Facebook Twitter Instagram Linkedin Youtube
Surprice car Logo

Privacy policy

Scope of the Privacy Policy

Surprice Car Rentals, hereinafter referred to as “the Company”, guarantees the safety and protection of your personal data, which are collected through its website https://surpricecars.com/ (hereinafter “Website”). The Company publishes the present lawful, fair and transparent Privacy Policy, in order to provide sufficient information on the personal data it collects and further processes in the context of the operation of its Website. The Company, as the Data Controller, collects and processes personal data only to the extent necessary for specific and lawful purposes in compliance with the European and National Data Protection Legislation.

Definitions 

For the purposes of this Policy, the following definitions should apply: 

‘Personal data’: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

‘Special categories of personal data’: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;

‘Processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

‘Controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 

‘Processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 

‘Data Subject’: the natural person whose personal data are processed. The data subjects this Policy refers to are the users of our website. 

‘Consent’: of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 

‘Personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

Anonymization’: the processing of personal data in such a way that data can no longer be attributed to a particular data subject; 

‘Pseudonymization’: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; 

Existing legislation’: The provisions of the existing …………, EU or other legislation which is applicable to the Company which regulates matters of data protection, such as the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the Greek Law 4624/2019, the Decisions, Directives and Opinions of the competent Data Protection Authority (DPA) as well as any further applicable laws regulating data privacy matters.

Principles relating to the processing of personal data 

The Company collects and processes personal data based on the following principles: 

  1. Lawfulness, fairness and transparency: The Company ensures that personal data are collected and processed lawfully, fairly and in a transparent manner in relation to the data subject. 
  2. Purpose limitation: The Company ensures that personal data are collected only for specified, explicit and legitimate purposes. 
  3. Data minimization: The Company takes relevant technical and organizational measures so that personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 
  4. Accuracy: The Company shall take all necessary steps to ensure that the personal data it collects and processes are always accurate and, where necessary, kept up-to-date. 
  5. Storage limitation: The Company does not store the personal data it collects for longer than is necessary for the purposes for which the personal data were collected and set under process. However, the Company may further retain personal data when necessary for:
  6. a) the compliance with its legal obligations
  7. b) for the performance of a task carried out in the public interest
  8. c) the purposes of the legitimate interests pursued by the Company
  9. d) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
  10. e) the establishment, exercise or defense of its legal claims
  11. Integrity and confidentiality: The Company ensures that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

 Data collected and processed  through our Website, Purposes of processing and legal basis

The Company collects personal data in the following cases:

Α.1.1. Data collected through the communication (Contact) form

When you choose to contact us through the electronic contact form available in the Website, you will need to provide certain information, such as your name, surname, e-mail address, as well as any further information you include in your message to us. 

Α.1.2. Purpose of processing and legal basis 

 

We collect and process the information you will provide through the communication form with the sole purpose of serving and contacting you in order to satisfy your request, response your question etc. The legal basis of processing is your prior consent [GDPR art. 6 (1a)] which is given after having read the current Policy by checking the relevant box before submitting your message as well as the Company’s legitimate interest to satisfy the requests of its customers [GDPR art. 6 (1f)]. Your consent can under specific legal conditions be withdrawn at any time, bearing in mind that such a withdrawal does not affect the lawfulness of the processing performed until then.

 

Α.2.1. Data collected by sending email for future collaboration

When you choose to send us an email to express your interest for future collaboration with our Company and forward to us your CV, we will collect and process personal data included in your email and your CV such as name, surname, email address, phone number, certificates, working experience, knowledge of foreign languages etc. 

Α.1.2. Purpose of processing and legal basis 

 

We collect and process the information you will provide through the email with the sole purpose of serving and contacting you in order to satisfy your request. The legal basis of processing is your prior consent [GDPR art. 6 (1a)] which is given after having read the current Policy by checking the relevant box before submitting your message as well as the Company’s legitimate interest to satisfy the requests of its customers [GDPR art. 6 (1f)]. The consent can under specific legal conditions be withdrawn at any time, bearing in mind that such a withdrawal does not affect the lawfulness of the processing performed until then.

 

Β.2.1. Online technologies 

While browsing our site, we may collect some essential information related to the traffic to our Website, such as the web address (IP address) and the type of browser used by the user etc. For more information on by using the cookies on our Website, you can refer to Cookies Policy. 

The cookies used by the website are the essential for the proper functionality of the website, they allow you to navigate and use its functionalities, as accessing safe locations. 

