The société anonyme with company name “MORFOULAKIS ANONYMI ETAIREIA KSENODOHEIAKON – TOURISTIKON KAI EMPORIKON EPIHEIRISEON”, with distinctive title “Morfoulakis A.E.Ks.T.E.E.” (the “Company”), attaches great importance to the lawful processing, security and protection of your personal data, in any capacity you communicate or cooperate with us, such as prospective or active customers, consumers, website visitors, employees, and suppliers.

Please read carefully the terms of this Privacy and Personal Data Protection Policy of the Company (the “Policy„). In order for you to use our website or our services, you first need to accept the terms and conditions of this Policy, which shall also govern our contractual relationship. 

If you do not agree with our Policy please do not use our website or our services.

These terms may be improved, updated or in any way modified, in whole or in part, at any time, so please review them regularly.

1. What are your personal data

Your personal data includes any information on paper or electronic media that may result, either directly or in combination with others, to your unique identification or identification as a natural person. This category may include, as the case may be, information such as full name, Tax Identification Number, Social Security Number, postal and electronic addresses (email), your landline and mobile phone numbers, your bank/debit/prepaid card details, passport number, and any other information that allows your unique identification in accordance with the provisions of the General Data Protection Regulation (Regulation 2016/679/EU, the “GDPR”), the local framework, as in force from time to time, including for the avoidance of doubts Greek Law 4624/2019, as well as the decisions of the Hellenic Data Protection Authority (hereinafter “DPA”).

2. What personal data we collect

We process and protect your personal data when you contact us and/or purchase our services directly and/or online, when you call us to provide you with services and/or information about our services or our activity in general, in accordance with the relevant legislation.

When you make a reservation with us directly by contacting our Company (by phone or online, such as via our website’s online platform), you may be asked to provide personal information, such as:

contact information, your name, postal address, email address and telephone number, credit card or bank account number, billing address and other payment and billing information, information that is necessary to fulfil your special requests (e.g. cases that due to special health conditions you require special accommodation), information about your stay, including the date of arrival and departure, information collected through the use of CCTV systems, card keys and other security systems.

The provision of some of the above personal information is mandatory if you are going to use our services. If you do not provide such data, we will unfortunately not be able to provide our services. However, providing special categories of personal data (sensitive personal data) is optional.

3. Ways we collect your personal data

The Company collects your personal data in various occasions, such as:

• when you call our numbers, when you send us an email, or fill out our website’s contact form or make a reservation with us;

• when contacting us, either to request information or to make a reservation, to express your opinion, file complaints or comments;

• when you send us the postal address for the issuance or the courier of an invoice or any other tax statement for the provision of services by our Company;

• when you purchase our service, to check your age and see if you are legally allowed to enter into a valid contract with us or if the consent or signature of your parents or guardians is required;

• when you voluntarily subscribe to receive electronic information or other marketing material or to renew your preferences or to participate any of our promotional competitions we may organise (e.g. giveaways or special promotional offers);

• when you visit our website through which we collect, with your explicit consent, via cookies, information from your terminal device, such as your Internet Protocol (IP) address, the type and version of your browser, etc.; and/or

• when we receive documents, requests, orders, petitions, warrants, etc. of third parties, such as supervisory, prosecutorial, judicial, tax authorities, to investigate crimes and protect you against fraud or the fight against all forms of crime and to prevent the infringement of legal property.

4. Processing Purposes (Lawfulness of Processing)

4.1 The Company will use your information for the following lawful processing purposes (according to article 6 of the GDPR), as the case may be, with your explicit consent which you can freely revoke at any time, or for the performance of a contract or pre-contractual relationship between us, or to serve our legitimate interests or to protect your vital interests, and in particular:

(1) In the normal course of our business, in order to be able to manage your reservation, to the extent that the processing is necessary for the implementation of the reservation request or your direct reservation with the Company or for the provision of our services or to answer questions and requests about our services.

(2) In order to be able to understand your personal preferences, customise the services that we will provide to you as a visitor of the touristic accommodation of our Company.

(3) For your convenience, so that we can facilitate you by re-providing the information you are interested in when you visit the Company’s website again.

