees and service providers are bound by professional secrecy and must comply with all data protection provisions.
Note that access to personal data is restricted to specific employees, contractors and third-party service providers who require this access in order to perform the agreement between the Hotel and you, all on a “need to know” basis and in order to execute all obligations arising from the agreements in place. Techniques such as data minimisation and pseudonymisation will be considered where applicable and appropriate.
Data protection officer
The hotel has appointed a Data Protection Officer (DPO), who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details for the Data Protection Officer are as follows:
Email: dpo@aya-resort.com
Tel: +357 24 828 623
Address: 22, Archbishop Makarios III, MAKARIA CENTER, 5th floor, office 501, Larnaca, Cyprus
Corporate website: www.aya-resort.com
Self-Assessment of Legal Compliance
The hotel conducts a self-assessment regarding personal data and its compliance with relevant legal provisions. This self-assessment is carried out using appropriate methodologies developed by the organization or from a reliable external source. The self-assessment is repeated annually, with results retained and necessary compliance measures implemented.
Third-Party Links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see https://aya-resort.com/cookies/
Review and Update of Data Protection Policy
The hotel reviews and updates its Data Protection Policy at least annually or when a significant change to the processing activities occurs.
Last Update 05 May 2025.
Aya Resort Ltd,
22, Archbishop Makarios III, MAKARIA CENTER, 5th floor, office 501, Larnaca, Cyprus
+357 24 828 623