Β.2.2. Purpose of processing and legal basis

The purpose of collecting and processing data these data is to improve the functionality of the Website and the services provided as well as the analysis of its traffic. The legal basis for the processing of personal data is the consent of the user, with the exception of the strictly essential cookies which are permanently deselected and are essential for the operation of the Website. Legal basis of processing for the strictly essential cookies is the legitimate interest of the Company to ensure the optimal functionality of the Website.

Minors’ Data

Requesting or receiving minors’ personal data is not a part of our Policy (i.e. from individuals that have not reached the age of 18 years old), either directly or indirectly through third parties. However, given that it is impossible to always control the age of individuals entering or using the Website of the Company, parents and legal guardians are advised to contact directly the Company in case they observe any unauthorized disclosure of data on behalf of the minors for whom they are responsible, in order to exercise their rights accordingly, as e.g. the erasure of their data.

Transfer of Personal Data

The Company may transfer personal data to third parties, to whom it has entrusted the processing of personal data on its behalf (such as service companies, website developers etc.). In any case, such third parties are contractually bound to the Company in order to ensure the obligation of confidentiality as well as the obligations provided by the applied existing Legislation.
At the same time, the personal data of the users may be transferred to public authorities, independent authorities, etc. (eg Police, prosecuting authorities, tax authorities etc.) during the exercise of their duties ex officio or at the request of a third party invoked legal interest and in accordance with legal procedures.

When the transfer of data concerns a country outside the European Union (EU) or the European Economic Area (EEA), we always check whether:

  • The Commission has issued an adequacy decision on the third country to which the transfer is addressed to.
  • Appropriate safeguards are in place in accordance with the Regulation for the transfer of such data.

In any other case, the transfer to a third country is not allowed and we may not transfer personal data unless any of the specific derogations provided for in the Regulation apply (e.g. explicit consent of the data subject, upon informing him/her on the risks of the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support the legal claims and the vital interests of the subject etc.).

Data retention period 

All personal data collected and processed by the Company are retained for a pre-determined and specified period of time, depending of the purpose of processing. When this time period expires, the personal data are safely deleted and/or destroyed, unless their further retention is permitted or required by law. 

Data Privacy and Security

Taking into account the latest updates, implementation costs and nature, scope and purposes of processing, as well as the risks of different probability of occurrence and seriousness of the rights and freedoms of users from processing, the Company takes the necessary technical and organizational measures to protect users’ personal data. However, it is noted that no electronic data transfer or storage method is 100% secure. Nevertheless, the Company takes all necessary security measures (antivirus, firewall). 

Data Protection Officer 

The Company has appointed a Data Protection Officer (DPO). The contact details are as follows: dpo@surpricecars.com 

 

Data Subject Rights 

The Company shall ensure and take the appropriate measures for the data subjects to be able to exercise their rights, as provided by national and EU legislation regarding the collection and processing of personal data concerning them. Each data subject has the following rights:

  1. Right to withdraw his/her consent. In cases where the processing is based solely on your prior consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing performed based on consent before its withdrawal. 
  2. The Right of Access and Information. 
  3. The Right of rectification. 
  4. The right to erasure (“the right to be forgotten”). 
  5. The right to restriction of processing.
  6. The right to data portability. 
  7. The right to object to the processing and the right to object to automated individual decision-making, including profiling. 

The Company may refuse to fully or partially satisfy a data subject’s request only when this possibility is provided for by the Regulation or by national law.

The Company provides the data subjects with information on the processing operations within one (1) month from the submission of the data subject’s relevant request and following the data subject’s identification. This period provided can be extended by two (2) more months, if necessary, if the request is complex or in case of numerous requests. In this case, the Company is obliged, within one month of the receipt of that request, to inform the data subject about the delay and the reasons of the delay. Within that period, the Company shall also inform the data subject of possible refusal to fully or partially satisfy the request as well as for the motives of the refusal. 

If the data subject submits the request by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject requests differently. 

If the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive character, the Company may charge a reasonable fee in order to satisfy the request or refuse to respond to the request. 

To exercise any of the above rights, you can contact the Data Protection Officer of the Company. The contact details are as follows: dpo@surpricecars.com

Right to Lodge a complaint with the Hellenic Data Protection Authority 

Data subjects have the right lodge a complaint with the Hellenic Data Protection Authority (DPA) for issues concerning the processing of their personal data. For the Authority’s competence and the means of filing a complaint, detailed information is provided on the website of the DPA (“http://www.dpa.gr” www.dpa.gr “My Rights Submitting a Complaint”). 

Updates to the Privacy Policy 

The Company may update this Privacy Policy from time to time for compliance reasons or to meet its operational needs and legal obligations. Updated versions will be uploaded to our website, with data reference, so that you are always aware of when our Privacy Policy was last updated. 

Updated: January 2024