(4) To contact you, following your explicit consent, and to send you information about the services that we believe you may be interested in. You may unsubscribe from communications at any time by sending a message at: [email protected]

(5) To validate your information (and, in some cases, match it with information collected from third parties, such as travel agents and online intermediaries), to verify that our customer’s data is correct and accurate, especially regarding the date of arrival and payment level of the reservation. This processing is necessary for the realization of your reservation or for the provision of other services.

(6) For the safety of persons, property and goods. To ensure the legitimate interests of the Company, there is a closed camera recording circuit (CCTV) to ensure the safety of our premises, staff and customers.

(7) To comply with any of our legal obligations.

(8) To periodically review if your personal data we have stored is accurate.

(9) For the verification of your data when you connect to our website and the wi-fi of the Company.

(10) For our internal operations and analysis, such as internal management, fraud prevention, use by administration and management information systems, invoicing, accounting, billing and checking. If you would like to be informed of your personal data we hold, please contact us, by sending your request via e-mail at: [email protected]

4.2 The use of the website is not intended for use by minors below the legal age limit, which in Greece is 18 years. No one below the legal age can provide any personal data on or through our website. We do not knowingly collect personal data from minors. If you are below the legal age limit, please do not visit our website, do not make any use of the above and do not send information about yourself to us, including your name, address, telephone number or email address. In the event that we find that we have collected personal data from minors without verifying the consent of their parents or guardians, this information will be deleted, with the relevant notification of the minor’s parent or guardian. If you think we may have information from or about minors, please contact us at: [email protected]. To the fullest extent permitted by all applicable laws and regulations and without prejudice to any other provision of this Policy, the Company declines and rejects any and all liability for any personal data submitted in violation of this term.

5. What are the principles of collection and processing

The purpose of this Policy is to inform you regarding the terms of collection, processing, and transmission of your personal data that we may collect in our capacity as data processor or data controller, as the case may be. The Company and its trained staff apply the principles of the processing of the GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability. The above applies without discrimination and applies to all the processing we perform and in all services we provide.

6. Minimisation, storage and erasure of your data

The Company will always ask you for the minimum personal data required by law to connect with us, to purchase or use our services or to take part in any promotional activities (e.g. giveaways and special offers) we may organise. Our Company keeps your personal data only for as long as required by the contractual terms of each service, in combination with the current legislation, based on the respective purpose of processing, and then destroys or renders the same anonymous, unless their maintenance is required by law for tax, evidentiary or judicial purposes and for the prosecution of illegal acts.

7. Cookies Policy

In accordance with the European ePrivacy Directive 2009/136/EC (which will be replaced by the ePrivacy Regulation) and the DPA recommendations dated 25.2.2020, our website accepts the use of cookies. Cookies are online tools for collecting and analysing information from social networking platforms or collaborating with third party websites to measure traffic, improve functionality, the content and overall appearance of our website and be customised to the needs of customers. When using our website, your personal data is processed by third parties, such as social networks and search engines (e.g. Google Analytics) without any involvement, influence or control by the Company and may be transmitted either inside or outside the European Economic Area, for which transfer each such third party is solely responsible. If you do not wish third parties, such as Google, to receive information from your browser when you visit the Company’s website, you may opt out of the terms provided by the respective Terms of Use on the website of any such third party. Although most browsers automatically accept the use of cookies, you can always change the settings of your computer by choosing not to accept cookies, or to be asked to accept each of them separately. However, you should be aware that this will limit the range of browsing capabilities available to you on each website and your user experience.

8. Transfer of your data to third parties

Your personal data is collected, stored and processed by the Company, exclusively for the purposes stated in this Policy and in accordance with the applicable legal framework. 

8.1. We may share your personal data with third parties, when this is necessary for the performance of a contract or when we have a legitimate interest to do so. Therefore, we may provide your personal data to third parties that are responsible or are directly or indirectly implicated in the operation of the Company (e.g. tax and financial advisors, legal counsels, host providers, IT companies, etc.). Finally, we may share your personal data in the following occasions:

a) to governmental, police or other competent authorities, when required to do so by all applicable laws and regulations, in order to comply with any judicial order or other legal obligation, or to respond to a certain governmental request;

b) when we believe, in good faith, that disclosure is necessary to protect our rights or property, your safety or the safety of others, or to assist in the investigation of theft or fraud. This includes exchanging information with other companies and organizations or police authorities for the purposes of protection against possible fraud and reducing the risk of stolen credit cards;

c) to service providers and data processors we may use to provide or improve our services and support our business;

d) in case your stay has been paid by a third party we will provide the billing information to the party who made the payment.

In any case we will require such third parties to respect the security and confidentiality of your data and to handle it in accordance with all applicable laws and regulations. 

8.2. We may transfer your personal data outside the European Union and/or the European Economic Area (EEA). When doing so, we will ensure that these transfers are lawful and that your information remains secure in accordance with the GDPR as well as subject to a satisfactory level of protection.

9. Security of your Personal Data 

We will process all your information with great care and respect, and make every effort to continuously adopt all reasonable technical and organizational measures to keep your personal data secure as soon as it arrives in our systems and in the database we hold. We implement the best practices for collection, storage and processing of data and security measures to protect against unauthorized access, modification, disclosure or destruction of your personal data and data stored on our website or related database. In particular, we make every effort to keep your personal data in a safe place under the protection of encryption and security and protection software. However, keep in mind that while we take reasonable steps to protect your information, no internet site, no internet transmission, no computer system and no wireless connection is completely secure.

10. Links to third party websites

Our Company website may contain links that lead to websites of third parties, independent bodies, (such as payment service providers etc.) which are operated and maintained exclusively by them, and which we do not control. Therefore, we have absolutely no responsibility for the content, actions or policies of these websites. Please read the respective data protection policies on the websites you visit carefully, as they may differ significantly from ours.

11. Your rights

11.1 Right of Access

According to the current legal framework, you have the right to information, access, correction, and/or request to delete and object to the processing, the right to withdraw your consent at any time, without affecting the legality of the processing based on consent before its withdrawal, complaint to the supervisory authority (HBA) and the portability of your data. You can request access by requesting a copy of your personal information. If you have any questions about your privacy when using the sites and/or our services or in case you want to exercise your rights, please contact us via email at [email protected].

11.2 Right of Withdrawal

If you have given your consent to use your personal data, you may withdraw your consent at any time. Please contact us if you would like to withdraw your consent and we will delete your data in accordance with your right of deletion described below. You can contact us at any time and submit your relevant request via e-mail at [email protected]. Upon receiving notification that you have withdrawn your consent, we will cease to process your information for the purpose for which you originally agreed, unless we have another legal basis to do so legally.

11.3 Right of Rectification

You can ask us to correct any inaccurate information about you. You can contact us at any time and submit your request for correction via e-mail at [email protected].

11.4 Right of Erasure

You can ask us to delete your personal data. You can contact us at any time and submit your request for erasure via e-mail at [email protected].

11.5 Right to Data Portability

You can ask us to provide the personal data we hold about you in a structured, widely used, machine-readable format, or ask us to send your personal data in a structured form to another data controller. You can contact us at any time by sending your request by messaging us in our e-mail at [email protected].

11.6 Right of Prohibition

You may oppose the processing of your personal data in accordance with the current Privacy Policy. You can contact us at any time and submit your relevant request via e-mail at [email protected].

11.7 Right to Lodge a Complaint

You can lodge a complaint about the processing of your personal data by our Company to the supervisory authority (DPA for Greece) at

To ask questions, file complaints, or to exercise any of your rights arising from this Policy please contact us via e-mail at [email protected].

To be able to verify your identity and secure your right of access your data or any of your other rights, we may ask you for additional information or legal documents (such as an I.D. card, passport etc.). This is an important security measure so that your personal data is not disclosed to anyone who does not have the right to receive it. We will not ask you to pay a fee for exercising some of your rights. However, we may charge you a reasonable fee if your request is unfounded or excessive and we may also refuse to comply with your request in such cases.

If you would like additional information regarding this Policy, please contact us via email at [email protected], and we will inform you.

In case you have problems or questions, you have the right to contact the competent authority (DPA in Greece) at

12. Jurisdiction and Applicable Law

Any dispute or claim arising out of or in connection with this Policy and/or the interpretation of any of the terms hereof, shall be governed by and construed in accordance with Greek law. The competent courts of Heraklion, Crete, Greece shall have exclusive jurisdiction.  

This website uses cookies to improve your experience. We’ll assume you’re ok with this, but you can opt-out if you wish.